autovol

Python script to run Volatility 2 plugins against a memory dump and write each plugin's output to a text file

import os
import subprocess
import argparse

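# Parse command line arguments
parser = argparse.ArgumentParser(description='Automate running Volatility with specified plugins.')
parser.add_argument('--volatility', required=True, help='Path to the Volatility 2 executable (vol.py)')
parser.add_argument('--dump', required=True, help='Path to the memory dump file')
parser.add_argument('--output', required=True, help='Output directory')
parser.add_argument('--profile', required=True, help='Profile for the memory dump')
parser.add_argument('--plugins', nargs='+', required=True, help='List of plugins')
# Volatility 2 needs a Python 2 interpreter; let the caller pick one (e.g. a
# virtualenv's python2) while keeping the original hard-coded 'python2' default.
parser.add_argument('--python', default='python2',
                    help='Python 2 interpreter used to run vol.py (default: python2)')
args = parser.parse_args()

# Create the output directory if it doesn't exist
if not os.path.exists(args.output):
    os.makedirs(args.output)

# Plugins that write artefacts to disk get a --dump-dir pointing at their own
# subdirectory; every other plugin only produces text on stdout. A plugin
# qualifies by exact name or by containing one of these names as a substring.
# (The original list carried "dumpregistry" twice; the duplicate is dropped.)
dump_plugins = ["dumpcerts", "dumpregistry", "dumpfiles", "servicediff"]
# Kept for compatibility with the original script; it is not consulted below.
dump_noDir = ["hashdump"]

# Run Volatility for each plugin
for plugin in args.plugins:
    # The plugin name doubles as a directory name below, so refuse anything
    # that is not a plain name (path separators, '.', '..', empty string)
    # rather than creating a directory outside the output tree.
    if not plugin or plugin in ('.', '..') or os.path.basename(plugin) != plugin:
        print("Skipping plugin '{0}': not a plain plugin name.".format(plugin))
        continue

    # Create a subdirectory for the plugin's output if it doesn't exist.
    # makedirs + OSError avoids the check-then-create race of os.path.exists.
    plugin_dir = os.path.join(args.output, plugin)
    try:
        os.makedirs(plugin_dir)
    except OSError:
        if not os.path.isdir(plugin_dir):
            raise
        print("Directory '{0}' already exists. Skipping creation.".format(plugin_dir))

    # Construct the command to run Volatility. Popen receives a list (no
    # shell), so the dump path, profile and plugin name are never
    # shell-interpreted.
    command = [
        args.python,
        args.volatility,
        '-f', args.dump,
        '--profile', args.profile,
        plugin,
    ]
    if plugin in dump_plugins or any(keyword in plugin for keyword in dump_plugins):
        # Artefact-writing plugins drop their files into the plugin's own directory
        command += ['--dump-dir', plugin_dir]

    # Run the Volatility command
    try:
        process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        output, error = process.communicate()
    except OSError as e:
        # Interpreter or vol.py missing / not executable
        print("Error executing plugin '{0}': {1}".format(plugin, str(e)))
        continue

    # Decode once for the console, tolerating non-UTF-8 bytes (plugin output can
    # contain raw memory contents); the untouched bytes are what goes to disk.
    output_text = output.decode('utf-8', 'replace')
    error_text = error.decode('utf-8', 'replace')

    if process.returncode == 0:
        print("Plugin '{0}' completed successfully.".format(plugin))
        print("'{0}' Output:\n".format(plugin))
        print(output_text)
    else:
        print("Error running plugin '{0}': {1}".format(plugin, error_text))

    # Preserve what the plugin produced: stdout goes to output.txt (also on
    # failure, if there was any), and on failure stderr is kept in error.txt so
    # a failed run still leaves a record in the case directory. Files are
    # written in binary mode so the output is stored byte-for-byte and no
    # locale-dependent re-encoding can fail.
    try:
        if process.returncode == 0 or output:
            output_file = os.path.join(plugin_dir, "output.txt")
            with open(output_file, "wb") as f:
                f.write(output)
            print("Output written to:", output_file, "\n")
        if process.returncode != 0:
            error_file = os.path.join(plugin_dir, "error.txt")
            with open(error_file, "wb") as f:
                f.write(error)
            print("Error output written to:", error_file, "\n")
    except (IOError, OSError) as e:
        # IOError covers Python 2 file errors; on Python 3 it aliases OSError.
        print("Error writing output for plugin '{0}': {1}".format(plugin, str(e)))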
# Run this in the command line

python2 autovol.py --volatility volatility/vol.py --dump cases/btlo/infected.vmem --output autovolout --profile Win7SP1x86 --plugins hashdump dumpregistry pstree malfind 
