# # Author: # Tamas Jos (@skelsec) # # import logging from typing import List from volatility3.framework import interfaces, renderers, constants from volatility3.framework.configuration import requirements from volatility3.plugins.windows import pslist from pypykatz.pypykatz import pypykatz as pparser vollog = logging.getLogger(__name__) framework_version = constants.VERSION_MAJOR class pypykatz(interfaces.plugins.PluginInterface): _required_framework_version = (framework_version, 0, 0) @classmethod def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: reqs = [] if framework_version == 1: kernel_layer_name = "primary" reqs = [ requirements.TranslationLayerRequirement( name=kernel_layer_name, description="Memory layer for the kernel", architectures=["Intel32", "Intel64"], ), requirements.SymbolTableRequirement( name="nt_symbols", description="Windows kernel symbols" ), requirements.PluginRequirement( name="pslist", plugin=pslist.PsList, version=(2, 0, 0) ), ] elif framework_version == 2: kernel_layer_name = "kernel" reqs = [ requirements.ModuleRequirement( name=kernel_layer_name, description="Windows kernel", architectures=["Intel32", "Intel64"], ), requirements.VersionRequirement( name="pslist", component=pslist.PsList, version=(3, 0, 0) ), ] else: # The highest major version we currently support is 2. raise RuntimeError( f"Framework interface version {framework_version} is currently not supported." ) return reqs def run(self): return pparser.go_volatility3(self, framework_version)