Merge pull request #501 from mutedmouse/master

Added unified output to netstat (linux) and ppid to pslist (mac)
volatilityfoundation · Dec 6, 2018 · 9c1c613 · 9c1c613
2 parents 0335b6f + c043acf
commit 9c1c613
Show file tree

Hide file tree

Showing 3 changed files with 95 additions and 5 deletions.
diff --git a/volatility/plugins/gui/editbox.py b/volatility/plugins/gui/editbox.py
@@ -39,6 +39,7 @@
 import volatility.plugins.common as common
 import volatility.plugins.gui.messagehooks as messagehooks
 import volatility.win32 as win32
+from volatility.renderers import TreeGrid
 
 supported_controls = {
     'edit'   : 'COMCTL_EDIT',
@@ -444,6 +445,45 @@ def render_table(self, outfd, data):
             # context, atom_class and is_wow64 are ignored
             self.table_row(outfd, pid, proc_name, str(ctrl))
 
+    def unified_output(self, data):
+        #output as volatility json format
+        return TreeGrid([("Wnd Context", str),
+                         ("Process ID", int),
+                         ("ImageFileName", str),
+                         ("IsWow64", str),
+                         ("atom_class", str),
+                         ("value-of WndExtra", str),
+                         ("nChars", int),
+                         ("selStart", int),
+                         ("selEnd", int),
+                         ("isPwdControl", int),
+                         ("undoPos", int),
+                         ("undoLen", int),
+                         ("address-of undoBuf", str),
+                         ("undoBuf", str),
+                         ("Data", str),
+                        ], self.generator(data))
+
+    def generator(self, data):
+        for context, atom_class, pid, proc_name, is_wow64, ctrl in data:
+            yield (0, [
+                str(context),
+                int(pid),
+                str(proc_name),
+                str('Yes' if is_wow64 else 'No'),
+                str(atom_class),
+                str(hex(int(ctrl.v()))),
+                int(ctrl.nChars),
+                int(ctrl.selStart),
+                int(ctrl.is_pwd()),
+                int(ctrl.undoPos),
+                int(ctrl.undoLen),
+                int(ctrl.selEnd),
+                str(ctrl.undoBuf),
+                str(ctrl.get_undo(no_crlf=True)),
+                str(ctrl.get_text()),
+                ])
+
     def render_text(self, outfd, data):
         """Output the results as a text report
         

diff --git a/volatility/plugins/linux/netstat.py b/volatility/plugins/linux/netstat.py
@@ -29,15 +29,60 @@
 import volatility.plugins.linux.common as linux_common
 import volatility.plugins.linux.lsof as linux_lsof
 import volatility.plugins.linux.pslist as linux_pslist
+from volatility.renderers import TreeGrid
 
 class linux_netstat(linux_pslist.linux_pslist):
     """Lists open sockets"""
 
     def __init__(self, config, *args, **kwargs):
         linux_pslist.linux_pslist.__init__(self, config, *args, **kwargs)
         self._config.add_option('IGNORE_UNIX', short_option = 'U', default = None, help = 'ignore unix sockets', action = 'store_true')
-
+
+    def unified_output(self,data):
+        return TreeGrid([("Proto", str),
+                         ("Local IP", str),
+                         ("Local Port", int),
+                         ("Remote IP", str),
+                         ("Remote Port", int),
+                         ("State", str),
+                         ("Process", str),
+                         ("PID", str),
+                         ("Name", str),
+                         ],
+                         self.generator(data))
+
+    def generator(self, data):
+        for task in data:
+            for ents in task.netstat():
+                if ents[0] == socket.AF_INET:
+                    (_, proto, saddr, sport, daddr, dport, state) = ents[1]
+                    yield(0, [
+                              str(proto),
+                              str(saddr),
+                              int(sport),
+                              str(daddr),
+                              int(dport),
+                              str(state),
+                              str(task.comm),
+                              str(task.pid),
+                              str(name),
+                              ])
+
+                elif ents[0] == 1 and not self._config.IGNORE_UNIX:
+                    (name, inum) = ents[1]
+                    yield(0, [
+                              str("UNIX "+str(inum)),
+                              "-",
+                              0,
+                              "-",
+                              0,
+                              "-",
+                              str(task.comm),
+                              str(task.pid),
+                              str(name),
+                              ])
             # its a socket!
+
     def render_text(self, outfd, data):
         linux_common.set_plugin_members(self)
 

diff --git a/volatility/plugins/mac/pslist.py b/volatility/plugins/mac/pslist.py
@@ -43,7 +43,7 @@ def virtual_process_from_physical_offset(addr_space, offset):
         pspace = utils.load_as(addr_space.get_config(), astype = 'physical')
         proc = obj.Object("proc", vm = pspace,     offset = offset)
         task = obj.Object("task", vm = addr_space, offset = proc.task)
-        
+
         return task.bsd_info.dereference_as("proc")
 
     def allprocs(self):
@@ -99,6 +99,7 @@ def unified_output(self, data):
                                   ("Bits", str),
                                   ("DTB", Address),
                                   ("Start time", str),
+                                  ("PPID", int),
                                   ], self.generator(data))
     def generator(self, data):
         for proc in data:
@@ -118,6 +119,7 @@ def generator(self, data):
                        str(bit_string),
                        Address(proc.task.dereference_as("task").map.pmap.pm_cr3),
                        str(proc.start_time()),
+                       int(proc.p_ppid),
                        ])
 
     def render_text(self, outfd, data):
@@ -127,9 +129,11 @@ def render_text(self, outfd, data):
                           ("Uid", "8"),
                           ("Gid", "8"),
                           ("PGID", "8"),
-                          ("Bits", "12"), 
+                          ("Bits", "12"),
                           ("DTB", "#018x"),
-                          ("Start Time", "")])
+                          ("Start Time", ""),
+                          ("Ppid", "8"),
+                          ])
 
         for proc in data:
             if not proc.is_valid() or len(proc.p_comm) == 0:
@@ -146,4 +150,5 @@ def render_text(self, outfd, data):
                                   str(proc.p_pgrpid),
                                   bit_string,
                                   proc.task.dereference_as("task").map.pmap.pm_cr3,
-                                  proc.start_time())
+                                  proc.start_time(),
+                                  str(proc.p_ppid))