├── Skalle-MacOS ├── data │ ├── vol_path.csv │ └── ctf_flag_terms.csv ├── resources │ └── app_icon.icns ├── Skalle.spec └── main.py ├── .github └── FUNDING.yml ├── LICENSE └── README.md /Skalle-MacOS/data/vol_path.csv: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: [Abdullah4345] 4 | 5 | -------------------------------------------------------------------------------- /Skalle-MacOS/resources/app_icon.icns: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Abdullah4345/Skalle/HEAD/Skalle-MacOS/resources/app_icon.icns -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2025 Abdullah Mohamed Badawy 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Skalle-MacOS/Skalle.spec: -------------------------------------------------------------------------------- 1 | # -*- mode: python ; coding: utf-8 -*- 2 | 3 | 4 | a = Analysis( 5 | ['main.py'], 6 | pathex=[], 7 | binaries=[], 8 | datas=[('data/ctf_flag_terms.csv', 'data'), ('data/vol_path.csv', 'data')], 9 | hiddenimports=[], 10 | hookspath=[], 11 | hooksconfig={}, 12 | runtime_hooks=[], 13 | excludes=[], 14 | noarchive=False, 15 | optimize=0, 16 | ) 17 | pyz = PYZ(a.pure) 18 | 19 | exe = EXE( 20 | pyz, 21 | a.scripts, 22 | [], 23 | exclude_binaries=True, 24 | name='Skalle', 25 | debug=False, 26 | bootloader_ignore_signals=False, 27 | strip=False, 28 | upx=True, 29 | console=False, 30 | disable_windowed_traceback=False, 31 | argv_emulation=False, 32 | target_arch=None, 33 | codesign_identity=None, 34 | entitlements_file=None, 35 | icon=['resources/app_icon.icns'], 36 | ) 37 | coll = COLLECT( 38 | exe, 39 | a.binaries, 40 | a.datas, 41 | strip=False, 42 | upx=True, 43 | upx_exclude=[], 44 | name='Skalle', 45 | ) 46 | app = BUNDLE( 47 | coll, 48 | name='Skalle.app', 49 | icon='resources/app_icon.icns', 50 | bundle_identifier=None, 51 | ) 52 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |
2 | 3 |
4 | 5 | ### 6 |
7 |

Skalle

8 |

Skalle - Memory Forensic Tool

Overview:
9 | 10 | 11 | Skalle is a handy add-on for Volatility that lets you run it in a graphical user interface. It also adds some cool features like a quick search that highlights matching words, and a new feature called CTF that scans the output for a matching string or a flag from the dataset. 12 | 13 |

Main Menu

14 | Main Menu 15 | 16 |
17 |
18 | 
19 |   Contributors
20 |   
21 | • Abdullah Mohamed 
22 | 
23 | Supervised by: Dr. Maryam Adel
24 | 
25 | 26 | ## **_JINX_** 27 | -------------------------------------------------------------------------------- /Skalle-MacOS/data/ctf_flag_terms.csv: -------------------------------------------------------------------------------- 1 | memory dump,extract_hidden_message_response,extract_encoded_dump,recover_binary_output_val,recover_POW_answer_data,get_hash_response,extract_command_output_val,recover_ctf_str,find_authentication_code_dump,recover_encoded_blob_str,extract_response_string_output,capture_secret_data,recover_solution_dump,extract_artifact_data,extract_dawgctf_text,capture_stack_leak_response,magic token,extract_embedded_string_response,find_nonce_val,response_string_response,get_encoded_blob_str,recover_picoCTF_str,capture_reconstructed_string_val,code_text,get_treasure_str,extract_extracted_string_output,find_csaw_response,capture_flag_part_text,get_HTB_response,capture_artifact_msg,find_environment_variable_output,response string,extract_encoded_blob_data,access_token_output,get_binary_output_val,get_flag_msg,get_HTB_text,dice{,find_key_dump,reverse_engineered_output_output,recover_stack_leak_val,get_ctf_text,extract_deobfuscated_string_msg,recover_registry_key_msg,environment_variable_val,capture_zer0pts_dump,find_magic_token_str,extract_decoded_str,find_output_file_response,extract_hidden_variable_data,revealed_content_val,find_prize_str,XOR_result_data,find_corctf_str,recover_csrf_token_dump,find_registry_key_dump,extract_debug_string_dump,recover_privilege_escalation_proof_msg,capture_environment_variable_data,capture_registry_key_text,capture_RTCTF_str,base64 decoded string,find_flag_part_output,hidden message,get_deobfuscated_string_data,capture_reverse_engineered_output_msg,extract_memory_dump_data,admin 
