multivol 0.1.3__py3-none-any.whl → 0.1.4__py3-none-any.whl

multivol/multivol.py

@@ -1,6 +1,8 @@
 # multivol.py
 # Entry point for MultiVolatility: orchestrates running Volatility2 and Volatility3 memory analysis in parallel using multiprocessing.
 import multiprocessing, time, os, argparse, sys
+import docker
+from datetime import datetime
 from rich.console import Console
 from rich.theme import Theme
 from rich.progress import Progress, SpinnerColumn, TextColumn, BarColumn, TaskProgressColumn, TimeElapsedColumn
@@ -9,9 +11,16 @@ from rich.progress import Progress, SpinnerColumn, TextColumn, BarColumn, TaskPr
 try:
     from .multi_volatility2 import multi_volatility2
     from .multi_volatility3 import multi_volatility3
+    from .strings import get_strings
 except ImportError:
     from multi_volatility2 import multi_volatility2
     from multi_volatility3 import multi_volatility3
+    from strings import get_strings
+
+
+
+# Wrapper for Volatility 3 to use with imap
+
 
 # Wrapper for Volatility 3 to use with imap
 def vol3_wrapper(packed_args):
@@ -29,14 +38,17 @@ def runner(arguments):
     if not arguments.light and not arguments.full:
         arguments.light = True
 
+    if hasattr(arguments, "output_dir") and arguments.output_dir:
+        output_dir = arguments.output_dir
+    elif hasattr(arguments, "output") and arguments.output:
+        output_dir = arguments.output
+    else:
+        output_dir = f"output_{datetime.now().strftime('%Y_%m_%d_%H_%M_%S')}"
+    os.makedirs(output_dir, exist_ok=True)
+
     # Handle Volatility2 mode
     if arguments.mode == "vol2":
         volatility2_instance = multi_volatility2()
-        if hasattr(arguments, "output_dir") and arguments.output_dir:
-            output_dir = arguments.output_dir
-        else:
-            output_dir = f"volatility2_{os.path.basename(arguments.dump)}__output"
-        os.makedirs(output_dir, exist_ok=True)
         # Determine commands to run based on arguments
         if arguments.commands:
             commands = arguments.commands.split(",")
@@ -54,11 +66,6 @@ def runner(arguments):
     # Handle Volatility3 mode
     elif arguments.mode == "vol3":
         volatility3_instance = multi_volatility3()
-        if hasattr(arguments, "output_dir") and arguments.output_dir:
-            output_dir = arguments.output_dir
-        else:
-            output_dir = f"volatility3_{os.path.basename(arguments.dump)}__output"
-        os.makedirs(output_dir, exist_ok=True)
         # Determine commands to run based on arguments
         if arguments.commands:
             commands = arguments.commands.split(",")
@@ -68,7 +75,10 @@ def runner(arguments):
             else:
                 commands = volatility3_instance.getCommands("windows.full")
         elif arguments.linux:
-            commands = volatility3_instance.getCommands("linux")
+            if arguments.light:
+                commands = volatility3_instance.getCommands("linux.light")
+            else:
+                commands = volatility3_instance.getCommands("linux.full")
 
     # Limit the number of parallel processes
     # Default to len(commands) (unlimited) if processes arg is not set or None
@@ -85,6 +95,38 @@ def runner(arguments):
     
