
Feature Request: Allow for Specifying the KDBG Address #19

Open
jpoling-dswrx opened this issue May 19, 2016 · 5 comments

Comments

@jpoling-dswrx

Being able to specify this parameter for/when running each module would greatly reduce processing time.

https://github.com/volatilityfoundation/volatility/wiki/Volatility%20Usage#setting-the-kdbg-address

@JamesHabben (Owner)

Thanks again for the request. I will think through how to collect this info. Again, open to any thoughts you have had.

@jpoling-dswrx (Author)

So, there are two tracks here, the first being how to acquire the proper kdbg address and the second being how to incorporate that into the plugins run against the image.

Addressing the latter first, I think the best option is to somehow provide the capability for the end-user to set the kdbg address as an option somewhere on the page, perhaps in a drop-down menu like you use for the profiles (via parsing the kdbgscan output looking for the suggested possible addresses). Or, it can be a separate field/text box somewhere that requires user-input of the specific address.

Addressing the former, I can think of a few options off the top of my head:

  1. Suggest the kdbgscan plugin to be run upon initial import of an image (via popup or alert text somewhere), parsing the output with some logic in finding the "most appropriate address(es)" and providing suggestions to the end user for which address to utilize moving forward. (Best option, as this will also create awareness for those who don't know about this feature and speed improvement)
  2. Same as above, but don't parse output and leave it to the end-user to figure out where to look and what to use. (I'd be OK with this, but it would be great if it could be parsed with the logic above to provide address suggestions)
  3. Require the kdbgscan plugin to be run upon initial import of an image. (Not my favorite option as the user should have choices)
  4. Require the analyst to find out the kdbg address before running Evolve, specifying it on the command line when starting Evolve. (Least favorite option, but probably easiest to get up and running to at least provide the capability until it's incorporated into the GUI)

I'm sure there are other options, but this is all I got at the moment. Hopefully that helps, and thanks in advance for all your work on this!

@JamesHabben (Owner)

Great thoughts! What makes this even tougher is trying to incorporate your other request to allow for each memory dump to have a KDBG value stored and used. Will take some creativity for sure!

@jpoling-dswrx (Author) commented May 20, 2016

Should be able to be tied to the image the same way the profile is/would be. Easiest way is probably full file path or memory hash. Or just assign a unique ID upon load.

@Beercow commented May 11, 2018

This could also be achieved if Evolve created a volatilityrc config file for the image. This would also significantly speed up Win 8-10 images.

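The two mechanics the thread asks for, ranking kdbgscan candidates so a drop-down can suggest an address (jpoling-dswrx's options 1 and 2) and persisting the choice per image in a volatilityrc (Beercow's comment), as an added example. This is not Evolve's or Volatility's own code. It assumes the block layout of Volatility 2.x kdbgscan text output (a line of asterisks between candidates, "Key : Value" rows), the PROFILE/LOCATION/KDBG keys documented on the Volatility wiki, and an absolute POSIX image path; the scan output and image bytes are constructed, and `image_key`, `rank_candidates` and `build_volatilityrc` are hypothetical names.

```python
"""Rank kdbgscan candidates and persist the choice in a per-image volatilityrc.

Added example for this issue thread, not Evolve's or Volatility's code. The
kdbgscan layout and the volatilityrc keys below are assumptions taken from
Volatility 2.x usage; the scan text is constructed, not from a real image.
"""
import hashlib
import re

# Constructed sample: one live KDBG and one stale copy that scans as a false
# positive (empty process/module lists, kernel base does not start with MZ).
SAMPLE_KDBGSCAN = """\
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf80002c3b0a0
Offset (P)                    : 0x2c3b0a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
PsActiveProcessHead           : 0xfffff80002c71b90 (37 processes)
PsLoadedModuleList            : 0xfffff80002c8fe90 (116 modules)
KernelBase                    : 0xfffff80002a4a000 (Matches MZ: True)
KPCR                          : 0xfffff80002c3d000 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf80002d4c0a0
Offset (P)                    : 0x2d4c0a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
PsActiveProcessHead           : 0xfffff80002d82b90 (0 processes)
PsLoadedModuleList            : 0xfffff80002da0e90 (0 modules)
KernelBase                    : 0xfffff80002b5b000 (Matches MZ: False)
KPCR                          : 0xfffff80002d4e000 (CPU 0)
"""

SEPARATOR = re.compile(r"^\*{10,}\s*$", re.MULTILINE)
FIELD = re.compile(r"^(?P<key>[^:\n]+?)\s*:\s*(?P<val>.*?)\s*$", re.MULTILINE)


def _count(value, noun):
    """Pull the '(N processes)' / '(N modules)' count out of a field value."""
    m = re.search(r"\((\d+) %s\)" % noun, value)
    return int(m.group(1)) if m else 0


def parse_kdbgscan(text):
    """Turn raw kdbgscan output into one dict per candidate KDBG block."""
    candidates = []
    for chunk in SEPARATOR.split(text):
        fields = {m.group("key").strip(): m.group("val") for m in FIELD.finditer(chunk)}
        if "Offset (V)" not in fields:
            continue  # empty chunk before the first separator
        candidates.append({
            "kdbg": int(fields["Offset (V)"], 16),  # --kdbg takes the virtual offset
            "profile": fields.get("Profile suggestion (KDBGHeader)", ""),
            "owner_tag": fields.get("KDBG owner tag check") == "True",
            "processes": _count(fields.get("PsActiveProcessHead", ""), "processes"),
            "modules": _count(fields.get("PsLoadedModuleList", ""), "modules"),
            "mz_match": "Matches MZ: True" in fields.get("KernelBase", ""),
        })
    return candidates


def rank_candidates(candidates):
    """Best-first order for a KDBG drop-down: the candidate whose process and
    module lists actually walk wins; owner tag and MZ check break ties, and
    equal scores keep scan order (sorted() is stable)."""
    def score(c):
        return (c["processes"] + c["modules"], c["owner_tag"], c["mz_match"])
    return sorted(candidates, key=score, reverse=True)


def image_key(image_bytes):
    """Identity to store the per-image choice under (the thread suggests a
    memory hash). Hash the whole dump if near-identical images are expected."""
    return hashlib.sha256(image_bytes).hexdigest()[:16]


def build_volatilityrc(image_path, candidate):
    """Per-image config so later plugin runs skip both the profile guess and
    the KDBG scan. Keys as on the Volatility wiki; image_path must be an
    absolute POSIX path because LOCATION is a file:// URL."""
    return "\n".join([
        "[DEFAULT]",
        "PROFILE=%s" % candidate["profile"],
        "LOCATION=file://%s" % image_path,
        "KDBG=%#x" % candidate["kdbg"],
        "",
    ])


if __name__ == "__main__":
    ranked = rank_candidates(parse_kdbgscan(SAMPLE_KDBGSCAN))
    for c in ranked:
        print("%#x %-10s procs=%3d mods=%3d tag=%s mz=%s" % (
            c["kdbg"], c["profile"], c["processes"], c["modules"],
            c["owner_tag"], c["mz_match"]))
    print(build_volatilityrc("/cases/win7.raw", ranked[0]))
```

The generated file is handed to Volatility with `--conf-file=<path>`, so a plugin run for that image no longer repeats the KDBG scan; the ranking is a heuristic for the drop-down default, and the analyst should still be able to pick the lower-ranked candidate when a dump contains a stale KDBG copy from a previous boot.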