autovol
Python script that runs Volatility 2 commands and writes each plugin's output to a text file
import os
import subprocess
import argparse
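# Plugins that write artefacts to disk and therefore need a --dump-dir.
# (The original list carried "dumpregistry" twice; the duplicate is gone.)
DUMP_PLUGINS = ("dumpcerts", "dumpregistry", "dumpfiles", "servicediff")


def is_dump_plugin(plugin):
    """Return True if *plugin* should be run with ``--dump-dir``.

    Matching is by substring (a name containing any entry of DUMP_PLUGINS
    counts), which is the rule the script has always applied.
    """
    return any(keyword in plugin for keyword in DUMP_PLUGINS)


def is_safe_plugin_name(plugin):
    """Return True if *plugin* is usable as a single path component.

    The plugin name becomes a subdirectory of ``--output`` and a
    ``--dump-dir`` argument, so reject empty names, '.', '..' and anything
    containing a path separator; otherwise a mistyped name could place
    output outside the case's output directory.
    """
    if plugin in ("", ".", ".."):
        return False
    if os.sep in plugin:
        return False
    if os.altsep and os.altsep in plugin:
        return False
    return True


def ensure_dir(path):
    """Create *path* if it is missing; say so when it already exists."""
    if os.path.exists(path):
        print("Directory '{0}' already exists. Skipping creation.".format(path))
    else:
        os.makedirs(path)


def build_command(volatility, dump, profile, plugin, plugin_dir, python="python2"):
    """Build the argv list for one Volatility 2 plugin run.

    Args:
        volatility: path to vol.py.
        dump: path to the memory image.
        profile: Volatility profile name.
        plugin: plugin name.
        plugin_dir: directory passed as ``--dump-dir`` for dump plugins.
        python: interpreter used to run vol.py (Volatility 2 needs Python 2).

    Returns:
        A list of argv strings. It is executed with ``shell=False`` so the
        values are passed verbatim and never parsed by a shell.
    """
    command = [python, volatility, "-f", dump, "--profile", profile, plugin]
    if is_dump_plugin(plugin):
        command.extend(["--dump-dir", plugin_dir])
    return command


def run_plugin(command, plugin, plugin_dir):
    """Run *command*, print its stdout and save it under *plugin_dir*.

    stdout is stored as raw bytes in ``output.txt`` so non-UTF-8 bytes are
    kept exactly as Volatility produced them; the console copy is decoded
    with replacement characters instead of raising.  stderr, when not empty,
    is saved to ``stderr.txt`` (Volatility 2 prints its banner and warnings
    there even on success) so it is not lost.

    Args:
        command: argv list as produced by :func:`build_command`.
        plugin: plugin name, used only for messages.
        plugin_dir: existing directory that receives the result files.

    Returns:
        The process exit code, or None if the interpreter could not be
        started (the OSError is reported, not raised).
    """
    try:
        process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    except OSError as exc:
        print("Error executing plugin '{0}': {1}".format(plugin, exc))
        return None
    output, error = process.communicate()
    if error:
        with open(os.path.join(plugin_dir, "stderr.txt"), "wb") as handle:
            handle.write(error)
    if process.returncode != 0:
        print("Error running plugin '{0}': {1}".format(plugin, error.decode("utf-8", "replace")))
        return process.returncode
    print("Plugin '{0}' completed successfully.".format(plugin))
    print("'{0}' Output:\n".format(plugin))
    print(output.decode("utf-8", "replace"))
    output_file = os.path.join(plugin_dir, "output.txt")
    with open(output_file, "wb") as handle:
        handle.write(output)
    # Single-argument print: under Python 2 a multi-argument print() would
    # emit a tuple instead of the message.
    print("Output written to: {0}\n".format(output_file))
    return process.returncode


def parse_args(argv=None):
    """Parse command line arguments; *argv* defaults to ``sys.argv[1:]``.

    Plugin names are validated with :func:`is_safe_plugin_name`; an invalid
    one aborts with the usual argparse error (exit status 2).
    """
    parser = argparse.ArgumentParser(description="Automate running Volatility with specified plugins.")
    parser.add_argument("--volatility", required=True, help="Path to the Volatility 2 executable (vol.py)")
    parser.add_argument("--dump", required=True, help="Path to the memory dump file")
    parser.add_argument("--output", required=True, help="Output directory")
    parser.add_argument("--profile", required=True, help="Profile for the memory dump")
    parser.add_argument("--plugins", nargs="+", required=True, help="List of plugins")
    parser.add_argument("--python", default="python2",
                        help="Interpreter used to run vol.py (default: python2)")
    args = parser.parse_args(argv)
    for plugin in args.plugins:
        if not is_safe_plugin_name(plugin):
            parser.error("invalid plugin name: {0!r}".format(plugin))
    return args


def main(argv=None):
    """Run every requested plugin and store the results under ``--output``."""
    args = parse_args(argv)
    # Create the output directory if it doesn't exist
    if not os.path.exists(args.output):
        os.makedirs(args.output)
    for plugin in args.plugins:
        # One subdirectory per plugin; dump plugins also receive it as --dump-dir
        plugin_dir = os.path.join(args.output, plugin)
        ensure_dir(plugin_dir)
        command = build_command(args.volatility, args.dump, args.profile, plugin, plugin_dir, args.python)
        run_plugin(command, plugin, plugin_dir)


if __name__ == "__main__":
    main()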
# Example invocation from the command line
python2 autovol.py --volatility volatility/vol.py --dump cases/btlo/infected.vmem --output autovolout --profile Win7SP1x86 --plugins hashdump dumpregistry pstree malfind