Added light mode in volatility threads plugin

Cisco-Talos · Jul 8, 2019 · caf8f95 · caf8f95
1 parent a40b596
commit caf8f95
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/volatility/volatility/plugins/malware/threads.py b/volatility/volatility/plugins/malware/threads.py
@@ -257,6 +257,10 @@ def __init__(self, config, *args, **kwargs):
 
         config.add_option("LISTTAGS", short_option = 'L', default = False,
                           action = 'store_true', help = 'List all available tags')
+        if 'light_mode' in kwargs:
+            self.light_mode = True
+        else:
+            self.light_mode = False
 
     def get_hooked_tables(self, addr_space):
         """This function finds SSDTs in an address space, checks
@@ -351,7 +355,7 @@ def calculate(self):
             get("memory_model", "32bit") == "32bit"
 
         # Get a list of hooked SSDTs but only on x86
-        if self.bits32:
+        if not self.light_mode and self.bits32:
             hooked_tables = self.get_hooked_tables(addr_space)
         else:
             hooked_tables = None
@@ -368,10 +372,11 @@ def calculate(self):
                     list_of_type("_ETHREAD", "ThreadListEntry"):
                 seen_threads[thread.obj_vm.vtop(thread.obj_offset)] = (False, thread)
 
-        # Now scan for threads and save any that haven't been seen
-        for thread in modscan.ThrdScan(self._config).calculate():
-            if not seen_threads.has_key(thread.obj_offset):
-                seen_threads[thread.obj_offset] = (True, thread)
+        if not self.light_mode:
+            # Now scan for threads and save any that haven't been seen
+            for thread in modscan.ThrdScan(self._config).calculate():
+                if not seen_threads.has_key(thread.obj_offset):
+                    seen_threads[thread.obj_offset] = (True, thread)
 
         # Keep a record of processes whose DLLs we've already enumerated
         process_dll_info = {}