     custom_theme = Theme({"info": "dim cyan", "warning": "magenta", "danger": "bold red"})
     console = Console(theme=custom_theme)
+
+    # Docker Image Check & Pull
+    try:
+        client = docker.from_env()
+        image_name = arguments.image
+        # Check if --image was passed in args. rudimentary check.
+        user_provided_image = "--image" in sys.argv
+        
+        try:
+            client.images.get(image_name)
+            if not user_provided_image:
+                 console.print(f"[dim cyan][*] No --image provided, using default image: {image_name}[/dim cyan]")
+        except docker.errors.ImageNotFound:
+            msg = f"[*] No --image provided, pulling default image: {image_name}" if not user_provided_image else f"[*] Pulling image: {image_name}"
+            
+            # Use Progress with custom columns to put spinner at the end
+            with Progress(
+                TextColumn("{task.description}"),
+                SpinnerColumn("dots"),
+                transient=True,
+                console=console
+            ) as progress:
+                progress.add_task(f"[bold green]{msg}[/bold green]", total=None)
+                client.images.pull(image_name)
+            
+            # Re-print the message so it persists in the log
+            console.print(f"[bold green]{msg}[/bold green]")
+            console.print(f"[bold green][*] Image {image_name} ready.[/bold green]")
+    except Exception as e:
+        console.print(f"[bold red]Warning: Docker check failed: {e}[/bold red]")
+        # We don't exit here, we let the individual/pool commands fail if they must, or maybe user has local setup issues.
+
     console.print("\n[bold green][+] Launching all commands...[/bold green]\n")
 
     # Use multiprocessing Manager for Lock
@@ -106,35 +148,47 @@ def runner(arguments):
                 arguments.format,
                 False, # quiet
                 lock,  # lock
-                arguments.host_path
+                arguments.host_path,
+                getattr(arguments, "debug", False)
                 ) for cmd in commands]
             )
+            # Vol2 Starmap doesn't use wrapper, so we can't easily report running/completed per module unless we wrap it too.
+            # For now we focus on Vol3
+            # But we should probably fix Vol2 too.
+            # TODO: Add wrapper for Vol2 or update vol2 logic.
         else:
+
             # Enforce priority execution for Info module to ensure symbols are downloaded/cached
             if arguments.windows:
                 info_module = "windows.info.Info"
             else:
                 info_module = "linux.bash.Bash"
-            if arguments.windows or (arguments.linux and arguments.fetch_symbol):
-                commands.remove(info_module)
-                volatility3_instance.execute_command_volatility3(info_module, 
-                                                                os.path.basename(arguments.dump), 
-                                                                os.path.abspath(arguments.dump), 
-                                                                arguments.symbols_path, 
-                                                                arguments.image,
-                                                                os.path.abspath(arguments.cache_path),
-                                                                os.path.abspath(arguments.plugins_dir),
-                                                                output_dir,
-                                                                arguments.format,
-                                                                False, # quiet
-                                                                lock,  # lock
-                                                                arguments.host_path,
-                                                                True if arguments.fetch_symbol else False
-                                                            )
+            if arguments.windows or arguments.linux:
+                if info_module in commands:
+                    commands.remove(info_module)
+                    volatility3_instance.execute_command_volatility3(info_module, 
+                                                                    os.path.basename(arguments.dump), 
+                                                                    os.path.abspath(arguments.dump), 
+                                                                    arguments.symbols_path, 
+                                                                    arguments.image,
+                                                                    os.path.abspath(arguments.cache_path),
+                                                                    os.path.abspath(arguments.plugins_dir),
+                                                                    output_dir,
+                                                                    arguments.format,
+                                                                    False, # quiet
+                                                                    lock,  # lock
+                                                                    arguments.host_path,
+                                                                    True if getattr(arguments, "fetch_symbol", False) else False,
+                                                                    getattr(arguments, "debug", False),
+                                                                    getattr(arguments, "custom_symbol", None),
+                                                                    getattr(arguments, "scan_id", None)
+                                                                )
 
             
             # Prepare arguments for imap
             # We must pass the instance because wrapper is global and doesn't see local variable
+            # Signature: command, dump, dump_dir, symbols_path, docker_image, cache_dir, plugin_dir, output_dir, format, 
+            #            quiet=False, lock=None, host_path=None, fetch_symbols=False, show_commands=False, custom_symbol=None, scan_id=None
             tasks_args = [(volatility3_instance, (cmd, 
                 os.path.basename(arguments.dump), 
                 os.path.abspath(arguments.dump), 
@@ -144,10 +198,13 @@ def runner(arguments):
                 os.path.abspath(arguments.plugins_dir), 
                 output_dir,
                 arguments.format,
-                False, # quiet=False so we see the output as it happens
-                lock, # lock
+                False,  # quiet=False so we see the output as it happens
+                lock,   # lock
                 arguments.host_path,
-                True if arguments.fetch_symbol else False
+                getattr(arguments, "fetch_symbol", False),  # fetch_symbols
+                getattr(arguments, "debug", False),         # show_commands
+                getattr(arguments, "custom_symbol", None),  # custom_symbol
+                getattr(arguments, "scan_id", None)         # scan_id
                 )) for cmd in commands]
             
