PyPI - multivol - Versions diffs - 0.1.3__py3-none-any.whl → 0.1.4__py3-none-any.whl - Mend

multivol 0.1.3py3-none-any.whl → 0.1.4py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

multivol/api.py +678 -191
multivol/multi_volatility2.py +27 -173
multivol/multi_volatility3.py +91 -104
multivol/multivol.py +118 -42
multivol/strings.py +71 -0
{multivol-0.1.3.dist-info → multivol-0.1.4.dist-info}/METADATA +1 -1
multivol-0.1.4.dist-info/RECORD +12 -0
multivol-0.1.3.dist-info/RECORD +0 -11
{multivol-0.1.3.dist-info → multivol-0.1.4.dist-info}/WHEEL +0 -0
{multivol-0.1.3.dist-info → multivol-0.1.4.dist-info}/entry_points.txt +0 -0
{multivol-0.1.3.dist-info → multivol-0.1.4.dist-info}/licenses/LICENSE +0 -0
{multivol-0.1.3.dist-info → multivol-0.1.4.dist-info}/top_level.txt +0 -0

multivol/api.py CHANGED Viewed

@@ -4,6 +4,7 @@ import os
 import docker
 import threading
 import uuid
+import re
 import time
 import sqlite3
 import json
@@ -13,7 +14,16 @@ from werkzeug.utils import secure_filename
 from flask import Flask, request, jsonify, abort, send_from_directory, send_file
 from flask_cors import CORS
 import zipfile
+import zipfile
 import io
+import textwrap
+try:
+    from .multi_volatility2 import multi_volatility2
+    from .multi_volatility3 import multi_volatility3
+except ImportError:
+    from multi_volatility2 import multi_volatility2
+    from multi_volatility3 import multi_volatility3
 app = Flask(__name__)
 # Increase max upload size to 16GB (or appropriate limit for dumps)
@@ -24,6 +34,12 @@ STORAGE_DIR = os.environ.get("STORAGE_DIR", os.path.join(os.getcwd(), "storage")
 if not os.path.exists(STORAGE_DIR):
     os.makedirs(STORAGE_DIR)
+DB_PATH = os.path.join(STORAGE_DIR, "scans.db")
+SYMBOLS_DIR = os.path.join(os.getcwd(), "volatility3_symbols")
+if not os.path.exists(SYMBOLS_DIR):
+    os.makedirs(SYMBOLS_DIR)
 runner_func = None
 @app.route('/health', methods=['GET'])
@@ -38,11 +54,24 @@ def restrict_to_localhost():
     # Allow 127.0.0.1 and ::1 (IPv6 localhost)
     allowed_ips = ["127.0.0.1", "::1"]
+    # Always allow OPTIONS for CORS preflight
+    if request.method == 'OPTIONS':
+        return
     if request.remote_addr not in allowed_ips:
+        print(f"[WARNING] Access blocked from: {request.remote_addr}")
         abort(403, description="Access forbidden: Only localhost connections allowed, please set DISABLE_LOCALHOST_ONLY=1 to disable this check.")
+def resolve_host_path(path):
+    """Resolves a container path to a host path for DooD."""
+    host_path = os.environ.get("HOST_PATH")
+    if host_path and path.startswith(os.getcwd()):
+        return os.path.join(host_path, os.path.relpath(path, os.getcwd()))
+    return path
 def init_db():
-    conn = sqlite3.connect('scans.db')
+    conn = sqlite3.connect(DB_PATH)
     c = conn.cursor()
     c.execute('''CREATE TABLE IF NOT EXISTS scans
                  (uuid TEXT PRIMARY KEY, status TEXT, mode TEXT, os TEXT, volatility_version TEXT, dump_path TEXT, output_dir TEXT, created_at REAL, error TEXT)''')
@@ -66,9 +95,21 @@ def init_db():
         print("[INFO] Migrating DB: Adding 'image' column to scans table")
         c.execute("ALTER TABLE scans ADD COLUMN image TEXT")
+    # Migration: Check if 'config_json' column exists (For storing scan options like fetch_symbol)
+    try:
+        c.execute("SELECT config_json FROM scans LIMIT 1")
+    except sqlite3.OperationalError:
+        print("[INFO] Migrating DB: Adding 'config_json' column to scans table")
+        c.execute("ALTER TABLE scans ADD COLUMN config_json TEXT")
     # Table for async dump tasks
     c.execute('''CREATE TABLE IF NOT EXISTS dump_tasks
                  (task_id TEXT PRIMARY KEY, scan_id TEXT, status TEXT, output_path TEXT, error TEXT, created_at REAL)''')
+    # Table for module status (Debug/Progress UI)
+    c.execute('''CREATE TABLE IF NOT EXISTS scan_module_status
+                 (id INTEGER PRIMARY KEY AUTOINCREMENT, scan_id TEXT, module TEXT, status TEXT, error_message TEXT, updated_at REAL,
+                 FOREIGN KEY(scan_id) REFERENCES scans(uuid))''')
     conn.commit()
     conn.close()
@@ -82,7 +123,7 @@ def rename_scan(uuid):
     if not new_name:
         return jsonify({"error": "Name is required"}), 400
-    conn = sqlite3.connect('scans.db')
+    conn = sqlite3.connect(DB_PATH)
     c = conn.cursor()
     c.execute("UPDATE scans SET name = ? WHERE uuid = ?", (new_name, uuid))
     conn.commit()
@@ -91,7 +132,7 @@ def rename_scan(uuid):
 @app.route('/scans/<uuid>', methods=['DELETE'])
 def delete_scan(uuid):
-    conn = sqlite3.connect('scans.db')
+    conn = sqlite3.connect(DB_PATH)
     conn.row_factory = sqlite3.Row
     c = conn.cursor()
@@ -114,7 +155,7 @@ def delete_scan(uuid):
 @app.route('/scans/<uuid>/download', methods=['GET'])
 def download_scan_zip(uuid):
-    conn = sqlite3.connect('scans.db')
+    conn = sqlite3.connect(DB_PATH)
     conn.row_factory = sqlite3.Row
     c = conn.cursor()
     c.execute("SELECT output_dir, name FROM scans WHERE uuid = ?", (uuid,))
@@ -203,7 +244,7 @@ def ingest_results_to_db(scan_id, output_dir):
          print(f"[ERROR] Output dir not found: {output_dir}")
          return
-    conn = sqlite3.connect('scans.db')
+    conn = sqlite3.connect(DB_PATH)
     c = conn.cursor()
     json_files = glob.glob(os.path.join(output_dir, "*_output.json"))
@@ -261,11 +302,63 @@ def upload_file():
         except Exception as e:
             print(f"[ERROR] Failed to save file: {e}")
             return jsonify({"error": str(e)}), 500
+            return jsonify({"error": str(e)}), 500
+@app.route('/symbols', methods=['GET'])
+def list_symbols():
+    try:
+        symbols_files = []
+        for root, dirs, files in os.walk(SYMBOLS_DIR):
+            for file in files:
+                # We want relative path from symbols root
+                abs_path = os.path.join(root, file)
+                rel_path = os.path.relpath(abs_path, SYMBOLS_DIR)
+                symbols_files.append({
+                    "name": rel_path,
+                    "size": os.path.getsize(abs_path),
+                    "modified": time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(os.path.getmtime(abs_path)))
+                })
+        return jsonify({"symbols": symbols_files})
