tomchop / volatility-autoruns Goto Github PK

Autoruns plugin for the Volatility framework

License: GNU General Public License v2.0

Python 100.00%

volatility-autoruns's Introduction

Hi there 👋

I'm Tom (he/him), a Digital Forensics and Incident Response (a.k.a. DFIR) engineer based in Zurich, Switzerland. Most of my focus is around tools that aid in incident response, forensics, threat intelligence, malware analysis, automation, and API interaction.

📯 Where to find me

Keybase - https://keybase.io/tomchop
Mastodon - @[email protected]
Twitter - @tomchop_ (don't check this much anymore)
tomchop.me - Personal website, let's see if I ever start writing something there...

⚡️ Core projects

dfTimewolf - a digital forensics pipeline orchestrator. Think CyberChef for APIs! Actively maintained.
Yeti platform - a lightweight Threat Intelligence platform. Ramping up the time I'm spending on this.
Timesketch - a forensics timeline analysis platform.

📦 Projects I've worked on in the past

volatility-autoruns - A plugin for the excellent memory analysis framework Volatility that enumerates auto-start extensibility points (i.e. "persistence") on a system.
FIR - Fast incident response - a lightweight incident response platform. Like a ticketing system, but for security incidents.
unxor - A fun experiment attacking weaknesses in XOR-based ciphers. Allows you to recover plaintext from any fixed-key XOR ciphertext, as long as you know a chunk of plaintext that is 2x as long as the key! (e.g. This program cannot be run in DOS mode)
malcom - Malcom - Malware Communications Analyzer - network traffic analysis and threat intelligence in the browser.

volatility-autoruns's People

Contributors

Stargazers

Watchers

Forkers

hiddenillusion milaiko jipegit th4nat0s jayaramcs hl0rey mnrkbys amohanta meni0n bentau threathive finderskeepers n4rr34n6 sukesh-ak chixxx 5l1v3r1 chthulhur relwen l0ann nejibnbm

volatility-autoruns's Issues

Migrate to volatility3

Catch NoneType within parse_service_key check

Traceback:

Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
  File "/opt/tools/volatility/vol.py", line 192, in <module>
    main()
  File "/opt/tools/volatility/vol.py", line 183, in main
    command.execute()
  File "/opt/tools/volatility/volatility/commands.py", line 119, in execute
    data = self.calculate()
  File "/other_plugins/community/ThomasChopitea/autoruns.py", line 519, in calculate
    self.services = self.get_services()
  File "/other_plugins/community/ThomasChopitea/autoruns.py", line 309, in get_services
    service = self.parse_service_key(service)
  File "/other_plugins/community/ThomasChopitea/autoruns.py", line 287, in parse_service_key
    entry = entry.replace('\x00', '')
AttributeError: 'NoneType' object has no attribute 'replace

In this instance, entry was empty.

Add COM hijacking

https://attack.mitre.org/techniques/T1122/

'Autoruns' object has no attribute 'sdb'

Trying to run the plugin, but i get the following error:

File ".../volatility/plugins/autoruns.py", line 654, in render_text if self.sdb: AttributeError: 'Autoruns' object has no attribute 'sdb'

UnicodeDecodeError due to truncated data when running autoruns

Getting a Unicode error on this image; stack trace below. Results in no output given. Can this error be caught so some output is given?

Volatility Foundation Volatility Framework 2.5

Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 5, in
pkg_resources.run_script('volatility==2.5', 'vol.py')
File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 528, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1394, in run_script
execfile(script_filename, namespace, namespace)
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in
main()
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
command.execute()
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 119, in execute
data = self.calculate()
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 531, in calculate
self.tasks = self.get_tasks()
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 450, in get_tasks
parsed = self.parse_task_xml(task_xml)
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 466, in parse_task_xml
xml = xml.decode('utf-16')
File "/usr/lib/python2.7/encodings/utf_16.py", line 16, in decode
return codecs.utf_16_decode(input, errors, True)
UnicodeDecodeError: 'utf16' codec can't decode byte 0x00 in position 0: truncated data

Autoruns issue

I've received this error when attempting to run the autoruns plugin for a Win7SP1x64 system...

File "/usr/bin/vol.py", line 183, in main
command.execute()
File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 119, in execute
data = self.calculate()
File "/usr/lib/python2.7/dist-packages/volatility/plugins/autoruns.py", line 492, in calculate
self.winlogon = self.get_winlogon()
File "/usr/lib/python2.7/dist-packages/volatility/plugins/autoruns.py", line 227, in get_winlogon
valdict = self.dict_for_key(winlogon_key)
File "/usr/lib/python2.7/dist-packages/volatility/plugins/autoruns.py", line 182, in dict_for_key
for v in rawreg.values(key):
File "/usr/lib/python2.7/dist-packages/volatility/win32/rawreg.py", line 128, in values
return [ v for v in key.ValueList.List.dereference()
AttributeError: 'NoneType' object has no attribute 'ValueList'

autoruns.py error

File "/usr/local/bin/vol.py", line 192, in
main()
File "/usr/local/bin/vol.py", line 183, in main
command.execute()

Below you'll find the error output...I've done a fresh clone and attempted to run against a variety of supported images with no luck.

