Info Register Plugin

It has been tested on 32-bit x86 systems running Linux.

It should be quite easy to add x64 support (Do you agree Dutchy?) :)

Installation

cp inforegs.py volatility/plugins/linux/

Usage

Run the linux_psaux plugin to list processes and their PIDs:

...
2179   1000   1000   i3
3095   1000   1000   -bash
3220   1000   1000   ./waiter
...

Run the info_regs plugin (-h lists the options; -p selects the PID to dump):

09:58:41 emdel -> python vol.py -f /home/emdel/firewire/waiter_0x02.ram --profile=LinuxLinuxKVM_3_6_0-rc3+x86 info_regs -h
Volatile Systems Volatility Framework 2.3_alpha
Usage: Volatility - A memory forensics analysis platform.

Options:
-h, --help            list all available options and their default values.
                    Default values may be set in the configuration file (/etc/volatilityrc)
--conf-file=/home/emdel/.volatilityrc
                    User based configuration file
-d, --debug           Debug volatility
--plugins=PLUGINS     Additional plugin directories to use (colon separated)
--info                Print information about all registered objects
--cache-directory=/home/emdel/.cache/volatility
                    Directory where cache files are stored
--cache               Use caching
--tz=TZ               Sets the timezone for displaying timestamps
-f FILENAME, --filename=FILENAME
                    Filename to use when opening an image
--profile=LinuxLinuxKVM_3_6_0-rc3+x86
                    Name of the profile to load
-l file:///home/emdel/firewire/waiter_0x02.ram, --location=file:///home/emdel/firewire/waiter_0x02.ram
                    A URN location from which to load an address space
-w, --write           Enable write support
--use-old-as          Use the legacy address spaces
--dtb=DTB             DTB Address
--cache-dtb           Cache virtual to physical mappings
--output=text         Output in this format (format support is module
                    specific)
--output-file=OUTPUT_FILE
                    write output in this file
-v, --verbose         Verbose information
--shift=SHIFT         Mac KASLR shift address
-g KDBG, --kdbg=KDBG  Specify a specific KDBG virtual address
-k KPCR, --kpcr=KPCR  Specify a specific KPCR address
-p PID, --pid=PID     Operate on these Process IDs (comma-separated)

---------------------------------
Module info_regs
---------------------------------
It's like 'info registers' in GDB. It prints out all the 
	processor registers involved during the context switch.
09:57:48 emdel -> python vol.py -f /home/emdel/firewire/waiter_0x02.ram --profile=LinuxLinuxKVM_3_6_0-rc3+x86 info_regs -p 2179
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj      : Overlay structure tty_struct not present in vtypes
	>> Name: i3  - PID: 2179
		ebx: 	00000005
		ecx: 	08297930
		edx: 	00000040
		esi: 	0000e95f
		edi: 	00000003
		ebp: 	00000000
		eax: 	00000100
		ds: 	0000007b
		es: 	0000007b
		fs: 	00000000
		gs: 	00000033
		eip: 	b776e424
		cs: 	00000073
		eflags: 	00200246
		esp: 	bfcce644
		ss: 	0000007b


09:58:29 emdel -> python vol.py -f /home/emdel/firewire/waiter_0x02.ram --profile=LinuxLinuxKVM_3_6_0-rc3+x86 info_regs -p 3220
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj      : Overlay structure tty_struct not present in vtypes
	>> Name: ./waiter  - PID: 3220
		ebx: 	00000000
		ecx: 	b7783000
		edx: 	00000400
		esi: 	b7767ac0
		edi: 	b7767a20
		ebp: 	b75c0900
		eax: 	fffffe00
		ds: 	0000007b
		es: 	0000007b
		fs: 	00000000
		gs: 	00000033
		eip: 	b7787424
		cs: 	00000073
		eflags: 	00200246
		esp: 	bffc1208
		ss: 	0000007b

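As an added example (not part of this repository), here is a small Python script that parses the register dump info_regs prints and decodes the fields an analyst checks first when validating a saved context: the segment selectors' requested privilege level (RPL 3 in cs means the task was saved while running in user mode), the individual EFLAGS bits, and eax as a signed 32-bit value (0xfffffe00 reads as -512). The input is the ./waiter dump above embedded as a string; the GDT index meanings mentioned in the comments describe the 32-bit Linux layout and are assumptions, not something the plugin itself reports.

```python
import re
from typing import Dict, List

# Constructed input: the info_regs output for ./waiter (PID 3220) shown above,
# copied into a string so the script runs without a memory image.
SAMPLE_DUMP = """
WARNING : volatility.obj      : Overlay structure tty_struct not present in vtypes
\t>> Name: ./waiter  - PID: 3220
\t\tebx: \t00000000
\t\tecx: \tb7783000
\t\tedx: \t00000400
\t\tesi: \tb7767ac0
\t\tedi: \tb7767a20
\t\tebp: \tb75c0900
\t\teax: \tfffffe00
\t\tds: \t0000007b
\t\tes: \t0000007b
\t\tfs: \t00000000
\t\tgs: \t00000033
\t\teip: \tb7787424
\t\tcs: \t00000073
\t\teflags: \t00200246
\t\tesp: \tbffc1208
\t\tss: \t0000007b
"""

# Single-bit EFLAGS fields by bit position (IOPL, bits 12-13, is handled separately).
EFLAGS_BITS = {0: "CF", 2: "PF", 4: "AF", 6: "ZF", 7: "SF", 8: "TF", 9: "IF",
               10: "DF", 11: "OF", 14: "NT", 16: "RF", 17: "VM", 18: "AC",
               19: "VIF", 20: "VIP", 21: "ID"}

HEADER_RE = re.compile(r">> Name:\s*(.+?)\s+-\s+PID:\s*(\d+)")
REG_RE = re.compile(r"^\s*([a-z]+):\s*([0-9a-fA-F]{8})\s*$", re.MULTILINE)


def parse_info_regs(text: str) -> dict:
    """Parse one process block of info_regs output into name, pid and a register map."""
    header = HEADER_RE.search(text)
    regs: Dict[str, int] = {}
    for m in REG_RE.finditer(text):
        regs[m.group(1)] = int(m.group(2), 16)
    return {
        "name": header.group(1) if header else None,
        "pid": int(header.group(2)) if header else None,
        "regs": regs,
    }


def decode_selector(sel: int) -> dict:
    """Split a segment selector into descriptor index, table indicator (0=GDT) and RPL."""
    return {"index": sel >> 3, "ti": (sel >> 2) & 1, "rpl": sel & 3}


def decode_eflags(val: int) -> List[str]:
    """Return the names of the set single-bit EFLAGS fields, lowest bit first."""
    return [name for bit, name in sorted(EFLAGS_BITS.items()) if val & (1 << bit)]


def iopl(val: int) -> int:
    """I/O privilege level field of EFLAGS (bits 12-13)."""
    return (val >> 12) & 3


def to_signed32(val: int) -> int:
    """Interpret a 32-bit register value as a signed integer (e.g. a negative errno)."""
    return val - (1 << 32) if val & 0x80000000 else val


def summarize(parsed: dict) -> dict:
    """Condense a parsed dump into the fields worth checking during triage."""
    regs = parsed["regs"]
    cs = decode_selector(regs["cs"])
    # RPL 3 in cs means the saved context was executing in ring 3 (user mode).
    # Assumption about the 32-bit Linux GDT layout: index 14 is __USER_CS,
    # index 15 is __USER_DS, and index 6 (gs = 0x33 here) is the first TLS entry.
    return {
        "name": parsed["name"],
        "pid": parsed["pid"],
        "mode": "user" if cs["rpl"] == 3 else "kernel",
        "cs_index": cs["index"],
        "eip": regs["eip"],
        "esp": regs["esp"],
        "flags": decode_eflags(regs["eflags"]),
        "iopl": iopl(regs["eflags"]),
        "eax_signed": to_signed32(regs["eax"]),
    }


if __name__ == "__main__":
    summary = summarize(parse_info_regs(SAMPLE_DUMP))
    for key, value in summary.items():
        print(f"{key:>10}: {value:#010x}" if key in ("eip", "esp") else f"{key:>10}: {value}")
```

A kernel-mode cs (RPL 0) or a non-zero IOPL in a dump for an ordinary user process would be worth a second look, since a task sleeping in a system call is normally saved with the user-mode selectors shown above.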
Happy hacking!

/emdel