+    except Exception as e:
+        return jsonify({"error": str(e)}), 500
+@app.route('/symbols', methods=['POST'])
+def upload_symbol():
+    if 'file' not in request.files:
+        return jsonify({"error": "No file part"}), 400
+    file = request.files['file']
+    if file.filename == '':
+        return jsonify({"error": "No chosen file"}), 400
+    if file:
+        filename = secure_filename(file.filename)
+        save_path = os.path.join(SYMBOLS_DIR, filename)
+        try:
+            print(f"[DEBUG] Saving symbol file to {save_path}")
+            file.save(save_path)
+            # If zip, unzip?
+            if filename.endswith(".zip"):
+                 # Optional: Unzip if user uploads a full pack
+                 # For now, let's just save it. User usually uploads .json or .zip for profiles.
+                 # Actually, Vol3 can use zip files directly if placed correctly, or we might want to unzip.
+                 # Let's verify what the user likely wants. Usually it's a JSON/ISF.
+                 pass
+            return jsonify({"status": "success", "path": save_path})
+        except Exception as e:
+             return jsonify({"error": str(e)}), 500
 @app.route('/scan', methods=['POST'])
 def scan():
     data = request.json
+    # Determine default image based on mode from request
+    req_mode = data.get('mode', 'vol3') # Default to vol3 if not specified (though validation requires it)
+    default_image = "sp00kyskelet0n/volatility3"
+    if req_mode == "vol2":
+        default_image = "sp00kyskelet0n/volatility2"
     # Define default arguments matching CLI defaults and requirements
     default_args = {
         "profiles_path": os.path.join(os.getcwd(), "volatility2_profiles"),
@@ -281,15 +374,20 @@ def scan():
         "mode": None,
         "profile": None,
         "processes": None,
-        "host_path": os.environ.get("HOST_PATH") # Added for DooD support via Env
+        "host_path": os.environ.get("HOST_PATH"), # Added for DooD support via Env
+        "debug": True, # Enable command logging for API
+        "fetch_symbol": False,
+        "custom_symbol": None,
+        "image": default_image
     }
     args_dict = default_args.copy()
     args_dict.update(data)
     # Basic Validation
-    if "dump" not in data or "image" not in data or "mode" not in data:
-         return jsonify({"error": "Missing required fields: dump, image, mode"}), 400
+    # Basic Validation
+    if "dump" not in data or "mode" not in data:
+         return jsonify({"error": "Missing required fields: dump, mode"}), 400
     # Ensure mutual exclusion for OS flags
     is_linux = bool(data.get("linux"))
@@ -298,9 +396,14 @@ def scan():
     if is_linux == is_windows:
         return jsonify({"error": "You must specify either 'linux': true or 'windows': true, but not both or neither."}), 400
+    # Default fetch_symbol to True for Linux if not explicitly provided
+    if is_linux and "fetch_symbol" not in data:
+        args_dict["fetch_symbol"] = True
     args_obj = argparse.Namespace(**args_dict)
     scan_id = str(uuid.uuid4())
+    args_obj.scan_id = scan_id # Pass scan_id to runner for status updates
     # Construct output directory with UUID
     base_name = f"volatility2_{scan_id}" if args_obj.mode == "vol2" else f"volatility3_{scan_id}"
     # Use absolute path for output_dir to avoid CWD ambiguity and ensure persistence
@@ -327,18 +430,51 @@ def scan():
     if not os.path.exists(args_obj.dump):
         return jsonify({"error": f"Dump file not found at {args_obj.dump}"}), 400
-    args_obj.image = data.get("image") # Ensure image is passed
     case_name = data.get("name") # Optional custom case name
-    conn = sqlite3.connect('scans.db')
+    # Determine command list for pre-population
+    try:
+        command_list = []
+        if args_obj.mode == "vol2":
+            vol_instance = multi_volatility2()
+            if args_obj.commands:
+                command_list = args_obj.commands.split(",")
+            elif args_obj.windows:
+                command_list = vol_instance.getCommands("windows.light" if args_obj.light else "windows.full")
+            elif args_obj.linux:
+                command_list = vol_instance.getCommands("linux.light" if args_obj.light else "linux.full")
+        else: # vol3
+            vol_instance = multi_volatility3()
+            if args_obj.commands:
+                 command_list = args_obj.commands.split(",")
+            elif args_obj.windows:
+                command_list = vol_instance.getCommands("windows.light" if args_obj.light else "windows.full")
+            elif args_obj.linux:
+                command_list = vol_instance.getCommands("linux.light" if args_obj.light else "linux.full")
+        # Inject explicit commands into args for CLI
+        if command_list:
+            args_obj.commands = ",".join(command_list)
+    except Exception as e:
+        print(f"[ERROR] Failed to determine commands: {e}")
+        command_list = []
+    conn = sqlite3.connect(DB_PATH)
     c = conn.cursor()
-    c.execute("INSERT INTO scans (uuid, status, mode, os, volatility_version, dump_path, output_dir, created_at, image, name) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
-              (scan_id, "pending", "light" if args_obj.light else "full", target_os, vol_version, args_obj.dump, final_output_dir, time.time(), args_obj.image, case_name))
+    c.execute("INSERT INTO scans (uuid, status, mode, os, volatility_version, dump_path, output_dir, created_at, image, name, config_json) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
+              (scan_id, "pending", "light" if args_obj.light else "full", target_os, vol_version, args_obj.dump, final_output_dir, time.time(), args_obj.image, case_name, json.dumps(data)))
+    # Pre-populate module status
+    if command_list:
+        for cmd in command_list:
+             c.execute("INSERT INTO scan_module_status (scan_id, module, status, updated_at) VALUES (?, ?, 'PENDING', ?)", (scan_id, cmd, time.time()))
     conn.commit()
     conn.close()
     def background_scan(s_id, args):
-        conn = sqlite3.connect('scans.db')
+        conn = sqlite3.connect(DB_PATH)
         c = conn.cursor()
         try:
@@ -352,6 +488,11 @@ def scan():