cookie,recover_JWT_text,recover_extracted_string_data,recover_debug_string_output,capture_csaw_val,extract_stack_leak_response,recover_stack_leak_text,get_capture_output,recover_code_text,capture_leak_str,get_dice_msg,recover_response_string_output,flag part,brute force result,disassembled_output_dump,recover_token_msg,find_disassembled_output_dump,capture_access_token_str,get_ftp_leak_str,recover_HTB_val,server_response_response,capture_token_data,get_environment_variable_dump,find_deobfuscated_string_output,find_n00bz_text,get_server_response_text,get_command_output_msg,csrf_token_text,extract_csaw_msg,recover_memory_dump_response,find_csaw_output,registry key,extract_ROP_result_data,extract_leak_dump,get_data_dump_text,extract_magic_string_dump,get_flag_part_msg,find_csaw_data,find_encoded_blob_val,extract_string_in_RAM_text,recover_ALLES!_dump,extract_answer_dump,recover_nonce_output,recover_file_carve_result_str,recover_flag_output,get_ctf_data,debug string,capture_csaw_msg,find_access_token_val,find_zer0pts_data,capture_ftp_leak_str,recover_JWT_dump,find_deobfuscated_string_str,find_decryption_result_response,string_in_RAM_text,recover_hexdump_string_msg,get_picoCTF_data,get_flag_part_str,recover_picoCTF_val,treasure,get_reconstructed_string_data,get_buffer_overflow_result_text,get_decrypted_text,recover_authentication_code_text,extract_decoded_dump,find_hexdump_string_response,capture_reconstructed_string_data,get_proof_response,get_secret_data,find_command_output_output,JWT_val,capture_SQL_injection_output_msg,secret,recover_session_ID_dump,session ID,extract_response_string_data,XOR result,recover_stack_leak_str,find_dawgctf_data,get_log_output_data,data dump,reconstructed_string_output,get_code_text,get_string_in_RAM_text,hash_str,extract_flag_part_text,capture_embedded_string_msg,recover_privilege_escalation_proof_dump,recover_decryption_result_data,find_reconstructed_string_str,get_proof_str,get_decoded_str,embedded 
string,capture_plaintext_msg,magic_token_output,reconstructed_string_response,find_XOR_result_text,command_output_msg,find_embedded_string_data,get_access_token_msg,capture_key_response,extract_code_output,find_picoCTF_val,get_combined_flag_output,find_prize_dump,recover_steganographic_message_dump,get_hidden_file_val,corctf_output,brute_force_result_str,capture_UMDCTF_data,capture_corctf_msg,get_steganographic_message_str,recover_brute_force_result_text,get_environment_variable_str,base64_decoded_string_dump,capture_stack_leak_data,recover_JWT_token_val,recover_answer_response,capture_code_data,capture_combined_flag_str,JWT token,find_debug_string_data,capture_output_file_output,capture_log_output_str,recover_proof_str,find_RTCTF_data,capture_output_file_dump,recover_command_output_val,capture_zer0pts_output,hexdump string,inctf_output,steganographic_message_text,UMDCTF_msg,ROP_result_msg,get_encoded_dump,recover_decryption_result_output,capture_encoded_dump,get_dawgctf_dump,get_stack_leak_text,find_brute_force_result_text,capture_JWT_token_msg,extract_string_in_RAM_dump,extracted_string_text,find_SQL_injection_output_str,find_proof_str,nonce_data,extract_concatenated_flag_val,capture_reverse_output_str,magic_string_dump,find_privilege_escalation_proof_output,capture_authentication_code_dump,capture_hex_string_msg,get_csaw_response,extract_recovered_password_response,embedded_string_msg,get_DUCTF_msg,get_captured_payload_str,capture_decoded_response,recover_buffer_overflow_result_response,get_ftp_leak_dump,extract_disassembled_output_text,encoded,capture_deobfuscated_string_data,extract_UMDCTF_str,hash_text,find_hexdump_string_msg,recover_dice_dump,get_server_response_data,concatenated_flag_str,get_XOR_result_response,extract_hash_text,capture_command_output_dump,disassembled output,csrf_token_data,recover_ctf_text,extract_treasure_output,extract_log_output_response,recover_ROP_result_text,command 
