superponible / volatility-plugins Goto Github PK

View Code? Open in Web Editor NEW

197.0 14.0 52.0 63 KB

Plugins I've written for Volatility

Python 100.00%

volatility-plugins's Introduction

Volatility Plugins

Plugins I've made:

uninstallinfo.py - Dumps HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall from memory

prefetch.py - scan memory for prefetch files and dump filename and timestamps

idxparser.py - scan memory Java IDX files and extract details

firefoxhistory.py - firefoxhistory, firefoxcookies, and firefoxdownloads plugins to extract the following firefox history data: moz_places, moz_cookies, and moz_downloads

chromehistory.py - chromehistory, chromevisits, chromesearchterms, chromedownloads, chromedownloadchains, and chromecookies plugins to extract Chrome SQLite artifacts

sqlite_help.py - supporting functions SQLite used in Firefox and Chrome plugins

trustrecords.py - extract Office TrustRecords registry key information

ssdeepscan.py - like yarascan, but searches for pages matching an ssdeep hash

malfinddeep.py - whitelist code found by malfind based on an ssdeep hash

apihooksdeep.py - whitelist code found by apihooks based on an ssdeep hash

volatility-plugins's People

Contributors

Stargazers

Watchers

Forkers

kartikeyap vicgc hilaco phulc hiddenillusion warsang nickkarras mnrkbys ccgcyber aymansabri ntraiseharderror lamoreauxaj kootenpv stuxnet999 iljasir deerluca ostrichsec p4r4xor lzwgiter ameerpornillos 851579181 ksridevi2908 vantier tun4 thangld322 timwalita roerohan heapslip oldhercules n4rr34n6 icqw brodriguezo charygao tobyshawn zhjguang weijo lloydik czheisenberg zjf666 chixxx 403exploit b3nlkm txuyuan xophidia chthulhur 4m3rr0r 0xnoobody aiveni

volatility-plugins's Issues

Add full path to Prefetch

I'm not sure if during your research this information wasn't present or if it was more of a pain to follow the sections to get this information but it'd be useful to have. Either way, another option would be to enumerate kernel file paths via filescan and use those to brute force the prefetch hash. Since this may take some additional processing time, might serve better as an option is say verbose output is selected.

some sudo code for what I mean:

import volatility.plugins.filescan as filescan
...
fpaths = []
scanner = filescan.FileScan(self._config)
for fobj in scanner.calculate():
    fpath = "{0}".format(fobj.file_name_with_device() or '')
    if fpath:
        path = fpath.upper().rsplit('\\', 1)[0]
        if not path in fpaths:
            fpaths.append(fpath)

for offset, pf_header in pf_files:
    full_path = "{0}\\{1}".format(path, pf_header.Name)
    if pf_header.Version == 17:
        pf_hash = generateXpHash(full_path)
    elif pf_header.Version == 23:
        pf_hash = generateVistaHash(full_path)
    else:
        continue

    if pf_hash == pf_header.Hash:
        print "{0}-{1:X}.pf".format(full_path, pf_hash)
...

The hash functions above cab be leveraged from gleeda's script (https://github.com/gleeda/misc-scripts/blob/master/prefetch/prefetch_hash.py)

*** Failed to import volatility.plugins.chromehistory (ImportError: No module named csv)

volatility_2.6_win64_standalone --plugins=plugin -f MemoryDump_Lab6.raw --profile=Win7SP1x64 chromehistory

*** Failed to import volatility.plugins.chromehistory (ImportError: No module named csv)
*** Failed to import volatility.plugins.pycache.chromehistory.cpython-311 (ImportError: No module named pycache.chromehistory.cpython-311)
*** Failed to import volatility.plugins.pycache.apihooksdeep.cpython-311 (ImportError: No module named pycache.apihooksdeep.cpython-311)
*** Failed to import volatility.plugins.firefoxhistory (ImportError: No module named csv)
*** Failed to import volatility.plugins.pycache.firefoxhistory.cpython-311 (ImportError: No module named pycache.firefoxhistory.cpython-311)
ERROR : volatility.debug : You must specify something to do (try -h)

I tried two operating systems (windows and linux)

They all show this error

We use the standard version of volatility

Always this error

I always get this error with the plugin firefoxhistory

/volatility/volatility/plugins/firefoxhistory.py", line 443, in calculate 
if ord(ff_buff[start-1]) in (1, 2, 8, 9): 
TypeError: 'NoneType' object has no attribute '__getitem__'

Any idea ?

Upgrade to Volatility3?

I would be wonderful!
Thanks!!

Can chromecookies support Chrome 83?

Hi,
I'm using this plugin on Ubuntu 18.04.4 LTS to get cookies of Chrome 83 but it does not print out anything while chromehistory works just fine.
Steps:
I create the memory image follows this guide.

insmod lime-5.3.0-53-generic.ko "path=/home/anhtm/linux64.mem format=lime"
zip volatility/plugins/overlays/linux/Ubuntu_5.3.0-51-generic_profile.zip tools/linux/module.dwarf /boot/System.map-5.3.0-51-generic
python vol.py -f /home/anhtm/linux64.mem --profile=LinuxUbuntu_5_3_0-51-generic_profilex64 chromecookies

Results:

No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 VMotionMigrationAddressSpace: VMotionMigration requires a base
 EWFAddressSpace: No libEWF implementation found
 WindowsCrashDumpSpace64BitMap: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 SkipDuplicatesAMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 VMotionMigrationAddressSpace: VMotion migration magic not found
 EWFAddressSpace: No libEWF implementation found
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VMWareAddressSpace: Invalid VMware signature: 0x0
 QemuCoreDumpElf: ELF Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 VMWareMetaAddressSpace: VMware metadata file is not available
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxUbuntu_5_3_0-51-generic_profilex64 selected
 WindowsAMD64PagedMemory: Incompatible profile LinuxUbuntu_5_3_0-51-generic_profilex64 selected
 LinuxAMD64PagedMemory: Failed valid Address Space check
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_5_3_0-51-generic_profilex64 selected
 IA32PagedMemory: Incompatible profile LinuxUbuntu_5_3_0-51-generic_profilex64 selected
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check

I need to get chrome cookies using this tool. Please help.

superponible / volatility-plugins Goto Github PK

volatility-plugins's Introduction

Volatility Plugins

volatility-plugins's People

Contributors

Stargazers

Watchers

Forkers

volatility-plugins's Issues

Add full path to Prefetch

*** Failed to import volatility.plugins.chromehistory (ImportError: No module named csv)

Always this error

Upgrade to Volatility3?

Can chromecookies support Chrome 83?

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent