lense 0.1.20 → 0.1.22
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile +1 -0
- data/bin/lense +1 -2
- data/data/mfwvl1.yaml +54 -0
- data/lib/lense.rb +45 -1
- metadata +2 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e0a7ee6941c8b35eb8bcf4e4e0c6fc73aa1b3e48
|
|
4
|
+
data.tar.gz: 29f9d6f898f4d3fa101374f34de654de2d692366
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 795bc589851d6630bcfe27ce3806474a192276620aa31ec8046b55920b6777983eef4ee179d1cd8bba32aef80f27df02229be56d42cc822fe68505711124b7cd
|
|
7
|
+
data.tar.gz: 2604c7aebd3db4caf242dbb220bef70e5800ceaf589a8f8aa6ce8bdb97806d5911060a12112f11b04832ca091180ee2c5e0b44dcb77cd016c61b5b8e35024031
|
data/Gemfile
CHANGED
data/bin/lense
CHANGED
data/data/mfwvl1.yaml
ADDED
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
---
|
|
2
|
+
# Name of course. Should match website
|
|
3
|
+
course_name: Memory Forensics With Volatility Lesson 1
|
|
4
|
+
|
|
5
|
+
# Folder in ~/.lense directory
|
|
6
|
+
folder_name: mfwvl1
|
|
7
|
+
|
|
8
|
+
# Eh why not?
|
|
9
|
+
course_difficulty: 1
|
|
10
|
+
|
|
11
|
+
# Items to download. Should be placed in ~/.lense/<folder_name>
|
|
12
|
+
downloads:
|
|
13
|
+
- https://drive.google.com/file/d/0B50xr4dwmqonNmtpa3pycGM4WXM/view?usp=sharing
|
|
14
|
+
|
|
15
|
+
# Any docker containers to pull.
|
|
16
|
+
docker: llacoste/docker_volatility
|
|
17
|
+
|
|
18
|
+
# The final command to open in a new terminal.
|
|
19
|
+
entry_point: docker run -v ~/.lense/mfwvl1/my_memory_sample.vmem:/data -i -t
|
|
20
|
+
|
|
21
|
+
# Begin the lesson.
|
|
22
|
+
lesson_plan:
|
|
23
|
+
- say: Load up volshell on the windows_xp.vmem image (volatility -f windows_xp.vmem volshell)
|
|
24
|
+
|
|
25
|
+
- say: 'We are going to take a look at some TYPEs in volshell. Using the dt command inspect: _EPROCESS _ETHREAD _TOKEN'
|
|
26
|
+
question:
|
|
27
|
+
ask: What do you see?
|
|
28
|
+
hint: 'Enter: dt("<TYPE>")'
|
|
29
|
+
expect: '*'
|
|
30
|
+
|
|
31
|
+
- say: Exit volshell and run pslist
|
|
32
|
+
question:
|
|
33
|
+
ask: What process has PID 296?
|
|
34
|
+
expect: svchost.exe
|
|
35
|
+
|
|
36
|
+
- say: Now run psscan
|
|
37
|
+
question:
|
|
38
|
+
ask: What is the offset of the explorer.exe process with PID 236
|
|
39
|
+
expect: '0x0000000005201a08'
|
|
40
|
+
|
|
41
|
+
- say: Now run pstree
|
|
42
|
+
question:
|
|
43
|
+
ask: What is the name of the first child process of explorer.exe with PID 236
|
|
44
|
+
expect: vmtoolsd.ex
|
|
45
|
+
|
|
46
|
+
- say: Now run psxview
|
|
47
|
+
question:
|
|
48
|
+
ask: What process has PID 296?
