forked from volatilityfoundation/volatility
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGELOG.txt
689 lines (615 loc) · 23.3 KB
/
CHANGELOG.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
Changelog
As of Volatility 2.4, all changes are now tracked on the GitHub site:
https://github.com/volatilityfoundation/volatility
Volatility 2.0-2.3: all changes were tracked on the Google Code site:
http://code.google.com/p/volatility/source/list
04.8.2009 Volatility-1.3.1 moyix
* Update: Introduce BufferAddressSpace and refactor
* Files:
forensics/addrspace.py
forensics/object.py
Description:
Added a new BufferAddressSpace class that acts like a regular
FileAddressSpace, but can be instantiated from a string buffer.
This allows any function that expects an address space to work on
a buffer instead. Also refactored the *_buf functions in object.py
to use this class instead (reduces code duplication). Thanks to
Michael Cohen for the idea.
04.8.2009 Volatility-1.3.1 moyix
* Update: Add support for inactive hiberfiles to hibinfo
* Files:
forensics/win32/hiber_addrspace.py
Description:
Added the ability to convert hibernation files that are in the
"inactive" state (their first page is zeroed) to dd format. It is
still not possible to run Volatility directly on such files, but
they can now be converted for analysis. Thanks to Jon Evans for
the suggestion.
04.8.2009 Volatility-1.3.1 moyix
* Update: Pool scanning enhancements
* Files:
forensics/win32/scan2.py
forensics/object.py
Description:
Incorporated new functions written by Andreas Schuster to allow
more fine-grained checks in pool scanners, and modularize some of
the accessors (get_poolsize, get_poolsize, etc.). The patch also
adds read_unicode_string_buf and read_string_buf, which operate on
string buffers. Thanks to Andreas Schuster for the patch.
04.7.2009 Volatility-1.3 awalters
* Update: Handle table parsing
* Files:
forensics/win32/handles.py
Description:
Updated handle parsing code to fix typo. It was not
adding the correct offset for Level 3 tables. It was also
not traversing all the entries. Thanks to Brendan Dolan-Gavitt.
04.7.2009 Volatility-1.3 awalters
* Update: Network Offsets
* Files:
forensics/win32/network.py
Description:
Added new offset updates. Thanks to Jun Koi.
03.17.2009 Volatility-1.3 awalters
* Update: x86.py robustness
* Files:
forensics/x86.py
Description:
Added more robustness to the x86 address space. This time
it focused on PAE. Certain samples were reading outside of
the physical address space. Thanks to Brendan Dolan-Gavitt for patch.
03.17.2009 Volatility-1.3.1 awalters
* Bug: Hiberfil Address space w
* Files:
forensics\win32\hiber_addrspace.py
Description:
Needed to import the PAE address space. This only meant
that hibinfo was having some issue. It would still process
hiberfil's just fine. Thanks to Andreas Schuster for the bug report.
03.17.2009 Volatility-1.3.1 awalters
* Update: New version of tcp driver needed new offsets in SP3
* Files:
forensics/win32/network.py
forensics/win32/scan2.py
forensics/win32/scan.py
Description:
Added new offsets to network to handle new driver. Updated scan2
and scan as well to support new pool allocation size. Thanks to Brendan
Dolan-Gavitt.
02.22.2009 Volatility-1.3.1 awalters
* Update: procdump check peb
* Files:
vmodules.py
Description:
Added a check to make sure that the PEB is memory resident.
02.05.2009 Volatility-1.3.1 awalters
* Update: Handle parsing
* Files:
forensics/win32/handles.py
vmodules.py
Description:
Updated handle parsing code to correctly handle middle
and upper layer handles in multi-level schemes. Also
changed files to now use the common parsing code.
12.11.2008 Volatility-1.3.1 awalters
* Update: Plugin Generators
* Files:
forensics/commands.py
memory_plugins/example4.py
vutils.py
Description:
Added the ability to use generators in your plugins. This
is extremely powerful and allows us to support arbitrary
output formats. Thanks to Michael Cohen for the patch.
12.11.2008 Volatility-1.3.1 awalters
* Update: Object Inheritance
* Files:
forensics/object2.py
forensics/registry.py
memory_plugins/example3.py
Description:
Plugins creators are now able to express an inheritance order
associated with an object. The default is the Profile objects.