output,inctf{,RTCTF_output,extract_secret_output,DUCTF_data,recover_flag_segment_output,capture_command_output_str,recover_buffer_overflow_result_dump,extract_inctf_msg,find_artifact_str,key_text,get_flag_output,get_reverse_engineered_output_str,get_DUCTF_val,get_extracted_string_output,extract_magic_string_text,capture_environment_variable_output,find_reverse_output_val,get_secret_text,extract_n00bz_val,ALLES!{,encoded_blob_str,recover_authentication_code_data,get_buffer_overflow_result_data,key_str,flag_segment_data,recover_reverse_engineered_output_output,get_csrf_token_text,get_JWT_data,capture_concatenated_flag_data,RTCTF_val,capture_key_dump,find_magic_token_data,brute_force_result_msg,extract_magic_string_response,capture_concatenated_flag_text,recover_ftp_leak_str,extract_concatenated_flag_response,ftp_leak_output,get_command_output_text,get_ROP_result_response,string in RAM,admin_cookie_data,capture_revealed_content_data,find_response_string_output,extract_RTCTF_text,recover_concatenated_flag_response,extract_secret_msg,base64_decoded_string_text,get_zer0pts_output,recover_hex_string_str,get_csrf_token_data,recover_flag_response,find_flag_str,find_hidden_message_output,extract_plaintext_val,extract_admin_cookie_dump,recover_SQL_injection_output_text,find_POW_answer_output,hash,find_authentication_code_str,decrypted,decoded_text,recover_picoCTF_msg,solution,extract_recovered_password_str,capture_token_dump,recover_captured_payload_dump,prize,server response,capture_brute_force_result_str,concatenated flag,capture_RTCTF_val,encoded_blob_data,capture_flag_val,recover_UMDCTF_msg,combined flag,extract_admin_password_str,extract_disassembled_output_response,hidden_message_data,capture_registry_key_data,artifact,get_admin_password_val,ftp leak,recover_DUCTF_msg,flag_response,captured 
payload,find_revealed_header_data,get_disassembled_output_val,extract_POW_answer_str,find_log_output_str,decoded_val,find_hex_string_str,get_deobfuscated_string_str,capture_revealed_header_val,find_magic_string_dump,plaintext_output,extract_embedded_string_msg,capture_proof_msg,find_stack_leak_output,find_embedded_string_output,recover_treasure_msg,recover_environment_variable_val,flag_msg,get_inctf_msg,find_output_file_output,captured_payload_msg,find_token_data,shellcode_val,find_privilege_escalation_proof_data,extract_output_file_str,extract_admin_cookie_data,SQL injection output,recover_recovered_password_val,recover_file_carve_result_data,find_zer0pts_dump,extract_decrypted_val,get_access_token_output,special character string,recover_privilege_escalation_proof_text,registry_key_text,recover_DUCTF_output,extract_shellcode_str,encoded blob,magic_token_msg,find_flag_dump,find_file_carve_result_data,get_file_carve_result_val,extracted_string_dump,get_concatenated_flag_data,get_dice_data,recover_string_in_RAM_dump,find_captured_payload_val,ctf_text,find_artifact_val,treasure_val,extract_admin_cookie_text,recover_HTB_msg,encoded_dump,extract_reverse_engineered_output_dump,ROP_result_output,capture_token_response,find_hexdump_string_text,POW answer,reverse_engineered_output_val,find_base64_decoded_string_response,get_server_response_val,session_ID_response,get_inctf_text,extract_shellcode_text,recover_RTCTF_output,extract_HTB_str,inctf_text,capture_POW_answer_output,recover_reverse_engineered_output_response,recover_combined_flag_output,get_server_response_dump,capture_shellcode_dump,corctf{,recover_dice_response,recover_proof_data,extract_ciphertext_str,capture_zer0pts_str,recover_ALLES!_msg,capture_treasure_output,recover_steganographic_message_data,capture_POW_answer_msg,find_dawgctf_output,extract_stack_leak_text,find_encoded_dump,recover_combined_flag_data,admin 
