sync with 2.3.1 from trunk

README.txt

@@ -152,7 +152,6 @@ Options:
                         A URN location from which to load an address space
   -w, --write           Enable write support
   --dtb=DTB             DTB Address
-  --cache-dtb           Cache virtual to physical mappings
   --output=text         Output in this format (format support is module
                         specific)
   --output-file=OUTPUT_FILE

volatility/commands.py

@@ -21,6 +21,8 @@
 import sys, textwrap
 import volatility.debug as debug
 import volatility.fmtspec as fmtspec
+import volatility.obj as obj
+import volatility.registry as registry
 import volatility.addrspace as addrspace
 
 class Command(object):
@@ -85,7 +87,14 @@ def calculate(self):
 
     def execute(self):
         """ Executes the plugin command."""
-        ## Executing plugins is done in two stages - first we calculate
+        # Check we can support the plugins
+        profs = registry.get_plugin_classes(obj.Profile)
+        if self._config.PROFILE not in profs:
+            debug.error("Invalid profile " + self._config.PROFILE + " selected")
+        if not self.is_valid_profile(profs[self._config.PROFILE]()):
+            debug.error("This command does not support the profile " + self._config.PROFILE)
+
+        # # Executing plugins is done in two stages - first we calculate
         data = self.calculate()
 
         ## Then we render the result in some way based on the

volatility/constants.py

@@ -24,7 +24,7 @@
 
 import os, sys
 
-VERSION = "2.3_beta"
+VERSION = "2.3.1"
 
 SCAN_BLOCKSIZE = 1024 * 1024 * 10
 

volatility/plugins/addrspaces/amd64.py

@@ -60,7 +60,6 @@ class AMD64PagedMemory(paged.AbstractWritablePagedMemory):
        "Windows Internals, 5th Edition", Microsoft Press, 2009.
     """
     order = 60
-    cache = False
     pae = False
     checkname = 'AMD64ValidAS'
     paging_address_space = True

volatility/plugins/addrspaces/arm.py

@@ -28,25 +28,12 @@
 
 class ArmAddressSpace(paged.AbstractWritablePagedMemory):
     order = 800
-    cache = False
     pae = False
     paging_address_space = True
     checkname = 'ArmValidAS'
     minimum_size = 0x1000
     alignment_gcd = 0x1000
 
-    def _cache_values(self):
-        '''
-        buf = self.base.read(self.dtb, 0x1000)
-        if buf is None:
-            self.cache = False
-        else:
-            self.pde_cache = struct.unpack('<' + 'I' * 0x400, buf)
-    
-        '''
-        #print "skipping cache"
-        pass
-
     def read_long_phys(self, addr):
         '''
         Returns an unsigned 32-bit integer from the address addr in

volatility/plugins/addrspaces/intel.py

@@ -69,7 +69,6 @@ class IA32PagedMemory(paged.AbstractWritablePagedMemory):
        "Windows Internals, 5th Edition", Microsoft Press, 2009.
     """
     order = 70
-    cache = False
     pae = False
     paging_address_space = True
     checkname = 'IA32ValidAS'

volatility/plugins/addrspaces/macho.py

@@ -143,7 +143,6 @@ class MachOAddressSpace(addrspace.AbstractRunBasedMemory):
     From there we can translate between incoming address requests to memory contents
     """
     order = 1
-    cache = False
     pae = True
     checkname = 'MachOValidAS'
 

volatility/plugins/addrspaces/paged.py

@@ -27,7 +27,6 @@ class AbstractPagedMemory(addrspace.AbstractVirtualAddressSpace):
         
     Note: Pages can be of any size
     """
-    cache = False
     checkname = "Intel"
 
     def __init__(self, base, config, dtb = 0, skip_as_check = False, *args, **kwargs):
@@ -44,12 +43,6 @@ def __init__(self, base, config, dtb = 0, skip_as_check = False, *args, **kwargs
 
         self.as_assert(self.dtb != None, "No valid DTB found")
 
-        # The caching code must be in a separate function to allow the
-        # PAE code, which inherits us, to have its own code.
-        self.cache = config.CACHE_DTB
-        if self.cache:
-            self._cache_values()
-
         if not skip_as_check:
             volmag = obj.VolMagic(self)
             if hasattr(volmag, self.checkname):
@@ -61,12 +54,6 @@ def __init__(self, base, config, dtb = 0, skip_as_check = False, *args, **kwargs
         #self.pagefile = config.PAGEFILE
         self.name = 'Kernel AS'
 