             # Progress counters
@@ -168,6 +225,19 @@ def runner(arguments):
                     failed_modules.append(command_name)
                     if arguments.format == "json":
                          console.print(f"[red][!] Failed to validate JSON for {command_name}[/red]")
+
+            console.print("\n[+] Starting strings...")
+
+            get_strings(
+                os.path.basename(arguments.dump),
+                os.path.abspath(arguments.dump),
+                output_dir,
+                arguments.image,
+                lock,
+                arguments.host_path
+            )
+
+            console.print("\n[+] Strings complete !")
             
             console.print(f"\n[bold green]Scan Complete![/bold green] Success: {success_count}, Failed: {failed_count}")
             
@@ -187,7 +257,7 @@ def runner(arguments):
 
 def main():
     # Argument parsing for CLI usage
-    parser = argparse.ArgumentParser("MultiVolatility")
+    parser = argparse.ArgumentParser("multivol")
     parser.add_argument("--api", action="store_true", help="Start API server")
     parser.add_argument("--dev", action="store_true", help="Enable developer mode (hot reload)")
     parser.add_argument("--host-path", type=str, required=False, default=None, help="Root path of the project on the Host machine (required for Docker-in-Docker)")
@@ -198,7 +268,7 @@ def main():
     vol2_parser.add_argument("--profiles-path", help="Path to the directory with the profiles.", default=os.path.join(os.getcwd(), "volatility2_profiles"))
     vol2_parser.add_argument("--profile", help="Profile to use.", required=True)
     vol2_parser.add_argument("--dump", help="Dump to parse.", required=True)
-    vol2_parser.add_argument("--image", help="Docker image to use.", required=True)
+    vol2_parser.add_argument("--image", help="Docker image to use.", required=False, default="sp00kyskelet0n/volatility2")
     vol2_parser.add_argument("--commands", help="Commands to run : command1,command2,command3", required=False)
     vol2_os_group = vol2_parser.add_mutually_exclusive_group(required=True)
     vol2_os_group.add_argument("--linux", action="store_true", help="For a Linux memory dump")
@@ -206,24 +276,31 @@ def main():
     vol2_parser.add_argument("--light", action="store_true", help="Use the main modules.")
     vol2_parser.add_argument("--full", action="store_true", help="Use all modules.")
     vol2_parser.add_argument("--format", help="Format of the outputs: json, text", required=False, default="text")
-    vol2_parser.add_argument("--processes", type=int, required=False, default=None, help="Max number of concurrent processes")
+    vol2_parser.add_argument("--processes", type=int, required=False, default=None, help="Max number of concurrent processes.")
+    vol2_parser.add_argument("--output", required=False, help="Directory where outputs will be written (Default: output_YYYY_MM_DD_HH_MM_SS).")
 