password,extract_string_in_RAM_response,find_answer_dump,find_ALLES!_val,find_memory_dump_text,find_captured_payload_response,extract_prize_response,capture_capture_response,get_admin_cookie_msg,get_answer_data,recover_authentication_code_response,capture_debug_string_dump,key_data,recover_binary_output_data,recover_reconstructed_string_dump,recover_access_token_data,find_reverse_output_msg,find_ftp_leak_dump,capture_disassembled_output_dump,capture_RTCTF_response,disassembled_output_response,hidden string,recover_RTCTF_str,memory_dump_data,recover_ftp_leak_msg,find_SQL_injection_output_text,capture_decoded_val,extract_combined_flag_response,capture_decrypted_dump,capture_JWT_token_response,extract_solution_dump,recover_output_file_response,hidden_variable_data,find_ALLES!_text,find_JWT_dump,capture_artifact_text,DUCTF_msg,get_artifact_output,recover_special_character_string_msg,recover_solution_text,recover_UMDCTF_response,capture_treasure_text,capture,recover_log_output_str,extract_XOR_result_data,extract_SQL_injection_output_text,capture_shellcode_msg,get_answer_dump,find_dice_dump,proof,n00bz{,recover_secret_val,recover_ciphertext_response,recover_prize_val,find_leak_dump,deobfuscated 
string,get_reverse_output_dump,capture_malware_string_str,capture_encoded_blob_data,captured_payload_output,recover_buffer_overflow_result_msg,environment_variable_output,extract_csaw_val,recover_leak_response,extract_magic_string_data,find_hidden_message_data,recover_ciphertext_output,ciphertext,get_capture_data,capture_magic_string_str,get_captured_payload_data,recover_proof_response,extract_flag_text,get_base64_decoded_string_msg,get_recovered_password_text,recover_prize_text,get_decoded_msg,prize_dump,get_memory_dump_data,get_prize_response,concatenated_flag_output,capture_embedded_string_output,extract_dawgctf_output,decryption_result_str,recover_flag_part_val,picoCTF_text,recover_concatenated_flag_str,malware_string_text,hidden_message_str,extract_hidden_file_str,decoded_response,capture_string_in_RAM_response,capture_RTCTF_output,capture_base64_decoded_string_msg,capture_deobfuscated_string_str,decoded,extract_inctf_response,get_ctf_response,recover_hash_val,find_solution_output,recover_ftp_leak_dump,get_flag_part_dump,ctf{,log output,capture_environment_variable_text,capture_revealed_header_dump,extract_secret_dump,recover_leak_msg,capture_key_str,get_encoded_blob_dump,extract_reverse_engineered_output_text,answer,find_admin_password_val,get_SQL_injection_output_str,hidden_string_output,get_debug_string_msg,shellcode,prize_str,recover_key_str,recover_ftp_leak_val,capture_secret_dump,extracted string,flag_part_data,capture_inctf_response,find_csrf_token_str,get_brute_force_result_response,get_prize_output,extracted_string_str,authentication 
code,recover_answer_str,capture_hex_string_dump,recover_captured_payload_output,JWT_data,get_flag_dump,POW_answer_response,find_string_in_RAM_output,output_file_dump,get_encoded_output,leak_data,capture_hidden_string_response,capture_registry_key_msg,deobfuscated_string_response,find_ciphertext_str,find_DUCTF_response,get_hidden_file_response,get_dawgctf_output,find_session_ID_data,get_string_in_RAM_dump,find_deobfuscated_string_data,extract_key_val,recover_csrf_token_str,extract_registry_key_dump,get_hex_string_msg,artifact_val,recover_prize_response,find_JWT_str,find_solution_val,leak,get_extracted_string_val,privilege escalation