New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Windows: Add --base to modscan and modules #1099
base: develop
Are you sure you want to change the base?
Windows: Add --base to modscan and modules #1099
Conversation
In volatility2, the windows.moddump plugin allows you to extract a single module using a base address. This PR adds the same functionality to volatility3 in the windows.modscan and windows.modules plugins. The base address is passed in using --base=BASE where the module with base address BASE will be extracted. The matching volatility2 functionality can be found here: https://github.com/volatilityfoundation/volatility/blob/2.6.1/volatility/plugins/moddump.py#L71 Manual testing was performed on windows memory images across different windows versions to verify the expected output.
Hey @brandon-barnacle - nice to see another PR from you - I had a question about the description for It says I'm still thinking that the description can probably just be 🦊 Just a random internet vol user |
Hi @eve-mem - I think you are totally right here, so I'm gonna push a small change where i take out the "(hex)" from the description. |
For some reason I thought I'd commented on this already, but now I can't find it? I'd expect the If a specific base has been provided, can I suggest attempting to instantiate a module at the address, checking it passes that tests that modules need to pass for the modscan to succeed, and then outputs that rather than running through the generated list, at the very least for the modscan plugin? That would provide a speed boost, and valuable functionality, and the I'm not out to produce exactly the same output in the same way as volatility 2, just to provide the same functionality so that people don't turn to volatility 2 because they can't do something in volatility 3. As such, we don't have to duplicate the flags, and we should ensure that our flags make sense and are as simple and straightforward to understand as they can be, volatility 2 aside. |
Hi @ikelos, I think what you said here makes a lot of sense and was something that I thought about after I made the PR, so I think it is a good thing that you brought it up. I am going to work on making this change and see how it performs. |
In volatility2, the windows.moddump plugin allows you to extract a single module using a base address.
This PR adds the same functionality to volatility3 in the windows.modscan and windows.modules plugins.
The base address is passed in using --base=BASE where the module with base address BASE will be extracted.
The matching volatility2 functionality can be found here:
https://github.com/volatilityfoundation/volatility/blob/2.6.1/volatility/plugins/moddump.py#L71
Manual testing was performed on windows memory images across different windows versions to verify the expected output.