     # Volatility3 argument group
     vol3_parser = subparser.add_parser("vol3", help="Use volatility3.")
     vol3_parser.add_argument("--dump", help="Dump to parse.", required=True)
-    vol3_parser.add_argument("--image", help="Docker image to use.", required=True)
+    vol3_parser.add_argument("--image", help="Docker image to use.", required=False, default="sp00kyskelet0n/volatility3")
     vol3_parser.add_argument("--symbols-path", help="Path to the directory with the symbols.", required=False, default=os.path.join(os.getcwd(), "volatility3_symbols"))
     vol3_parser.add_argument("--cache-path", help="Path to directory with the cache for volatility3.", required=False, default=os.path.join(os.getcwd(), "volatility3_cache"))
     vol3_parser.add_argument("--plugins-dir", help="Path to directory with the plugins", required=False, default=os.path.join(os.getcwd(), "volatility3_plugins"))
     vol3_parser.add_argument("--commands", help="Commands to run : command1,command2,command3", required=False)
     vol3_os_group = vol3_parser.add_mutually_exclusive_group(required=True)
-    vol3_os_group.add_argument("--linux", action="store_true", help="It's a Linux memory dump")
-    vol3_os_group.add_argument("--windows", action="store_true", help="It's a Windows memory dump")
+    vol3_os_group.add_argument("--linux", action="store_true", help="It's a Linux memory dump.")
+    vol3_os_group.add_argument("--windows", action="store_true", help="It's a Windows memory dump.")
     vol3_parser.add_argument("--light", action="store_true", help="Use the principal modules.")
     vol3_parser.add_argument("--fetch-symbol", action="store_true", help="Fetch automatically symbol from github.com/Abyss-W4tcher/volatility3-symbols", required=False)
     vol3_parser.add_argument("--full", action="store_true", help="Use all modules.")
     vol3_parser.add_argument("--format", help="Format of the outputs: json, text", required=False, default="text")
     vol3_parser.add_argument("--processes", type=int, required=False, default=None, help="Max number of concurrent processes")
+    vol3_parser.add_argument("--output", required=False, help="Directory where outputs will be written (Default: output_YYYY_MM_DD_HH_MM_SS).")
+    
+    # Global arguments
+    parser.add_argument("--debug", action="store_true", help="Show executed Docker commands")
+    parser.add_argument("--scan-id", help="Scan UUID for API status updates", required=False)
+
     args = parser.parse_args()
 
     if args.api:
@@ -243,13 +320,12 @@ def main():
         print("[-] --linux or --windows required.")
         sys.exit(1)
 
-    # Prevent unsupported combinations for Volatility3 Linux
-    if (args.mode == "vol3" and args.linux and args.light) or (args.mode == "vol3" and args.linux and args.full):
-        print("[-] --linux not available with --full or --light")
+    if getattr(args, "fetch_symbol", False) and not args.linux:
+        print("[-] --fetch-symbol only available with --linux")
         sys.exit(1)
 
-    if args.fetch_symbol and not args.linux:
-        print("[-] --fetch-symbol only available with --linux")
+    if args.mode == "vol2" and getattr(args, "fetch_symbol", False):
+        print("[-] --fetch-symbol only available with vol3")
         sys.exit(1)
 
     # Validate output format

multivol/strings.py

@@ -0,0 +1,71 @@
+import docker
+import time
+import os
+from rich import print as rprint
+
+def resolve_path(path, host_path):
+        # If host_path is set, replacing the current working directory prefix with host_path
+        if host_path: 
+            if path.startswith("/storage"):
+                 # Handle special storage mapping for Docker
+                 # Map /storage -> {host_path}/storage/data
+                 rel_path = os.path.relpath(path, "/storage")
+                 return os.path.join(host_path, "storage", "data", rel_path)
+
+            if path.startswith(os.getcwd()):
+                rel_path = os.path.relpath(path, os.getcwd())
+                return os.path.join(host_path, rel_path)
+        return path
+
+def safe_print(message, lock):
+    if lock:
+        with lock:
+            rprint(message)
+    else:
+        rprint(message)
+
+def get_strings(dump, dump_dir, output_dir, docker_image, lock=False, host_path=None):
+    output_file = os.path.join(output_dir, f"strings_output.txt")
+    host_output_dir = resolve_path(os.path.abspath(output_dir), host_path)
+        
+    host_dump_path = resolve_path(os.path.abspath(dump_dir), host_path)
+    host_dump_dir = os.path.dirname(host_dump_path)
+
+    volumes = {
+        host_dump_dir: {'bind': '/dump_dir', 'mode': 'ro'},
+        host_output_dir: {'bind': '/output', 'mode': 'rw'}
+    }
+
+    dump_filename = os.path.basename(dump)
+    cmd_args = f"strings /dump_dir/{dump_filename}"
+    
+    client = docker.from_env()
+    
+    try:
+        container = client.containers.run(
+            image=docker_image,
+            command=cmd_args,
+            volumes=volumes,
+            tty=True, 
+            detach=True,
+            remove=False
+        )
+            
+        with open(output_file, "wb") as file:
+            try:
+                for chunk in container.logs(stream=True):
+                    file.write(chunk)
+            except Exception as log_err:
+                # Handle Docker log rotation errors
+                safe_print(f"[!] Log streaming interrupted: {log_err}, fetching remaining logs...", lock)
+                try:
+                    remaining_logs = container.logs(stream=False)
+                    file.write(remaining_logs)
+                except:
+                    pass
+            
+        container.wait()
+        container.remove()
+
+    except Exception as e:
+        safe_print(f"[!] Error running strings: {e}", lock)