proof,hidden_variable_output,capture_ftp_leak_text,extract_base64_decoded_string_str,find_reverse_engineered_output_val,extract_environment_variable_text,token_output,recover_JWT_token_output,command_output_str,get_password_dump_data,answer_text,recover_hidden_string_data,recover_reverse_output_data,capture_debug_string_msg,SQL_injection_output_output,encoded_blob_msg,capture_special_character_string_msg,answer_data,find_zer0pts_msg,get_solution_dump,capture_revealed_header_str,capture_XOR_result_val,find_JWT_token_response,key_val,picoCTF_val,extracted_string_msg,get_nonce_data,find_authentication_code_data,recover_flag_segment_response,admin_password_text,find_special_character_string_str,brute_force_result_dump,find_capture_response,get_admin_password_msg,get_magic_string_response,UMDCTF{,extract_n00bz_str,get_ROP_result_output,get_brute_force_result_msg,hidden file,find_ROP_result_dump,recover_ciphertext_dump,find_data_dump_str,extract_stack_leak_msg,capture_csrf_token_data,nonce_str,find_hidden_message_text,reverse 
output,extract_picoCTF_data,get_binary_output_output,HTB_data,reverse_output_output,capture_ROP_result_str,recover_server_response_response,extract_treasure_data,extract_hexdump_string_text,recover_privilege_escalation_proof_val,extract_magic_token_data,find_reverse_engineered_output_output,session_ID_str,extract_ftp_leak_dump,get_hidden_message_output,magic_string_msg,find_encoded_blob_dump,find_token_text,get_key_msg,capture_password_dump_text,extract_file_carve_result_str,combined_flag_msg,capture_n00bz_msg,password dump,find_key_response,get_output_file_text,extract_captured_payload_text,recover_leak_val,capture_JWT_str,get_RTCTF_data,find_reconstructed_string_output,capture_response_string_str,extract_environment_variable_str,file carve result,reverse_engineered_output_data,decrypted_response,capture_privilege_escalation_proof_data,get_embedded_string_msg,flag segment,get_decoded_data,recover_data_dump_str,extract_answer_msg,magic string,find_admin_cookie_response,buffer_overflow_result_val,find_picoCTF_response,find_answer_response,extract_artifact_response,capture_ciphertext_val,extract_POW_answer_output,n00bz_output,extract_revealed_content_val,get_POW_answer_data,get_malware_string_str,get_hidden_file_msg,capture_XOR_result_data,zer0pts{,get_hidden_string_dump,find_password_dump_dump,extract_hidden_string_data,ROP result,capture_password_dump_str,capture_ctf_msg,recover_admin_password_data,recover_admin_cookie_str,extract_dawgctf_val,extract_malware_string_dump,session_ID_dump,environment variable,get_special_character_string_data,extract_privilege_escalation_proof_response,extract_DUCTF_str,server_response_data,get_privilege_escalation_proof_val,stack 
leak,get_ALLES!_dump,recover_JWT_token_dump,find_authentication_code_text,capture_hidden_variable_msg,recover_inctf_data,csaw_text,proof_text,shellcode_response,proof_val,recover_inctf_output,find_password_dump_response,recover_special_character_string_dump,find_decryption_result_dump,JWT_msg,RTCTF_text,flag{,find_encoded_val,extract_secret_text,zer0pts_data,capture_hex_string_response,get_inctf_val,find_inctf_dump,recover_n00bz_str,find_SQL_injection_output_response,JWT,capture_ctf_str,secret_response,extract_encoded_output,capture_data_dump_response,find_SQL_injection_output_data,find_csaw_val,extract_server_response_response,get_plaintext_val,hidden variable,find_revealed_content_val,find_privilege_escalation_proof_response,magic_string_val,recover_artifact_str,get_revealed_header_data,get_hex_string_output,flag_segment_dump,capture_dawgctf_output,extract_encoded_response,recover_zer0pts_val,get_reconstructed_string_val,nonce,recover_stack_leak_dump,find_hidden_file_data,special_character_string_val,file_carve_result_text,prize_val,authentication_code_val,get_DUCTF_output,recover_flag_val,recover_ciphertext_val,get_plaintext_data,capture_hidden_message_output,capture_binary_output_msg,capture_dawgctf_msg,find_dice_data,find_plaintext_output,capture_embedded_string_response,recover_decryption_result_response,get_ftp_leak_output,reverse engineered 