This fixes a problem associated with collisions. Thanks to
Cameron C Caffee for the bug report and thanks to Brendan
Dolan-Gavitt and Michael Cohen for insightful discussions.
12.10.2008 Volatility-1.3.1 awalters
* Update: lists.py
* Files:
forensics/win32/lists.py
Description:
Added Brendan Dolan-Gavitt lists.py file for traversing kernel
linked lists. Thanks Brendan.
12.06.2008 Volatility-1.3.1 awalters
* Bug: Crashdump base address space
* Files:
forensics/win32/tasks.py
Description:
Changed find_csdversion so that it does not pass in the filename.
Made fname an optional parameter to process_addr_space since it is
no longer being used and only maintained for backward compatibility.
Thanks to Richard Austin for the bug report.
11.25.2008 Volatility-1.3.1 awalters
* Bug: modules_list
* Files:
forensics/win32/modules.py
Description:
Added a check to make sure both PsLoadedModuleList and this
module were defined.
11.25.2008 Volatility-1.3.1 awalters
* Update: Tabs and spaces
* Files:
Too Many
Description:
Spent some quality time with the tab nanny.
11.25.2008 Volatility-1.3.1 awalters
* Bug: Added more checks for registry objects
* Files:
forensics/win32/registry.py
Description:
Added more checks in print_entry_keys for invalid pages.
Some of the key path was crossing page boundaries so more
checks needed to be added. Thanks to Christian Herndler
for the bug report.
11.22.2008 Volatility-1.3.1 awalters
* Update: get_obj_offset no longer modifies passed in list
* Files:
forensics/object.py
Description:
get_obj_offset previously modified the passed-in list used
to represent type information. Now it works on a copy to
prevent unexpected behavior. Thanks to Brendan Dolan-Gavitt
for the update.
11.17.2008 Volatility-1.3.1 awalters
* Bug: Checks to make sure KeyControlBlock is a valid address
* Files:
forensics/win32/registry.py
Description:
print_entry_keys has been updated to check that KeyControlBlock
is a valid address. Thanks to Christian Herndler for the bug
report and Brendan Dolan-Gavitt for the bug fix.
11.15.2008 Volatility-1.3.1 awalters
* Update: removed sha module from crashdump
* Files:
forensics/win32/crashdump.py
Description:
Removed the attempt to import the sha module since it generates
a warning with Python 2.6. Thanks to STC for reporting the issue.
11.14.2008 Volatility-1.3.1 awalters
* Bug: added more checks in object parsing for invalid pages
* Files:
forensics/win32/handles.py
forensics/win32/registry.py
vmodules.py
Description:
Added more checks for invalid pages while processing the
object directory. Thanks to Christian Herndler for the bug
report.
11.03.2008 Volatility-1.3.1 awalters
* Bug: Python 2.5 finally
* Files:
vmodules.py
Description:
Removed the finally clause that is only available in Python 2.5.
Thanks to Cameron Caffee for the bug report and Brendan Dolan-Gavitt
for the bug fix.
10.17.2008 Volatility-1.3.1 awalters
* Bug: Checking for invalid pages
* Files:
forensics/object2.py
Description:
Added more checks to object2 to makes sure the addresses
being accessed are valid. If not, then they now return a None.
Thanks to Jesse Kornblum for submitting a patch.
9.27.2008 Volatility-1.3.1 awalters
* Update: plugin directory now relative to registry
* Files:
forensics/registry.py
Description:
The plugin search is now performed relative to registry.py. Thanks
to Michael Cohen for the patch.
9.4.2008 Volatility-1.3.1 awalters
* Bug: length bug in hiberaddrspace
* Files:
forensics\win32\hiber_addrspace.py
Description:
We were referencing an undefined length variable. Thanks
to Andreas Schuster for sending the patch.
9.4.2008 Volatility-1.3.1 awalters
* Update: Find the plugin modules
* Files:
forensics/registry.py
Description:
Added the absolute path to search for dynamic plugins. This allows
volatility to be called from anywhere on the system. Thanks
to Andreas Schuster for sending the patch.
8.14.2008 Volatility-1.3 awalters
* Update: x86.py robustness
* Files:
forensics/x86.py
Description:
Added more robustness to the x86 address space. Thanks to Brendan
Dolan-Gavitt for sending in a bug report.