{multivol-0.1.3.dist-info → multivol-0.1.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: multivol
-Version: 0.1.3
+Version: 0.1.4
 Summary: MultiVolatility: Analyze memory dumps faster than ever with Volatility2 and Volatility3 in parallel using Docker
 Home-page: https://github.com/BoBNewz/MultiVolatility
 Classifier: Programming Language :: Python :: 3

multivol-0.1.4.dist-info/RECORD

@@ -0,0 +1,12 @@
+multivol/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+multivol/api.py,sha256=vk-v4yNxS0KF0FEegGixZxExtXXgouZNn_l_zxxyGB8,58903
+multivol/multi_volatility2.py,sha256=rLM3RLzIf_b7EZiMKd1_8v2Q5K5WEJhmxwZVS74FMsE,4668
+multivol/multi_volatility3.py,sha256=Pd20_d_9USVpT7pnu0cimGUOd1vx8A4PH9EiYceiR4I,9187
+multivol/multivol.py,sha256=iIqklfEtPQbVMo21dS5PwUdT83Qoj8tSRYuH__Py02A,17176
+multivol/strings.py,sha256=zh-oxtuhWkq_Qz-dh2Cp8nB1wCUWDv-LNaqKkftYFgo,2409
+multivol-0.1.4.dist-info/licenses/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
+multivol-0.1.4.dist-info/METADATA,sha256=Qx4_etq0dM737SlZI64C9adunOvn1JwqbKttSrEL51I,4292
+multivol-0.1.4.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+multivol-0.1.4.dist-info/entry_points.txt,sha256=FM4lUHzrKUmV37U6IemQkRGXEJdgyB7-dwtw1jgwTQc,52
+multivol-0.1.4.dist-info/top_level.txt,sha256=DcxSP883XnM_ad5TXyCIZkzDcYSoI1bPTie_AzHlN0A,9
+multivol-0.1.4.dist-info/RECORD,,

multivol-0.1.3.dist-info/RECORD

@@ -1,11 +0,0 @@
-multivol/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-multivol/api.py,sha256=N_7Sm8Ys_rjRI9MLm-ThTMcDXe6JJU1G11p6zljvQUs,37503
-multivol/multi_volatility2.py,sha256=_Z2yxF05xLjzJSZBBisUEMT6WKy1YahbH4E-l41XvnI,9789
-multivol/multi_volatility3.py,sha256=9jSfw5ti9TKTGO_tbeM4IaCJfufpNQoR_wILHF4Rmbs,9608
-multivol/multivol.py,sha256=TI3y7jcC39XK3zxgwlKiOmTfOT69jzNDgbqf44p11Qc,13435
-multivol-0.1.3.dist-info/licenses/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
-multivol-0.1.3.dist-info/METADATA,sha256=P_825nIZyAAIZlo-gXzPdjNpwdV-vK1UOXbybwQq_IY,4292
-multivol-0.1.3.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-multivol-0.1.3.dist-info/entry_points.txt,sha256=FM4lUHzrKUmV37U6IemQkRGXEJdgyB7-dwtw1jgwTQc,52
-multivol-0.1.3.dist-info/top_level.txt,sha256=DcxSP883XnM_ad5TXyCIZkzDcYSoI1bPTie_AzHlN0A,9
-multivol-0.1.3.dist-info/RECORD,,