Saturday, August 14, 2010

Upated Volatility SQLite plugins

I have recently updated the Volatility sqlite3 plugins (for 1.3.2 branch) with some minor changes:

1) Removal of path from image name
2) Lowercase of all processes, dlls, filenames, modules etc

To make things even more interesting, I have converted some of the scanning code to output in sqlite3 as well:


tar -cvzf vol_sql-0.3.tgz vol_sql-0.3/
vol_sql-0.3/
vol_sql-0.3/connections_2.py
vol_sql-0.3/connscan2sql.py
vol_sql-0.3/dlllist_2.py
vol_sql-0.3/driverscan2sql.py
vol_sql-0.3/files_2.py
vol_sql-0.3/filescan2sql.py
vol_sql-0.3/getsids.py
vol_sql-0.3/modscan2sql.py
vol_sql-0.3/modules_2.py
vol_sql-0.3/pslist_2.py
vol_sql-0.3/psscan3sql.py
vol_sql-0.3/sockets_2.py
vol_sql-0.3/sockscan2sql.py


Schema:


CREATE TABLE connections (pid integer, local text, remote text, memimage text);

CREATE TABLE connscan2(pid integer, local text, remote text, memimage text);

CREATE TABLE dlls (pname text, pid integer, cmdline text, base text, size text, path text, memimage text);

CREATE TABLE driverscan2(paddr text, objtype text, pointers integer, handles integer, start text, size text, srvckey text, driver text, path text, memimage text);

CREATE TABLE files (pid integer, file text, num integer, memimage text);

CREATE TABLE filescan2(paddr text, objtype text, pointers integer, handles integer, access text, file text, memimage text);

CREATE TABLE modscan2 (file text, base text, size text, name text, memimage text);

CREATE TABLE modules (file text, base text, size text, name text, memimage text);

CREATE TABLE process (pname text, pid integer, ppid integer, thrds text, hndl text, ctime text, memimage text);

CREATE TABLE psscan3(pid integer, ppid integer, ctime text, etime text, offset text, pdb text, pname text, memimage text);

CREATE TABLE sids (pname text, pid integer, sid_string text, sid_name text, memimage text);

CREATE TABLE sockets (pid integer, port integer, proto text, ctime text, memimage text);

CREATE TABLE sockscan2(pid integer, port integer, proto text, ctime text, offset text, memimage text);



So what kinds of queries could we make with the output of these plugins? Here are few brief examples.

Suppose you want to focus on one pid:


select * from files where pid = [pid]
select * from connections where pid = [pid]


etc..

Suppose you want to link up connections output with the process information:


select process.pname, connections.* from connections
join process where process.pid = connections.pid
order by connections.pid;



Suppose you have information from more than one image in your database and want to see if there are any dlls/processes/files in one image not represented in the others:


select * from dlls
where path not in
(select path from dlls where memimage is not [image name])



Suppose you don't care about dlls with a certain path, like winsxs for example:


select * from dlls
where path not in
(select path from dlls
where memimage is not [image name]) and
path not like '%winsxs%';



Want to output all files in alphabetical order?


select * from files order by file;



or by PID?


select * from files order by pid;



Now that we have sqlite output for some of the scanning plugins we can quickly compare for information missing from regular plugins. Here's an example of pslist vs psscan3 on an image released by Moyix in his post releasing psscan3:


select psscan3.pid, psscan3.ppid, psscan3.ctime,
psscan3.pname from psscan3
where pid not in (select pid from process)
order by pid;

0|0||idle
592|360|Sat Nov 15 23:42:56 2008|csrss.exe
660|616|Sat Nov 15 23:42:56 2008|services.exe
828|660|Sat Nov 15 23:42:57 2008|svchost.exe
924|660|Sat Nov 15 23:42:57 2008|svchost.exe
992|660|Sat Nov 15 23:43:25 2008|alg.exe
1016|660|Sat Nov 15 23:42:57 2008|svchost.exe
1696|1516|Wed Nov 26 07:43:28 2008|network_listene



Well, I'm sure you can think up a lot more crazy queries as well...

The older sqlite plugins usage can be found here. The newly converted plugins usage is:


./volatility plugin -f [image] -d [sqlite db]



At some point I'll cover output rendering in the 1.4 branch, which is more interesting :-) Until then:

Happy hunting!

No comments: