VolShell For The Web!
Disclaimer: The code in this article is for demonstrational purposes only and should not be used in a production environment. The website lacks essential sanity checks that could lead to abuse of your system if other people than yourself have access to it. If you understand this, feel free to use this code in any way you like.
So we're up for the second blogpost, it took me almost a year to get another one out. But as always, I try to focus on quality over quantity ;-). Again, the object of my affection is Volatilty, an amazingly flexible tool to perform memory analysis. For this sample I've used Volatility 2.2, but this will probably work on other versions as well.
VolShell is a plugin for Volatility that will let you do memory analysis from a Python command prompt. This offers you more flexibility than the standard plugins and the possibility to automate stuff using the Python language. Although powerful, you'll get lost quite easily when navigating through the data structures. I must admit that I've ignored this plugin, until somebody showed it to me a couple of months ago. Ever since it has been in the back of my mind to build a little website on top of this to make it easier to move around through the objects.
If you haven't used VolShell, then this document written by Brendan Dolan-Gavitt will get you started. The starting point of VolShell is the context, the process from which perspective the memory and structures can be analysed. You can set the context by name, pid or offset using the cc() comand, for instance like this: cc(name="dd.exe"). After this you can use the dt() command to analyse the structures like this: dt(self.eproc). The result of this is shown in the image below.
If you want to see the data structure of the Process Control Block (Pcb), you can do this by chaning the attributes in the dt() command. Although the value of the Pcb attribute is a pointer, VolShell automaticaly dereferences it for you:
Although working directly from the shell is nice and flexible, this is not a good way to build my website. For this, I've created a Python file called volweb.py that can be loaded from the shell using the execfile("volweb.py") Python command. Because I'm lazy by default, I use a pipe construction to enter this command directly from the commandline. This way I can start the webserver without typing any extra commands:
The website starts by setting the context to the dd.exe process and a reference to this in a global variable. I've also added an aditional writer to stdout. The results of the dt() command are not returned as an object, but only written directly to stdout. The stdoutBuffer stores all lines written to stdout for later use.
After this I start the Python built-in http-server (BaseHTTPServer) using a custom http handler called volHandler. The server listens on port 31337 ;-)
The volHandler class has a method to handle http GET requests. First we parse the arguments that have been passed from the url. After this the necessary response headers are added. Then we get to the meat of the system, the call to the VolShell dt() command in the callVol method:
The parsearguments method parses the arguments from the query string. The website starts with self.eproc, everytime we click on a attribute of the data structure it's name is passed as a value in the query string. This value is added to a list of attributes, which essentialy is the path to datastructure we're looking for. If the received value is "back", the value on top is the list is popped. This way we can go a level up (or back) in the path. If no value is supplied, all items are popped of the list and we return to the root, self.eproc.
In the callVol method we first clean the buffer we added to stdout. This way all lines that are written to stdout by the dt() command are captured in the buffer. After this we start walking through the list of attributes starting with self.eproc (self is referenced by "context"). At the end of this, we have the reference to the object we're looking for and we can use the dt() function to get to it's data structure. Apart from this we also build a string call "callpath", this string is shown to the user as a reference to the location of the object he is looking at.
The last piece of the puzzle is getting the results from the dt() comand from the bufferd stdout output. Every line is processed by splitting it in 3 pieces (offset, name and value) that are put in a container object and added to a list.
The result of this is processed in the next part of the http GET handler. The offset, name and value of the attribute are added to an HTML table. If the value looks like something that could be an address in kernel space an anchor is created. The name of the attribute is added as an argument to the url. When clicked this argument will be handled by the parsearuguments method as described above.
In the end, all is written to the response and send to the browser.
When we navigate to the webserver on port 31337 we get the following result:
Now we can click on the Pcb attribute to navigate to that data structure:
Using the website we can easily navigate through the structures by clicking on the attributes or using the "back" or "root" hyperlinks. Although it's a basic site, this works pretty nice this way.
There is a little more code to this website than shown above, the complete source of volweb.py can be downloaded here. This may help to get an even better picture of what's happening here. The web site can also be improved on many points, for instance by starting with a process list to select from. The code can also be simplified and improved by changing the function of VolShell to not only write results to stdout, but to also return them in the form of an object. For this demo I chose to leave the plugin intact, but if you have serious plans for this, changing it may be viable.
I think this website is a nice start and also a good showcase of what you can accomplish using Volatility, Python and a little imagination. Have fun with it!