lense 0.1.25 → 0.1.26
- checksums.yaml +4 -4
- data/bin/lense +2 -0
- data/data/mfwvl1.yaml +55 -52
- data/lib/lense.rb +2 -2
- metadata +2 -2
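--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 93081a4dd98c443306c190459fcd3005e51e8c06
+data.tar.gz: 9ecceca898731f2abcb7d97292dc3e24399fbc29
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9e71efcc4ad9c150a6095eb554d1dd5a58aa0bcbcb26f4f76f1c2c07264599fcdcad5d3c783361ff0989e1a63f0a75f2cd9661abdc5fb7df0f9a988ae8c11148
+data.tar.gz: 7eac7d1e887c6c1cbd310ac7a02c88bb1f09aece10096854c79f99ab2ccded0225264b0eb34478d7be433ea3fa7fa300a7377dcff0bcc8135d48d6e17dc6d5ce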
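--- a/data/bin/lense
+++ b/data/bin/lense
@@ -15,12 +15,14 @@ LENSE_APP = LENSE.new
 
 pre do |global_options,command,options,args|
 found_docker = system_check('which docker')
+found_docker_compose = system_check('which docker-compose')
 docker_running = found_docker && system_check('docker version')
 found_vagrant = system_check('which vagrant')
 found_git = system_check('which git')
 
 be_quiet = global_options[:quiet] || LENSE_APP.config["quiet"]
 puts "WARNING: Docker not found. Unable to run courses that use Docker!" unless found_docker || be_quiet
+puts "WARNING: Docker Compose not found. Unable to run courses that use Docker Compose!" unless found_docker || be_quiet
 puts "WARNING: Docker is not running. Unable to run courses that use Docker!" if (found_docker && !docker_running) && !be_quiet
 puts "WARNING: Vagrant not found. Unable to run courses that use Vagrant!" unless found_vagrant || be_quiet
 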
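Review bot: The new Docker Compose warning at new line 25 tests `found_docker` instead of the `found_docker_compose` variable added at new line 18, so a host with docker but no docker-compose never sees the warning and the new variable is otherwise unused. The line should read `puts "WARNING: Docker Compose not found. Unable to run courses that use Docker Compose!" unless found_docker_compose || be_quiet`. The `pre do` block that holds these checks continues past the end of the hunk.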
data/data/mfwvl1.yaml
@@ -1,54 +1,57 @@
|
|
1
1
|
---
|
2
2
|
# Name of course. Should match website
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
#
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
3
|
+
course:
|
4
|
+
title: Memory Forensics With Volatility Lesson 1
|
5
|
+
difficulty: 1
|
6
|
+
authors:
|
7
|
+
- name: Lance Lacoste
|
8
|
+
email: lance.lacoste@gmail.com
|
9
|
+
|
10
|
+
# Items to download. Should be placed in ~/.lense/<folder_name>
|
11
|
+
data:
|
12
|
+
# ~/.lense/courses/llacoste/mfwvl1/data/foo
|
13
|
+
- rel: data
|
14
|
+
url: https://drive.google.com/file/d/0B50xr4dwmqonNmtpa3pycGM4WXM/view?usp=sharing
|
15
|
+
description: "why you need it?"
|
16
|
+
# ~/.lense/courses/llacoste/mfwvl1/data/memdumps/foo
|
17
|
+
- rel: data/memdumps
|
18
|
+
url: https://drive.google.com/file/d/0B50xr4dwmqonNmtpa3pycGM4WXM/view?usp=sharing
|
19
|
+
description: "why you need it?"
|
20
|
+
|
21
|
+
# The final command to open in a new terminal.
|
22
|
+
entry_point: docker run -v ~/.lense/mfwvl1/my_memory_sample.vmem:/data -i -t llacoste/docker_volatility
|
23
|
+
|
24
|
+
# Begin the lesson.
|
25
|
+
lesson_plan:
|
26
|
+
- say: Load up volshell on the windows_xp.vmem image (volatility -f windows_xp.vmem volshell)
|
27
|
+
|
28
|
+
- say: 'We are going to take a look at some TYPEs in volshell. Using the dt command inspect: _EPROCESS _ETHREAD _TOKEN'
|
29
|
+
question:
|
30
|
+
ask: What do you see?
|
31
|
+
hint: 'Enter: dt("<TYPE>")'
|
32
|
+
expect: '*'
|
33
|
+
|
34
|
+
- say: Exit volshell and run pslist
|
35
|
+
question:
|
36
|
+
ask: What process has PID 296?
|
37
|
+
expect: svchost.exe
|
38
|
+
|
39
|
+
- say: Now run psscan
|
40
|
+
question:
|
41
|
+
ask: What is the offset of the explorer.exe process with PID 236
|
42
|
+
expect: '0x0000000005201a08'
|
43
|
+
|
44
|
+
- say: Now run pstree
|
45
|
+
question:
|
46
|
+
ask: What is the name of the first child process of explorer.exe with PID 236
|
47
|
+
expect: vmtoolsd.exe
|
48
|
+
|
49
|
+
- say: Now run psxview
|
50
|
+
question:
|
51
|
+
ask: What process has PID 296?
|
52
|
+
expect: svchost.exe
|
53
|
+
|
54
|
+
- say: You can look at the privileges of a process by using the privs plugin along with the -p flag. Use the -p flag on various plugins to focus on a particular process with the given PID i.e. -p 236 for explorer.exe. Run privs on explorer.exe
|
55
|
+
question:
|
56
|
+
ask: What are the privileges for SeImpersonatePrivilege
|
57
|
+
expect: Present,Enabled,Default
|
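Review bot: The `entry_point` at new line 22 mounts `~/.lense/mfwvl1/my_memory_sample.vmem` into the container, which matches neither the download location the comments above give (`~/.lense/courses/llacoste/mfwvl1/data/...`) nor the `windows_xp.vmem` image the first `lesson_plan` step tells the learner to open, so the command as written is unlikely to find the sample. The two `data` entries (new lines 13–19) also point at the same Google Drive URL with the placeholder description `"why you need it?"`, and neither carries an integrity value; since this is a memory image fetched from a third-party share, I would add a documented checksum field per entry (if the loader supports one — it is not visible here) and correct the descriptions before release. Finally, `expect: '*'` at new line 32 presumably accepts any answer; a comment such as `# any input accepted` would make that intent explicit.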
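--- a/data/lib/lense.rb
+++ b/data/lib/lense.rb
@@ -4,7 +4,7 @@ require 'highline/import'
 class LENSE
 attr_reader :config, :current_course
 
-VERSION = '0.1.
+VERSION = '0.1.26'
 LENSE_DIR = File.join(ENV['HOME'],'.lense')
 COURSES_DIR = File.join(LENSE_DIR,'courses')
 CURRENT_COURSE_FILE = File.join(LENSE_DIR,'current_course')
@@ -71,7 +71,7 @@ class LENSE
 test_str = File.file?(test_file) ? File.read(test_file) : ''
 lense_file = Psych.load(test_str) || {}
 
-lense_file['lesson_plan'].each do |lesson|
+lense_file['course']['lesson_plan'].each do |lesson|
 say question_separator
 say "#{say_prefix} #{lesson['say']}" if lesson['say']
 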
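Review bot: The new line 74 in the second hunk, `lense_file['course']['lesson_plan'].each`, raises NoMethodError on nil when the course file is missing or has the old top-level layout, because line 72 falls back to `{}` and `['course']` then returns nil; the change to the nested schema adds a second nil point without a guard. I would replace it with `plan = lense_file.dig('course', 'lesson_plan') || []` followed by `plan.each do |lesson|`, or raise a clear error naming the file when the key is absent. Separately, line 72 parses the course file with `Psych.load`, which in the Psych versions of this era instantiates arbitrary Ruby objects from YAML tags; course files appear to be user-supplied data, so `Psych.safe_load(test_str)` (with `permitted_classes` if any are needed) is the appropriate call. The enclosing method begins before this hunk.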
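--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lense
 version: !ruby/object:Gem::Version
-version: 0.1.
+version: 0.1.26
 platform: ruby
 authors:
 - Manuel Zubieta
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-04-
+date: 2015-04-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake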