-    def _cache_values(self):
-        '''
-        We cache the top level tables to avoid having to 
-        look them up later.
-        '''
-
     def load_dtb(self):
         """Loads the DTB as quickly as possible from the config, then the base, then searching for it"""
         try:
@@ -97,9 +84,6 @@ def register_options(config):
         config.add_option("DTB", type = 'int', default = 0,
                           help = "DTB Address")
 
-        config.add_option("CACHE-DTB", action = "store_false", default = True,
-                          help = "Cache virtual to physical mappings")
-
     def vtop(self, addr):
         """Abstract function that converts virtual (paged) addresses to physical addresses"""
         pass

volatility/plugins/dumpfiles.py

@@ -834,6 +834,18 @@ def calculate(self):
                                     continue
                                 file_object = vad.FileObject
                                 if file_object:
+
+                                    # Filter for specific FILE_OBJECTS based on user defined
+                                    # regular expression. (Performance optimization)
+                                    if self._config.REGEX:
+                                        name = None
+                                        if file_object.FileName:
+                                            name = str(file_object.file_name_with_device())
+                                        if not name:
+                                            continue
+                                        if not file_re.search(name):
+                                            continue
+
                                     vadfiles.append(file_object)
                             except AttributeError:
                                 pass
@@ -845,7 +857,21 @@ def calculate(self):
                             otype = handle.get_object_type()
                             if otype == "File":
                                 file_obj = handle.dereference_as("_FILE_OBJECT")
-                                handlefiles.append(file_obj)
+
+                                if file_obj:
+
+                                    # Filter for specific FILE_OBJECTS based on user defined
+                                    # regular expression. (Performance Optimization)
+                                    if self._config.REGEX:
+                                        name = None
+                                        if file_obj.FileName:
+                                            name = str(file_obj.file_name_with_device())
+                                        if not name:
+                                            continue
+                                        if not file_re.search(name):
+                                            continue
+
+                                    handlefiles.append(file_obj)
 
                 # Append the lists of file objects
                 #allfiles = handlefiles + vadfiles
@@ -864,14 +890,6 @@ def calculate(self):
                 if file_obj.FileName:
                     name = str(file_obj.file_name_with_device())
 
-                # Filter for specific FILE_OBJECTS based on user defined
-                # regular expression.
-                if self._config.REGEX:
-                    if not name:
-                        continue
-                    if not file_re.search(name):
-                        continue
-
                 # The SECTION_OBJECT_POINTERS structure is used by the memory
                 # manager and cache manager to store file-mapping and cache information
                 # for a particular file stream. We will use it to determine what type

volatility/plugins/mftparser.py

@@ -522,20 +522,24 @@ def __init__(self, config, *args, **kwargs):
         config.add_option('CHECK', short_option = 'C', default = False,
                           help = 'Only print entries w/o null timestamps',
                           action = "store_true")
+
+        config.add_option("ENTRYSIZE", short_option = "E", default = 1024,
+                          help = "MFT Entry Size",
+                          action = "store", type = "int")
     def calculate(self):
         address_space = utils.load_as(self._config, astype = 'physical')
         scanner = MFTScanner(needles = ['FILE', 'BAAD'])
         mft_entries = []
         print "Scanning for MFT entries and building directory, this can take a while"
         for offset in scanner.scan(address_space):
-            mft_buff = address_space.read(offset, 1024)
+            mft_buff = address_space.read(offset, self._config.ENTRYSIZE)
             bufferas = addrspace.BufferAddressSpace(self._config, data = mft_buff)
             mft_entry = obj.Object('MFT_FILE_RECORD', vm = bufferas,
                                offset = 0)
             next_attr = mft_entry.ResidentAttributes
             end = mft_buff.find("\xff\xff\xff\xff")
             if end == -1:
-                end = 1024
+                end = self._config.ENTRYSIZE
             attributes = []
             while next_attr != None and next_attr.obj_offset <= end:
                 try:
@@ -576,11 +580,11 @@ def calculate(self):
                         continue
                     next_attr = self.advance_one(next_off, mft_buff, end)
                 elif attr == "DATA":
+                    start = next_attr.obj_offset + next_attr.ContentOffset
+                    theend = min(start + next_attr.ContentSize, end)
                     if next_attr.Header.NonResidentFlag == 1:
                         thedata = "Non-Resident"
                     else:
-                        start = next_attr.obj_offset + next_attr.ContentOffset
-                        theend = min(start + next_attr.ContentSize, end)
                         try:
                             contents = mft_buff[start:theend]
                         except TypeError:
@@ -590,7 +594,11 @@ def calculate(self):
                         if len(thedata) == 0:
                             thedata = "(Empty)"
                     attributes.append((attr, thedata))
-                    next_attr = None 
+                    next_off = theend 
+                    if next_off == start: 
+                        next_attr = None
+                        continue
+                    next_attr = self.advance_one(next_off, mft_buff, end)
                 elif attr == "ATTRIBUTE_LIST":
                     if next_attr.Header.NonResidentFlag == 1:
                         attributes.append((attr, "Non-Resident"))

