Volatility Plugin Contest
Results are in for the 1st Annual Volatility Framework Plugin Contest - and I'm happy to say that I came joint fourth.
Since entering the plugin contest, I've substantially rewritten parts of my submission based on some suggestions by Aaron Walters. My symbols plugin now:
- stores/caches its data using SQLite3 tables (which provides a large performance boost)
- the lookup method (injected into _EPROCESS objects) can now perform both address-to-name and name-to-address lookups (with basic SQL wildcard support, where '%' matches anything)
- the FPO data structures (including the FPO program strings) are extracted from the PDB files, so it should now be possible to build WinDBG-like stack unwinds.
```
# simple address query lookup
volshell> self.proc.lookup(0xb25fc838)
'sysaudio.sys/PAGE!CClockInstance::ClockGetCorrelatedPhysicalTime'

# stack cookie address for ntoskrnl.exe
volshell> self.proc.lookup("ntoskrnl.exe/.data!___security_cookie")
[ 2153029696L ]

# "all" (known) stack cookie addresses within self.proc's address space
volshell> self.proc.lookup(".data!___security_cookie")
[ 2153029696L, 2154673632L, 4166547756L, ... ]

# wininet.dll stack cookie and cookie complement addresses ('%' matches
# anything)
volshell> self.proc.lookup("wininet%/.data!%security_cookie%")
[ 1998821912, 1998822580 ]
```

Note: my exportstack plugin has been updated to utilise these plugin updates.
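To make the lookup interface above concrete, here is an added example (written for this page, not the plugin's own source) of a minimal SQLite3-backed symbol cache that supports both directions: an integer address resolves to the nearest enclosing symbol (with a `+offset` suffix when it is not the symbol's start), and a `module/section!name` string resolves to a sorted list of addresses, with `%` as the only wildcard. The `SymbolCache` class, the table layout and the `SAMPLE_SYMBOLS` records are assumptions constructed for the example; the addresses are illustrative, not taken from a real memory image. One practitioner's caveat it handles: `_` is itself a single-character wildcard in SQL `LIKE`, and symbol names are full of underscores, so the pattern escapes `_` and leaves only `%` as a wildcard.

```python
import re
import sqlite3

# Constructed sample records (module, section, name, address, size).
# Illustrative values only, not symbols from a real image.
SAMPLE_SYMBOLS = [
    ("ntoskrnl.exe", ".data", "___security_cookie", 0x80550AC0, 4),
    ("ntoskrnl.exe", ".data", "___security_cookie_complement", 0x80550AC4, 4),
    ("sysaudio.sys", "PAGE", "CClockInstance::ClockGetCorrelatedPhysicalTime", 0xB25FC820, 0x40),
    ("wininet.dll", ".data", "___security_cookie", 0x77253A18, 4),
    ("wininet.dll", ".data", "___security_cookie_complement", 0x77253CB4, 4),
]

# "module/section!name"; the module part is optional.
_KEY_RE = re.compile(r"^(?:(?P<module>[^/]+)/)?(?P<section>[^!]+)!(?P<name>.+)$")


def _like(pattern):
    """Escape LIKE metacharacters so that only '%' acts as a wildcard.

    '_' is a single-character wildcard in SQL LIKE, which would make
    '___security_cookie' match any 18-character name with the same
    letters in the fixed positions; escape it (and the escape char).
    """
    return pattern.replace("\\", "\\\\").replace("_", "\\_")


class SymbolCache:
    """Hypothetical SQLite-backed symbol store (example code, not the plugin's)."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS symbols ("
            " module TEXT NOT NULL, section TEXT NOT NULL, name TEXT NOT NULL,"
            " address INTEGER NOT NULL, size INTEGER NOT NULL)"
        )
        # One index per lookup direction keeps both queries cheap.
        self.db.execute("CREATE INDEX IF NOT EXISTS idx_addr ON symbols(address)")
        self.db.execute("CREATE INDEX IF NOT EXISTS idx_name ON symbols(module, section, name)")

    def add(self, records):
        self.db.executemany("INSERT INTO symbols VALUES (?, ?, ?, ?, ?)", records)
        self.db.commit()

    def lookup(self, key):
        """int -> 'module/section!name[+0xoff]' or None; str pattern -> [addresses]."""
        if isinstance(key, int):
            return self._by_address(key)
        return self._by_name(key)

    def _by_address(self, addr):
        # Nearest symbol at or below addr; reject it if addr lies past its size.
        row = self.db.execute(
            "SELECT module, section, name, address, size FROM symbols"
            " WHERE address <= ? ORDER BY address DESC LIMIT 1",
            (addr,),
        ).fetchone()
        if row is None:
            return None
        module, section, name, base, size = row
        offset = addr - base
        if offset >= size:
            return None
        label = "%s/%s!%s" % (module, section, name)
        return label if offset == 0 else "%s+0x%x" % (label, offset)

    def _by_name(self, pattern):
        m = _KEY_RE.match(pattern)
        if m is None:
            raise ValueError("expected [module/]section!name, got %r" % pattern)
        conds = ["section LIKE ? ESCAPE '\\'", "name LIKE ? ESCAPE '\\'"]
        params = [_like(m.group("section")), _like(m.group("name"))]
        if m.group("module"):
            conds.insert(0, "module LIKE ? ESCAPE '\\'")
            params.insert(0, _like(m.group("module")))
        rows = self.db.execute(
            "SELECT address FROM symbols WHERE " + " AND ".join(conds) + " ORDER BY address",
            params,
        ).fetchall()
        return [r[0] for r in rows]


if __name__ == "__main__":
    cache = SymbolCache()
    cache.add(SAMPLE_SYMBOLS)
    print(cache.lookup(0xB25FC838))
    print(cache.lookup(".data!___security_cookie"))
    print(cache.lookup("wininet%/.data!%security_cookie%"))
```

Because the address query walks back to the nearest lower symbol, a symbol table without sizes (or with a size of zero) would make every unknown address resolve to whatever precedes it; storing the size, or the distance to the next symbol, is what makes the "not a known symbol" answer possible.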
Thanks again to the Volatility team for providing such a great memory analysis framework. :-)