File "/usr/local/Cellar/volatility/2.6/libexec/lib/python2.7/site-packages/volatility/commands.py", line 120, in execute
data = self.calculate()
File "/usr/local/Cellar/volatility/2.6/libexec/lib/python2.7/site-packages/volatility/plugins/autoruns.py", line 523, in calculate
self.winlogon = self.get_winlogon()
File "/usr/local/Cellar/volatility/2.6/libexec/lib/python2.7/site-packages/volatility/plugins/autoruns.py", line 236, in get_winlogon
valdict = self.dict_for_key(winlogon_key)
File "/usr/local/Cellar/volatility/2.6/libexec/lib/python2.7/site-packages/volatility/plugins/autoruns.py", line 191, in dict_for_key
for v in rawreg.values(key):
File "/usr/local/Cellar/volatility/2.6/libexec/lib/python2.7/site-packages/volatility/win32/rawreg.py", line 128, in values
return [ v for v in key.ValueList.List.dereference()
AttributeError: 'NoneType' object has no attribute 'ValueList'

Error

Traceback (most recent call last):
File "/usr/bin/vol.py", line 192, in
main()
File "/usr/bin/vol.py", line 183, in main
command.execute()
File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 120, in execute
data = self.calculate()
File "/usr/lib/python2.7/dist-packages/volatility/plugins/community/ThomasChopitea/autoruns.py", line 519, in calculate
self.services = self.get_services()
File "/usr/lib/python2.7/dist-packages/volatility/plugins/community/ThomasChopitea/autoruns.py", line 309, in get_services
service = self.parse_service_key(service)
File "/usr/lib/python2.7/dist-packages/volatility/plugins/community/ThomasChopitea/autoruns.py", line 287, in parse_service_key
entry = entry.replace('\x00', '')
AttributeError: 'NoneType' object has no attribute 'replace'

Autoruns is not working

Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 5, in <module>
    pkg_resources.run_script('volatility==2.5', 'vol.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 528, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1394, in run_script
    execfile(script_filename, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 120, in execute
    data = self.calculate()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 525, in calculate
    self.winlogon = self.get_winlogon()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 236, in get_winlogon
    valdict = self.dict_for_key(winlogon_key)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 191, in dict_for_key
    for v in rawreg.values(key):
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/win32/rawreg.py", line 128, in values
    return [ v for v in key.ValueList.List.dereference()
AttributeError: 'NoneType' object has no attribute 'ValueList'

Error for profile 19041

Hi,

I get an error when running this plugin with profile 19041 (Volatility 2.6.1).
Nothing more is shown when adding -v

ERROR : volatility.debug : Unable to find registry hives.

It works for older profiles.
Any ideas?

TypeError when analyzing memory

Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 5, in
pkg_resources.run_script('volatility==2.5', 'vol.py')
File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 528, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1394, in run_script
execfile(script_filename, namespace, namespace)
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in
main()
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
command.execute()
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 119, in execute
data = self.calculate()
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 529, in calculate
self.services = self.get_services()
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 315, in get_services
service = self.parse_service_key(service)
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 275, in parse_service_key
startup = int(values.get("Start"))
TypeError: int() argument must be a string or a number, not 'NoneType'

Unicode Encode Error: 'ascii' codec can't encode character u'\u1720'

Hey Tom,

I'm getting a Unicode error when using Autoruns (latest build from yesterday) with Vol 2.4 (I tried both python and precompiled versions). Image is a WinXPSP2x86 sample.

Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 192, in <module>
    main()
  File "/usr/local/bin/vol.py", line 183, in main
    command.execute()
  File "/home/gmucfrs/vol/volatility-2.4/volatility/commands.py", line 103, in execute
    data = self.calculate()
  File "/home/gmucfrs/vol/volatility-2.4/volatility/plugins/autoruns.py", line 521, in calculate
    self.services = self.get_services()
  File "/home/gmucfrs/vol/volatility-2.4/volatility/plugins/autoruns.py", line 311, in get_services
    service = self.parse_service_key(service)
  File "/home/gmucfrs/vol/volatility-2.4/volatility/plugins/autoruns.py", line 265, in parse_service_key
    values = {str(name): str(dat) for name, dat in self.regapi.reg_yield_values(hive_name='system', key='', given_root=service_key)}
  File "/home/gmucfrs/vol/volatility-2.4/volatility/plugins/autoruns.py", line 265, in <dictcomp>
    values = {str(name): str(dat) for name, dat in self.regapi.reg_yield_values(hive_name='system', key='', given_root=service_key)}
UnicodeEncodeError: 'ascii' codec can't encode character u'\u1720' in position 0: ordinal not in range(128)