             # Ingest results to DB
             ingest_results_to_db(s_id, args.output_dir)
+            # Sweep Logic: Mark any still-pending modules as FAILED
+            # This handles cases where containers crashed or produced no output
+            c.execute("UPDATE scan_module_status SET status = 'FAILED', error_message = 'Module failed to produce output', updated_at = ? WHERE scan_id = ? AND status IN ('PENDING', 'RUNNING')", (time.time(), s_id))
+            conn.commit()
             c.execute("UPDATE scans SET status = 'completed' WHERE uuid = ?", (s_id,))
             conn.commit()
         except Exception as e:
@@ -369,7 +510,7 @@ def scan():
 @app.route('/status/<scan_id>', methods=['GET'])
 def get_status(scan_id):
-    conn = sqlite3.connect('scans.db')
+    conn = sqlite3.connect(DB_PATH)
     conn.row_factory = sqlite3.Row
     c = conn.cursor()
     c.execute("SELECT * FROM scans WHERE uuid = ?", (scan_id,))
@@ -395,57 +536,218 @@ def list_images():
     except Exception as e:
         return jsonify({"error": str(e)}), 500
-@app.route('/results/<uuid>/modules', methods=['GET'])
-def get_scan_modules(uuid):
-    conn = sqlite3.connect('scans.db')
-    conn.row_factory = sqlite3.Row
-    c = conn.cursor()
-    # Check if we have results in DB
-    c.execute("SELECT module, content FROM scan_results WHERE scan_id = ?", (uuid,))
-    rows = c.fetchall()
-    if rows:
-        modules = []
-        for row in rows:
+@app.route('/volatility3/plugins', methods=['GET'])
+def list_volatility_plugins():
+    image = request.args.get('image')
+    if not image:
+         return jsonify({"error": "Missing 'image' query parameter"}), 400
+    try:
+        script_content = """
+            from volatility3 import framework
+            import volatility3.plugins
+            import json
+            import sys
             try:
-                # content is stored as JSON string
-                # We do a quick check to see if it's our known error structure
-                # Parsing huge JSONs just to check error might be slow, but safe
-                data = json.loads(row['content'])
-                if isinstance(data, dict) and data.get("error") == "Invalid JSON output":
-                    continue
-                modules.append(row['module'])
-            except:
-                continue
-        conn.close()
-        return jsonify({"modules": modules})
-    # Fallback to filesystem if DB empty
-    c.execute("SELECT output_dir FROM scans WHERE uuid = ?", (uuid,))
-    scan = c.fetchone()
-    conn.close()
+                failures = framework.import_files(volatility3.plugins, ignore_errors=True)
+                plugins = framework.list_plugins()  # dict: {"windows.pslist.PsList": <class ...>, ...}
+                output = {
+                    "count": len(plugins),
+                    "plugins": sorted(list(plugins.keys())),
+                    "failures": sorted([str(f) for f in failures]) if failures else []
+                }
+                print(json.dumps(output))
+            except Exception as e:
+                print(json.dumps({"error": str(e)}))
+        """
+        script_content = textwrap.dedent(script_content)
+        # Write script to outputs dir so we can mount it
+        output_dir = os.path.join(os.getcwd(), "outputs")
+        if not os.path.exists(output_dir):
+            os.makedirs(output_dir)
+        script_path = os.path.join(output_dir, "list_plugins_script.py")
+        with open(script_path, "w") as f:
+            f.write(script_content)
+        # Resolve host path for Docker volume
+        host_script_path = resolve_host_path(script_path)
+        client = docker.from_env()
+        # Run container
+        print(f"[DEBUG] running list_plugins on image {image}")
+        container = client.containers.run(
+            image=image,
+            command="python3 /list_plugins.py",
+            volumes={
+                host_script_path: {'bind': '/list_plugins.py', 'mode': 'ro'}
+            },
+            stderr=True,
+            remove=True
+        )
+        # Parse output
+        raw_output = container.decode('utf-8')
+        try:
+            # Output should be mainly JSON
+            lines = raw_output.splitlines()
+            # It might have stderr logs, so look for JSON
+            json_line = None
+            for line in reversed(lines):
+                if line.strip().startswith('{'):
+                    json_line = line
+                    break
+            if json_line:
+                data = json.loads(json_line)
+                return jsonify(data)
+            else:
+                 return jsonify({"error": "No JSON output found", "raw": raw_output}), 500
+        except:
+             return jsonify({"error": "Failed to parse script output", "raw": raw_output}), 500
+    except Exception as e:
+        print(f"[ERROR] List plugins failed: {e}")
+        return jsonify({"error": str(e)}), 500
+@app.route('/scan/<uuid>/log', methods=['POST'])
+def log_scan_module_status(uuid):
+    data = request.json
+    if not data:
+        return jsonify({"error": "Missing JSON body"}), 400
+    module = data.get('module')
+    status = data.get('status')
+    error = data.get('error')
-    if not scan:
-         return jsonify({"error": "Scan not found"}), 404
+    if not module or not status:
+        return jsonify({"error": "Missing module or status"}), 400
+    conn = sqlite3.connect(DB_PATH)
+    c = conn.cursor()
+    try:
+        # Upsert status
+        # Check if exists
+        c.execute("SELECT 1 FROM scan_module_status WHERE scan_id = ? AND module = ?", (uuid, module))
+        exists = c.fetchone()
+        if exists:
+            c.execute("UPDATE scan_module_status SET status = ?, error_message = ?, updated_at = ? WHERE scan_id = ? AND module = ?",
+                      (status, error, time.time(), uuid, module))
+        else:
+             c.execute("INSERT INTO scan_module_status (scan_id, module, status, error_message, updated_at) VALUES (?, ?, ?, ?, ?)",
+                       (uuid, module, status, error, time.time()))
+        conn.commit()
+        return jsonify({"success": True})
+    except Exception as e:
+        print(f"[ERROR] Failed to log status: {e}")
