
Feature: implement VADTree plugin. #753

Draft
wants to merge 13 commits into
base: develop

Conversation

digitalisx
Contributor

@digitalisx digitalisx commented May 29, 2022

Description

Hello, everyone in the community! 😃
There are some plugins that have not been implemented as they were updated from Volatility 2 to 3.
I found that the VADTree plugin has not yet been migrated to 3.
So I implemented (or ported) the VADTree plugin according to the Volatility 3 structure.

Command

Help Command

> python3 vol.py -h
windows.vadtree.VadTree Walk the VAD tree and display in tree format.

Run Command

> python3 vol.py -f case.vmem windows.vadtree

Result

> python3 vol.py -f case.vmem -r pretty windows.vadtree --pid=508 
Volatility 3 Framework 2.2.0
Formatting...0.00               PDB scanning finished                        
         | PID |   Process |         Offset | Type |          Start |            End |  Tag
*        | 508 | csrss.exe | 0x97065bf58dd0 |  N/A |  0x1842f7a0000 |  0x1842f7a0fff | VadS
**       | 508 | csrss.exe | 0x97065bf575c0 |  N/A |  0x1842da00000 |  0x1842dbfffff | VadS
***      | 508 | csrss.exe | 0x97065bf58b00 |  N/A |   0x6086fc0000 |   0x6086ffffff | VadS
****     | 508 | csrss.exe | 0x97065bf57520 |  N/A |   0x6086e80000 |   0x6086ebffff | VadS
*****    | 508 | csrss.exe | 0x97065b6771f0 |  N/A |     0x7ffe2000 |     0x7ffe2fff | VadS
******   | 508 | csrss.exe | 0x97065b6777e0 |  N/A |     0x7ffe0000 |     0x7ffe0fff | VadS
******   | 508 | csrss.exe | 0x97065b677650 |  N/A |   0x6086c00000 |   0x6086dfffff | VadS
*******  | 508 | csrss.exe | 0x97065bf58ec0 |  N/A |   0x6086ba0000 |   0x6086bdffff | VadS
*****    | 508 | csrss.exe | 0x97065bf5cbb0 |  N/A |   0x6086f00000 |   0x6086f3ffff | VadS
******   | 508 | csrss.exe | 0x97065bf58ab0 |  N/A |   0x6086ec0000 |   0x6086efffff | VadS
******   | 508 | csrss.exe | 0x97065bf58a60 |  N/A |   0x6086f80000 |   0x6086fbffff | VadS
****     | 508 | csrss.exe | 0x97065bf57840 | Heap |  0x1842d8c0000 |  0x1842d8cafff | VadS
*****    | 508 | csrss.exe | 0x97065b481a60 | File |  0x1842d880000 |  0x1842d880fff | Vad 
******   | 508 | csrss.exe | 0x97065bf58f60 |  N/A |   0x6087040000 |   0x608707ffff | VadS
*******  | 508 | csrss.exe | 0x97065bf58d30 |  N/A |   0x6087000000 |   0x608703ffff | VadS
*******  | 508 | csrss.exe | 0x97065bf59fa0 |  N/A |   0x6087080000 |   0x60870bffff | VadS

However, I am still implementing the logic for deciding the VAD Type, so I am leaving this as a draft PR.
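To make the tree format above concrete, here is an added example (not the PR's or Volatility's code) that models the walk behind such a plugin: a pre-order traversal of an address-keyed VAD tree with a visited set so a cycle in a smeared or tampered tree cannot hang the walk, an ordering check, and the per-depth '*' prefix of the pretty renderer. The `Vad` class, its field names and every offset and range in `sample_tree()` are constructed stand-ins for the real `_MMVAD` structures.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

PAGE_SHIFT = 12  # VPNs are page numbers; Start address = StartingVpn << 12


@dataclass
class Vad:
    """Constructed stand-in for an _MMVAD node (not Volatility's real type)."""
    offset: int        # where the node lives in the memory image
    start_vpn: int     # StartingVpn
    end_vpn: int       # EndingVpn (inclusive)
    tag: str = "VadS"  # pool tag: 'VadS' short node, 'Vad ' full node
    left: Optional["Vad"] = None
    right: Optional["Vad"] = None

    @property
    def start(self) -> int:
        return self.start_vpn << PAGE_SHIFT

    @property
    def end(self) -> int:
        return ((self.end_vpn + 1) << PAGE_SHIFT) - 1


def walk(node: Optional[Vad], depth: int = 0, seen=None) -> Iterator[Tuple[int, Vad]]:
    """Pre-order walk (node, left subtree, right subtree) that reports depth.
    `seen` stops the walk on a revisited offset, so a cyclic tree terminates."""
    seen = set() if seen is None else seen
    if node is None or node.offset in seen:
        return
    seen.add(node.offset)
    yield depth, node
    yield from walk(node.left, depth + 1, seen)
    yield from walk(node.right, depth + 1, seen)


def check_ordering(node: Optional[Vad], lo: int = 0, hi: int = 1 << 64) -> bool:
    """The VAD tree is keyed by address: each node's range must lie inside the
    window its ancestors impose. Assumes an acyclic tree (run walk() first)."""
    if node is None:
        return True
    if not (lo <= node.start and node.end < hi):
        return False
    return check_ordering(node.left, lo, node.start) and check_ordering(node.right, node.end + 1, hi)


def render(root: Vad) -> List[str]:
    """One row per node, one '*' per depth level as in the pretty renderer."""
    return [f"{'*' * (d + 1):<8} | {v.offset:#x} | {v.start:#x} | {v.end:#x} | {v.tag}"
            for d, v in walk(root)]


def sample_tree() -> Vad:
    """Constructed tree; all offsets and ranges are made up for this example."""
    kuser = Vad(0x1000, 0x7ffe0, 0x7ffe0)                       # 0x7ffe0000-0x7ffe0fff
    image = Vad(0x3000, 0x7ff00, 0x7ff0f, right=kuser)          # 0x7ff00000-0x7ff0ffff
    heap = Vad(0x2000, 0x10000, 0x1000f, "Vad ")                # 0x10000000-0x1000ffff
    return Vad(0x4000, 0x40000, 0x4000f, left=heap, right=image)  # 0x40000000-0x4000ffff
```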

@digitalisx
Contributor Author

Added a description of the PR that was quickly submitted as a draft to handle this issue (#731).
This is still within my interest and scope of work. 🙂
