Python volatility.plugins.common.AbstractWindowsCommand() Examples
The following are 30
code examples of volatility.plugins.common.AbstractWindowsCommand().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.plugins.common
, or try the search function
.
.
Example #1
| Source File: mftparser.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option("OFFSET", short_option = "o", default = None, help = "Physical offset for MFT Entries (comma delimited)") config.add_option('NOCHECK', short_option = 'N', default = False, help = 'Only all entries including w/null timestamps', action = "store_true") config.add_option("ENTRYSIZE", short_option = "E", default = 1024, help = "MFT Entry Size", action = "store", type = "int") config.add_option('DUMP-DIR', short_option = 'D', default = None, cache_invalidator = False, help = 'Directory in which to dump extracted resident files') config.add_option("MACHINE", default = "", help = "Machine name to add to timeline header") config.add_option("DEBUGOUT", default = False, help = "Output debugging messages", action = "store_true")
Example #2
| Source File: timeliner.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.remove_option("SAVE-EVT") config.remove_option("HIVE-OFFSET") config.remove_option("KEY") config.remove_option("BASE") config.remove_option("REGEX") config.remove_option("IGNORE-CASE") config.remove_option("DUMP-DIR") config.remove_option("OFFSET") config.remove_option("PID") config.remove_option("UNSAFE") self.types = ["Process", "Socket", "Shimcache", "Userassist", "IEHistory", "Thread", "Symlink", "Timer", "_CM_KEY_BODY", "LoadTime", "TimeDateStamp", "_HBASE_BLOCK", "_CMHIVE", "EvtLog", "ImageDate"] config.add_option('HIVE', short_option = 'H', help = 'Gather Timestamps from a Particular Registry Hive', type = 'str') config.add_option('USER', short_option = 'U', help = 'Gather Timestamps from a Particular User\'s Hive(s)', type = 'str') config.add_option("MACHINE", default = "", help = "Machine name to add to timeline header") config.add_option("TYPE", default = "".join([",".join(x for x in sorted(self.types))]), help = "Type of artifact to use in timeline (default is all, but \"Registry\")")
Example #3
| Source File: autoruns.py From volatility-autoruns with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option("ASEP-TYPE", short_option='t', default=None, help='Only collect the ASEP types specified. Select from: autoruns, services, appinit, winlogon, tasks, activesetup, sdb (comma-separated)', action='store', type='str') config.remove_option("VERBOSE") config.add_option("VERBOSE", short_option='v', default=False, help='Show entries that are normally filtered out (Ex. Services from the System32 folder)', action='store_true') self.process_dict = {} self.autoruns = [] self.services = [] self.appinit_dlls = [] self.winlogon = [] self.winlogon_registrations = [] self.tasks = [] self.activesetup = [] self.sdb = []
Example #4
| Source File: strings.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('STRING-FILE', short_option = 's', default = None, help = 'File output in strings format (offset:string)', action = 'store', type = 'str') config.add_option("SCAN", short_option = 'S', default = False, action = 'store_true', help = 'Use PSScan if no offset is provided') config.add_option('OFFSET', short_option = 'o', default = None, help = 'EPROCESS offset (in hex) in the physical address space', action = 'store', type = 'int') config.add_option('PID', short_option = 'p', default = None, help = 'Operate on these Process IDs (comma-separated)', action = 'store', type = 'str') config.add_option('LOOKUP-PID', short_option = 'L', default = False, action = 'store_true', help = 'Lookup the ImageFileName of PIDs')
Example #5
| Source File: timeliner.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.remove_option("SAVE-EVT") config.remove_option("HIVE-OFFSET") config.remove_option("KEY") config.remove_option("BASE") config.remove_option("REGEX") config.remove_option("IGNORE-CASE") config.remove_option("DUMP-DIR") config.remove_option("OFFSET") config.remove_option("PID") config.remove_option("UNSAFE") self.types = ["Process", "Socket", "Shimcache", "Userassist", "IEHistory", "Thread", "Symlink", "Timer", "_CM_KEY_BODY", "LoadTime", "TimeDateStamp", "_HBASE_BLOCK", "_CMHIVE", "EvtLog", "ImageDate"] config.add_option('HIVE', short_option = 'H', help = 'Gather Timestamps from a Particular Registry Hive', type = 'str') config.add_option('USER', short_option = 'U', help = 'Gather Timestamps from a Particular User\'s Hive(s)', type = 'str') config.add_option("MACHINE", default = "", help = "Machine name to add to timeline header") config.add_option("TYPE", default = "".join([",".join(x for x in sorted(self.types))]), help = "Type of artifact to use in timeline (default is all, but \"Registry\")")
Example #6
