Volatility Plugin Contest

Posted by Bagpuss on August 24, 2013
Tags: digital forensics, volatility

Results are in for the 1st Annual Volatility Framework Plugin Contest - and I'm happy to say that I came joint fourth.

Since entering the plugin contest, I've substantially rewritten parts of my submission based on some suggestions by Aaron Walters. My symbols plugin now:

  • stores/caches its data in SQLite3 tables (which gives a large performance boost over re-parsing the PDB files on every run)
  • has a lookup method (injected into _EPROCESS objects) that can perform both address to name and name to addresses lookups, with basic SQL LIKE-style wildcard matching for the name queries
  • extracts the FPO data structures (including the FPO program strings) from the PDB files, so it should now be possible to build WinDbg-like stack unwinds.
Here's an example of some of the things that are now possible (here we work at a Volatility shell command line prompt, with the symbols DB already built):
# simple address query lookup
volshell> self.proc.lookup(0xb25fc838)
'sysaudio.sys/PAGE!CClockInstance::ClockGetCorrelatedPhysicalTime'

# stack cookie address for ntoskrnl.exe
volshell> self.proc.lookup("ntoskrnl.exe/.data!___security_cookie")
[ 2153029696L ]

# "all" (known) stack cookie addresses within self.proc's address space
volshell> self.proc.lookup(".data!___security_cookie")
[ 2153029696L, 2154673632L, 4166547756L, ... ]

# wininet.dll stack cookie and cookie complement addresses ('%' matches 
# anything)
volshell> self.proc.lookup("wininet%/.data!%security_cookie%")
[ 1998821912, 1998822580 ]
Note: my exportstack plugin has been updated to utilise these plugin updates.
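To make the mechanism behind the lookups above concrete, here is an added example (my own illustration, not code from the symbols plugin or from Volatility) of a small SQLite-backed symbol cache with the same two query directions: an integer address resolves to the nearest preceding symbol in the module that contains it, and a string pattern of the form module/section!name (with SQL LIKE wildcards) resolves to a sorted list of virtual addresses. The module bases, sizes and RVAs in the sample data are constructed for the example and are not taken from a real image; the symbol names KeBugCheckEx and ___security_cookie are real names but their placements here are hypothetical.

```python
import sqlite3

# Constructed sample data: hypothetical bases, sizes and RVAs, not from a real image.
SAMPLE_MODULES = [
    # (name, base, size)
    ("ntoskrnl.exe", 0x804d7000, 0x200000),
    ("hal.dll",      0x806e4000, 0x020000),
    ("wininet.dll",  0x771b0000, 0x0b0000),
]
SAMPLE_SYMBOLS = [
    # (module, section, symbol name, rva)
    ("ntoskrnl.exe", ".text", "KeBugCheckEx",                  0x13a00),
    ("ntoskrnl.exe", ".data", "___security_cookie",            0x7b540),
    ("ntoskrnl.exe", ".data", "___security_cookie_complement", 0x7b544),
    ("hal.dll",      ".data", "___security_cookie",            0x10a00),
    ("wininet.dll",  ".data", "___security_cookie",            0x9c318),
    ("wininet.dll",  ".data", "___security_cookie_complement", 0x9c31c),
]


class SymbolCache:
    """SQLite-backed symbol store keyed on module/section!name and RVA (example code)."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        # Symbol names are case sensitive (C++ names can differ by case alone),
        # so turn off SQLite's default ASCII case folding for LIKE.
        self.db.execute("PRAGMA case_sensitive_like = ON")
        self.db.executescript("""
            CREATE TABLE IF NOT EXISTS modules(
                name TEXT PRIMARY KEY, base INTEGER NOT NULL, size INTEGER NOT NULL);
            CREATE TABLE IF NOT EXISTS symbols(
                module TEXT NOT NULL, section TEXT NOT NULL,
                name TEXT NOT NULL, rva INTEGER NOT NULL);
            CREATE INDEX IF NOT EXISTS symbols_by_rva  ON symbols(module, rva);
            CREATE INDEX IF NOT EXISTS symbols_by_name ON symbols(name);
        """)

    def add_module(self, name, base, size):
        self.db.execute("INSERT OR REPLACE INTO modules VALUES (?, ?, ?)", (name, base, size))

    def add_symbols(self, rows):
        self.db.executemany("INSERT INTO symbols VALUES (?, ?, ?, ?)", rows)
        self.db.commit()

    def lookup(self, query):
        """int -> 'module/section!name[+0xoff]' or None; str pattern -> sorted addresses."""
        if isinstance(query, int):
            return self._addr_to_name(query)
        return self._name_to_addrs(query)

    def _addr_to_name(self, addr):
        row = self.db.execute(
            "SELECT name, base FROM modules WHERE base <= ? AND ? < base + size",
            (addr, addr)).fetchone()
        if row is None:
            return None                        # address lies outside every known module
        module, base = row
        rva = addr - base
        # Nearest symbol at or below the RVA: the same rule a debugger uses for sym+off.
        sym = self.db.execute(
            "SELECT section, name, rva FROM symbols "
            "WHERE module = ? AND rva <= ? ORDER BY rva DESC LIMIT 1",
            (module, rva)).fetchone()
        if sym is None:
            return "%s+0x%x" % (module, rva)   # module known, but no symbol precedes the RVA
        section, name, sym_rva = sym
        text = "%s/%s!%s" % (module, section, name)
        off = rva - sym_rva
        return text if off == 0 else "%s+0x%x" % (text, off)

    def _name_to_addrs(self, pattern):
        # Pattern grammar: [module/][section!]name; each part is a SQL LIKE pattern
        # ('%' = any run of characters, '_' = any single character). Omitted parts match all.
        module, rest = pattern.split("/", 1) if "/" in pattern else ("%", pattern)
        section, name = rest.split("!", 1) if "!" in rest else ("%", rest)
        rows = self.db.execute(
            "SELECT m.base + s.rva FROM symbols s JOIN modules m ON m.name = s.module "
            "WHERE s.module LIKE ? AND s.section LIKE ? AND s.name LIKE ? ORDER BY 1",
            (module, section, name))
        return [r[0] for r in rows]


def build_sample_cache():
    cache = SymbolCache()
    for name, base, size in SAMPLE_MODULES:
        cache.add_module(name, base, size)
    cache.add_symbols(SAMPLE_SYMBOLS)
    return cache


if __name__ == "__main__":
    c = build_sample_cache()
    print(c.lookup(0x804d7000 + 0x13a10))             # symbol plus offset
    print([hex(a) for a in c.lookup(".data!___security_cookie")])
    print([hex(a) for a in c.lookup("wininet%/.data!%security_cookie%")])
```

Two caveats worth knowing when using LIKE this way: an underscore in a pattern is itself a wildcard, so "___security_cookie" also matches any name with three arbitrary leading characters (use the LIKE ... ESCAPE clause if you need literal underscores), and the address-to-name direction deliberately returns a symbol+offset for addresses that fall between symbols, which is what you want when walking a stack but means an exact-match check has to look at the offset.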

Thanks again to the Volatility team for providing such a great memory analysis framework. :-)