+        return jsonify({"error": str(e)}), 500
+    finally:
+        conn.close()
+@app.route('/scan/<uuid>/modules', methods=['GET'])
+def get_scan_modules_status(uuid):
+    conn = sqlite3.connect(DB_PATH)
+    conn.row_factory = sqlite3.Row
+    c = conn.cursor()
-    output_dir = scan['output_dir']
-    if output_dir and os.path.exists(output_dir):
-        json_files = glob.glob(os.path.join(output_dir, "*_output.json"))
-        modules = []
-        for f in json_files:
-            filename = os.path.basename(f)
-            if filename.endswith("_output.json"):
-                # Validate content
-                parsed_data = clean_and_parse_json(f)
-                if parsed_data and isinstance(parsed_data, dict) and parsed_data.get("error") == "Invalid JSON output":
-                    continue
-                module_name = filename[:-12]
-                modules.append(module_name)
-        return jsonify({"modules": modules})
+    try:
+        # Get scan output directory
+        c.execute("SELECT output_dir FROM scans WHERE uuid = ?", (uuid,))
+        scan_row = c.fetchone()
+        output_dir = scan_row['output_dir'] if scan_row else None
-    return jsonify({"modules": []})
+        # Try to get status from the status table
+        c.execute("SELECT module, status, error_message FROM scan_module_status WHERE scan_id = ?", (uuid,))
+        rows = c.fetchall()
+        status_list = []
+        docker_client = None
+        if rows:
+            for row in rows:
+                mod_dict = dict(row)
+                module_name = mod_dict['module']
+                # For PENDING/RUNNING modules, check Docker container status
+                if mod_dict['status'] in ['PENDING', 'RUNNING']:
+                    # Predictable container name: vol3_{scan_id[:8]}_{sanitized_module}
+                    # Must match CLI: re.sub(r'[^a-zA-Z0-9_.-]', '', command)
+                    import re as re_module
+                    sanitized_name = re_module.sub(r'[^a-zA-Z0-9_.-]', '', module_name)
+                    container_name = f"vol3_{uuid[:8]}_{sanitized_name}"
+                    print(f"[DEBUG] Looking for container: {container_name}")
+                    try:
+                        if docker_client is None:
+                            import docker
+                            docker_client = docker.from_env()
+                        container = docker_client.containers.get(container_name)
+                        container_status = container.status  # 'running', 'exited', 'created', etc.
+                        if container_status == 'running':
+                            mod_dict['status'] = 'RUNNING'
+                            c.execute("UPDATE scan_module_status SET status = 'RUNNING', updated_at = ? WHERE scan_id = ? AND module = ?",
+                                      (time.time(), uuid, module_name))
+                        elif container_status == 'exited':
+                            # Container finished - file should be ready now
+                            # Read and ingest JSON
+                            if output_dir:
+                                output_file = os.path.join(output_dir, f"{module_name}_output.json")
+                                if os.path.exists(output_file):
+                                    try:
+                                        parsed_data = clean_and_parse_json(output_file)
+                                        content_str = json.dumps(parsed_data) if parsed_data else "{}"
+                                        # Check if result already exists
+                                        c.execute("SELECT id FROM scan_results WHERE scan_id = ? AND module = ?", (uuid, module_name))
+                                        if not c.fetchone():
+                                            c.execute("INSERT INTO scan_results (scan_id, module, content, created_at) VALUES (?, ?, ?, ?)",
+                                                      (uuid, module_name, content_str, time.time()))
+                                    except Exception as e:
+                                        print(f"[ERROR] Failed to ingest {module_name}: {e}")
+                            mod_dict['status'] = 'COMPLETED'
+                            c.execute("UPDATE scan_module_status SET status = 'COMPLETED', updated_at = ? WHERE scan_id = ? AND module = ?",
+                                      (time.time(), uuid, module_name))
+                            # Clean up container
+                            try:
+                                container.remove()
+                            except Exception as rm_err:
+                                print(f"[WARN] Failed to remove container {container_name}: {rm_err}")
+                    except Exception as e:
+                        # Container not found or docker error - leave status as-is
+                        pass
+                status_list.append(mod_dict)
+            conn.commit()
+        else:
+            # Fallback: check scan_results table for completed modules
+            c.execute("SELECT module FROM scan_results WHERE scan_id = ?", (uuid,))
+            result_rows = c.fetchall()
+            for r in result_rows:
+                status_list.append({
+                    "module": r['module'],
+                    "status": "COMPLETED",
+                    "error_message": None
+                })
+        return jsonify(status_list)
+    except Exception as e:
+        print(f"[ERROR] Fetching module status: {e}")
+        return jsonify({"error": str(e)}), 500
+    finally:
+        conn.close()
 @app.route('/results/<uuid>', methods=['GET'])
 def get_scan_results(uuid):
@@ -453,7 +755,7 @@ def get_scan_results(uuid):
     if not module_param:
         return jsonify({"error": "Missing 'module' query parameter"}), 400
-    conn = sqlite3.connect('scans.db')
+    conn = sqlite3.connect(DB_PATH)
     conn.row_factory = sqlite3.Row
     c = conn.cursor()
@@ -503,7 +805,7 @@ def get_scan_results(uuid):
 @app.route('/scans', methods=['GET'])
 def list_scans():
-    conn = sqlite3.connect('scans.db')
+    conn = sqlite3.connect(DB_PATH)
     conn.row_factory = sqlite3.Row
     c = conn.cursor()
     c.execute("SELECT * FROM scans ORDER BY created_at DESC")