8.14.2008 Volatility-1.3 awalters
* Update: Standardized _LDR_MODULE -> _LDR_DATA_TABLE_ENTRY
* Files:
forensics/win32/modules.py
forensics/win32/scan.py
forensics/win32/scan2.py
Description:
Changed the data type names to make them more standardized across
operating system versions. Thanks Brendan Dolan-Gavitt for
sending in update request.
6.26.2008 Volatility-1.3 awalters
* Bug: regobjkey initialize list
* Files:
vmodules.py
Description:
When specifying a offset for regobjkey the list
had not been initialized yet. Thanks to Brendan Dolan-Gavitt
for sending in a bug report.
6.24.2008 Volatility-1.3 awalters
* Update: 64-bit hosts
* Files:
forensics/object.py
forensics/win32/crashdump.py
forensics/win32/scan2.py
forensics/win32/network.py
forensics/win32/executable.py
Description:
Updated so that modules will work correctly
when run from 64-bit hosts using python 2.5.
Thanks to sham for sending in the bug report.
6.23.2008 Volatility-1.3 awalters
* Bug: Non-resident Vad address
* Files:
forensics/win32/vad.py
vmodules.py
Description:
Updated the vad modules to handle
invalid addresses in low memory situations.
Thanks to Bryan D. Payne for sending in
a bug report.
6.23.2008 Volatility-1.3 awalters
* Bug: Handle count paged
* Files:
forensics/win32/tasks.py
Description:
Received a sample where the ObjectTable
was not a valid address. Added a check to make
sure it is valid. Thanks to Bryan D. Payne
for sending in a bug report.
6.22.2008 Volatility-1.3 awalters
* Update: Ident info
* Files:
forensics/win32/tasks.py
vutils.py
Description:
Updated ident command so that it correctly
finds the version of XP, now that we have
support for SP3. Thanks to jeremie0 for noticing
and to Brendan Dolan-Gavitt for helping with
the fix.
6.11.2008 Volatility-1.3 awalters
* Update: Array Types
* Files:
forensics/object2.py
Description:
Changed arrays so that they now return objects
in cases where they are not native types. Thanks
to Brendan Dolan-Gavitt for the update!
6.8.2008 Volatility-1.3 awalters
* Bug: Invalid page directories
* Files:
vmodules.py
Description:
Added code to catch the cases when we encounter
invalid page directories. Thanks to both Angelo Cavallini
and Brendan Dolan-Gavitt for reporting this bug.
6.8.2008 Volatility-1.3 awalters
* Update: potential bad string characters (unicode escaping)
* Files:
forensics/win32/scan2.py
forensics/object.py
Description:
Attempting to standardize error handling related to unicode
conversions. Thus we are now passing an explicit error
string argument. Thanks to Brendan Dolan-Gavitt.
6.8.2008 Volatility-1.3 awalters
* Update: psscan2 check_dtb
* Files:
forensics/win32/scan2.py
Description:
Added a check from psscan to psscan2 in the
check_dtb constraint to make sure the DTB
had a value. Thanks Andreas Schuster!
6.7.2008 Volatility-1.3 awalters
* Update: SP3 support
* Files:
forensics/win32/network.py
Description:
Made changes to support SP3.
5.21.2008 Volatility-1.3 awalters
* Update: Changed create_addr_space api
* Files:
forensics/win32/tasks.py
memory_objects/Windows/xp_sp2.py
memory_plugins/example2.py
memory_plugins/example3.py
vmodules.py
Description:
Changed the create_addr_space API so that it does
not require types or filname. This was an
artifact of the way the function used to work.
5.17.2008 Volatility-1.3 awalters
* Feature: New Object Model
* Files:
forensics/registry.py
memory_objects/Windows/xp_sp2.py
memory_plugins/example3.py
forensics/object2.py
forensics/win32/meta_info.py
vutils.py
Description:
Added a new object model to make navigating the data
structures more intuitive. All future modules will be
transition to use this new model. Thanks to Brendan
Dolan-Gavitt for all his help!
5.14.2008 Volatility-1.3 awalters
* Feature: Plugin Architecture
* Files:
forensics/commands.py
forensics/registry.py
volatility
memory_plugins/example1.py
memory_plugins/example2.py
Description:
Added an entirely new plugin infrastructure. Now it is
possible to load the commands dynamically just by adding
them to the correct directory. This will allow people
to support their own modules. This work is based on a
similar registry implementation found in PyFlag.
