lense 0.1.26 → 0.1.27
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/data/mfwvl1.yaml +51 -56
- data/lib/lense.rb +2 -3
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 54de025704648557ef47653d51dd11713e0858ff
|
|
4
|
+
data.tar.gz: 209f2ab433994e0f0c980e6a46aa100404e0763f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ecbbd3c9213572404a875a4e468d135709dc862193ae183d88d0808bfd75b9a8bcb919dca9633a91c97f95820d940b7bfd47ea26fa796eaa5b00d38805f00cc1
|
|
7
|
+
data.tar.gz: f6bc4e7681f767aea8bf84678f54b693cf9f01d8e6e58cbaa6a51455efc4b9ca5bb10a3f42a318cbe9cd2d2e3f54285f51f20d32e9d788be88c9a89e068163ca
|
data/data/mfwvl1.yaml
CHANGED
|
@@ -1,57 +1,52 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
- say: You can look at the privileges of a process by using the privs plugin along with the -p flag. Use the -p flag on various plugins to focus on a particular process with the given PID i.e. -p 236 for explorer.exe. Run privs on explorer.exe
|
|
55
|
-
question:
|
|
56
|
-
ask: What are the privileges for SeImpersonatePrivilege
|
|
57
|
-
expect: Present,Enabled,Default
|
|
2
|
+
title: Memory Forensics With Volatility Lesson 1
|
|
3
|
+
difficulty: 1
|
|
4
|
+
authors:
|
|
5
|
+
- name: Lance Lacoste
|
|
6
|
+
email: lance.lacoste@gmail.com
|
|
7
|
+
|
|
8
|
+
dependancies:
|
|
9
|
+
- data/my_memory_sample.vmem
|
|
10
|
+
|
|
11
|
+
# The final command to open in a new terminal.
|
|
12
|
+
up:
|
|
13
|
+
- docker run --name=%LENSE_NAME%_main -v $PWD/data:/data -i -t llacoste/docker_volatility
|
|
14
|
+
|
|
15
|
+
down:
|
|
16
|
+
- docker stop %LENSE_NAME%_main
|
|
17
|
+
- docker rm %LENSE_NAME%_main
|
|
18
|
+
|
|
19
|
+
# Begin the lesson.
|
|
20
|
+
lesson_plan:
|
|
21
|
+
- say: Load up volshell on the windows_xp.vmem image (volatility -f windows_xp.vmem volshell)
|
|
22
|
+
|
|
23
|
+
- say: 'We are going to take a look at some TYPEs in volshell. Using the dt command inspect: _EPROCESS _ETHREAD _TOKEN'
|
|
24
|
+
question:
|
|
25
|
+
ask: What do you see?
|
|
26
|
+
hint: 'Enter: dt("<TYPE>")'
|
|
27
|
+
expect: '*'
|
|
28
|
+
|
|
29
|
+
- say: Exit volshell and run pslist
|
|
30
|
+
question:
|
|
31
|
+
ask: What process has PID 296?
|
|
32
|
+
expect: svchost.exe
|
|
33
|
+
|
|
34
|
+
- say: Now run psscan
|
|
35
|
+
question:
|
|
36
|
+
ask: What is the offset of the explorer.exe process with PID 236
|
|
37
|
+
expect: '0x0000000005201a08'
|
|
38
|
+
|
|
39
|
+
- say: Now run pstree
|
|
40
|
+
question:
|
|
41
|
+
ask: What is the name of the first child process of explorer.exe with PID 236
|
|
42
|
+
expect: vmtoolsd.exe
|
|
43
|
+
|
|
44
|
+
- say: Now run psxview
|
|
45
|
+
question:
|
|
46
|
+
ask: What process has PID 296?
|
|
47
|
+
expect: svchost.exe
|
|
48
|
+
|
|
49
|
+
- say: You can look at the privileges of a process by using the privs plugin along with the -p flag. Use the -p flag on various plugins to focus on a particular process with the given PID i.e. -p 236 for explorer.exe. Run privs on explorer.exe
|
|
50
|
+
question:
|
|
51
|
+
ask: What are the privileges for SeImpersonatePrivilege
|
|
52
|
+
expect: Present,Enabled,Default
|
data/lib/lense.rb
CHANGED
|
@@ -4,7 +4,7 @@ require 'highline/import'
|
|
|
4
4
|
class LENSE
|
|
5
5
|
attr_reader :config, :current_course
|
|
6
6
|
|
|
7
|
-
VERSION = '0.1.
|
|
7
|
+
VERSION = '0.1.27'
|
|
8
8
|
LENSE_DIR = File.join(ENV['HOME'],'.lense')
|
|
9
9
|
COURSES_DIR = File.join(LENSE_DIR,'courses')
|
|
10
10
|
CURRENT_COURSE_FILE = File.join(LENSE_DIR,'current_course')
|
|
@@ -71,7 +71,7 @@ class LENSE
|
|
|
71
71
|
test_str = File.file?(test_file) ? File.read(test_file) : ''
|
|
72
72
|
lense_file = Psych.load(test_str) || {}
|
|
73
73
|
|
|
74
|
-
lense_file['
|
|
74
|
+
lense_file['lesson_plan'].each do |lesson|
|
|
75
75
|
say question_separator
|
|
76
76
|
say "#{say_prefix} #{lesson['say']}" if lesson['say']
|
|
77
77
|
|
|
@@ -84,7 +84,6 @@ class LENSE
|
|
|
84
84
|
hint = lesson['question'] && lesson['question']['hint']
|
|
85
85
|
|
|
86
86
|
show_hint = ''
|
|
87
|
-
|
|
88
87
|
if hint && asked > hint_limit
|
|
89
88
|
show_hint = "\n#{hint_prefix} #{hint}"
|
|
90
89
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: lense
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.27
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Manuel Zubieta
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2015-04-
|
|
12
|
+
date: 2015-04-24 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rake
|