@@ -537,9 +839,79 @@ def list_scans():
     conn.close()
     return jsonify(scans_list)
+@app.route('/scans/<uuid>/execute', methods=['POST'])
+def execute_plugin(uuid):
+    data = request.json
+    module = data.get('module')
+    if not module:
+        return jsonify({"error": "Missing 'module' parameter"}), 400
+    conn = sqlite3.connect(DB_PATH)
+    conn.row_factory = sqlite3.Row
+    c = conn.cursor()
+    c.execute("SELECT * FROM scans WHERE uuid = ?", (uuid,))
+    scan = c.fetchone()
+    conn.close()
+    if not scan:
+        return jsonify({"error": "Scan not found"}), 404
+    # Reconstruct arguments for runner
+    # We use default paths as they are standard in the container
+    default_args = {
+        "profiles_path": os.path.join(os.getcwd(), "volatility2_profiles"),
+        "symbols_path": os.path.join(os.getcwd(), "volatility3_symbols"),
+        "cache_path": os.path.join(os.getcwd(), "volatility3_cache"),
+        "plugins_dir": os.path.join(os.getcwd(), "volatility3_plugins"),
+        "format": "json",
+        "commands": module, # Execute only this module
+        "light": False,
+        "full": False,
+        "linux": False,
+        "windows": False,
+        "mode": scan['volatility_version'], # vol2 or vol3
+        "profile": None, # TODO: Store profile in DB for vol2?
+        "processes": 1,
+        "host_path": os.environ.get("HOST_PATH"),
+        "debug": True,
+        "fetch_symbol": False,
+        "custom_symbol": None, # TODO: Store custom symbol in DB?
+        "dump": scan['dump_path'],
+        "image": scan['image'],
+        "output_dir": scan['output_dir']
+    }
+    # Set OS flags based on DB
+    if scan['os'] == 'linux':
+        default_args['linux'] = True
+        default_args['fetch_symbol'] = True # Default for Linux
+    elif scan['os'] == 'windows':
+        default_args['windows'] = True
+    args_obj = argparse.Namespace(**default_args)
+    args_obj.scan_id = uuid # Add scan_id for tracking
+    def background_single_run(s_id, args):
+        try:
+             # Just run it
+             if runner_func:
+                 print(f"[DEBUG] Executing manual plugin {args.commands} on {s_id}")
+                 runner_func(args)
+             # Ingest
+             ingest_results_to_db(s_id, args.output_dir)
+        except Exception as e:
+            print(f"[ERROR] Manual plugin execution failed: {e}")
+    thread = threading.Thread(target=background_single_run, args=(uuid, args_obj))
+    thread.daemon = True
+    thread.start()
+    return jsonify({"status": "started", "module": module})
 @app.route('/stats', methods=['GET'])
 def get_stats():
-    conn = sqlite3.connect('scans.db')
+    conn = sqlite3.connect(DB_PATH)
     c = conn.cursor()
     c.execute("SELECT COUNT(*) FROM scans")
     total_cases = c.fetchone()[0]
@@ -579,6 +951,9 @@ def list_evidences():
     try:
         items = os.listdir(STORAGE_DIR)
+        # Robustly filter system files immediately
+        items = [i for i in items if not (i.startswith("scans.db") or i.endswith(".sha256"))]
         print(f"[DEBUG] list_evidences found {len(items)} items in {STORAGE_DIR}")
         print(f"[DEBUG] Items: {items}")
     except FileNotFoundError:
@@ -588,10 +963,10 @@ def list_evidences():
     # Pre-load Case Name map from DB
     case_map = {} # filename -> case name
     try:
-        conn = sqlite3.connect('scans.db')
+        conn = sqlite3.connect(DB_PATH)
         conn.row_factory = sqlite3.Row
         c = conn.cursor()
-        c.execute("SELECT name, dump_path FROM scans")
+        c.execute("SELECT name, dump_path FROM scans ORDER BY created_at ASC")
         rows = c.fetchall()
         for r in rows:
             if r['name'] and r['dump_path']:
@@ -609,6 +984,10 @@ def list_evidences():
     for item in items:
+        # Filter out system files
+        if item.startswith("scans.db") or item.endswith(".sha256"):
+            continue
         path = os.path.join(STORAGE_DIR, item)
         if os.path.isdir(path) and item.endswith("_extracted"):
              # This is an extracted folder
@@ -640,7 +1019,7 @@ def list_evidences():
              # Case Name match attempt
              matched_case_name = dump_base
              try:
-                 conn = sqlite3.connect('scans.db')
+                 conn = sqlite3.connect(DB_PATH)
                  conn.row_factory = sqlite3.Row
                  c = conn.cursor()
                  c.execute("SELECT dump_path FROM scans WHERE name = ? ORDER BY created_at DESC LIMIT 1", (dump_base,))
@@ -687,7 +1066,7 @@ def list_evidences():
                 continue
             # Resolve Display Name (Case Name)
-            display_name = case_map.get(item, item)
+            display_name = case_map.get(item, "Unassigned Evidence")
             # WRAP IN GROUP to ensure Folder Style
             child_file = {
@@ -745,6 +1124,10 @@ def get_file_hash(filepath):
 @app.route('/evidence/<filename>', methods=['DELETE'])
 def delete_evidence(filename):
+    # Strip virtual group prefix if present
+    if filename.startswith("group_"):
+        filename = filename[6:]
     filename = secure_filename(filename)
     path = os.path.join(STORAGE_DIR, filename)
     if os.path.exists(path):
@@ -756,7 +1139,7 @@ def delete_evidence(filename):
                 os.remove(path)
                 # Remove sidecar hash if exists
                 if os.path.exists(path + ".sha256"):
-                     os.remove(path + ".sha256")
+                    os.remove(path + ".sha256")
                 # Also remove extracted directory (if this was a dump file)
                 # Checks for standard <filename>_extracted pattern
@@ -780,7 +1163,7 @@ def download_evidence(filename):
 def cleanup_timeouts():
     """Marks scans running for > 1 hour as failed (timeout)."""
     try:
-        conn = sqlite3.connect('scans.db')
+        conn = sqlite3.connect(DB_PATH)
         c = conn.cursor()
         one_hour_ago = time.time() - 3600
@@ -797,148 +1180,248 @@ def cleanup_timeouts():
     except Exception as e:
         print(f"Error cleaning up timeouts: {e}")
-def background_dump_task(task_id, scan_id, virt_addr, docker_image):
-    """Background worker for extracting files from memory dump."""
