Can I provide a plugin with requirements without running automagic?
Hello everyone. I tried to use Volatility as a library from my script with the pslist plugin. I did everything according to the instructions, but I can't connect the parameters to the plugin: the check for unsatisfied requirements does not pass. Please tell me what is wrong.

```python
from volatility3 import framework, plugins
from volatility3.framework import automagic, contexts
from volatility3.framework.interfaces.configuration import path_join
from volatility3.plugins.windows import pslist

framework.require_interface_version(1, 0, 2)
ctx = contexts.Context()
failures = framework.import_files(plugins, True)
plugin_list = framework.list_plugins()
ctx.config['automagic.LayerStacker.PsList.single_location'] = 'file:///OtterCTF.vmem'
# nt_symbols sub-options for the plugin, keyed under the plugin's config path
config_path = path_join('plugins', 'windows.pslist.PsList', 'nt_symbols.class')
ctx.config[config_path] = 'volatility3.framework.symbols.windows.WindowsKernelIntermedSymbols'
config_path = path_join('plugins', 'windows.pslist.PsList', 'nt_symbols.isf_url')
ctx.config[config_path] = 'file:///123.json'
# requirement check (note: evaluated before the automagic is run below)
unsatisfied = pslist.PsList.unsatisfied(ctx, 'plugins.windows.pslist.PsList')
available = automagic.available(ctx)
automagics = automagic.choose_automagic(available, pslist.PsList)
errors = automagic.run(automagics, ctx, pslist.PsList, 'plugins.windows.pslist.PsList')
print(unsatisfied)
```
Checking for unsatisfied requirements returns the following:

```
{'plugins.windows.pslist.PsList.primary': <TranslationLayerRequirement: primary>, 'plugins.windows.pslist.PsList.nt_symbols': <SymbolTableRequirement: nt_symbols>}
```
Hiya, so the way that the volatility library verifies these requirements is to check that their value is fulfilled. You haven't actually filled nt_symbols or primary with the names of symbol tables or layers. It looks like you've provided the information those requirements need, but you still need to construct the objects.
Volatility does the construction by running the ConstructionMagic automagic, which lives here. So you can either manually construct the symbol table and the layer, or you can ask the ConstructionMagic automagic to do it for you, but what you've got at the moment won't get satisfied without some extra work...
Please also see https://volatility3.readthedocs.io/en/latest/using-as-a-library.html#use-automagic
I didn't understand from the instructions whether it is possible to skip the manual configuration step and use the automagic method instead; would that make sense? Or will you need to call the automagic constructor in any case?
Hiya, so you can skip the automagic by constructing the necessary objects manually, but it looks from your configuration as though you're expecting volatility to turn your physical file location into a suitable layer stack with a directory table base and virtual kernel offset. If you don't have those values, it's highly recommended to run the automagic to get them.
We've also recently shifted most of the plugins from taking a primary layer requirement and an nt_symbols symbol requirement, to just taking a kernel module requirement. What this means is that you'll need to construct a layer or stack of layers, and the symbol table first. To do that you'll need to construct a physical layer, and then build other layers on top of it (such as an intel layer), then you'll need to construct the symbols (it looks like you've got the configuration for that already, so making the symbol table should be easy). Finally, you can either populate the kernel config option with the name of the kernel.
Something to note is that the single_location is a requirement on the stacker automagic, so won't be useful if you're not using the automagic.
A full configuration will end up having the following values set, and even then construction magic would be used to turn these back into the necessary objects:

```json
{
  "kernel.layer_name.class": "volatility3.framework.layers.intel.WindowsIntelPAE",
  "kernel.layer_name.kernel_virtual_offset": 2152558592,
  "kernel.layer_name.memory_layer.class": "volatility3.framework.layers.physical.FileLayer",
  "kernel.layer_name.memory_layer.location": "file:///path/to/image",
  "kernel.layer_name.page_map_offset": 3248128,
  "kernel.layer_name.swap_layers": true,
  "kernel.layer_name.swap_layers.number_of_elements": 0,
  "kernel.offset": 2152558592,
  "kernel.symbol_table_name.class": "volatility3.framework.symbols.windows.WindowsKernelIntermedSymbols",
  "kernel.symbol_table_name.isf_url": "file:////123.json"
}
```
If you're just trying to work on a CTF, rather than build a fully-fledged tool that uses volatility, you might want to try out the volshell command, which will do the automagic to get you to the point a normal plugin would run, but then leave you in an interactive shell with all the volatility classes loaded and ready to be used. That might help you get to an answer more quickly than trying to use volatility directly as a library...
Hope that clarifies things?
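The workflow recommended above (let the automagic build the layer stack and symbol table, then check that nothing is unsatisfied, then run the plugin), as an added example that is not part of this thread or of volatility3's own code. The image location, the extra symbol directory, the interface version and the minimal file handler are assumptions; `requirement_names` is a small helper added here for readable error output.

```python
"""Run windows.pslist.PsList as a library call after the automagic has built the
layer stack and symbol table. Added example; paths are placeholders."""
from typing import Dict, List, Optional, Tuple

PLUGIN_CONFIG_PATH = "plugins.windows.pslist.PsList"


def requirement_names(unsatisfied: Dict[str, object], config_path: str) -> List[str]:
    """Reduce the keys of an unsatisfied() result to bare requirement names,
    e.g. 'plugins.windows.pslist.PsList.primary' -> 'primary'."""
    prefix = config_path + "."
    return sorted(k[len(prefix):] if k.startswith(prefix) else k for k in unsatisfied)


def run_pslist(image_location: str, symbol_dir: Optional[str] = None) -> List[Tuple[int, int, str]]:
    """Return (pid, ppid, image name) for every process pslist reports."""
    import volatility3.symbols
    from volatility3 import framework, plugins
    from volatility3.framework import automagic, contexts
    from volatility3.framework.interfaces import plugins as plugin_interfaces
    from volatility3.plugins.windows import pslist

    framework.require_interface_version(2, 0, 0)  # assumes a 2.x (kernel-requirement) framework
    if symbol_dir:  # extra ISF search path; assumed to mirror what the CLI's --symbol-dirs does
        volatility3.symbols.__path__ = [symbol_dir] + list(volatility3.symbols.__path__)
    failures = framework.import_files(plugins, True)
    if failures:
        raise RuntimeError(f"plugin modules failed to import: {failures}")

    ctx = contexts.Context()
    # single_location is an option of the LayerStacker automagic, not of the plugin
    ctx.config["automagic.LayerStacker.single_location"] = image_location
    automagics = automagic.choose_automagic(automagic.available(ctx), pslist.PsList)
    errors = automagic.run(automagics, ctx, pslist.PsList, PLUGIN_CONFIG_PATH)

    # Check only after the automagic (including ConstructionMagic) has run
    unsatisfied = pslist.PsList.unsatisfied(ctx, PLUGIN_CONFIG_PATH)
    if unsatisfied:
        details = "".join("".join(err.format()) for err in errors)
        raise RuntimeError("unsatisfied: " + ", ".join(requirement_names(unsatisfied, PLUGIN_CONFIG_PATH)) + "\n" + details)

    class NoFiles(plugin_interfaces.FileHandlerInterface):
        """pslist writes no files unless dumping; a minimal handler satisfies set_open_method."""
        def close(self):
            pass

    plugin = pslist.PsList(ctx, PLUGIN_CONFIG_PATH)
    plugin.set_open_method(NoFiles)
    rows: List[Tuple[int, int, str]] = []

    def collect(node, accumulator):  # TreeGrid visitor; columns start PID, PPID, ImageFileName
        rows.append((node.values[0], node.values[1], node.values[2]))
        return accumulator

    plugin.run().populate(collect)
    return rows
```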