[Vol-dev] get_symbol

Michael Hale Ligh michael.hale at gmail.com
Thu May 2 10:36:38 CDT 2013


Awesome work, Carl!

I'm looking forward to working with your solution. A pretty powerful update
to many of the existing volatility plugins could be to use the symbol
resolution as either its primary or secondary method of finding data
structures.

Also, don't forget about the plugin contest [1], I think this would make a
nice submission:
http://volatility-labs.blogspot.com/2013/01/the-1st-annual-volatility-framework.html

Thanks,
MHL


On Wed, May 1, 2013 at 2:03 PM, Carl Pulley <c.pulley at acme-labs.org.uk> wrote:

> Hi Pranjal,
>   as promised, I've now released a plugin that wraps up pdbparse and so
> allows Windows symbol lookups.
>
> Symbol files are automatically downloaded upon demand and stored within
> the Volatility cache directories. As all testing has currently been on OS X
> and Ubuntu boxes, (ironically) there may be issues in using the code within
> a Windows environment!
>
> In the end, I didn't rework the name undecoration code (phew!). However,
> to avoid a possible segmentation fault, you currently need to apply a small
> patch when building pdbparse.
>
> FYI, undecoration doesn't process exported strings (though this shouldn't
> be hard to do as these are currently recognised, but not decoded) and
> there's a small number of (template?) related function names that do not
> get undecorated (this is in common with Wine's undname.c code - pdbparse's
> src/undname.c is based on the same code).
>
> Details of the (minor) pdbparse patch are here:
>
>   https://code.google.com/p/pdbparse/issues/detail?id=13
>
> and the plugin code is here:
>
>   https://github.com/carlpulley/volatility/blob/master/symbols.py
>
> Despite nomenclature, the idea is not to really use this code as a plugin!
> Either: extend the plugin (and so get access to its lookup method); or
> create an instance of the plugin's class and then call calculate (which
> will allow lookup to then be initialised and usable).
>
> Hope that helps,
>
>   Carl.
>
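Carl's message describes two pieces that a symbol-lookup plugin for Volatility needs: locating the right PDB for a loaded module (the GUID and age from the module's debug record select the file on the symbol server) and turning addresses into `module!symbol+offset` strings once the PDB has been parsed. The Python below is an added example written for this page; it is not Carl's symbols.py, and it uses neither pdbparse nor the Volatility plugin API (the real plugin's `lookup` and `calculate` signatures are not shown in the thread). The symbol-server path layout is the public convention Microsoft's symbol server uses; every module name, base address and RVA in `example_resolver` is a constructed value for the demo, not a real Windows kernel address.

```python
import bisect
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Public Microsoft symbol server; a pdbparse-backed plugin fetches PDBs from here on demand.
MS_SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"


def symbol_server_path(pdb_name: str, guid: str, age: int) -> str:
    """Return the URL under which a symbol server stores a given PDB.

    A PE's RSDS (CodeView) debug record carries the PDB file name, a GUID and
    an age.  The server layout is <pdb>/<GUID as 32 upper-case hex digits>
    <age as upper-case hex, unpadded>/<pdb>.  This is symbol-server
    convention, not anything specific to Carl's plugin.
    """
    guid_hex = guid.replace("-", "").upper()
    if len(guid_hex) != 32 or any(c not in "0123456789ABCDEF" for c in guid_hex):
        raise ValueError(f"not a GUID: {guid!r}")
    if age < 0:
        raise ValueError("age must be non-negative")
    return f"{MS_SYMBOL_SERVER}/{pdb_name}/{guid_hex}{age:X}/{pdb_name}"


@dataclass
class Module:
    """One loaded module with the symbols recovered from its PDB (name -> RVA)."""
    name: str
    base: int
    size: int
    symbols: Dict[str, int]
    _rvas: List[int] = field(init=False, repr=False)
    _names: List[str] = field(init=False, repr=False)

    def __post_init__(self) -> None:
        # Sort once so address -> symbol lookups are a binary search.
        ordered = sorted(self.symbols.items(), key=lambda kv: kv[1])
        self._rvas = [rva for _, rva in ordered]
        self._names = [name for name, _ in ordered]

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size

    def nearest(self, address: int) -> Tuple[str, int]:
        """Nearest preceding symbol and the distance to it.

        Falls back to the module base when the address lies before the first
        symbol (e.g. inside the PE headers).
        """
        rva = address - self.base
        i = bisect.bisect_right(self._rvas, rva) - 1
        if i < 0:
            return self.name, rva
        return f"{self.name}!{self._names[i]}", rva - self._rvas[i]


class SymbolResolver:
    """Both directions of lookup over a set of modules."""

    def __init__(self) -> None:
        self._modules: List[Module] = []

    def add_module(self, module: Module) -> None:
        self._modules.append(module)

    def address_of(self, qualified: str) -> int:
        """'module!symbol' -> virtual address; KeyError if unknown."""
        modname, _, sym = qualified.partition("!")
        for m in self._modules:
            if m.name == modname and sym in m.symbols:
                return m.base + m.symbols[sym]
        raise KeyError(qualified)

    def resolve(self, address: int) -> Optional[str]:
        """Virtual address -> 'module!symbol+0xoff'; None if no module maps it."""
        for m in self._modules:
            if m.contains(address):
                name, off = m.nearest(address)
                return name if off == 0 else f"{name}+{off:#x}"
        return None


def example_resolver() -> SymbolResolver:
    """Constructed sample data: bases, sizes and RVAs are made up for the demo."""
    r = SymbolResolver()
    r.add_module(Module("nt", 0xFFFFF80002600000, 0x5E5000,
                        {"KeBugCheckEx": 0x1A000,
                         "PsActiveProcessHead": 0x2D0080,
                         "NtCreateFile": 0x38F2A0}))
    r.add_module(Module("hal", 0xFFFFF80002000000, 0x40000,
                        {"HalInitSystem": 0x1000}))
    return r


if __name__ == "__main__":
    print(symbol_server_path("ntkrnlmp.pdb", "01234567-89ab-cdef-0123-456789abcdef", 2))
    r = example_resolver()
    for addr in (0xFFFFF80002600000 + 0x1A010, 0xFFFFF80002001000, 0x1000):
        print(f"{addr:#x} -> {r.resolve(addr)}")
    print(f"nt!NtCreateFile -> {r.address_of('nt!NtCreateFile'):#x}")
```

The nearest-preceding-symbol search is what makes the "secondary method of finding data structures" idea in the reply work: a plugin that already has a kernel address can name it, and a plugin that knows a symbol name can get its address without scanning for pool tags or signatures. In a real plugin the `Module` table would be filled from the loaded-module list and the parsed PDB rather than from constants.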