
Yapf-0.28.0 rerun across the whole codebase.
ikelos committed Sep 21, 2019
1 parent dad8869 commit 72567e1
Showing 91 changed files with 1,208 additions and 1,124 deletions.
118 changes: 55 additions & 63 deletions development/compare-vol.py
Expand Up @@ -205,74 +205,66 @@ def run_test(self, plugin: VolatilityPlugin, image: VolatilityImage):

if __name__ == '__main__':
plugins = [
VolatilityPlugin(
name = "pslist", vol2_plugin_parameters = ["pslist"], vol3_plugin_parameters = ["windows.pslist"]),
VolatilityPlugin(
name = "psscan",
vol2_plugin_parameters = ["psscan"],
vol3_plugin_parameters = ["windows.psscan"],
rekall_plugin_parameters = ["psscan", "--scan_kernel"]),
VolatilityPlugin(
name = "driverscan",
vol2_plugin_parameters = ["driverscan"],
vol3_plugin_parameters = ["windows.driverscan"],
rekall_plugin_parameters = ["driverscan", "--scan_kernel"]),
VolatilityPlugin(
name = "handles", vol2_plugin_parameters = ["handles"], vol3_plugin_parameters = ["windows.handles"]),
VolatilityPlugin(
name = "modules", vol2_plugin_parameters = ["modules"], vol3_plugin_parameters = ["windows.modules"]),
VolatilityPlugin(
name = "hivelist",
vol2_plugin_parameters = ["hivelist"],
vol3_plugin_parameters = ["registry.hivelist"],
rekall_plugin_parameters = ["hives"]),
VolatilityPlugin(
name = "vadinfo",
vol2_plugin_parameters = ["vadinfo"],
vol3_plugin_parameters = ["windows.vadinfo"],
rekall_plugin_parameters = ["vad"]),
VolatilityPlugin(
name = "modscan",
vol2_plugin_parameters = ["modscan"],
vol3_plugin_parameters = ["windows.modscan"],
rekall_plugin_parameters = ["modscan", "--scan_kernel"]),
VolatilityPlugin(
name = "svcscan",
vol2_plugin_parameters = ["svcscan"],
vol3_plugin_parameters = ["windows.svcscan"],
rekall_plugin_parameters = ["svcscan"]),
VolatilityPlugin(name = "pslist",
vol2_plugin_parameters = ["pslist"],
vol3_plugin_parameters = ["windows.pslist"]),
VolatilityPlugin(name = "psscan",
vol2_plugin_parameters = ["psscan"],
vol3_plugin_parameters = ["windows.psscan"],
rekall_plugin_parameters = ["psscan", "--scan_kernel"]),
VolatilityPlugin(name = "driverscan",
vol2_plugin_parameters = ["driverscan"],
vol3_plugin_parameters = ["windows.driverscan"],
rekall_plugin_parameters = ["driverscan", "--scan_kernel"]),
VolatilityPlugin(name = "handles",
vol2_plugin_parameters = ["handles"],
vol3_plugin_parameters = ["windows.handles"]),
VolatilityPlugin(name = "modules",
vol2_plugin_parameters = ["modules"],
vol3_plugin_parameters = ["windows.modules"]),
VolatilityPlugin(name = "hivelist",
vol2_plugin_parameters = ["hivelist"],
vol3_plugin_parameters = ["registry.hivelist"],
rekall_plugin_parameters = ["hives"]),
VolatilityPlugin(name = "vadinfo",
vol2_plugin_parameters = ["vadinfo"],
vol3_plugin_parameters = ["windows.vadinfo"],
rekall_plugin_parameters = ["vad"]),
VolatilityPlugin(name = "modscan",
vol2_plugin_parameters = ["modscan"],
vol3_plugin_parameters = ["windows.modscan"],
rekall_plugin_parameters = ["modscan", "--scan_kernel"]),
VolatilityPlugin(name = "svcscan",
vol2_plugin_parameters = ["svcscan"],
vol3_plugin_parameters = ["windows.svcscan"],
rekall_plugin_parameters = ["svcscan"]),
VolatilityPlugin(name = "ssdt", vol2_plugin_parameters = ["ssdt"], vol3_plugin_parameters = ["windows.ssdt"]),
VolatilityPlugin(
name = "printkey",
vol2_plugin_parameters = ["printkey", "-K", "Classes"],
vol3_plugin_parameters = ["registry.printkey", "--key", "Classes"],
rekall_plugin_parameters = ["printkey", "--key", "Classes"])
VolatilityPlugin(name = "printkey",
vol2_plugin_parameters = ["printkey", "-K", "Classes"],
vol3_plugin_parameters = ["registry.printkey", "--key", "Classes"],
rekall_plugin_parameters = ["printkey", "--key", "Classes"])
]

parser = argparse.ArgumentParser()
parser.add_argument("--output-dir", type = str, default = os.getcwd(), help = "Directory to store all results")
parser.add_argument(
"--vol3path",
type = str,
default = os.path.join(os.getcwd(), 'volatility3'),
help = "Path ot the volatility 3 directory")
parser.add_argument(
"--vol2path",
type = str,
default = os.path.join(os.getcwd(), 'volatility'),
help = "Path to the volatility 2 directory")
parser.add_argument(
"--rekallpath",
type = str,
default = os.path.join(os.getcwd(), 'rekall'),
help = "Path to the rekall directory")
parser.add_argument(
"--frameworks",
nargs = "+",
type = str,
choices = [x.short_name.lower() for x in VolatilityTest.__subclasses__()],
default = [x.short_name.lower() for x in VolatilityTest.__subclasses__()],
help = "A comma separated list of frameworks to test")
parser.add_argument("--vol3path",
type = str,
default = os.path.join(os.getcwd(), 'volatility3'),
help = "Path ot the volatility 3 directory")
parser.add_argument("--vol2path",
type = str,
default = os.path.join(os.getcwd(), 'volatility'),
help = "Path to the volatility 2 directory")
parser.add_argument("--rekallpath",
type = str,
default = os.path.join(os.getcwd(), 'rekall'),
help = "Path to the rekall directory")
parser.add_argument("--frameworks",
nargs = "+",
type = str,
choices = [x.short_name.lower() for x in VolatilityTest.__subclasses__()],
default = [x.short_name.lower() for x in VolatilityTest.__subclasses__()],
help = "A comma separated list of frameworks to test")
parser.add_argument('images', metavar = 'IMAGE', type = str, nargs = '+', help = 'The list of images to compare')
args = parser.parse_args()

30 changes: 17 additions & 13 deletions development/mac-kdk/parse_pbzx2.py
Expand Up @@ -9,41 +9,43 @@

import struct, sys

def seekread(f, offset=None, length=0, relative=True):

def seekread(f, offset = None, length = 0, relative = True):
if (offset != None):
# offset provided, let's seek
f.seek(offset, [0,1,2][relative])
f.seek(offset, [0, 1, 2][relative])
if (length != 0):
return f.read(length)


def parse_pbzx(pbzx_path):
section = 0
xar_out_path = '%s.part%02d.cpio.xz' % (pbzx_path, section)
f = open(pbzx_path, 'rb')
# pbzx = f.read()
# f.close()
magic = seekread(f,length=4)
magic = seekread(f, length = 4)
if magic != 'pbzx':
raise "Error: Not a pbzx file"
# Read 8 bytes for initial flags
flags = seekread(f,length=8)
flags = seekread(f, length = 8)
# Interpret the flags as a 64-bit big-endian unsigned int
flags = struct.unpack('>Q', flags)[0]
xar_f = open(xar_out_path, 'wb')
while (flags & (1 << 24)):
# Read in more flags
flags = seekread(f,length=8)
flags = seekread(f, length = 8)
flags = struct.unpack('>Q', flags)[0]
# Read in length
f_length = seekread(f,length=8)
f_length = seekread(f, length = 8)
f_length = struct.unpack('>Q', f_length)[0]
xzmagic = seekread(f,length=6)
xzmagic = seekread(f, length = 6)
if xzmagic != '\xfd7zXZ\x00':
# This isn't xz content, this is actually _raw decompressed cpio_ chunk of 16MB in size...
# Let's back up ...
seekread(f,offset=-6,length=0)
seekread(f, offset = -6, length = 0)
# ... and split it out ...
f_content = seekread(f,length=f_length)
f_content = seekread(f, length = f_length)
section += 1
decomp_out = '%s.part%02d.cpio' % (pbzx_path, section)
g = open(decomp_out, 'wb')
Expand All @@ -57,8 +59,8 @@ def parse_pbzx(pbzx_path):
else:
f_length -= 6
# This part needs buffering
f_content = seekread(f,length=f_length)
tail = seekread(f,offset=-2,length=2)
f_content = seekread(f, length = f_length)
tail = seekread(f, offset = -2, length = 2)
xar_f.write(xzmagic)
xar_f.write(f_content)
if tail != 'YZ':
Expand All @@ -70,9 +72,11 @@ def parse_pbzx(pbzx_path):
except:
pass


def main():
result = parse_pbzx(sys.argv[1])
print "Now xz decompress the .xz chunks, then 'cat' them all together in order into a single new.cpio file"



if __name__ == '__main__':
main()
main()
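Review bot: `raise "Error: Not a pbzx file"` in parse_pbzx raises a string literal, which is a TypeError on every interpreter that still runs this script (string exceptions were removed in Python 2.6), so a file with a bad magic produces a misleading traceback instead of the intended message; it should be `raise ValueError("Error: Not a pbzx file")`. The script is Python 2 only (`print "..."` statement), and if it is ever ported the three magic comparisons on data read from a file opened with `'rb'` must become bytes literals (`b'pbzx'`, `b'\xfd7zXZ\x00'`, `b'YZ'`) or they will never match. The bare `except: pass` near the end of parse_pbzx also silences any error from the section handling, which for a parser fed an arbitrary path from `sys.argv[1]` hides truncated or malformed input rather than reporting it; catching the specific exception and printing which section failed would be safer. Only parts of parse_pbzx's body are visible across the three hunks.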
14 changes: 10 additions & 4 deletions development/pdbparse-to-json.py
Expand Up @@ -322,10 +322,16 @@ def read_basetypes(self) -> Dict:
file_group.add_argument("-f", "--file", metavar = "FILE", help = "PDB file to translate to ISF")
data_group = parser.add_argument_group("data", description = "Convert based on a GUID and filename pattern")
data_group.add_argument("-p", "--pattern", metavar = "PATTERN", help = "Filename pattern to recover PDB file")
data_group.add_argument(
"-g", "--guid", metavar = "GUID", help = "GUID + Age string for the required PDB file", default = None)
data_group.add_argument(
"-k", "--keep", action = "store_true", default = False, help = "Keep the downloaded PDB file")
data_group.add_argument("-g",
"--guid",
metavar = "GUID",
help = "GUID + Age string for the required PDB file",
default = None)
data_group.add_argument("-k",
"--keep",
action = "store_true",
default = False,
help = "Keep the downloaded PDB file")
args = parser.parse_args()

delfile = False
65 changes: 32 additions & 33 deletions setup.py
Expand Up @@ -6,36 +6,35 @@

from volatility.framework import constants

setuptools.setup(
name = "volatility",
description = "Memory forensics framework",
version = constants.PACKAGE_VERSION,
license = "VSL",
keywords = "volatility memory forensics framework windows linux volshell",
author = "Volatility Foundation",
author_email = "volatility@volatilityfoundation.org",
url = "https://volatilityfoundation.org/volatility/",
project_urls = {
"Bug Tracker": "https://github.com/volatilityfoundation/volatility3/issues",
"Documentation": "https://volatilityfoundation.org/volatility/docs/",
"Source Code": "https://github.com/volatilityfoundation/volatility3",
},
include_package_data = True,
exclude_package_data = {
'': ['development', 'development.*'],
'development': ['*']
},
packages = setuptools.find_packages(exclude = ["developement", "development.*"]),
entry_points = {
'console_scripts': [
'vol = volatility.cli:main',
'volshell = volatility.cli.volshell:main',
],
},
install_requires = ["pefile"],
extras_require = {
'jsonschema': ["jsonschema>=2.3.0"],
'yara': ["yara-python>=3.8.0"],
'disasm': ["capstone;platform_system=='Linux'", "capstone-windows;platform_system=='Windows'"],
'doc': ["sphinx>=1.8.2", "sphinx_autodoc_typehints>=1.4.0", "sphinx-rtd-theme>=0.4.3"],
})
setuptools.setup(name = "volatility",
description = "Memory forensics framework",
version = constants.PACKAGE_VERSION,
license = "VSL",
keywords = "volatility memory forensics framework windows linux volshell",
author = "Volatility Foundation",
author_email = "volatility@volatilityfoundation.org",
url = "https://volatilityfoundation.org/volatility/",
project_urls = {
"Bug Tracker": "https://github.com/volatilityfoundation/volatility3/issues",
"Documentation": "https://volatilityfoundation.org/volatility/docs/",
"Source Code": "https://github.com/volatilityfoundation/volatility3",
},
include_package_data = True,
exclude_package_data = {
'': ['development', 'development.*'],
'development': ['*']
},
packages = setuptools.find_packages(exclude = ["developement", "development.*"]),
entry_points = {
'console_scripts': [
'vol = volatility.cli:main',
'volshell = volatility.cli.volshell:main',
],
},
install_requires = ["pefile"],
extras_require = {
'jsonschema': ["jsonschema>=2.3.0"],
'yara': ["yara-python>=3.8.0"],
'disasm': ["capstone;platform_system=='Linux'", "capstone-windows;platform_system=='Windows'"],
'doc': ["sphinx>=1.8.2", "sphinx_autodoc_typehints>=1.4.0", "sphinx-rtd-theme>=0.4.3"],
})
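Review bot: The first exclude pattern in `packages = setuptools.find_packages(exclude = ["developement", "development.*"])` is misspelled, so the top-level `development` package itself is not excluded and only its subpackages are. Whether anything ships today depends on `development/` carrying an `__init__.py`, which is not visible here, but the intent is clearly to keep the helper scripts out of the distributed package, so the line should read `packages = setuptools.find_packages(exclude = ["development", "development.*"]),`. The `exclude_package_data` entries only cover package data and would not stop a mis-included package's modules.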
