Merge branch 'develop' into issue_985

Author: ikelos

.github/workflows/install.yml

@@ -0,0 +1,31 @@
+name: Install Volatility3 test
+on: [push, pull_request]
+jobs:
+
+  install_test:
+    runs-on: ${{ matrix.host }}
+    strategy:
+      fail-fast: false
+      matrix:
+        host: [ ubuntu-latest, windows-latest ]
+        python-version: [ "3.7", "3.8", "3.9", "3.10", "3.11" ]
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v4
+      with:
+        python-version: ${{ matrix.python-version }}
+
+    - name: Setup python-pip
+      run: python -m pip install --upgrade pip
+
+    - name: Install dependencies
+      run: |
+        pip install -r requirements.txt
+
+    - name: Install volatility3
+      run: pip install .
+
+    - name: Run volatility3
+      run: vol --help

CITATION.cff

@@ -0,0 +1,37 @@
+# This CITATION.cff file was generated with cffinit.
+# Visit https://bit.ly/cffinit to generate yours today!
+
+cff-version: 1.2.0
+title: Volatility 3
+message: >-
+  If you reference this software, please feel free to cite
+  it using the information below.
+type: software
+authors:
+  - name: Volatility Foundation
+    country: US
+    website: 'https://www.volatilityfoundation.org/'
+identifiers:
+  - type: url
+    value: 'https://github.com/volatilityfoundation/volatility3'
+    description: Volatility 3 source code respository
+repository-code: 'https://github.com/volatilityfoundation/volatility3'
+url: 'https://github.com/volatilityfoundation/volatility3'
+abstract: >-
+  Volatility is the world's most widely used framework for
+  extracting digital artifacts from volatile memory (RAM)
+  samples. The extraction techniques are performed
+  completely independent of the system being investigated
+  but offer visibility into the runtime state of the system.
+  The framework is intended to introduce people to the
+  techniques and complexities associated with extracting
+  digital artifacts from volatile memory samples and provide
+  a platform for further work into this exciting area of
+  research.
+keywords:
+  - malware
+  - forensics
+  - memory
+  - python
+  - ram
+  - volatility

doc/source/conf.py

@@ -27,7 +27,7 @@ def setup(app):
 
     source_dir = os.path.abspath(os.path.dirname(__file__))
     sphinx.ext.apidoc.main(
-        argv=["-e", "-M", "-f", "-T", "-o", source_dir, volatility_directory]
+        ["-e", "-M", "-f", "-T", "-o", source_dir, volatility_directory]
     )
 
     # Go through the volatility3.framework.plugins files and change them to volatility3.plugins

doc/source/using-as-a-library.rst

@@ -54,6 +54,12 @@ also be included, which can be found in `volatility3.constants.PLUGINS_PATH`.
         volatility3.plugins.__path__ = <new_plugin_path> + constants.PLUGINS_PATH
         failures = framework.import_files(volatility3.plugins, True)
 
+.. note::
+
+    Volatility uses the `volatility3.plugins` namespace for all plugins (including those in `volatility3.framework.plugins`).
+    Please ensure you only use `volatility3.plugins` and only ever import plugins from this namespace.
+    This ensures the ability of users to override core plugins without needing write access to the framework directory.
+
 Once the plugins have been imported, we can interrogate which plugins are available.  The
 :py:func:`~volatility3.framework.list_plugins` call will
 return a dictionary of plugin names and the plugin classes.

requirements-dev.txt

@@ -1,5 +1,5 @@
 # The following packages are required for core functionality.
-pefile>=2017.8.1
+pefile>=2023.2.7
 
 # The following packages are optional.
 # If certain packages are not necessary, place a comment (#) at the start of the line.

requirements-minimal.txt

@@ -1,2 +1,2 @@
 # These packages are required for core functionality.
-pefile>=2017.8.1 #foo
+pefile>=2023.2.7 #foo

requirements.txt

@@ -1,5 +1,5 @@
 # The following packages are required for core functionality.
-pefile>=2017.8.1
+pefile>=2023.2.7
 
 # The following packages are optional.
 # If certain packages are not necessary, place a comment (#) at the start of the line.
@@ -16,3 +16,7 @@ pycryptodome
 
 # This is required for memory acquisition via leechcore/pcileech.
 leechcorepyc>=2.4.0
+
+# This is required for memory analysis on a Amazon/MinIO S3 and Google Cloud object storage
+gcsfs>=2023.1.0
+s3fs>=2023.1.0

setup.py

@@ -12,14 +12,15 @@
 
 def get_install_requires():
     requirements = []
-    with open("requirements-minimal.txt", "r", encoding = "utf-8") as fh:
+    with open("requirements-minimal.txt", "r", encoding="utf-8") as fh:
         for line in fh.readlines():
             stripped_line = line.strip()
             if stripped_line == "" or stripped_line.startswith("#"):
                 continue
             requirements.append(stripped_line)
     return requirements
 
+
 setuptools.setup(
     name="volatility3",
     description="Memory forensics framework",
@@ -36,12 +37,12 @@ def get_install_requires():
         "Documentation": "https://volatility3.readthedocs.io/",
         "Source Code": "https://github.com/volatilityfoundation/volatility3",
     },
-    python_requires=">=3.7.0",
-    include_package_data=True,
-    exclude_package_data={"": ["development", "development.*"], "development": ["*"]},
     packages=setuptools.find_namespace_packages(
-        exclude=["development", "development.*"]
+        include=["volatility3", "volatility3.*"]
     ),
+    package_dir={"volatility3": "volatility3"},
+    python_requires=">=3.7.0",
+    include_package_data=True,
     entry_points={
         "console_scripts": [
             "vol = volatility3.cli:main",

volatility3/cli/__init__.py

@@ -662,7 +662,7 @@ def __init__(self, filename: str):
             def close(self):
                 # Don't overcommit
                 if self.closed:
-                    return
+                    return None
 
                 self.seek(0)
 
@@ -712,7 +712,7 @@ def close(self):
                 """Closes and commits the file (by moving the temporary file to the correct name"""
                 # Don't overcommit
                 if self._file.closed:
-                    return
+                    return None
 
                 self._file.close()
                 output_filename = self._get_final_filename()

volatility3/cli/volshell/generic.py

@@ -108,7 +108,7 @@ def help(self, *args):
         """Describes the available commands"""
         if args:
             help(*args)
-            return
+            return None
 
         variables = []
         print("\nMethods:")
@@ -325,7 +325,7 @@ def display_type(
             (str, interfaces.objects.ObjectInterface, interfaces.objects.Template),
         ):
             print("Cannot display information about non-type object")
-            return
+            return None
 
         if not isinstance(object, str):
             # Mypy requires us to order things this way
@@ -453,7 +453,7 @@ def display_symbols(self, symbol_table: str = None):
         """Prints an alphabetical list of symbols for a symbol table"""
         if symbol_table is None:
             print("No symbol table provided")
-            return
+            return None
         longest_offset = longest_name = 0
 
         table = self.context.symbol_space[symbol_table]