From 19e4c5f0018a88a499c1d4a029c710fd533341d9 Mon Sep 17 00:00:00 2001
From: Muted Mouse
Date: Sat, 24 Mar 2018 17:22:36 -0400
Subject: [PATCH 1/3] add unified output
---
volatility/plugins/linux/netstat.py | 47 ++++++++++++++++++++++++++++-
1 file changed, 46 insertions(+), 1 deletion(-)
diff --git a/volatility/plugins/linux/netstat.py b/volatility/plugins/linux/netstat.py
index fd815540c..ce17a26b1 100644
--- a/volatility/plugins/linux/netstat.py
+++ b/volatility/plugins/linux/netstat.py
@@ -29,6 +29,7 @@ import volatility.plugins.linux.common as linux_common
 import volatility.plugins.linux.lsof as linux_lsof
 import volatility.plugins.linux.pslist as linux_pslist
+from volatility.renderers import TreeGrid
 class linux_netstat(linux_pslist.linux_pslist):
 """Lists open sockets"""
@@ -36,8 +37,52 @@ class linux_netstat(linux_pslist.linux_pslist):
 def __init__(self, config, *args, **kwargs):
 linux_pslist.linux_pslist.__init__(self, config, *args, **kwargs)
 self._config.add_option('IGNORE_UNIX', short_option = 'U', default = None, help = 'ignore unix sockets', action = 'store_true')
-
+
+ def unified_output(self,data):
+ return TreeGrid([("Proto", str),
+ ("Local IP", str),
+ ("Local Port", int),
+ ("Remote IP", str),
+ ("Remote Port", int),
+ ("State", str),
+ ("Process", str),
+ ("PID", str),
+ ("Name", str),
+ ],
+ self.generator(data))
+
+ def generator(self, data):
+ for task in data:
+ for ents in task.netstat():
+ if ents[0] == socket.AF_INET:
+ (_, proto, saddr, sport, daddr, dport, state) = ents[1]
+ yield(0, [
+ str(proto),
+ str(saddr),
+ int(sport),
+ str(daddr),
+ int(dport),
+ str(state),
+ str(task.comm),
+ str(task.pid),
+ str(name),
+ ])
+
+ elif ents[0] == 1 and not self._config.IGNORE_UNIX:
+ (name, inum) = ents[1]
+ yield(0, [
+ str("UNIX "+str(inum)),
+ "-",
+ 0,
+ "-",
+ 0,
+ "-",
+ str(task.comm),
+ str(task.pid),
+ str(name),
+ ]) # its a socket!
+
 def render_text(self, outfd, data):
 linux_common.set_plugin_members(self)
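Review bot: In the AF_INET branch of `generator`, the row ends with `str(name)`, but `name` is only bound in the UNIX `elif` branch below it, so the first IPv4 socket of a task raises UnboundLocalError and any IPv4 socket listed after a UNIX socket reports that socket's path as its Name. Use a placeholder there, `"-",`, as the UNIX branch already does for its IP and port columns. Two smaller points: `("PID", str)` declares PID as a string column although the generator has the integer at hand, so `("PID", int)` with `int(task.pid)` in both branches keeps the column sortable and consistent with the other plugins' unified output; and `ents[0] == 1` could read `ents[0] == socket.AF_UNIX` since the branch above already compares against the `socket` constants. `socket` is not imported in this hunk, so this assumes it is already imported for render_text; the class continues outside the hunk.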
From 25b4fd9f0ea7e030b2aa4f63dddc6288357e3a26 Mon Sep 17 00:00:00 2001
From: Muted Mouse
Date: Sat, 24 Mar 2018 17:25:09 -0400
Subject: [PATCH 2/3] added ppid to pslist unified and test output
---
volatility/plugins/mac/pslist.py | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/volatility/plugins/mac/pslist.py b/volatility/plugins/mac/pslist.py
index e411ab097..1de712ff2 100644
--- a/volatility/plugins/mac/pslist.py
+++ b/volatility/plugins/mac/pslist.py
@@ -43,7 +43,7 @@ def virtual_process_from_physical_offset(addr_space, offset):
 pspace = utils.load_as(addr_space.get_config(), astype = 'physical')
 proc = obj.Object("proc", vm = pspace, offset = offset)
 task = obj.Object("task", vm = addr_space, offset = proc.task)
-
+
 return task.bsd_info.dereference_as("proc")
 def allprocs(self):
@@ -99,6 +99,7 @@ def unified_output(self, data):
 ("Bits", str),
 ("DTB", Address),
 ("Start time", str),
+ ("PPID", int),
 ], self.generator(data))
 def generator(self, data):
 for proc in data:
@@ -118,6 +119,7 @@ def generator(self, data):
 str(bit_string),
 Address(proc.task.dereference_as("task").map.pmap.pm_cr3),
 str(proc.start_time()),
+ int(proc.p_ppid),
 ])
 def render_text(self, outfd, data):
@@ -127,9 +129,11 @@ def render_text(self, outfd, data):
 ("Uid", "8"),
 ("Gid", "8"),
 ("PGID", "8"),
- ("Bits", "12"),
+ ("Bits", "12"),
 ("DTB", "#018x"),
- ("Start Time", "")])
+ ("Start Time", ""),
+ ("Ppid", "8"),
+ ])
 for proc in data:
 if not proc.is_valid() or len(proc.p_comm) == 0:
@@ -146,4 +150,5 @@ def render_text(self, outfd, data):
 str(proc.p_pgrpid),
 bit_string,
 proc.task.dereference_as("task").map.pmap.pm_cr3,
- proc.start_time())
+ proc.start_time(),
+ str(proc.p_ppid))
From c043acfb1420fe0d5da378a654028107add7bc5b Mon Sep 17 00:00:00 2001
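Review bot: The text-table header added in the render_text hunk (`@@ -127,9 +129,11 @@`) is labelled `("Ppid", "8")`, while the unified-output column added in the hunk at line 99 is `("PPID", int)` and the neighbouring text headers are `PGID` and `DTB`; change it to `("PPID", "8"),` so both renderers name the column identically and the table's capitalisation stays uniform. The `("Bits", "12")` replacement in the same hunk differs only in trailing whitespace and could be left out of the commit, as could the blank-line rewrite in the first hunk. The two render_text hunks are excerpts; the method begins and ends outside them.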
From: Muted Mouse
Date: Sun, 25 Mar 2018 19:46:09 +0000
Subject: [PATCH 3/3] add unified_output to editbox plugin
---
volatility/plugins/gui/editbox.py | 40 +++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/volatility/plugins/gui/editbox.py b/volatility/plugins/gui/editbox.py
index 51204da2a..e3025da35 100644
--- a/volatility/plugins/gui/editbox.py
+++ b/volatility/plugins/gui/editbox.py
@@ -39,6 +39,7 @@ import volatility.plugins.common as common
 import volatility.plugins.gui.messagehooks as messagehooks
 import volatility.win32 as win32
+from volatility.renderers import TreeGrid
 supported_controls = {
 'edit' : 'COMCTL_EDIT',
@@ -444,6 +445,45 @@ def render_table(self, outfd, data):
 # context, atom_class and is_wow64 are ignored
 self.table_row(outfd, pid, proc_name, str(ctrl))
+ def unified_output(self, data):
+ #output as volatility json format
+ return TreeGrid([("Wnd Context", str),
+ ("Process ID", int),
+ ("ImageFileName", str),
+ ("IsWow64", str),
+ ("atom_class", str),
+ ("value-of WndExtra", str),
+ ("nChars", int),
+ ("selStart", int),
+ ("selEnd", int),
+ ("isPwdControl", int),
+ ("undoPos", int),
+ ("undoLen", int),
+ ("address-of undoBuf", str),
+ ("undoBuf", str),
+ ("Data", str),
+ ], self.generator(data))
+
+ def generator(self, data):
+ for context, atom_class, pid, proc_name, is_wow64, ctrl in data:
+ yield (0, [
+ str(context),
+ int(pid),
+ str(proc_name),
+ str('Yes' if is_wow64 else 'No'),
+ str(atom_class),
+ str(hex(int(ctrl.v()))),
+ int(ctrl.nChars),
+ int(ctrl.selStart),
+ int(ctrl.is_pwd()),
+ int(ctrl.undoPos),
+ int(ctrl.undoLen),
+ int(ctrl.selEnd),
+ str(ctrl.undoBuf),
+ str(ctrl.get_undo(no_crlf=True)),
+ str(ctrl.get_text()),
+ ])
+
 def render_text(self, outfd, data):
 """Output the results as a text report
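Review bot: The row yielded in `generator` does not line up with the columns declared in `unified_output`: the declared order is selStart, selEnd, isPwdControl, undoPos, undoLen, but the yield emits `int(ctrl.selStart)`, `int(ctrl.is_pwd())`, `int(ctrl.undoPos)`, `int(ctrl.undoLen)`, `int(ctrl.selEnd)`, so the selEnd column carries the password flag, isPwdControl carries undoPos, undoPos carries undoLen and undoLen carries selEnd — and a mislabelled isPwdControl is exactly the value an analyst would act on. Move `int(ctrl.selEnd),` from after `int(ctrl.undoLen),` to directly after `int(ctrl.selStart),`; the other four then fall into their declared columns. The `#output as volatility json format` line would serve better as a docstring on unified_output, e.g. `"""Return the results as a TreeGrid for the unified (JSON/SQLite) renderers."""`. The render_text definition that follows is cut at the hunk edge.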