Thanks,
Jared

Extract services from memory

Compare memory services vs. registry services, à la psxview

Add shim extraction

https://attack.mitre.org/techniques/T1138/

UnboundLocalError: local variable 'dllname' referenced before assignment

Hello,

I ran the autoruns plugin against a windows XP memory dump and had the following error message :

Volatility Foundation Volatility Framework 2.3.1
WARNING : volatility.obj : NoneObject as string: Value data is unreadable
Traceback (most recent call last):
File "/usr/bin/volatility", line 184, in
main()
File "/usr/bin/volatility", line 175, in main
command.execute()
File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 98, in execute
data = self.calculate()
File "/usr/lib/python2.7/dist-packages/volatility/plugins/autoruns.py", line 461, in calculate
self.winlogon_registrations = self.get_winlogon_registrations()
File "/usr/lib/python2.7/dist-packages/volatility/plugins/autoruns.py", line 207, in get_winlogon_registrations
reg = self.parse_winlogon_registration_key(subkey)
File "/usr/lib/python2.7/dist-packages/volatility/plugins/autoruns.py", line 237, in parse_winlogon_registration_key
pids = self.find_pids_for_imagepath(dllname)
UnboundLocalError: local variable 'dllname' referenced before assignment

Is the plugin supposed to work only on volatility 2.4 and superior ?

Autoruns problems with Volatility 2.5

Hi Tom,

I'm having a problem with autoruns (your latest build) and a Win7SP1x86 memory image. The error I'm getting is:

Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
  File "vol1.py", line 192, in <module>
    main()
  File "vol1.py", line 183, in main
    command.execute()
  File "/home//Desktop/vol-2.5_clean/volatility/commands.py", line 119, in execute
    data = self.calculate()
  File "/home/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 527, in calculate
    self.tasks = self.get_tasks()
  File "/home/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 446, in get_tasks
    parsed = self.parse_task_xml(task_xml)
  File "/home/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 462, in parse_task_xml
    xml = xml.decode('utf-16')
  File "/usr/lib/python2.7/encodings/utf_16.py", line 16, in decode
    return codecs.utf_16_decode(input, errors, True)
UnicodeDecodeError: 'utf16' codec can't decode byte 0x00 in position 0: truncated data

Autoruns.py error

I just downloaded autoruns.py and installed it in the contrib/plugins folder. I specify the --plugins=/contrib/plugins option but I"m getting the error: *** Failed to import volatility.plugins.autoruns (SyntaxError: invalid syntax (autoruns.py, line 265)) What is wrong with the syntax of that line?

    values = {str(name): str(dat) for name, dat in self.regapi.reg_yield_values(hive_name='system', key='', given_root=service_key)}

autoruns.py not working

I put autoruns in the contrib/plugins directory (where I have other working plugins, such as mimikatz,) but when I try to run autoruns, I get the following output

Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
File "/usr/share/volatility/vol.py", line 192, in
main()
File "/usr/share/volatility/vol.py", line 174, in main
command = cmdsmodule
File "/usr/share/volatility/contrib/plugins/autoruns.py", line 133, in init
hivelist.HiveList.init(self, config, _args, *_kwargs)
File "/usr/lib/python2.7/dist-packages/volatility/plugins/common.py", line 50, in init
help = "Skip unallocated objects (e.g. 0xbad0b0b0)")
File "/usr/lib/python2.7/dist-packages/volatility/conf.py", line 363, in add_option
self.optparser.add_option("-{0}".format(short_option), "--{0}".format(option), **args)
File "/usr/lib/python2.7/optparse.py", line 1020, in add_option
self._check_conflict(option)
File "/usr/lib/python2.7/optparse.py", line 995, in _check_conflict
option)
optparse.OptionConflictError: option -W/--show-unallocated: conflicting option string(s): -W

crash

Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
File "/usr/bin/volatility", line 192, in
main()
File "/usr/bin/volatility", line 183, in main
command.execute()
File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 103, in execute
data = self.calculate()
File "/root/ch2/volatility-autoruns/autoruns.py", line 519, in calculate
self.services = self.get_services()
File "/root/ch2/volatility-autoruns/autoruns.py", line 309, in get_services
service = self.parse_service_key(service)
File "/root/ch2/volatility-autoruns/autoruns.py", line 287, in parse_service_key
entry = entry.replace('\x00', '')
AttributeError: 'NoneType' object has no attribute 'replace'