Thanks to Michael Cohen and David Collett for the great
work they have done and help getting this code integrated.
5.13.2008 Volatility-1.3 awalters
* Feature: Hiberfil support
* Files:
vmodules.py
volatility
forensics/win32/hiber_addrspace.py
forensics/win32/xpress.py
forensics/win32/scan.py
forensics/win32/network.py
forensics/win32/datetime.py
Description:
Added native hiberfil support. Also added the ability
to convert from hiberfil to linear format. Now all the
commands can be run against hiberfils natively. This
is accomplished through the new hiberfil address space.
Thanks to Matthieu Suiche and Brendan Dolan-Gavitt for
all the great work they have done with hiberfil parsing
and the xpress compression algorithm.
5.13.2008 Volatility-1.3 awalters
* Feature: New scanning infrastructure
* Files:
vmodules.py
volatility
forensics/win32/scan2.py
forensics/win32/globals.py
forensics/win32/crash_addrspace.py
forensics/win32/datetime.py
Description:
Added an entirely new OO scanning infrastructure. This allows
for extremely fast scanning and easier scanning across the
logical address spaces. As part of this we also ported the
scanning modules over to the new infrastructure. Thanks to
Michael Cohen and Andreas Schuster for the help and ideas
to get this working!
5.7.2008 Volatility-1.3 awalters
* Bug: get_available_addresses
* Files:
forensics/x86.py
vmodules.py
volatility
Description:
Fixed an off by 1 error in get_available_address for
non-pae machines that seemed to have crept back in. Also
changed the name of usrdmp to memdmp since it is really
dumping a processes addressable memory. Thanks Eoghan Casey!
4.30.2008 Volatility-1.3 awalters
* New Module: procdump
* Files:
forensics/win32/executable.py
vtypes.py
vmodules.py
Description:
Added a new module that will allow the analyst to extract
the executable from memory for further analysis. Thanks to
Brendan Dolan-Gavitt for all your hard work!
4.28.2008 Volatility-1.3 awalters
* Bug: open registry keys
* Files:
forensics/win32/handles.py
Description:
During testing Brendan found a bug when processing object types.
It would have been possible to enumerate KeyedEvents. Thanks
Brendan Dolan-Gavitt!
4.28.2008 Volatility-1.3 awalters
* New Module: regobjkey
* Files:
vmodules.py
forensics/win32/registry.py
forensics/win32/handles.py
vtypes.py
Description:
Added a new module that will allow an analyst to dump the open
registry keys found in the object table. Thanks to
Brendan Dolan-Gavitt for his contributions!
4.27.2008 Volatility-1.3 awalters
* Feature: psscan dot format
* Files:
vmodules.py
forensics/win32/scan.py
Description:
Added the ability to print the output of psscan in dot format.
Similar to that available by ptfinder by Andreas Schuster. This
was requested by Eoghan Casey.
4.23.2008 Volatility-1.3 awalters
* Useability: Pass pid or EPROCESS offset
Files:
vmodules.py
forensics/win32/handles.py
Description:
Added the ability to dump files and dlllist by pid or EPROCESS
offset. One reason this was asked for was to deal with data
only attacks which may remove the process from process list.
Thanks to Eoghan Casey for the feedback!
4.23.2008 Volatility-1.3 awalters
* New Modules: dmp2raw, raw2dmp
Files:
vtypes.py
vmodules.py
forensics/win32/crashdump.py
forensics/win32/info.py
forensics/win32/tasks.py
Description:
Added modules to convert from raw dumps to crash dumps and vice
versa. Thanks to Andreas Schuster for helping to get this started
and thanks to Brendan Dolan-Gavitt for helping get it perfected!
4.23.2008 Volatility-1.3 awalters
* Optimization: KUSER_SHARED_DATA
Files:
vmodules.py
Description:
Changed KUSER_SHARED_DATA in get_image_info and get_datetime to
point to 0xFFDF0000 instead of 0x7ffe0000. Thanks Brendan
Dolan-Gavitt!
4.1.2008 Volatility-1.2.3pre awalters
* Bug: socket crash
Files:
forensics/win32/network.py
Description:
In get_open_sockets, we needed to make sure that the AddrObjAddr
and AddrTableSize were not none and if they were fail gracefully.
Thanks to Eoghan Casey for the bug report.
