
Commit 583cffe

author
Dave Lassalle
committed
#816 - next console properties for better readability in treegrid
1 parent a515e57 commit 583cffe


2 files changed

+57
-4
lines changed


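--- a/volatility3/framework/plugins/windows/cmdscan.py
+++ b/volatility3/framework/plugins/windows/cmdscan.py
@@ -175,13 +175,23 @@ def get_command_history(
 )
 command_history_properties.append(
 {
+"level": 0,
+"name": "_COMMAND_HISTORY",
+"address": command_history.vol.offset,
+"data": "",
+}
+)
+command_history_properties.append(
+{
+"level": 1,
 "name": f"_COMMAND_HISTORY.Application",
 "address": command_history.Application.vol.offset,
 "data": command_history.get_application(),
 }
 )
 command_history_properties.append(
 {
+"level": 1,
 "name": f"_COMMAND_HISTORY.ProcessHandle",
 "address": command_history.ConsoleProcessHandle.ProcessHandle.vol.offset,
 "data": hex(
@@ -191,20 +201,23 @@ def get_command_history(
 )
 command_history_properties.append(
 {
+"level": 1,
 "name": f"_COMMAND_HISTORY.CommandCount",
 "address": None,
 "data": command_history.CommandCount,
 }
 )
 command_history_properties.append(
 {
+"level": 1,
 "name": f"_COMMAND_HISTORY.LastDisplayed",
 "address": command_history.LastDisplayed.vol.offset,
 "data": command_history.LastDisplayed,
 }
 )
 command_history_properties.append(
 {
+"level": 1,
 "name": f"_COMMAND_HISTORY.CommandCountMax",
 "address": command_history.CommandCountMax.vol.offset,
 "data": command_history.CommandCountMax,
@@ -213,6 +226,7 @@ def get_command_history(
 
 command_history_properties.append(
 {
+"level": 1,
 "name": f"_COMMAND_HISTORY.CommandBucket",
 "address": command_history.CommandBucket.vol.offset,
 "data": "",
@@ -225,6 +239,7 @@ def get_command_history(
 try:
 command_history_properties.append(
 {
+"level": 2,
 "name": f"_COMMAND_HISTORY.CommandBucket_Command_{cmd_index}",
 "address": bucket_cmd.vol.offset,
 "data": bucket_cmd.get_command(),
@@ -281,7 +296,7 @@ def _generator(
 if command_history and command_history_properties:
 for command_history_property in command_history_properties:
 yield (
-0,
+command_history_property["level"],
 (
 proc.UniqueProcessId,
 process_name,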
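Review bot: `_generator` now indexes `command_history_property["level"]` directly in the `@@ -281,7 +296,7 @@` hunk, so any dict appended to `command_history_properties` without a `"level"` key raises KeyError inside the generator and drops every remaining row for that process; the appends visible in the earlier hunks all carry the key, but `get_command_history` starts before the first hunk and has unshown stretches between hunks, so every append site there should be checked as well. The new contract is also undocumented: suggest a comment where the list is first built, `# "level" is the TreeGrid depth that _generator yields for each row; every entry appended here must carry it, and a level-n row is nested under the most recent level-(n-1) row emitted before it.` A defensive `command_history_property.get("level", 0)` would avoid the crash but would silently flatten a mis-built row into the tree root, so the explicit contract is the better fix.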

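--- a/volatility3/framework/plugins/windows/consoles.py
+++ b/volatility3/framework/plugins/windows/consoles.py
@@ -445,48 +445,63 @@ def get_console_info(
 )
 console_properties.append(
 {
+"level": 0,
+"name": "_CONSOLE_INFORMATION",
+"address": console_info.vol.offset,
+"data": "",
+}
+)
+console_properties.append(
+{
+"level": 1,
 "name": "_CONSOLE_INFORMATION.ScreenX",
 "address": console_info.ScreenX.vol.offset,
 "data": console_info.ScreenX,
 }
 )
 console_properties.append(
 {
+"level": 1,
 "name": "_CONSOLE_INFORMATION.ScreenY",
 "address": console_info.ScreenY.vol.offset,
 "data": console_info.ScreenY,
 }
 )
 console_properties.append(
 {
+"level": 1,
 "name": "_CONSOLE_INFORMATION.CommandHistorySize",
 "address": console_info.CommandHistorySize.vol.offset,
 "data": console_info.CommandHistorySize,
 }
 )
 console_properties.append(
 {
+"level": 1,
 "name": "_CONSOLE_INFORMATION.HistoryBufferCount",
 "address": console_info.HistoryBufferCount.vol.offset,
 "data": console_info.HistoryBufferCount,
 }
 )
 console_properties.append(
 {
+"level": 1,
 "name": "_CONSOLE_INFORMATION.HistoryBufferMax",
 "address": console_info.HistoryBufferMax.vol.offset,
 "data": console_info.HistoryBufferMax,
 }
 )
 console_properties.append(
 {
+"level": 1,
 "name": "_CONSOLE_INFORMATION.Title",
 "address": console_info.Title.vol.offset,
 "data": console_info.get_title(),
 }
 )
 console_properties.append(
 {
+"level": 1,
 "name": "_CONSOLE_INFORMATION.OriginalTitle",
 "address": console_info.OriginalTitle.vol.offset,
 "data": console_info.get_original_title(),
@@ -498,13 +513,15 @@ def get_console_info(
 )
 console_properties.append(
 {
+"level": 1,
 "name": "_CONSOLE_INFORMATION.ProcessCount",
 "address": console_info.ProcessCount.vol.offset,
 "data": console_info.ProcessCount,
 }
 )
 console_properties.append(
 {
+"level": 1,
 "name": "_CONSOLE_INFORMATION.ConsoleProcessList",
 "address": console_info.ConsoleProcessList.vol.offset,
 "data": "",
@@ -515,20 +532,23 @@ def get_console_info(
 ):
 console_properties.append(
 {
+"level": 2,
 "name": f"_CONSOLE_INFORMATION.ConsoleProcessList.ConsoleProcess_{index}",
 "address": attached_proc.ConsoleProcess.dereference().vol.offset,
 "data": "",
 }
 )
 console_properties.append(
 {
+"level": 2,
 "name": f"_CONSOLE_INFORMATION.ConsoleProcessList.ConsoleProcess_{index}_ProcessId",
 "address": attached_proc.ConsoleProcess.ProcessId.vol.offset,
 "data": attached_proc.ConsoleProcess.ProcessId,
 }
 )
 console_properties.append(
 {
+"level": 2,
 "name": f"_CONSOLE_INFORMATION.ConsoleProcessList.ConsoleProcess_{index}_ProcessHandle",
 "address": attached_proc.ConsoleProcess.ProcessHandle.vol.offset,
 "data": hex(
@@ -542,6 +562,7 @@ def get_console_info(
 )
 console_properties.append(
 {
+"level": 1,
 "name": "_CONSOLE_INFORMATION.HistoryList",
 "address": console_info.HistoryList.vol.offset,
 "data": "",
@@ -553,20 +574,23 @@ def get_console_info(
 try:
 console_properties.append(
 {
+"level": 2,
 "name": f"_CONSOLE_INFORMATION.HistoryList.CommandHistory_{index}",
 "address": command_history.vol.offset,
 "data": "",
 }
 )
 console_properties.append(
 {
+"level": 2,
 "name": f"_CONSOLE_INFORMATION.HistoryList.CommandHistory_{index}_Application",
 "address": command_history.Application.vol.offset,
 "data": command_history.get_application(),
 }
 )
 console_properties.append(
 {
+"level": 2,
 "name": f"_CONSOLE_INFORMATION.HistoryList.CommandHistory_{index}_ProcessHandle",
 "address": command_history.ConsoleProcessHandle.ProcessHandle.vol.offset,
 "data": hex(
@@ -576,13 +600,15 @@ def get_console_info(
 )
 console_properties.append(
 {
+"level": 2,
 "name": f"_CONSOLE_INFORMATION.HistoryList.CommandHistory_{index}_CommandCount",
 "address": None,
 "data": command_history.CommandCount,
 }
 )
 console_properties.append(
 {
+"level": 2,
 "name": f"_CONSOLE_INFORMATION.HistoryList.CommandHistory_{index}_LastDisplayed",
 "address": command_history.LastDisplayed.vol.offset,
 "data": command_history.LastDisplayed,
@@ -593,8 +619,8 @@ def get_console_info(
 bucket_cmd,
 ) in command_history.get_commands():
 try:
-console_properties.append(
-{
+console_properties.append({
+"level": 3,
 "name": f"_CONSOLE_INFORMATION.HistoryList.CommandHistory_{index}_Command_{cmd_index}",
 "address": bucket_cmd.vol.offset,
 "data": bucket_cmd.get_command(),
@@ -610,33 +636,45 @@ def get_console_info(
 )
 
 vollog.debug(f"Getting ScreenBuffer entries for {console_info}")
+console_properties.append(
+{
+"level": 1,
+"name": "_CONSOLE_INFORMATION.CurrentScreenBuffer",
+"address": console_info.CurrentScreenBuffer.vol.offset,
+"data": "",
+}
+)
 for screen_index, screen_info in enumerate(
 console_info.get_screens()
 ):
 try:
 console_properties.append(
 {
+"level": 2,
 "name": f"_CONSOLE_INFORMATION.ScreenBuffer_{screen_index}",
 "address": screen_info,
 "data": "",
 }
 )
 console_properties.append(
 {
+"level": 2,
 "name": f"_CONSOLE_INFORMATION.ScreenBuffer_{screen_index}.ScreenX",
 "address": None,
 "data": screen_info.ScreenX,
 }
 )
 console_properties.append(
 {
+"level": 2,
 "name": f"_CONSOLE_INFORMATION.ScreenBuffer_{screen_index}.ScreenY",
 "address": None,
 "data": screen_info.ScreenY,
 }
 )
 console_properties.append(
 {
+"level": 2,
 "name": f"_CONSOLE_INFORMATION.ScreenBuffer_{screen_index}.Dump",
 "address": None,
 "data": "\n".join(screen_info.get_buffer()),
@@ -748,7 +786,7 @@ def _generator(
 if console_info and console_properties:
 for console_property in console_properties:
 yield (
-0,
+console_property["level"],
 (
 proc.UniqueProcessId,
 process_name,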
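Review bot: The rewritten `console_properties.append({` on the `"level": 3` entry in the `@@ -593,8 +619,8 @@` hunk breaks the `append(` / `{` two-line layout that every other entry in this file uses (the file otherwise looks black-formatted, so the next formatter run will re-expand it); keep the original `console_properties.append(` and `{` lines and insert `"level": 3,` after them, as the other hunks in this commit do. Separately, the new level-1 parent row in the `@@ -610,33 +636,45 @@` hunk is named `_CONSOLE_INFORMATION.CurrentScreenBuffer` and carries that field's offset, yet the level-2 `ScreenBuffer_{screen_index}` rows nested beneath it come from `console_info.get_screens()`; if that helper walks more than the current buffer, a neutral parent name such as `_CONSOLE_INFORMATION.ScreenBuffers`, or a comment stating that the children are every screen in the list, would read less misleadingly. `get_console_info` starts before the first hunk and its closing lines fall outside the last, so the unshown stretches should also be checked for appends that lack the `"level"` key now that `_generator` indexes it directly.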
