Wubi Posted July 26, 2012
By Mayuresh

Our first post regarding the Volatility Framework can be found here. An update – Volatility Framework version 2.1 RC3 – was released a few hours ago!

“The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The Volatility framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.”

Changes made to Volatility Framework:
- Prevent the ‘NoneObject as string’ warning when using regex with dlldump and moddump.
- Added pas2vas for linux and windows.
- Added tests for Volatility Framework PFN modules.
- Started implementing yara discontiguous scanner.
- Fixed some Vad info bugs in the Volatility Framework.
- Added a single binary memory imager console application which unpacks the correct driver and takes an image.
- Fixed vaddump to write sparse output files in order to handle extremely huge vad mappings with no backing (see issue 306).
- Add a Length property to MMVAD to reduce confusion over the purpose of vad.End and minimize the chance of off-by-one errors when calculating vad lengths.
- Add scudette’s BaseYaraScanner, VadYaraScanner, and DiscontigYaraScanner to malfind.py. This fixes yarascan on x64 kernelmode. The EPROCESS.get_vads() API changes a bit. It results in greater speed when using ldrmodules because only the first 2 bytes are needed instead of the whole vad region. Also a new method VADDump.dump_vad is added which aims to write vads to a file in small chunks rather than building a large buffer in memory, which can exhaust/consume the analysis system’s RAM.
- Make sure we don’t use the same variable for different things in malfind BaseScanner.
- Apply a remedy for issue 306 – vaddump on wow64 processes with MM_MAX_COMMIT. We don’t want to dump these multi-terabyte ranges with no valid pages.
- Bring back the ability for malfind to ignore VADs whose entire region is either unavailable due to paging or all 0’s… this was lost in r2077 because we avoided reading the entire range into memory at once.
- Fix an off-by-one error in the impscan plugin. Use the new vad.Length property added in r2076.
- Add a comment to yarascan which explains why module lookups will fail when operating in kernelmode on x64. It’ll be a known issue of the plugin for 2.1, after which time we’ll update trunk’s Pointer.v() and be able to test more thoroughly before a release.
- Added command line argument parsing for backwards compatibility with the old Volatility Framework.
- Added threadscan and modscan again.
- Added tests for yarascan.
- Ported the netscan module to the new Volatility Framework.
- Updated documentation to winpmem binary and cleaned up the code a bit.
- Removed empty directory.
- Until we can fix the Pointer.v() 48-bit truncation globally, fix the yarascan module resolution on x64 by supplying it with a private version of find_module that does the truncation.
- Bump to rc3 because of the Pointer.v() fix for yarascan.

Download Volatility Framework:
Volatility Framework 2.1 RC3 - volatility-2.1-rc3.tar.gz / volatility-2.1_rc1.win32.exe

Source: Volatility Framework 2.1 version RC3! — PenTestIT
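As an added illustration that is not part of the post above and not Volatility's own source, the following Python sketch models three of the VAD changes in the changelog: a Length property on an inclusive-End range (the off-by-one the notes mention), a chunked dump that seeks over paged-out chunks to produce a sparse file instead of buffering the whole region, and the streaming check that a region is entirely unavailable or all zeros. The names Vad, FakeAddressSpace, dump_vad and vad_is_empty, and the sample pages, are hypothetical constructions for this example.

```python
# Added illustration, not Volatility's own code: a simplified model of the VAD
# handling described in the RC3 changelog. All names here are hypothetical.
import io

PAGE_SIZE = 0x1000


class Vad:
    """A VAD-like range whose End is the last address *inside* the range (inclusive)."""

    def __init__(self, start, end):
        self.Start = start
        self.End = end

    @property
    def Length(self):
        # Because End is inclusive, the byte count is End - Start + 1.
        # Using End - Start (the classic off-by-one) would drop the last byte.
        return self.End - self.Start + 1


class FakeAddressSpace:
    """Constructed stand-in for a process address space: a dict of resident
    pages keyed by page-aligned address; any other page is treated as paged out."""

    def __init__(self, pages):
        self.pages = pages

    def read(self, addr, length):
        """Return `length` bytes starting at addr, or None if any page is unavailable."""
        out = bytearray()
        cur = addr
        while cur < addr + length:
            base = cur & ~(PAGE_SIZE - 1)
            page = self.pages.get(base)
            if page is None:
                return None
            off = cur - base
            take = min(PAGE_SIZE - off, addr + length - cur)
            out += page[off:off + take]
            cur += take
        return bytes(out)


def dump_vad(outfile, addr_space, vad, chunk=PAGE_SIZE):
    """Write the VAD to outfile one chunk at a time, seeking over unavailable
    chunks so the output is sparse. Returns (bytes_written, bytes_skipped)."""
    written = skipped = 0
    offset = 0
    tail_is_hole = False
    while offset < vad.Length:
        size = min(chunk, vad.Length - offset)
        data = addr_space.read(vad.Start + offset, size)
        if data is None:
            outfile.seek(size, io.SEEK_CUR)   # leave a hole; nothing is buffered
            skipped += size
            tail_is_hole = True
        else:
            outfile.write(data)
            written += size
            tail_is_hole = False
        offset += size
    if tail_is_hole:
        # A trailing hole would leave the file short; pin its length with one byte.
        outfile.seek(vad.Length - 1)
        outfile.write(b"\x00")
    return written, skipped


def vad_is_empty(addr_space, vad, chunk=PAGE_SIZE):
    """True when every chunk is unavailable (paged out) or consists only of zero
    bytes. Streams chunk by chunk so the whole range is never held in memory."""
    offset = 0
    while offset < vad.Length:
        size = min(chunk, vad.Length - offset)
        data = addr_space.read(vad.Start + offset, size)
        if data is not None and data.count(0) != len(data):
            return False
        offset += size
    return True


# Constructed sample: a four-page region where pages 0 and 2 are resident
# (page 0 starts with an "MZ" header, page 2 is all zeros) and pages 1 and 3
# are paged out.
SAMPLE_AS = FakeAddressSpace({
    0x10000: b"MZ" + b"\x00" * (PAGE_SIZE - 2),
    0x12000: b"\x00" * PAGE_SIZE,
})
SAMPLE_VAD = Vad(0x10000, 0x13FFF)


if __name__ == "__main__":
    buf = io.BytesIO()
    print("Length:", hex(SAMPLE_VAD.Length))
    print("written/skipped:", dump_vad(buf, SAMPLE_AS, SAMPLE_VAD))
    print("output size:", hex(len(buf.getvalue())))
    print("entire region empty?", vad_is_empty(SAMPLE_AS, SAMPLE_VAD))
    print("zero/paged-out tail empty?", vad_is_empty(SAMPLE_AS, Vad(0x12000, 0x13FFF)))
```

The dump writes only the two resident pages yet yields an output exactly Length bytes long, and the emptiness check rejects the region as soon as it meets the "MZ" bytes, without ever reading more than one chunk at a time.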