-    conn = sqlite3.connect('scans.db')
-    c = conn.cursor()
-    c.row_factory = sqlite3.Row
+# In-memory dictionary to store dump task statuses
+# NOTE: This is a temporary solution for the provided diff.
+# A more robust solution would persist this in the database.
+dump_tasks = {}
+def background_dump_task(task_id, scan, virt_addr, image_tag, file_path=None):
+    """
+    Executes a Volatility3 dump command.
+    Windows: uses windows.dumpfiles.DumpFiles --virtaddr
+    Linux: uses linux.pagecache.Files --find <path> --dump
+    """
+    print(f"[{task_id}] DEBUG: Starting background dump task for scan: {scan['uuid']}")
+    dump_tasks[task_id] = {'status': 'running'}
     try:
-        c.execute("UPDATE dump_tasks SET status = 'running' WHERE task_id = ?", (task_id,))
-        conn.commit()
-        # 1. Get Scan Details
-        c.execute("SELECT * FROM scans WHERE uuid = ?", (scan_id,))
-        scan = c.fetchone()
+        # We need the memory dump file name on host
+        # The 'scan' row has 'filepath'.
+        # But wait, that filepath is the UPLOADED path (e.g. /app/storage/uploads/...)
+        # We need the filename to point to /dump_dir inside container.
+        uploaded_path = scan['dump_path'] # Changed from 'filepath' to 'dump_path' to match original scan structure
-        if not scan:
-             raise Exception("Scan not found")
-        dump_path = scan['dump_path']
-        if not os.path.isabs(dump_path) and not dump_path.startswith('/'):
-            dump_path = os.path.join(STORAGE_DIR, dump_path)
+        print(f"[{task_id}] DEBUG: Raw uploaded_path: {uploaded_path}")
+        if not os.path.isabs(uploaded_path) and not uploaded_path.startswith('/'):
+            uploaded_path = os.path.join(STORAGE_DIR, uploaded_path)
-        # 2. Setup Output Paths
-        scan_output_dir = scan['output_dir']
-        # Ensure scan output dir exists
-        if not scan_output_dir or not os.path.exists(scan_output_dir):
-             scan_output_dir = os.path.join(os.getcwd(), "outputs", f"volatility3_{scan_id}")
-             os.makedirs(scan_output_dir, exist_ok=True)
-        target_output_dir = os.path.join(scan_output_dir, "downloads", task_id)
-        os.makedirs(target_output_dir, exist_ok=True)
-        # 3. Resolve Paths & Volumes
-        host_path = os.environ.get("HOST_PATH")
-        def resolve(p):
-            if host_path:
-                if p.startswith(os.getcwd()):
-                    rel = os.path.relpath(p, os.getcwd())
-                    return os.path.join(host_path, rel)
-                if p.startswith("/storage"):
-                     return os.path.join(host_path, "storage", "data", os.path.relpath(p, "/storage"))
-            return p
-        abs_dump_path = os.path.abspath(dump_path)
-        abs_dump_dir = os.path.dirname(abs_dump_path)
-        dump_filename = os.path.basename(abs_dump_path)
-        symbols_path = os.path.join(os.getcwd(), "volatility3_symbols")
-        cache_path = os.path.join(os.getcwd(), "volatility3_cache")
-        plugins_path = os.path.join(os.getcwd(), "volatility3_plugins")
+        print(f"[{task_id}] DEBUG: Resolved uploaded_path: {uploaded_path}")
+        dump_filename = os.path.basename(uploaded_path)
-        volumes = {
-            resolve(abs_dump_dir): {'bind': '/dump_dir', 'mode': 'ro'},
-            resolve(target_output_dir): {'bind': '/output', 'mode': 'rw'},
-            resolve(symbols_path): {'bind': '/symbols', 'mode': 'rw'},
-            resolve(cache_path): {'bind': '/root/.cache/volatility3', 'mode': 'rw'},
-            resolve(plugins_path): {'bind': '/plugins', 'mode': 'ro'}
-        }
+        # Construct basic command
+        cmd = ["vol", "-q", "-f", f"/dump_dir/{dump_filename}", "-o", "/output"]
-        # 4. Run Docker Command
-        client = docker.from_env()
-        cmd = [
-            "vol", "-q",
-            "-f", f"/dump_dir/{dump_filename}",
-            "-o", "/output",
-            "windows.dumpfiles.DumpFiles",
-            "--virtaddr", str(virt_addr)
-        ]
-        print(f"[DEBUG] [Task {task_id}] Running: {cmd}")
-        client.containers.run(
-            image=docker_image,
-            command=cmd,
-            volumes=volumes,
-            remove=True,
-            stderr=True,
-            stdout=True
-        ) # This blocks until completion
+        # Parse Config
+        config = {}
+        # scan is sqlite3.Row, supports key access
+        if 'config_json' in scan.keys() and scan['config_json']:
+             try:
+                 config = json.loads(scan['config_json'])
+             except:
+                 print(f"[{task_id}] WARN: Failed to parse config_json")
-        # 5. Identify Result File
-        files = os.listdir(target_output_dir)
-        target_file = None
+        # ISF Handling (Must be generally available or before plugin)
+        # multi_volatility3.py puts it before command.