| Source File: timeliner.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.remove_option("SAVE-EVT") config.remove_option("HIVE-OFFSET") config.remove_option("KEY") config.remove_option("BASE") config.remove_option("REGEX") config.remove_option("IGNORE-CASE") config.remove_option("DUMP-DIR") config.remove_option("OFFSET") config.remove_option("PID") config.remove_option("UNSAFE") self.types = ["Process", "Socket", "Shimcache", "Userassist", "IEHistory", "Thread", "Symlink", "Timer", "_CM_KEY_BODY", "LoadTime", "TimeDateStamp", "_HBASE_BLOCK", "_CMHIVE", "EvtLog", "ImageDate"] config.add_option('HIVE', short_option = 'H', help = 'Gather Timestamps from a Particular Registry Hive', type = 'str') config.add_option('USER', short_option = 'U', help = 'Gather Timestamps from a Particular User\'s Hive(s)', type = 'str') config.add_option("MACHINE", default = "", help = "Machine name to add to timeline header") config.add_option("TYPE", default = "".join([",".join(x for x in sorted(self.types))]), help = "Type of artifact to use in timeline (default is all, but \"Registry\")")
Example #7
| Source File: mftparser.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option("OFFSET", short_option = "o", default = None, help = "Physical offset for MFT Entries (comma delimited)") config.add_option('NOCHECK', short_option = 'N', default = False, help = 'Only all entries including w/null timestamps', action = "store_true") config.add_option("ENTRYSIZE", short_option = "E", default = 1024, help = "MFT Entry Size", action = "store", type = "int") config.add_option('DUMP-DIR', short_option = 'D', default = None, cache_invalidator = False, help = 'Directory in which to dump extracted resident files') config.add_option("MACHINE", default = "", help = "Machine name to add to timeline header") config.add_option("DEBUGOUT", default = False, help = "Output debugging messages", action = "store_true")
Example #8
| Source File: strings.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('STRING-FILE', short_option = 's', default = None, help = 'File output in strings format (offset:string)', action = 'store', type = 'str') config.add_option("SCAN", short_option = 'S', default = False, action = 'store_true', help = 'Use PSScan if no offset is provided') config.add_option('OFFSET', short_option = 'o', default = None, help = 'EPROCESS offset (in hex) in the physical address space', action = 'store', type = 'int') config.add_option('PID', short_option = 'p', default = None, help = 'Operate on these Process IDs (comma-separated)', action = 'store', type = 'str') config.add_option('LOOKUP-PID', short_option = 'L', default = False, action = 'store_true', help = 'Lookup the ImageFileName of PIDs')
Example #9
| Source File: shimcache.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): self._addrspace = None common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
Example #10
| Source File: cmdhistory.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) # The default comes from HKCU\Console\HistoryBufferSize config.add_option('MAX_HISTORY', short_option = 'M', default = MAX_HISTORY_DEFAULT, action = 'store', type = 'int', help = 'CommandCountMax (default = 50)')
Example #11
| Source File: impscan.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) # Define a new PID option instead of inheriting from # taskmods.DllList because this one cannot be a comma # separated list of PIDs. config.remove_option('PID') config.add_option('PID', short_option = 'p', default = None, help = 'Process ID (leave off to scan kernel memory)', action = 'store', type = 'int') config.add_option('OFFSET', short_option = 'o', default = None, help = 'EPROCESS offset (in hex) in the physical address space', action = 'store', type = 'int') # The base address in kernel or process memory where # we begin scanning. This is an executable region with # assembly instructions like a .text or .code PE section. config.add_option('BASE', short_option = 'b', default = None, help = 'Base address in process memory if --pid ' + 'is supplied, otherwise an address in kernel space', action = 'store', type = 'int') # The size in bytes of data to scan from the base address. config.add_option('SIZE', short_option = 's', default = None, help = 'Size of memory to scan', action = 'store', type = 'int') self.forwarded_imports = { "RtlGetLastWin32Error" : "kernel32.dll!GetLastError", "RtlSetLastWin32Error" : "kernel32.dll!SetLastError", "RtlRestoreLastWin32Error" : "kernel32.dll!SetLastError", "RtlAllocateHeap" : "kernel32.dll!HeapAlloc", "RtlReAllocateHeap" : "kernel32.dll!HeapReAlloc", "RtlFreeHeap" : "kernel32.dll!HeapFree", "RtlEnterCriticalSection" : "kernel32.dll!EnterCriticalSection", "RtlLeaveCriticalSection" : "kernel32.dll!LeaveCriticalSection", "RtlDeleteCriticalSection" : "kernel32.dll!DeleteCriticalSection", "RtlZeroMemory" : "kernel32.dll!ZeroMemory", "RtlSizeHeap" : "kernel32.dll!HeapSize", "RtlUnwind" : "kernel32.dll!RtlUnwind", }
Example #12
| Source File: userassist.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('HIVE-OFFSET', short_option = 'o', help = 'Hive offset (virtual)', type = 'int') self.regapi = registryapi.RegistryApi(self._config)
Example #13