|
|
49
|
+
expect: svchost.exe
|
|
50
|
+
|
|
51
|
+
- say: You can look at the privileges of a process by using the privs plugin along with the -p flag. Use the -p flag on various plugins to focus on a particular process with the given PID i.e. -p 236 for explorer.exe. Run privs on explorer.exe
|
|
52
|
+
question:
|
|
53
|
+
ask: What are the privileges for SeImpersonatePrivilege
|
|
54
|
+
expect: Present,Enabled,Default
|
data/lib/lense.rb
CHANGED
|
@@ -1,8 +1,10 @@
|
|
|
1
1
|
require 'rest-client'
|
|
2
|
+
require 'highline/import'
|
|
3
|
+
|
|
2
4
|
class LENSE
|
|
3
5
|
attr_reader :config, :current_course
|
|
4
6
|
|
|
5
|
-
VERSION = '0.1.
|
|
7
|
+
VERSION = '0.1.22'
|
|
6
8
|
LENSE_DIR = File.join(ENV['HOME'],'.lense')
|
|
7
9
|
COURSES_DIR = File.join(LENSE_DIR,'courses')
|
|
8
10
|
CURRENT_COURSE_FILE = File.join(LENSE_DIR,'current_course')
|
|
@@ -57,4 +59,46 @@ class LENSE
|
|
|
57
59
|
puts ""
|
|
58
60
|
end
|
|
59
61
|
end
|
|
62
|
+
|
|
63
|
+
def run()
|
|
64
|
+
q_prefix = '<%= color("Q? ",:red) %>'
|
|
65
|
+
hint_prefix = '<%= color("Hint: ",:yellow) %>'
|
|
66
|
+
say_prefix = '<%= color("% ",:blue) %>'
|
|
67
|
+
answer_prefix = '<%= color("Ans: ",:red) %>'
|
|
68
|
+
question_separator = '<%= color("---",:green) %>'
|
|
69
|
+
|
|
70
|
+
test_file = 'data/mfwvl1.yaml'
|
|
71
|
+
test_str = File.file?(test_file) ? File.read(test_file) : ''
|
|
72
|
+
lense_file = Psych.load(test_str) || {}
|
|
73
|
+
|
|
74
|
+
lense_file['lesson_plan'].each do |lesson|
|
|
75
|
+
say question_separator
|
|
76
|
+
say "#{say_prefix} #{lesson['say']}" if lesson['say']
|
|
77
|
+
|
|
78
|
+
if lesson['question'] && lesson['question']['ask']
|
|
79
|
+
asked, hint_limit, max_asked, correct = 0, 3, 5, false
|
|
80
|
+
|
|
81
|
+
until correct || asked >= max_asked do
|
|
82
|
+
asked += 1
|
|
83
|
+
question = lesson['question']['ask']
|
|
84
|
+
hint = lesson['question'] && lesson['question']['hint']
|
|
85
|
+
|
|
86
|
+
show_hint = ''
|
|
87
|
+
|
|
88
|
+
if hint && asked > hint_limit
|
|
89
|
+
show_hint = "\n#{hint_prefix} #{hint}"
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
response = ask "#{q_prefix} #{question}#{show_hint}"
|
|
93
|
+
correct = response == lesson['question']['expect']
|
|
94
|
+
end
|
|
95
|
+
|
|
96
|
+
if correct
|
|
97
|
+
say "<%= color('Correct!',:green) %>"
|
|
98
|
+
else
|
|
99
|
+
say "#{answer_prefix} #{lesson['question']['expect']}"
|
|
100
|
+
end
|
|
101
|
+
end
|
|
102
|
+
end
|
|
103
|
+
end
|
|
60
104
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: lense
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.22
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Manuel Zubieta
|
|
@@ -54,6 +54,7 @@ files:
|
|
|
54
54
|
- README.md
|
|
55
55
|
- Rakefile
|
|
56
56
|
- bin/lense
|
|
57
|
+
- data/mfwvl1.yaml
|
|
57
58
|
- lense.gemspec
|
|
58
59
|
- lib/lense.rb
|
|
59
60
|
- lib/lense/helpers.rb
|