3.3.2008 Volatility-1.2.3pre awalters
* Bug: get_obj_offset() non-builtin
Files:
forensics/object.py
Description:
Modified get_obj_offset to support arrays of non-builtin types.
Thanks Brendan Dolan-Gavitt!
2.27.2008 Volatility-1.2.3pre awalters
* Bug: Not traversing complete module list
Files:
forensics/win32/modules.py
Description:
Traversing the module list should not stop when it reaches a None but
continue to the next module
2.27.2008 Volatility-1.2.3pre awalters
* Bug: is_valid_address(addr)
Files:
forensics/addrspace.py
forensics/x86.py
Description:
is_valid_address was failing to check if addr was None. This was found
by analyzing hiberfile images. Thanks to Brendan Dolan-Gavitt and
Andreas Schuster for helping me find the problem!
2.25.2008 Volatility-1.2.3pre awalters
* Bug: hidden processes
Files:
vmodules.py
Description:
Both usrdmp and memmap were unable to handle hidden processes. They
can now be passed the offset to an EPROCESS object. Thanks to Eoghan
Casey for the bug report.
12.28.2007 Volatility-1.2.3pre awalters
* Bug: 64 bit
Files:
forensics/addrspace.py
forensics/object.py
forensics/win32/scan.py
forensics/x86.py
forensics/win32/crash_addrspace.py
Description:
Fixed a bug that occurs when people are running Python 2.5 on
a 64 bit OS. Python 2.5 changed the way that Python native types
are stored and thus changed the unpack usage. Thanks to Jamie Levy
and students!
11.28.2007 Volatility-1.2.2pre awalters
* Bug: memmap
Files:
vmodules.py
Description:
mem_map fixed so that you can specifiy a particular process.
11.28.2007 Volatility-1.2.2pre awalters
* Bug: dtb_aligned
Files:
forensics/win32/scan.py
Description:
On systems using PAE, EPROCESS.DirectoryTableBase actually
points to the base of the page directory pointer array.
Thanks Andreas Schuster.
11.27.2007 Volatility-1.2.2pre awalters
* Optimization: find_dtb
Files:
forensics/win32/tasks.py
Description:
Dramatically reduced the time for find_dtb. Thanks Michael Cohen.
09.21.2007 Volatility-1.2.1pre awalters
* New Module: usrdmp
Files:
vmodules.py
Description:
Dumps a processes address space. Thanks Eoghan Casey.
09.20.2007 Volatility-1.2pre awalters
* New Module: modscan
Files:
vmodules.py
forensics/win32/scan.py
forensics/win32/globals.py
Description:
Performs a linear scan for memory resident Windows modules. Contributed by Andreas Schuster.
* New Module: memmap
Files:
vmodules.py
forensics/x86.py
Description:
Provides a map of the virtual to physical address translations within
a particular address space. Based on similar tools by Andreas
Schuster (memdump.pl) and Brendan Dolan-Gavitt (memdump.py).
* New Module: dmpchk
Files:
vmodules.py
forensics/win32/crash_addrspace.py
Description:
Prints auxiliary information about the crash dump file.
* New Module: WindowsCrashDumpSpace32
Files:
forensics/x86.py
forensics/win32/crash_addrspace.py
Description:
Provides the ability to use crash dumps as input to Volatility. This is
accomplished through the use of stackable address spaces. Contributions
from Andreas Schuster.
* New Feature: get_available_pages()
Files:
forensics/x86.py
Description:
This functions allows an investigator to find all available pages within a particular address space. Thanks Brendan Dolan-Gavitt.
* New Feature: zread()
Files:
forensics/x86.py
forensics/addrspace.py
forensics/win32/crash_addrspace.py
Description:
Added the ability to continuing reading even if pages are unavailable.
Invalid pages are replaced with zeros. Thanks Brendan Dolan-Gavitt.
07.31.2007 Volatility-1.1.1 awalters
* Virtual Address Descriptor modules: vadinfo, vaddump, vadwalk. Based on the research of Brendan Dolan-Gavitt to be presented at DFRWS 2007
* Constraint based linear scanning framework. New modules include psscan, thrdscan, sockscan, connscan. Inspired by the work of Andreas Schuster.
* Completely open source. No third-party closed source dependencies.
* Auto-identification speed enhancements
* Bug fixes in network and socket modules
* Removed symbol dependencies
* Multiprocessor support