[Vol-dev] Pythonisms and volatility-isms for structs

Michael Hale Ligh michael.hale at gmail.com
Mon Apr 15 22:10:14 CDT 2013


Hey Edwin,

1) It depends what type of pattern you're trying to match. If the pattern
is a simple byte string like "one" or "\x0d\x0a" you can just do
address_space.zread(address, size) == "one". If the pattern is a regular
expression you can also use the python re module (some examples in the
moddump and driverirp plugins). Also you can use yara for pattern matching
(there's a yarascan for windows and now a linux_yarascan plugin so look in
there for examples). Also if you do happen to want to search also, you can
use proc.search_process_memory(["one", "two"]) etc.

2) There is partial documentation on the wiki, see the 2.0 developers guide
https://code.google.com/p/volatility/wiki/VolatilityObjects20. It's
obviously a little dated since we're almost in 2.3 but most is still
accurate. Or just check out how it's done in one of the other plugins like
dumpcerts (
https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/dumpcerts.py)
which manually defines a vtype (the structure name, members, offsets,
types) and then creates an "object class" (inherits from obj.CType) to give
it custom methods etc.

Hope it helps,
MHL



On Mon, Apr 15, 2013 at 8:37 AM, Edwin Smulders <edwin.smulders at gmail.com>wrote:

> Hello all,
>
> I have arrived at an implementation part of my research and I was
> wondering if you have any advice or documentation on some "pythonisms"
> and "volatility-isms" I could be using to do this implementation.
>
> My question is two-fold:
>
> 1) I have acquired a small part of memory using read/zread and want to
> match (not search) this part of memory to a specific pattern. Do you
> know of any pythonisms I could be using, other than checking and
> matching byte by byte? Is there some type pattern I could use? I
> suspect I'll just have to evaluate a list of rules, but I figured I'd
> ask anyway.
> 2) Some parts of memory I am interested in are originally (C) structs,
> I'd like to map these to objects similar to the way this is done for
> structs like 'task_struct' and 'mm_struct', is there any documentation
> on the way this is done?
>
> If it matters, this is all in process address space.
>
> Cheers,
> Edwin
> _______________________________________________
> Vol-dev mailing list
> Vol-dev at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
>
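The two techniques MHL describes (matching bytes returned by zread against a fixed string or a regex, and describing a C struct as a vtype dictionary and wrapping it in an object class with custom methods) can be sketched without a memory image. The following is an added example and is not Volatility code, nor code from either poster: the address space, the vtype table and the CType-like class are stand-alone stand-ins that only mirror the shape of Volatility's `{name: [size, {member: [offset, [type]]}]}` vtype convention. The sample bytes, the `demo_header` struct, the base address 0x1000 and the zero-fill semantics of `zread` are all constructed assumptions for the illustration.

```python
import re
import struct

# --- constructed sample memory: a 16-byte little-endian header followed by filler ---
SAMPLE = (b"ONE\x00" + struct.pack("<HHQ", 3, 0x1, 0x2000)  # demo_header at 0x1000
          + b"padding!" + b"two" + b"\x00" * 5)             # "two" lands at 0x1018


class BufferAddressSpace:
    """Minimal stand-in for a Volatility address space (assumption: not the real class)."""

    def __init__(self, data, base=0x1000):
        self.data = data
        self.base = base

    def zread(self, addr, length):
        # zread semantics (assumed): bytes that cannot be read come back as zeros,
        # so callers never get a short read and can compare against a fixed pattern.
        start = addr - self.base
        if start < 0 or start >= len(self.data):
            return b"\x00" * length
        chunk = self.data[start:start + length]
        return chunk + b"\x00" * (length - len(chunk))


def matches_exact(aspace, addr, pattern):
    """Match (not search): compare the bytes at addr with a fixed byte string."""
    return aspace.zread(addr, len(pattern)) == pattern


def matches_regex(aspace, addr, size, regex):
    """Match a regular expression anchored at addr, as the re module allows on bytes."""
    return re.match(regex, aspace.zread(addr, size)) is not None


def search_memory(aspace, patterns):
    """Search the whole space for several byte strings, returning (address, pattern) hits."""
    hits = []
    for pat in patterns:
        for m in re.finditer(re.escape(pat), aspace.data):
            hits.append((aspace.base + m.start(), pat))
    return sorted(hits)


# --- vtype-style struct description: name -> [size, {member: [offset, [type, ...]]}] ---
VTYPES = {
    "demo_header": [16, {
        "magic":   [0, ["String", {"length": 4}]],
        "version": [4, ["unsigned short"]],
        "flags":   [6, ["unsigned short"]],
        "next":    [8, ["pointer"]],          # 64-bit pointer assumed
    }],
}

# Primitive type name -> struct format (little-endian assumed for the sample).
PRIMITIVES = {"unsigned short": "<H", "unsigned int": "<I", "pointer": "<Q"}


class CType:
    """Generic struct object: member names resolve to values decoded from the address space."""

    def __init__(self, type_name, aspace, offset):
        self.type_name = type_name
        self.aspace = aspace
        self.offset = offset
        self.size, self._members = VTYPES[type_name]

    def __getattr__(self, name):
        members = self.__dict__.get("_members", {})
        if name not in members:
            raise AttributeError(name)
        rel, typedesc = members[name]
        kind, extra = typedesc[0], typedesc[1:]
        addr = self.offset + rel
        if kind == "String":
            raw = self.aspace.zread(addr, extra[0]["length"])
            return raw.split(b"\x00", 1)[0]       # stop at the first NUL
        fmt = PRIMITIVES[kind]
        return struct.unpack(fmt, self.aspace.zread(addr, struct.calcsize(fmt)))[0]


class demo_header(CType):
    """Object class for the constructed struct: adds a sanity check as a custom method."""

    def is_valid(self):
        return self.magic == b"ONE" and 1 <= self.version <= 10


def parse_demo_header(aspace, addr):
    """Instantiate the struct at addr, the way a plugin would wrap a vtype."""
    return demo_header("demo_header", aspace, addr)


if __name__ == "__main__":
    aspace = BufferAddressSpace(SAMPLE)
    hdr = parse_demo_header(aspace, 0x1000)
    print(hdr.magic, hdr.version, hex(hdr.next), hdr.is_valid())
    print(search_memory(aspace, [b"one", b"two"]))
```

Note that `matches_exact` is case-sensitive and the search for `b"one"` finds nothing because the sample holds `b"ONE"`; if a pattern should tolerate such variation, a regex with the `re.IGNORECASE` flag (or a yara rule) is the better fit than a fixed byte string.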