| Source File: strings.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('STRING-FILE', short_option = 's', default = None, help = 'File output in strings format (offset:string)', action = 'store', type = 'str') config.add_option("SCAN", short_option = 'S', default = False, action = 'store_true', help = 'Use PSScan if no offset is provided') config.add_option('OFFSET', short_option = 'o', default = None, help = 'EPROCESS offset (in hex) in the physical address space', action = 'store', type = 'int') config.add_option('PID', short_option = 'p', default = None, help = 'Operate on these Process IDs (comma-separated)', action = 'store', type = 'str')
Example #14
| Source File: lsadump.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('SYS-OFFSET', short_option = 'y', type = 'int', help = 'SYSTEM hive offset (virtual)') config.add_option('SEC-OFFSET', short_option = 's', type = 'int', help = 'SECURITY hive offset (virtual)')
Example #15
| Source File: lsadump.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('SYS-OFFSET', short_option = 'y', type = 'int', help = 'SYSTEM hive offset (virtual)') config.add_option('SAM-OFFSET', short_option = 's', type = 'int', help = 'SAM hive offset (virtual)')
Example #16
| Source File: lsadump.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('SYS-OFFSET', short_option = 'y', type = 'int', help = 'SYSTEM hive offset (virtual)') config.add_option('SEC-OFFSET', short_option = 's', type = 'int', help = 'SECURITY hive offset (virtual)')
Example #17
| Source File: shellbags.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option("MACHINE", default = "", help = "Machine name to add to timeline header") self.supported = ["FILE_ENTRY", "FOLDER_ENTRY", "CONTROL_PANEL", "VOLUME_NAME", "NETWORK_VOLUME_NAME", "NETWORK_SHARE", "UNKNOWN_00"] self.paths = {}
Example #18
| Source File: tcaudit.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('MIN-LENGTH', short_option = 'M', default = 5, help = 'Mimumim length of passphrases to identify', action = 'store', type = 'int')
Example #19
| Source File: psxview.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args): common.AbstractWindowsCommand.__init__(self, config, *args) config.add_option("PHYSICAL-OFFSET", short_option = 'P', default = False, help = "Physical Offset", action = "store_true") config.add_option("APPLY-RULES", short_option = 'R', default = False, help = "Apply known good rules", action = "store_true")
Example #20
| Source File: evtlogs.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('SAVE-EVT', short_option = 'S', default = False, action = 'store_true', help = 'Save the raw .evt files also') config.add_option('DUMP-DIR', short_option = 'D', default = None, cache_invalidator = False, help = 'Directory in which to dump executable files') self.extrasids = {}
Example #21
| Source File: editbox.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) # Filter specific processes config.add_option('PID', short_option='p', default=None, help='Operate on these Process IDs (comma-separated)', action='store', type='str') config.add_option('DUMP-DIR', short_option='D', default=None, help='Save the found text to files in this folder', action='store', type='str') self.fake_32bit = False
Example #22
| Source File: printkey.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('HIVE-OFFSET', short_option = 'o', type = 'int', help = 'Hive offset (virtual)')
Example #23
| Source File: userassist.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('HIVE-OFFSET', short_option = 'o', help = 'Hive offset (virtual)', type = 'int') self.regapi = None
Example #24
| Source File: amcache.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('HIVE-OFFSET', short_option = 'o', help = 'Hive offset (virtual)', type = 'int') self.regapi = None
Example #25
| Source File: auditpol.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('HEX', short_option = 'H', default = False, help = 'Output HEX of Policy\\PolAdtEv key', action = "store_true")
Example #26
| Source File: lsadump.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('SYS-OFFSET', short_option = 'y', type = 'int', help = 'SYSTEM hive offset (virtual)') config.add_option('SEC-OFFSET', short_option = 's', type = 'int', help = 'SECURITY hive offset (virtual)')
Example #27
| Source File: lsadump.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('SYS-OFFSET', short_option = 'y', type = 'int', help = 'SYSTEM hive offset (virtual)') config.add_option('SEC-OFFSET', short_option = 's', type = 'int', help = 'SECURITY hive offset (virtual)')
Example #28
| Source File: shimcache.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): self._addrspace = None common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
Example #29
| Source File: dumpregistry.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('HIVE-OFFSET', short_option = 'o', default = None, help = 'Hive offset (virtual)', action = 'store', type = 'int') config.add_option('DUMP-DIR', short_option = 'D', default = None, cache_invalidator = False, help = 'Directory in which to dump extracted files')
Example #30
| Source File: shutdown.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, config, *args, **kwargs): common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs) config.add_option('HIVE-OFFSET', short_option = 'o', help = 'Hive offset (virtual)', type = 'int') self.regapi = None
