#!/bin/bash
#
# batch-vol-nix.sh - run a fixed list of Volatility 3 Linux plugins against one
# or more memory images in parallel, writing one result file per plugin/image.
#
# Usage: ./batch-vol-nix.sh <volatility_directory> <output_format> <memory_images_dir_or_file> <output_dir> <number_of_thread>
## Example: ./batch-vol-nix.sh "./volatility/" "quick" "./memory-images/" "./vol-log/" "5"

volatility_directory=$1            # directory that contains vol.py (Volatility 3)
output_format=$2                   # one of: quick, csv, json
memory_images=$3                   # directory of memory images, or a single image file
output_directory=$4                # root directory for the per-image result folders
max_parallel_executions=${5:-5}    # cap on concurrently running plugin jobs

# Volatility 3 plugins that are run, in this order, against every image.
plugin_commands=(
  "banners.Banners"
  "linux.bash.Bash"
  "linux.check_afinfo.Check_afinfo"  "linux.check_creds.Check_creds"
  "linux.check_idt.Check_idt"        "linux.check_modules.Check_modules"
  "linux.check_syscall.Check_syscall"
  "linux.elfs.Elfs"
  "linux.envars.Envars"              "linux.envvars.Envvars"
  "linux.iomem.IOMem"
  "linux.keyboard_notifiers.Keyboard_notifiers"
  "linux.kmsg.Kmsg"
  "linux.lsmod.Lsmod"                "linux.lsof.Lsof"
  "linux.malfind.Malfind"
  "linux.mountinfo.MountInfo"
  "linux.proc.Maps"
  "linux.psaux.PsAux"                "linux.pslist.PsList"
  "linux.psscan.PsScan"              "linux.pstree.PsTree"
  "linux.sockstat.Sockstat"
  "linux.tty_check.tty_check"
)
| # Function to execute a Volatility 3 plugin on a memory image file | |
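#######################################
# Run one Volatility 3 plugin against one memory image and store its output.
# Globals:
#   volatility_directory (read) - directory containing vol.py
#   output_directory     (read) - root for per-image result folders
#   output_format        (read) - quick, csv or json
# Arguments:
#   $1 - plugin name, e.g. linux.pslist.PsList
#   $2 - path to the memory image
# Outputs:
#   Progress lines on stdout. Plugin output goes to
#   <output_directory>/<image name without extension>/<plugin, dots -> _>.<ext>
#   where ext is log (quick, with a small header), csv or json.
# Returns:
#   The plugin's exit status; 1 if the result directory cannot be created.
#   Exits 1 on an unknown output format (inside a background job this ends
#   only that job).
#######################################
execute_plugin() {
  local plugin_name="$1"
  local memory_image="$2"
  local filename subdirectory extension log_file
  local -a command

  # Image name without directory or extension names the per-image folder.
  # Declaration and assignment are separate so basename's status is not masked.
  filename=$(basename -- "$memory_image")
  filename="${filename%.*}"
  subdirectory="$output_directory/$filename"
  mkdir -p -- "$subdirectory" || return 1

  case "$output_format" in
    quick) extension="log" ;;
    csv)   extension="csv" ;;
    json)  extension="json" ;;
    *) echo "Invalid output format. Please use 'quick', 'csv', or 'json'." >&2; exit 1 ;;
  esac
  log_file="$subdirectory/${plugin_name//./_}.$extension"

  # The command is an argv array, not a string fed to eval: image paths and
  # directory names containing spaces or shell metacharacters reach vol.py
  # literally instead of being re-parsed by the shell.
  command=(python3 "$volatility_directory/vol.py" -r "$output_format" -f "$memory_image" "$plugin_name")

  echo "Executing plugin: $plugin_name"
  echo "Command: ${command[*]}"

  if [[ "$output_format" == "quick" ]]; then
    # quick output is human-readable, so prefix it with a short header.
    {
      echo "Volatility 3 Plugin: $plugin_name"
      echo "Command: ${command[*]}"
      echo "-----"
      echo ""
    } > "$log_file"
    "${command[@]}" >> "$log_file"
  else
    # csv/json must stay machine-parseable: write the plugin output verbatim.
    "${command[@]}" > "$log_file"
  fi
}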
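export -f execute_plugin

# Validate arguments once, up front. execute_plugin also rejects a bad format,
# but it runs as a background job there, so that exit ends only the job and the
# script itself would still finish with status 0.
if [[ -z "$volatility_directory" || -z "$output_format" || -z "$memory_images" || -z "$output_directory" ]]; then
  echo "Usage: ${0##*/} <volatility_directory> <output_format> <memory_images_dir_or_file> <output_dir> [number_of_thread]" >&2
  exit 2
fi
case "$output_format" in
  quick|csv|json) ;;
  *) echo "Invalid output format. Please use 'quick', 'csv', or 'json'." >&2; exit 1 ;;
esac

# Collect the images into an array: a directory contributes every *.lime file
# below it, a plain path is used as-is. NUL-delimited find output keeps paths
# that contain whitespace intact instead of splitting them on $IFS.
declare -a image_files=()
if [[ -d "$memory_images" ]]; then
  while IFS= read -r -d '' image; do
    image_files+=("$image")
  done < <(find "$memory_images" -type f -name "*.lime" -print0)
else
  image_files=("$memory_images")
fi

# Run every plugin against every image, keeping at most
# max_parallel_executions jobs running at once.
for plugin_name in "${plugin_commands[@]}"; do
  for memory_image in "${image_files[@]}"; do
    execute_plugin "$plugin_name" "$memory_image" &
    if (( $(jobs -r -p | wc -l) >= max_parallel_executions )); then
      wait -n   # bash 4.3+: block until any one job finishes
    fi
  done
done

# Wait for all remaining parallel executions to finish
wait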