+        if scan['os'] == 'linux' and config.get('fetch_symbol'):
+             print(f"[{task_id}] DEBUG: Enabling remote ISF URL based on scan config")
+             cmd.extend(["--remote-isf-url", "https://github.com/Abyss-W4tcher/volatility3-symbols/raw/master/banners/banners.json"])
+        # Explicitly set symbols path if not using ISF?
+        # Actually vol defaults to checking standard paths, and we mount /symbols.
+        # But we should probably add -s /symbols for clarity/correctness if not using ISF?
+        # Actually, multi_volatility3 DOES add -s /symbols ALWAYS.
+        cmd.extend(["-s", "/symbols"])
+        # Determine plugin based on OS
+        print(f"[{task_id}] DEBUG: Scan OS: {scan['os']}")
+        if scan['os'] == 'linux':
+             # Linux dump logic: vol -f ... linux.pagecache.Files --find {path_name} --dump
+             if not file_path:
+                 raise Exception("File Path is required for Linux dumps")
+             print(f"[{task_id}] DEBUG: Linux Dump - FilePath: {file_path}")
+             cmd.append("linux.pagecache.Files")
+             cmd.append("--find")
+             cmd.append(file_path)
+             cmd.append("--dump")
+             # Symbols / ISF Handling
+             # We assume if it's Linux we might need the ISF URL if local symbols aren't enough.
+             # Per user request: "use the /symbols folder ... OR the ISF link".
+             # The docker container has /symbols
-        for f in files:
-            if not f.endswith(".json") and f != "." and f != "..":
-                target_file = f
-                break
-        if not target_file:
-             raise Exception("No file extracted (DumpFiles returned no candidate)")
-        # Organize downloads in STORAGE_DIR / <CaseName_or_DumpName>_extracted / <target_file>
-        # Use Case Name if available, otherwise dump filename
-        case_name = scan['name']
-        if case_name:
-             # Sanitize case name for folder usage
-             safe_case_name = secure_filename(case_name)
-             extracted_dir_name = f"{safe_case_name}_extracted"
         else:
-             extracted_dir_name = f"{dump_filename}_extracted"
-        storage_extracted_dir = os.path.join(STORAGE_DIR, extracted_dir_name)
-        os.makedirs(storage_extracted_dir, exist_ok=True)
+            # Windows dump logic (default)
+            cmd.append("windows.dumpfiles.DumpFiles")
+            cmd.append("--virtaddr")
+            cmd.append(str(virt_addr))
+        print(f"[{task_id}] Running dump command inside container: {cmd}")
+        # Run Docker
+        # We must mount:
+        #   STORAGE_DIR/uploads -> /dump_dir
+        #   STORAGE_DIR/<ScanID>_extracted (or temp) -> /output
+        #   STORAGE_DIR/symbols -> /symbols
+        #   STORAGE_DIR/cache -> /root/.cache/volatility3
-        final_path = os.path.join(storage_extracted_dir, target_file)
+        # Output dir:
+        # We'll create a specific folder for this extraction or just use the common one.
+        # Let's use a temp dir for the dump, then move the file.
+        case_name = scan['name'] # Changed from 'case_name' to 'name' to match original scan structure
+        case_extract_dir = os.path.join(STORAGE_DIR, f"{case_name}_extracted")
+        if not os.path.exists(case_extract_dir):
+            os.makedirs(case_extract_dir)
+        # We'll map the HOST path to /output.
+        # Actually, simpler to map case_extract_dir to /output.
+        # BUT, volatility output filenames usually include virtaddr or pid.
+        # We want to identify the file we just dumped.
-        # Move from temp output to final storage
-        import shutil
-        shutil.move(os.path.join(target_output_dir, target_file), final_path)
+        # Let's use a temporary directory for THIS task
+        task_out_dir = os.path.join(STORAGE_DIR, f"task_{task_id}")
+        if not os.path.exists(task_out_dir):
+           os.makedirs(task_out_dir)
+        # Retrieve Docker Image
+        # If image_tag is provided, use it. Else use default
+        # Check if local build?
+        # The frontend sends 'image' from caseDetails.
-        # 6. Mark Completed
-        c.execute("UPDATE dump_tasks SET status = 'completed', output_path = ? WHERE task_id = ?", (final_path, task_id))
-        conn.commit()
-        print(f"[DEBUG] [Task {task_id}] Completed. Moved to: {final_path}")
+        # Prepare Volumes using STORAGE_DIR
+        symbols_path = os.path.join(STORAGE_DIR, 'symbols')
+        cache_path = os.path.join(STORAGE_DIR, 'cache')
+        # Ensure directories exist
+        os.makedirs(symbols_path, exist_ok=True)
+        os.makedirs(cache_path, exist_ok=True)
+        # Docker Volumes Mapping
+        volumes = {
+            os.path.dirname(uploaded_path): {'bind': '/dump_dir', 'mode': 'ro'},
+            task_out_dir: {'bind': '/output', 'mode': 'rw'},
+            symbols_path: {'bind': '/symbols', 'mode': 'ro'},
+            cache_path: {'bind': '/root/.cache/volatility3', 'mode': 'rw'}
+        }
+        print(f"[{task_id}] Launching Docker container: {image_tag}")
+        print(f"[{task_id}] Volumes config: {volumes}")
+        # Consistent naming for debug
+        # Format: vol3_dump_<short_scan_uuid>_<task_id>
+        # Scan UUID is text, sanitize just in case
+        safe_scan_id = re.sub(r'[^a-zA-Z0-9]', '', scan['uuid'])[:8]
+        container_name = f"vol3_dump_{safe_scan_id}_{task_id}"
+        try:
+            client = docker.from_env()
+            container = client.containers.run(
+                image=image_tag,
+                name=container_name,
+                command=cmd,
+                volumes=volumes,
+                remove=True,
+                detach=False, # Wait for completion
+                stderr=True,
+                stdout=True
+            )
+            print(f"[{task_id}] Docker finished. Output bytes: {len(container) if container else 0}")
+            # print(f"[{task_id}] Container output (first 200 chars): {container[:200] if container else ''}")
+        except docker.errors.ImageNotFound:
+             print(f"[{task_id}] Pulling image {image_tag}...")
