[Vol-dev] question on the code

AAron Walters awalters at 4tphi.net
Mon Oct 6 11:34:33 CDT 2008 

Jesse,

We described a lot of the changes at OMFW during my presentation on 
Volatility 1.3 and during Brendan's presentation on VolShell. If you look 
at the examples provided in memory_plugins, you will also see how the 
usage has changed.  I also believe many of Brendan's plugins use the new 
object model as well.

For example with the new object model it is possible to do this:

image_file_name = eprocess.ImageFileName

as opposed to having to define an explicit accessor function:

image_file_name = process_imagename(addr_space, types, task)

As for vmodules, all of those modules will eventually be converted to the 
new object model.

So if you are working on a new plugin, I would suggest using the new 
object model similar to that found in the plugin examples.

AW


On Mon, 6 Oct 2008, Jesse Kornblum wrote:

> What is the old object model? Can you give an example of how things have 
> changed? Will the scripts in vmodules be changing as well, or are they 
> already using the new model?
>
> -- 
> Jesse
> jessek at speakeasy.net
>
> On Fri Oct  3 18:07 , AAron Walters  sent:
>
>>
>>
>> Jun,
>>
>> I don't know about a trap, but it is something.  By the way, you may want
>> to check out the examples in the memory_plugins directory.  These plugins
>> all use the new object model which everything will be transitioning to in
>> the near future.
>>
>> Thanks,
>>
>> AW
>>
>> On Sat, 4 Oct 2008, Jun Koi wrote:
>>
>>> On Fri, Oct 3, 2008 at 10:36 PM, AAron Walters awalters at 4tphi.net> wrote:
>>>>
>>>> Jun,
>>>>
>>>> The types variable is instantiated from vtypes.py.  This is the part of the
>>>> Profile used to describe the operating system's data types.
>>>
>>> What a trap!
>>>
>>> Thanks,
>>> J
>>>
>>>
>>>
>>>
>>>> On Fri, 3 Oct 2008, Jun Koi wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am trying to read the code, and found this in vmodules.py:
>>>>>
>>>>> def get_connections(cmdname, argv):
>>>>
>>>>>    """
>>>>>
>>>>>   Function prints a list of open connections
>>>>>   """
>>>>>   op = get_standard_parser(cmdname)
>>>>>   opts, args = op.parse_args(argv)
>>>>>
>>>>>   star_line = '*'*72
>>>>>
>>>>>   (addr_space, symtab, types) = load_and_identify_image(op, opts)  #
>>>>> Here
>>>>>
>>>>>   connections = tcb_connections(addr_space, types, symtab)
>>>>> ....
>>>>>
>>>>> I dont understand what the "types" variable above means. Even track
>>>>> back the source, I dont see how it is produced.
>>>>>
>>>>> Anybody could explain a bit, so I can continue to dig? (sorry that my
>>>>> Python skill is still very modest)
>>>>>
>>>>> Thanks,
>>>>> J
>>>>> _______________________________________________
>>>>> Vol-dev mailing list
>>>>> Vol-dev at volatilesystems.com
>>>>> http://lists.volatilesystems.com/mailman/listinfo/vol-dev
>>>>>
>>>>
>>>
>> _______________________________________________
>> Vol-dev mailing list
>> Vol-dev at volatilesystems.com
>> http://lists.volatilesystems.com/mailman/listinfo/vol-dev
>
>
> _______________________________________________
> Vol-dev mailing list
> Vol-dev at volatilesystems.com
> http://lists.volatilesystems.com/mailman/listinfo/vol-dev
>

More information about the Vol-dev mailing list