# Using a notebook to perform memory analysis with Volatility

In [16]:
import copy
import json
import os
import StringIO

import pandas as pd

import volatility.addrspace as addrspace
import volatility.commands as commands
import volatility.conf as conf
import volatility.plugins.filescan as filescan
import volatility.plugins.taskmods as taskmods
import volatility.registry as registry

# Discover and load the Volatility plugin classes so filescan/taskmods can be
# instantiated below; the bare call also echoes its repr as the cell output.
registry.PluginImporter()

<volatility.registry.PluginImporter at 0x7f3e1e301cd0>

In [7]:
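# Memory image to analyse.  The absolute path below is a per-machine default;
# set the MEM_IMAGE environment variable to point the notebook at another
# image without editing this cell.  The path is only ever read, never written.
img_path = os.environ.get('MEM_IMAGE', '/home/juplab/memdump/APT.img')

# Volatility profile for the image, as reported by the 'imageinfo' plugin:
#   python vol.py -f APT.img imageinfo
# MEM_PROFILE overrides it in the same way.
img_profile = os.environ.get('MEM_PROFILE', 'WinXPSP3x86')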

In [8]:
def get_json(config, plugin_class):
    strio = StringIO.StringIO()
    plugin = plugin_class(copy.deepcopy(config))
    plugin.render_json(strio, plugin.calculate())
    return json.loads(strio.getvalue())

In [20]:
def get_config(profile, target_path):
    """Build a Volatility ConfObject for one image/profile pair.

    The global options of the command and address-space base classes are
    registered so their defaults exist, ``parse_options()`` is run, and the
    profile and the ``file://`` location of the image are then assigned
    explicitly so they take precedence over whatever the parser picked up.

    NOTE(review): parse_options() presumably reads sys.argv, which under a
    notebook kernel holds the kernel's own arguments rather than Volatility
    ones; assigning PROFILE and LOCATION afterwards is what keeps this
    working -- confirm against the conf module.
    """
    cfg = conf.ConfObject()
    for option_source in (commands.Command, addrspace.BaseAddressSpace):
        registry.register_global_options(cfg, option_source)
    cfg.parse_options()
    cfg.PROFILE = profile
    cfg.LOCATION = "file://{0}".format(target_path)
    return cfg

In [25]:
# One config for the image; every later plugin cell reuses it (get_json hands
# each plugin a deep copy).  PSScan scans the image for process objects rather
# than walking the active-process list, so it can also surface terminated or
# unlinked processes.
config = get_config(img_profile, img_path)
ps_scan = get_json(config, filescan.PSScan)

In [33]:
# Tabulate the PSScan JSON: `rows` become the records, `columns` the header.
ps_scan_df = pd.DataFrame(data=ps_scan['rows'], columns=ps_scan['columns'])

In [34]:
# Full process table from the scan.  An empty "Time Exited" marks a process
# that had not exited at capture time; a populated value is an exited process
# the scan still found in memory.  Worth diffing against the live process list
# (taskmods.PSList): entries present here but absent there deserve a closer look.
ps_scan_df

Unnamed: 0,Offset(P),Name,PID,PPID,PDB,Time Created,Time Exited
0,32716328,alg.exe,464,704,146801376,2009-04-16 16:10:21 UTC+0000,
1,33179024,svchost.exe,968,704,146800896,2009-04-16 16:10:07 UTC+0000,
2,33190312,explorer.exe,1672,1624,146801152,2009-04-16 16:10:10 UTC+0000,
3,33283488,iexplore.exe,796,884,146801440,2009-05-05 19:28:28 UTC+0000,
4,33299064,VMwareUser.exe,2004,1672,146800992,2009-04-16 16:10:11 UTC+0000,
5,33301872,VMwareService.e,1032,704,146801280,2009-04-16 16:10:16 UTC+0000,
6,33871432,cmd.exe,840,1672,146801344,2009-05-05 15:56:24 UTC+0000,
7,33901984,svchost.exe,884,704,146800864,2009-04-16 16:10:07 UTC+0000,
8,34151840,svchost.exe,1212,704,146801024,2009-04-16 16:10:09 UTC+0000,
9,34711120,ctfmon.exe,2020,1672,146801248,2009-04-16 16:10:11 UTC+0000,


In [30]:
# Loaded-module list for every process, from the same config.
dll_list = get_json(config, taskmods.DllList)

In [31]:
# Tabulate the DllList JSON: `rows` become the records, `columns` the header.
dll_list_df = pd.DataFrame(data=dll_list['rows'], columns=dll_list['columns'])

In [32]:
# Per-process module table.  Row 0 (pid 4, "Error reading PEB for pid") is an
# error placeholder, not a module -- filter such rows out before counting or
# joining on Path.  Module paths come from each process's own PEB, i.e. data
# the process could have altered, so treat them as evidence, not ground truth.
dll_list_df

Unnamed: 0,Pid,Base,Size,LoadCount,LoadTime,Path
0,4,0,0,0,,Error reading PEB for pid
1,564,1213726720,61440,65535,,\SystemRoot\System32\smss.exe
2,564,2089811968,716800,65535,,C:\WINDOWS\system32\ntdll.dll
3,636,1248329728,20480,65535,,\??\C:\WINDOWS\system32\csrss.exe
4,636,2089811968,716800,65535,,C:\WINDOWS\system32\ntdll.dll
5,636,1974730752,45056,65535,,C:\WINDOWS\system32\CSRSRV.dll
6,636,1974796288,65536,3,,C:\WINDOWS\system32\basesrv.dll
7,636,1974861824,307200,2,,C:\WINDOWS\system32\winsrv.dll
8,636,2012282880,299008,5,,C:\WINDOWS\system32\GDI32.dll
9,636,2088763392,1007616,16,,C:\WINDOWS\system32\KERNEL32.dll