+             client.images.pull(image_tag)
+             container = client.containers.run(
+                image=image_tag,
+                name=container_name,
+                command=cmd,
+                volumes=volumes,
+                remove=True,
+                detach=False
+            )
+        except Exception as e:
+            print(f"[{task_id}] CRITICAL DOCKER ERROR: {e}")
+            raise Exception(f"Docker execution failed: {e}")
+        # After run, check files in task_out_dir
+        files = os.listdir(task_out_dir)
+        print(f"[{task_id}] Files in output dir: {files}")
+        if not files:
+            raise Exception("No file extracted by Volatility plugin.")
+        # Move files to final destination (case_extract_dir)
+        # And maybe rename?
+        created_files = []
+        for f in files:
+            src = os.path.join(task_out_dir, f)
+            dst = os.path.join(case_extract_dir, f)
+            shutil.move(src, dst)
+            created_files.append(f)
+        # Cleanup
+        os.rmdir(task_out_dir)
+        # Update DB/Task status
+        # Since we use simple dict for now:
+        dump_tasks[task_id]['status'] = 'completed'
+        dump_tasks[task_id]['output_path'] = f"/evidence/{created_files[0]}/download" # Basic assumption
+        print(f"[{task_id}] Task completed successfully. Output: {dump_tasks[task_id]['output_path']}")
+        # Ideally, update DB if we were using it for dump_tasks (we only insert PENDING, but never update status in DB in this code?)
+        # Ah, the previous code had DB update logic but I removed it/it's not in this snippet.
+        # Let's add basic DB update so status persists if backend restarts?
+        # For now, memory dict is what endpoint checks.
     except Exception as e:
-        print(f"[ERROR] [Task {task_id}] Failed: {e}")
-        c.execute("UPDATE dump_tasks SET status = 'failed', error = ? WHERE task_id = ?", (str(e), task_id))
-        conn.commit()
+        print(f"[{task_id}] TASK FAILED: {str(e)}")
+        import traceback
+        traceback.print_exc()
+        dump_tasks[task_id]['status'] = 'failed'
+        dump_tasks[task_id]['error'] = str(e)
     finally:
+        # The original code updated the database, but the provided diff removes this.
+        # Keeping the database update for consistency with other functions.
+        conn = sqlite3.connect(DB_PATH)
+        c = conn.cursor()
+        if dump_tasks[task_id]['status'] == 'completed':
+            output_path = os.path.join(case_extract_dir, created_files[0]) if created_files else None
+            c.execute("UPDATE dump_tasks SET status = 'completed', output_path = ? WHERE task_id = ?", (output_path, task_id))
+        else:
+            error_msg = dump_tasks[task_id].get('error', 'Unknown error')
+            c.execute("UPDATE dump_tasks SET status = 'failed', error = ? WHERE task_id = ?", (error_msg, task_id))
+        conn.commit()
         conn.close()
 @app.route('/scan/<scan_id>/dump-file', methods=['POST'])
 def dump_file_from_memory(scan_id):
-    data = request.json
-    virt_addr = data.get('virt_addr')
-    docker_image = data.get('image')
-    if not virt_addr:
-        return jsonify({"error": "Missing 'virt_addr'"}), 400
-    if not docker_image:
-        return jsonify({"error": "Missing 'image'"}), 400
-    conn = sqlite3.connect('scans.db')
+    # Use standard connection method
+    conn = sqlite3.connect(DB_PATH)
     conn.row_factory = sqlite3.Row
     c = conn.cursor()
-    c.execute("SELECT * FROM scans WHERE uuid = ?", (scan_id,))
-    scan = c.fetchone()
+    c.execute('SELECT * FROM scans WHERE uuid = ?', (scan_id,))
+    scan = c.fetchone()
     if not scan:
         conn.close()
-        return jsonify({"error": "Scan not found"}), 404
+        return jsonify({'error': 'Scan not found'}), 404
+    data = request.json
+    # Determine default image fallback based on Volatility version
+    default_image = "sp00kyskelet0n/volatility3"
+    if scan['volatility_version'] == "2":
+        default_image = "sp00kyskelet0n/volatility2"
+    virt_addr = data.get('virt_addr')
+    image = data.get('image') or scan['image'] or default_image
+    file_path = data.get('file_path')
+    if not virt_addr and not file_path:
+        conn.close()
+        return jsonify({'error': 'Virtual address or File Path required'}), 400
     # Create Task
     task_id = str(uuid.uuid4())
@@ -947,8 +1430,12 @@ def dump_file_from_memory(scan_id):
     conn.commit()
     conn.close()
+    # Convert scan row to dict to pass to thread safely
+    scan_dict = dict(scan)
     # Start Background Thread
-    thread = threading.Thread(target=background_dump_task, args=(task_id, scan_id, virt_addr, docker_image))
+    # Signature: background_dump_task(task_id, scan, virt_addr, image_tag, file_path=None)
+    thread = threading.Thread(target=background_dump_task, args=(task_id, scan_dict, virt_addr, image, file_path))
     thread.daemon = True
     thread.start()
@@ -956,7 +1443,7 @@ def dump_file_from_memory(scan_id):
 @app.route('/dump-task/<task_id>', methods=['GET'])
 def get_dump_status(task_id):
-    conn = sqlite3.connect('scans.db')
+    conn = sqlite3.connect(DB_PATH)
     conn.row_factory = sqlite3.Row
     c = conn.cursor()
     c.execute("SELECT * FROM dump_tasks WHERE task_id = ?", (task_id,))
@@ -970,7 +1457,7 @@ def get_dump_status(task_id):
 @app.route('/dump-task/<task_id>/download', methods=['GET'])
 def download_dump_result(task_id):
-    conn = sqlite3.connect('scans.db')
+    conn = sqlite3.connect(DB_PATH)
     conn.row_factory = sqlite3.Row
     c = conn.cursor()
     c.execute("SELECT * FROM dump_tasks WHERE task_id = ?", (task_id,))

multivol 0.1.3__py3-none-any.whl → 0.1.4__py3-none-any.whl

multivol 0.1.3py3-none-any.whl → 0.1.4py3-none-any.whl