
Feature: implement `VADWalk` plugin.

Open digitalisx opened this issue 2 years ago • 7 comments

Description

Hello, everyone in the community! 😃 There are some plugins that have not been implemented as they are updated from Volatility2 to 3. I found that the VADWalk plugin has not yet migrated to 3. So I implemented (or ported) the VADWalk plugin according to the Volatility3 structure.

It was implemented by referring to the existing code, so that the same results as Volatility 2 can be obtained.

Command

Help Command

> python3 vol.py -h
windows.vadwalk.VadWalk Walk the VAD tree.

Run Command

python3 vol.py -f case.vmem windows.vadwalk

Output Example

> python3 vol.py -f case.vmem -r pretty windows.vadwalk --pid=4708  
Volatility 3 Framework 2.1.0
Formatting...0.00               PDB scanning finished                        
  |  PID |      Process |     Offset |     Parent |       Left |      Right |      Start |        End |  Tag
* | 4708 | rundll32.exe | 0x9db10a00 |        0x0 | 0x9db10168 | 0x9db110e0 | 0x75df0000 | 0x76001fff | Vad 
* | 4708 | rundll32.exe | 0x9db10168 | 0x9db10a00 | 0x9db10110 | 0x9d0c14a0 |   0xa70000 |   0xa83fff | Vad 
* | 4708 | rundll32.exe | 0x9db10110 | 0x9db10168 | 0x9db10bb8 | 0x9654d6a0 |   0x890000 |   0x893fff | Vad 
* | 4708 | rundll32.exe | 0x9db10bb8 | 0x9db10110 | 0x9db10b08 | 0xa1ccaaf0 |   0x830000 |   0x84cfff | Vad 
* | 4708 | rundll32.exe | 0x9db10b08 | 0x9db10bb8 |        0x0 | 0xa1ccb0c0 |   0x810000 |   0x81ffff | Vad 
* | 4708 | rundll32.exe | 0xa1ccb0c0 | 0x9db10b08 |        0x0 |        0x0 |   0x820000 |   0x823fff | VadS
* | 4708 | rundll32.exe | 0xa1ccaaf0 | 0x9db10bb8 |        0x0 |        0x0 |   0x850000 |   0x88ffff | VadS
* | 4708 | rundll32.exe | 0x9654d6a0 | 0x9db10110 | 0x9d0c1448 | 0xa0550020 |   0x9d0000 |   0x9d0fff | Vad 
* | 4708 | rundll32.exe | 0x9d0c1448 | 0x9654d6a0 | 0xa1ccb270 | 0x9d0c1a20 |   0x990000 |   0x992fff | Vad 
* | 4708 | rundll32.exe | 0xa1ccb270 | 0x9d0c1448 | 0x9db10848 | 0x9db10d18 |   0x8b0000 |   0x8b1fff | VadS
* | 4708 | rundll32.exe | 0x9db10848 | 0xa1ccb270 |        0x0 |        0x0 |   0x8a0000 |   0x8a0fff | Vad 
* | 4708 | rundll32.exe | 0x9db10d18 | 0xa1ccb270 |        0x0 |        0x0 |   0x8c0000 |   0x988fff | Vad 
* | 4708 | rundll32.exe | 0x9d0c1a20 | 0x9d0c1448 | 0x9d0c19c8 | 0x9d0c1bd8 |   0x9b0000 |   0x9b0fff | Vad 
* | 4708 | rundll32.exe | 0x9d0c19c8 | 0x9d0c1a20 |        0x0 |        0x0 |   0x9a0000 |   0x9a7fff | Vad 

However, in the case of vaddump, it seems to have been absorbed by the dump option of vadinfo. In this PR, vadwalk provides information in a separate form from vadinfo, so we separated it into a separate plugin, but if you have any intention or policy in mind, please let me know 🤔

If you are interested in or have any comments on this PR, please feel free to leave a thread! 🙌

digitalisx avatar May 07 '22 15:05 digitalisx
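A constructed illustration of the walk reflected in the output table above (added example, not code from the Volatility 3 project or this PR): it stores a few of the rundll32.exe (PID 4708) nodes from the table as plain Python objects, walks them in pre-order, which is the row order the plugin prints, and adds a parent-link consistency check an analyst can run over the rows. The `VadNode` layout and field names are assumptions, not Volatility's own structures.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List

@dataclass
class VadNode:  # assumed layout: one _MMVAD-like node, fields as in the table
    parent: int
    left: int
    right: int
    start: int
    end: int
    tag: str

# Constructed sample: seven rundll32.exe (PID 4708) nodes from the table,
# keyed by Offset; children not in the sample are treated as unreadable.
SAMPLE_VADS: Dict[int, VadNode] = {
    0x9DB10A00: VadNode(0x0, 0x9DB10168, 0x9DB110E0, 0x75DF0000, 0x76001FFF, "Vad"),
    0x9DB10168: VadNode(0x9DB10A00, 0x9DB10110, 0x9D0C14A0, 0xA70000, 0xA83FFF, "Vad"),
    0x9DB10110: VadNode(0x9DB10168, 0x9DB10BB8, 0x9654D6A0, 0x890000, 0x893FFF, "Vad"),
    0x9DB10BB8: VadNode(0x9DB10110, 0x9DB10B08, 0xA1CCAAF0, 0x830000, 0x84CFFF, "Vad"),
    0x9DB10B08: VadNode(0x9DB10BB8, 0x0, 0xA1CCB0C0, 0x810000, 0x81FFFF, "Vad"),
    0xA1CCB0C0: VadNode(0x9DB10B08, 0x0, 0x0, 0x820000, 0x823FFF, "VadS"),
    0xA1CCAAF0: VadNode(0x9DB10BB8, 0x0, 0x0, 0x850000, 0x88FFFF, "VadS"),
}

def walk_vad_tree(vads: Dict[int, VadNode], root: int, max_nodes: int = 10000) -> Iterator[tuple]:
    """Pre-order walk (node, left subtree, right subtree): the row order in the
    plugin output. Explicit stack + visited set so a corrupted tree cannot loop."""
    stack, seen = [root], set()
    while stack and len(seen) < max_nodes:
        off = stack.pop()
        if off == 0 or off in seen or off not in vads:
            continue  # absent child, revisited node, or node outside the sample
        seen.add(off)
        n = vads[off]
        yield (off, n.parent, n.left, n.right, n.start, n.end, n.tag)  # one output row
        stack.append(n.right)  # pushed first so the left child is popped first
        stack.append(n.left)

def bad_parent_links(vads: Dict[int, VadNode]) -> List[int]:
    """Offsets whose Parent pointer names a node that does not link back to them
    (the root, Parent 0x0, is exempt): a quick consistency check when triaging."""
    bad = []
    for off, n in vads.items():
        if n.parent == 0:
            continue
        p = vads.get(n.parent)
        if p is None or off not in (p.left, p.right):
            bad.append(off)
    return bad
```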

Should be a quick one for you to check please @iMHLv2

ikelos avatar May 09 '22 06:05 ikelos

All right, now the VADWalk plugin works intuitively on both x86 and x64 architectures.

digitalisx avatar May 29 '22 23:05 digitalisx

Hello, @iMHLv2, I'm pulling this up again. If you don't mind, can I ask for a review?

digitalisx avatar Jul 02 '22 18:07 digitalisx

I added a test to verify that the plugin works well :)

digitalisx avatar Jul 22 '22 10:07 digitalisx

This is also pending @iMHLv2 and a fix for the test/test_volatility.py conflict...

ikelos avatar Jul 31 '22 16:07 ikelos

Thank you for rechecking, @ikelos. I resolved the conflict and got it into a good state for merge.

digitalisx avatar Jul 31 '22 16:07 digitalisx

Hello @iMHLv2, I would like to pull up this on our list of interests once again. :)

digitalisx avatar Sep 17 '22 16:09 digitalisx

Hello @iMHLv2, this PR is still in my interest; could you check it out when your time permits? :)

digitalisx avatar Oct 16 '22 20:10 digitalisx