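"""Cross-view process listing of a Windows memory image with Volatility 2.

Workflow (one notebook cell group per section below):
  1. Load the image with a fixed profile.
  2. psscan: carve process structures from the whole image.
  3. Look at svchost.exe instances and their children.
  4. pslist: walk the active process list.
  5. Diff psscan against pslist: anything psscan found that pslist did not
     reach is either an exited process or one unlinked from the active list.
  6. Render the psscan process tree as an SVG via graphviz.
"""
from cStringIO import StringIO

# Imports following example from
# https://code.google.com/p/volatility/wiki/BasicUsage21#Using_Volatility_as_a_Library
import volatility.conf as conf
import volatility.registry as registry
import volatility.commands as commands
import volatility.addrspace as addrspace
import volatility.utils as utils
import volatility.win32.network as network
import volatility.plugins.taskmods as taskmods
import volatility.plugins.vadinfo as vadinfo

import pandas as pd

# --- Volatility framework setup -------------------------------------------
registry.PluginImporter()
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)

# You can print the cmds dictionary to see list of available plugins
# These are the same commands you would specify to the command line vol.py script
cmds = registry.get_plugin_classes(commands.Command, lower=True)

# These parameters simulate the command line settings "--profile" and "-f"
# respectively. They are the only per-image settings in this notebook, so they
# are kept together as named constants; point them at another image to reuse
# the rest of the analysis unchanged.
IMAGE_PROFILE = "WinXPSP2x86"
IMAGE_LOCATION = "file:///c:/ds_fuzz_hidden_proc.img"
config.PROFILE = IMAGE_PROFILE
config.LOCATION = IMAGE_LOCATION

from volatility.plugins.filescan import PSScan
from volatility.plugins.taskmods import PSList

# Column order shared by every process table built below.
PROCESS_COLUMNS = ['Name', 'PID', 'PPID', 'Threads', 'HandleCount',
                   'SessionID', 'Wow64', 'Start', 'Exit']


def task_record(task):
    """Flatten one Volatility process object into a dict keyed by PROCESS_COLUMNS.

    All fields are rendered as strings, so PID/PPID compare as strings in the
    frames below. CreateTime/ExitTime fall back to '' when unset, which
    pd.to_datetime later turns into NaT.
    """
    return {
        'Name': '%s' % task.ImageFileName,
        'PID': '%i' % task.UniqueProcessId,
        'PPID': '%i' % task.InheritedFromUniqueProcessId,
        'Threads': '%s' % task.ActiveThreads,
        'HandleCount': '%s' % task.ObjectTable.HandleCount,
        'SessionID': '%s' % task.SessionId,
        'Wow64': '%s' % task.IsWow64,
        'Start': str(task.CreateTime or ''),
        'Exit': str(task.ExitTime or ''),
    }


def tasks_to_frame(tasks):
    """Build a PID-indexed DataFrame from an iterable of Volatility process objects.

    Start/Exit are parsed to datetimes (NaT where the field was empty). An
    empty iterable yields an empty frame with the same columns, so callers can
    diff frames without special-casing a plugin that found nothing.
    """
    frame = pd.DataFrame([task_record(t) for t in tasks], columns=PROCESS_COLUMNS)
    frame.index = frame.PID
    frame['Start'] = pd.to_datetime(frame['Start'])
    frame['Exit'] = pd.to_datetime(frame['Exit'])
    return frame


# --- psscan: carve process structures from the whole image ------------------
# calculate() is a generator, so every call re-runs the scan over the image;
# materialise it once and reuse the list for the text table, the DataFrame
# and the dot graph at the end.
ps = PSScan(config)
pstasks = list(ps.calculate())

pstable = StringIO()
ps.render_text(pstable, pstasks)
print(pstable.getvalue())

psscandf = tasks_to_frame(pstasks)
# Bare expressions below are notebook cell outputs. DataFrame.sort and .ix are
# the pandas API this notebook was written against; on pandas >= 0.20 the
# equivalents are sort_values('Start') and .loc.
psscandf.sort(['Start'])

# --- svchost.exe parent/child view ------------------------------------------
# Every PID belonging to an svchost.exe instance, then every process whose
# parent is one of them. The merge pairs each svchost parent with its children
# (columns suffixed _parent / _child) so unexpected children stand out.
svchostpids = psscandf.ix[psscandf['Name'] == 'svchost.exe']['PID'].unique()
svchostpids
psscandf.ix[psscandf['PPID'].isin(svchostpids)]
psscandf.ix[psscandf['Name'] == 'svchost.exe'].merge(
    psscandf, left_on=['PID'], right_on=['PPID'], suffixes=('_parent', '_child'))

# --- pslist: walk the active process list -----------------------------------
psl = PSList(config)
pslistdf = tasks_to_frame(psl.calculate())
pslistdf

# Cross-view check: processes psscan carved from memory that pslist did not
# reach through the active list. Exited processes (Exit set) are expected
# here; an entry with no Exit time is the one worth a closer look.
psscandf.ix[~psscandf.PID.isin(pslistdf.PID.tolist())].sort(['Start'])

# --- process tree rendered via graphviz -------------------------------------
%load_ext hierarchymagic
import hierarchymagic  # to put the library explicitly in the namespace
from IPython.display import SVG

psdot = StringIO()
ps.render_dot(psdot, pstasks)
SVG(hierarchymagic.run_dot(psdot.getvalue(), format='svg'))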