
Feature: implement `VADTree` plugin.

Open digitalisx opened this issue 3 years ago • 1 comments

Description

Hello, everyone in the community! 😃 There are some plugins that have not been implemented as they are updated from Volatility2 to 3. I found that the VADTree plugin has not yet been migrated to 3. So I'm implementing (or porting) the VADTree plugin according to the Volatility3 structure.

Command

Help Command

```
> python3 vol.py -h
windows.vadtree.VadTree Walk the VAD tree and display in tree format.
```

Run Command

```
> python3 vol.py -f case.vmem windows.vadtree
```

Result

```
> python3 vol.py -f case.vmem -r pretty windows.vadtree --pid=508 
Volatility 3 Framework 2.2.0
Formatting...0.00               PDB scanning finished                        
         | PID |   Process |         Offset | Type |          Start |            End |  Tag
*        | 508 | csrss.exe | 0x97065bf58dd0 |  N/A |  0x1842f7a0000 |  0x1842f7a0fff | VadS
**       | 508 | csrss.exe | 0x97065bf575c0 |  N/A |  0x1842da00000 |  0x1842dbfffff | VadS
***      | 508 | csrss.exe | 0x97065bf58b00 |  N/A |   0x6086fc0000 |   0x6086ffffff | VadS
****     | 508 | csrss.exe | 0x97065bf57520 |  N/A |   0x6086e80000 |   0x6086ebffff | VadS
*****    | 508 | csrss.exe | 0x97065b6771f0 |  N/A |     0x7ffe2000 |     0x7ffe2fff | VadS
******   | 508 | csrss.exe | 0x97065b6777e0 |  N/A |     0x7ffe0000 |     0x7ffe0fff | VadS
******   | 508 | csrss.exe | 0x97065b677650 |  N/A |   0x6086c00000 |   0x6086dfffff | VadS
*******  | 508 | csrss.exe | 0x97065bf58ec0 |  N/A |   0x6086ba0000 |   0x6086bdffff | VadS
*****    | 508 | csrss.exe | 0x97065bf5cbb0 |  N/A |   0x6086f00000 |   0x6086f3ffff | VadS
******   | 508 | csrss.exe | 0x97065bf58ab0 |  N/A |   0x6086ec0000 |   0x6086efffff | VadS
******   | 508 | csrss.exe | 0x97065bf58a60 |  N/A |   0x6086f80000 |   0x6086fbffff | VadS
****     | 508 | csrss.exe | 0x97065bf57840 | Heap |  0x1842d8c0000 |  0x1842d8cafff | VadS
*****    | 508 | csrss.exe | 0x97065b481a60 | File |  0x1842d880000 |  0x1842d880fff | Vad 
******   | 508 | csrss.exe | 0x97065bf58f60 |  N/A |   0x6087040000 |   0x608707ffff | VadS
*******  | 508 | csrss.exe | 0x97065bf58d30 |  N/A |   0x6087000000 |   0x608703ffff | VadS
*******  | 508 | csrss.exe | 0x97065bf59fa0 |  N/A |   0x6087080000 |   0x60870bffff | VadS
```

However, I'm implementing the logic for deciding the VAD type, so I'm leaving it as a draft PR.

digitalisx, May 29 '22 22:05
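For analysts who want to post-process the tree output shown in the post above, the following is an added example (not code from the PR or from Volatility). It assumes the leading asterisks of the `-r pretty` output encode tree depth, as the output above suggests; `parse_rows` and `overlapping` are hypothetical helper names. It rebuilds each node's parent from the depth markers and checks that no two VAD ranges of the process overlap.

```python
import re

# Constructed sample: a subset of the rows printed in the post above.
SAMPLE = """\
         | PID |   Process |         Offset | Type |          Start |            End |  Tag
*        | 508 | csrss.exe | 0x97065bf58dd0 |  N/A |  0x1842f7a0000 |  0x1842f7a0fff | VadS
**       | 508 | csrss.exe | 0x97065bf575c0 |  N/A |  0x1842da00000 |  0x1842dbfffff | VadS
***      | 508 | csrss.exe | 0x97065bf58b00 |  N/A |   0x6086fc0000 |   0x6086ffffff | VadS
****     | 508 | csrss.exe | 0x97065bf57520 |  N/A |   0x6086e80000 |   0x6086ebffff | VadS
****     | 508 | csrss.exe | 0x97065bf57840 | Heap |  0x1842d8c0000 |  0x1842d8cafff | VadS
*****    | 508 | csrss.exe | 0x97065b481a60 | File |  0x1842d880000 |  0x1842d880fff | Vad
"""

ROW = re.compile(r"^(\*+)\s*\|(.+)$")  # data rows start with the depth marker


def parse_rows(text):
    """Parse data rows and attach each node's parent offset (None for the root)."""
    nodes, stack = [], []  # stack[d-1] = offset of the latest node seen at depth d
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, progress and header lines
        depth = len(m.group(1))
        pid, proc, offset, vtype, start, end, tag = (
            c.strip() for c in m.group(2).split("|"))
        if depth > len(stack) + 1:
            raise ValueError(f"depth jumps to {depth} at {offset}")
        del stack[depth - 1:]  # drop siblings and deeper nodes already closed
        nodes.append({"pid": int(pid), "process": proc, "offset": int(offset, 16),
                      "type": vtype, "start": int(start, 16), "end": int(end, 16),
                      "tag": tag, "depth": depth,
                      "parent": stack[-1] if stack else None})
        stack.append(int(offset, 16))
    return nodes


def overlapping(nodes):
    """Return (offset, offset) pairs of address-adjacent VADs whose ranges overlap.

    Expects rows of a single process; an empty list means the ranges are disjoint.
    """
    ordered = sorted(nodes, key=lambda n: n["start"])
    return [(a["offset"], b["offset"])
            for a, b in zip(ordered, ordered[1:]) if b["start"] <= a["end"]]
```
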

Added a description of the PR that was quickly submitted to draft to handle this issue (#731). This is still included in my interest and work object. 🙂

digitalisx, Jul 02 '22 18:07