volatility/plugins/overlays/windows/crash_vtypes.py

@@ -1,3 +1,23 @@
+# Volatility
+# Copyright (c) 2008-2013 Volatility Foundation
+#
+# This file is part of Volatility.
+#
+# Volatility is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License Version 2 as
+# published by the Free Software Foundation.  You may not use, modify or
+# distribute this program under any other version of the GNU General
+# Public License.
+#
+# Volatility is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
+#
+
 crash_vtypes = {
 ## These types are for crash dumps
   '_DMP_HEADER' : [ 0x1000, {

volatility/plugins/overlays/windows/hibernate_vtypes.py

@@ -1,3 +1,23 @@
+# Volatility
+# Copyright (c) 2008-2013 Volatility Foundation
+#
+# This file is part of Volatility.
+#
+# Volatility is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License Version 2 as
+# published by the Free Software Foundation.  You may not use, modify or
+# distribute this program under any other version of the GNU General
+# Public License.
+#
+# Volatility is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
+#
+
 import volatility.obj as obj
 
 hibernate_vtypes = {

volatility/plugins/overlays/windows/pe_vtypes.py

@@ -1,3 +1,23 @@
+# Volatility
+# Copyright (c) 2008-2013 Volatility Foundation
+#
+# This file is part of Volatility.
+#
+# Volatility is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License Version 2 as
+# published by the Free Software Foundation.  You may not use, modify or
+# distribute this program under any other version of the GNU General
+# Public License.
+#
+# Volatility is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
+#
+
 import volatility.exceptions as exceptions
 import volatility.obj as obj
 

volatility/plugins/overlays/windows/ssdt_vtypes.py

@@ -1,3 +1,23 @@
+# Volatility
+# Copyright (c) 2008-2013 Volatility Foundation
+#
+# This file is part of Volatility.
+#
+# Volatility is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License Version 2 as
+# published by the Free Software Foundation.  You may not use, modify or
+# distribute this program under any other version of the GNU General
+# Public License.
+#
+# Volatility is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
+#
+
 import sys
 import volatility.debug as debug
 import volatility.obj as obj

volatility/plugins/timeliner.py

@@ -59,11 +59,10 @@
 except ImportError:
     has_openpyxl = False
 
-class TimeLiner(dlldump.DLLDump, procdump.ProcExeDump, evtlogs.EvtLogs, userassist.UserAssist):
+class TimeLiner(dlldump.DLLDump, procdump.ProcExeDump, userassist.UserAssist):
     """ Creates a timeline from various artifacts in memory """
 
     def __init__(self, config, *args):  
-        evtlogs.EvtLogs.__init__(self, config, *args)
         config.remove_option("SAVE-EVT")
         userassist.UserAssist.__init__(self, config, *args)
         config.remove_option("HIVE-OFFSET")
@@ -181,9 +180,10 @@ def calculate(self):
                             sock.obj_offset)
                 yield line
 
-            stuff = evtlogs.EvtLogs.calculate(self)
+            evt = evtlogs.EvtLogs(self._config)
+            stuff = evt.calculate()
             for name, buf in stuff:
-                for fields in self.parse_evt_info(name, buf, rawtime = True):
+                for fields in evt.parse_evt_info(name, buf, rawtime = True):
                     if not body:
                         line = '{0} |[EVT LOG]|{1}|{2}|{3}|{4}|{5}|{6}|{7}\n'.format(
                             fields[0], fields[1], fields[2], fields[3], fields[4], fields[5], fields[6], fields[7])
@@ -241,6 +241,7 @@ def calculate(self):
         data = moddump.ModDump(self._config).calculate()
 
         for addr_space, procs, mod_base, mod_name in data:
+            mod_name = str(mod_name or '')
             space = tasks.find_space(addr_space, procs, mod_base)
             if space != None:
                 try:
@@ -327,6 +328,7 @@ def calculate(self):
                 dlls = []
             for proc, ps_ad, base, basename in dlls:
                 if ps_ad.is_valid_address(base):
+                    basename = str(basename or '')
                     if basename == task.ImageFileName:
                         continue
                     try: