List of Volatility Plugins

From ForensicsWiki

The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki; they are all on external sites.

== Command Shell ==

* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] (By [http://moyix.blogspot.com/2008/08/indroducing-volshell.html Moyix]) - Creates a Python shell that can be used with the framework.

== Malware Detection ==

* [http://mhl-malware-scripts.googlecode.com/files/idt.py IDT] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Prints the Interrupt Descriptor Table (IDT) addresses for one processor.
* [http://mhl-malware-scripts.googlecode.com/files/driverirp.py DriverIRP] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Prints driver IRP function addresses.
* [http://mhl-malware-scripts.googlecode.com/files/kernel_hooks.py kernel_hooks] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Detects IAT, EAT, and in-line hooks in kernel drivers (rather than in usermode modules).
* [http://mhl-malware-scripts.googlecode.com/files/malfind2.py malfind2] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Automates the process of finding and extracting (usually malicious) code injected into another process.
* [http://mhl-malware-scripts.googlecode.com/files/orphan_threads.py orphan_threads] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Detects hidden system/kernel threads.
* [http://mhl-malware-scripts.googlecode.com/files/usermode_hooks2.py usermode_hooks2] (By [http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - Detects IAT, EAT, and in-line rootkit hooks in usermode processes.
* [http://mhl-malware-scripts.googlecode.com/files/vap-0.1.zip Volatility Analyst Pack 0.1] (By [http://mnin.blogspot.com/2009/12/new-and-updated-volatility-plug-ins.html Michael Hale Ligh]) - A pack which contains updates to many of the listed modules.

== Data Recovery ==

* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] (By [[Jesse Kornblum]]) - Finds [[TrueCrypt]] passphrases.
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] (By [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html Moyix]) - Dumps out a kernel module (aka driver).
* [http://www.cc.gatech.edu/%7Ebrendan/volatility/dl/volreg-0.6.tar.gz Registry tools] (By [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Moyix]) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
* [http://www.cc.gatech.edu/%7Ebrendan/volatility/dl/volrip-0.1.tar.gz Modified Regripper & Glue Code] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux.
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] (By [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html Moyix]) - Gets information about which user (SID) started a process.
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] (By [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html Moyix]) - Lists entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
* [http://kurtz.cs.wesleyan.edu/%7Ebdolangavitt/memory/threadqueues.py threadqueues] (By [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html Moyix]) - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_objtypescan-current.zip objtypescan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_file_objects.html Andreas Schuster]) - Enumerates Windows kernel object types. (Note: if running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/files/volatility_plugins/keyboardbuffer.py keyboardbuffer] (By [http://computer.forensikblog.de/en/2009/04/read_password_from_keyboard_buffer.html#more Andreas Schuster]) - Extracts the keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_mutantscan-current.zip mutantscan] (By [http://computer.forensikblog.de/en/2009/04/searching_for_mutants.html#more Andreas Schuster]) - Extracts mutexes from the Windows kernel. (Note: if running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_symlinkobjscan-current.zip symlinkobjscan] (By [http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html#more Andreas Schuster]) - Extracts symbolic link objects from the Windows kernel. (Note: if running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_driverscan-current.zip driverscan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_drivers.html#more Andreas Schuster]) - Scans for kernel _DRIVER_OBJECTs. (Note: if running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_fileobjscan-current.zip fileobjscan] (By [http://computer.forensikblog.de/en/2009/04/linking_file_objects_to_processes.html#more Andreas Schuster]) - Links file objects to processes, including hidden files. (Note: if running the SVN version of Volatility, just install the plugin file from this archive.)

== Process Enumeration ==

* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] (By [[Jesse Kornblum]]) - Identifies "suspicious" processes. This version counts any command line running [[TrueCrypt]], or any command line that starts with a lower-case drive letter, as suspicious.

== Output Formatting ==

* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] (By [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html Scudette]) - Produces a tree-style listing of processes.
* [http://gleeda.blogspot.com/2009/03/briefly-vol2html-update.html vol2html] (By [http://gleeda.blogspot.com/2008/11/vol2html-perl-script.html Jamie Levy AKA Gleeda]) - Converts Volatility output to HTML. Not technically a plugin, but useful nonetheless.

== Other Helper Tools ==

Though these are not actual plugins, they are helpful tools for obtaining output from the [[Volatility Framework]].

* [http://volatility.googlecode.com/files/vol-Report%28win%29.zip VolReport(win)] (By [http://volatility.googlecode.com/files/VolReport%28win%29_%20Simple%20Aggregation%20for%20Volatility%20Output.pdf SAL])
* [http://forensiczone.blogspot.com/2009/10/volatility-batch-file-maker.html Volatility Batch File Maker] (By [http://forensiczone.blogspot.com/2009/10/walk-through-volatility-batch-file.html Richard McQuown])


Libuna

From ForensicsWiki

{{Infobox_Software |
  name = libuna |
  maintainer = [[Joachim Metz]] |
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
  genre = {{Analysis}} |
  license = {{LGPL}} |
  website = [http://libuna.sourceforge.net libuna.sourceforge.net] |
}}

The '''libuna''' package contains a [[Linux]]-based library and applications to read and write the [[Text File (TXT)]] format in different character encodings.

Libuna currently supports:

* Basic ASCII
* Extended ASCII with [[Windows]] codepages 1250, 1251, 1252, 1253, 1254, 1255, 1256, 1257, 1258
* UTF-8, UTF-16, UTF-32

It was ported to other platforms such as [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]] and [[Windows]] as well.

== History ==

Libuna was created by [[Joachim Metz]] in 2008, while working for [http://en.hoffmannbv.nl/ Hoffmann Investigations]. The code pages are based on [http://www.gnu.org/software/libiconv/ libiconv] and documentation made available by [[Microsoft]].

Currently libuna mainly supports the Windows codepages, so that it can convert them when they are encountered in file formats that use them.

Libuna is intended as a character encoding support library and is used in:

* [[libewf]]
* [[libnk2]]
* [[libpff]]

== Tools ==

The '''libuna''' package contains the following tools:

* '''unaexport''', which exports plain text files in different encodings. It also allows end-of-line conversion and control over the byte order mark (BOM).

== External Links ==

* [http://libuna.sourceforge.net libuna project site]
Revision as of 06:49, 31 January 2009
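The Libuna page above describes unaexport as a tool that re-encodes plain text between the listed encodings (ASCII, Windows codepages 1250-1258, UTF-8/16/32) with end-of-line conversion and control over the byte order mark. The following is an added example, written for this page and not libuna's own code, that implements the same steps in Python: sniff a BOM to identify the input encoding, fall back to strict UTF-8 and then to a Windows codepage when no BOM is present, normalise line endings, and re-encode with or without a BOM. The function names, the fallback order, and the sample byte strings are assumptions of this example; the cp1250 and cp1252 cases show the practitioner's caveat that a codepage guess is only a heuristic, since a byte such as 0xB3 decodes to a different character in each codepage.

```python
"""Text re-encoding with BOM and end-of-line handling (added example, not libuna code)."""
import codecs
from typing import Optional, Tuple

# BOMs for the Unicode encodings libuna lists. UTF-32 LE must be checked before
# UTF-16 LE because its BOM (FF FE 00 00) starts with the UTF-16 LE BOM (FF FE).
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]
BOM_FOR = {enc: bom for bom, enc in BOMS}


def sniff_bom(data: bytes) -> Tuple[Optional[str], int]:
    """Return (encoding, bom_length) if data starts with a known BOM, else (None, 0)."""
    for bom, enc in BOMS:
        if data.startswith(bom):
            return enc, len(bom)
    return None, 0


def decode_text(data: bytes, fallback: str = "cp1252") -> Tuple[str, str]:
    """Decode bytes to str and report the encoding used.

    A BOM, when present, is authoritative. Without one the input is tried as
    strict UTF-8 first (pure ASCII also passes this), and only if that fails is
    the caller's Windows codepage assumed. The codepage choice is a heuristic:
    any byte decodes under every single-byte codepage, just to different characters.
    """
    enc, n = sniff_bom(data)
    if enc is not None:
        return data[n:].decode(enc), enc
    try:
        return data.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        return data.decode(fallback), fallback


def encode_text(text: str, encoding: str, newline: str = "\n", bom: bool = False) -> bytes:
    """Normalise line endings to `newline`, encode, and optionally prepend a BOM.

    A BOM is only meaningful for the Unicode encodings; asking for one with a
    codepage is rejected rather than silently emitting stray bytes.
    """
    normalised = text.replace("\r\n", "\n").replace("\r", "\n").replace("\n", newline)
    out = normalised.encode(encoding)
    if bom:
        if encoding not in BOM_FOR:
            raise ValueError(f"no byte order mark defined for {encoding}")
        out = BOM_FOR[encoding] + out
    return out


def convert(data: bytes, to_encoding: str, newline: str = "\n",
            bom: bool = False, fallback: str = "cp1252") -> bytes:
    """Full unaexport-style pipeline: detect, decode, normalise, re-encode."""
    text, _ = decode_text(data, fallback=fallback)
    return encode_text(text, to_encoding, newline=newline, bom=bom)


if __name__ == "__main__":
    # Constructed sample inputs (not from any real file).
    samples = {
        "utf-8 with BOM": codecs.BOM_UTF8 + "caf\u00e9\r\n".encode("utf-8"),
        "utf-16-le with BOM": codecs.BOM_UTF16_LE + "caf\u00e9\r\n".encode("utf-16-le"),
        "cp1252, no BOM": b"caf\xe9\r\n",
        "utf-8, no BOM": b"caf\xc3\xa9\r\n",
    }
    for label, raw in samples.items():
        text, used = decode_text(raw)
        print(f"{label:20s} -> {used:10s} {text!r}")
    # Same byte, different codepage: 0xB3 is '\u0142' in cp1250 but '\u00b3' in cp1252.
    print(decode_text(b"\xb3", fallback="cp1250"), decode_text(b"\xb3", fallback="cp1252"))
    print(convert(b"a\r\nb\rc\n", "utf-16-le", newline="\n", bom=True))
```

The UTF-8-before-codepage order is deliberate: a file that decodes as strict UTF-8 almost always is UTF-8, whereas every byte sequence decodes under a single-byte codepage, so trying the codepage first would never fail and would silently mangle UTF-8 input.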