output,recover_encoded_blob_text,registry_key_response,recover_plaintext_msg,find_admin_password_dump,find_hidden_string_dump,capture_leak_msg,recover_reconstructed_string_val,recover_plaintext_str,recover_magic_token_output,recover_hex_string_msg,find_artifact_dump,recover_shellcode_response,extract_steganographic_message_dump,extract_malware_string_msg,get_csrf_token_val,shellcode_text,extract_session_ID_val,brute_force_result_val,recover_JWT_data,csaw{,solution_text,capture_n00bz_dump,extract_magic_string_val,recover_ALLES!_str,recover_stack_leak_data,recover_POW_answer_str,treasure_data,find_encoded_output,recover_RTCTF_response,revealed_content_str,get_revealed_content_output,buffer overflow result,extract_leak_response,flag,get_encoded_blob_msg,find_nonce_data,corctf_msg,extract_log_output_str,get_UMDCTF_msg,find_answer_text,get_UMDCTF_dump,extract_file_carve_result_dump,find_XOR_result_msg,recovered password,reconstructed string,recover_DUCTF_response,extract_RTCTF_msg,find_access_token_msg,extract_privilege_escalation_proof_dump,capture_flag_segment_val,plaintext,capture_captured_payload_text,get_treasure_data,recover_embedded_string_str,find_authentication_code_response,combined_flag_text,capture_JWT_token_val,find_hex_string_output,capture_answer_text,find_inctf_msg,recover_memory_dump_str,recover_magic_token_text,recover_decryption_result_text,get_extracted_string_data,dawgctf_val,get_decrypted_msg,recover_treasure_output,find_UMDCTF_data,find_debug_string_output,get_prize_str,capture_recovered_password_str,get_combined_flag_text,POW_answer_data,magic_token_data,get_ciphertext_dump,find_hidden_message_msg,find_magic_token_output,extract_stack_leak_data,extract_zer0pts_data,recover_leak_text,recover_debug_string_text,ALLES!_data,get_solution_str,secret_dump,get_hexdump_string_output,recover_flag_segment_val,recover_hexdump_string_text,capture_hidden_file_response,capture_revealed_content_msg,get_hash_msg,recover_encoded_blob_dump,get_treasure_msg,recover_h
idden_string_val,find_log_output_response,recover_answer_dump,find_stack_leak_data,get_embedded_string_text,capture_flag_text,extract_flag_msg,get_reverse_engineered_output_output,extract_solution_data,recover_proof_output,capture_hash_output,HTB{,hidden_variable_dump,capture_encoded_blob_text,get_JWT_token_msg,recover_server_response_dump,extract_decoded_response,get_reconstructed_string_msg,recover_revealed_header_val,find_SQL_injection_output_output,find_shellcode_output,find_steganographic_message_dump,capture_flag_segment_response,extract_proof_text,privilege_escalation_proof_val,get_corctf_val,capture_special_character_string_response,extract_special_character_string_output,find_hidden_variable_response,capture_debug_string_output,extract_response_string_response,find_flag_msg,find_admin_cookie_data,extract_environment_variable_response,capture_capture_dump,picoCTF{,recover_encoded_blob_msg,revealed content,recover_csrf_token_response,token,find_concatenated_flag_val,get_recovered_password_data,extract_admin_password_output,SQL_injection_output_str,capture_password_dump_msg,get_nonce_dump,recover_JWT_token_str,recover_disassembled_output_dump,extract_UMDCTF_response,recover_leak_data,get_access_token_response,find_deobfuscated_string_dump,capture_reconstructed_string_str,capture_malware_string_val,find_answer_str,extract_dawgctf_str,embedded_string_str,capture_reconstructed_string_response,DUCTF{,get_reconstructed_string_str,extract_hash_data,extract_environment_variable_dump,decrypted_output,get_combined_flag_data,get_flag_part_response,find_deobfuscated_string_response,hidden_variable_msg,capture_shellcode_response,extract_string_in_RAM_str,output_file_str,get_plaintext_dump,extract_admin_cookie_str,recover_session_ID_msg,extract_revealed_header_data,extract_proof_data,extract_DUCTF_response,capture_recovered_password_text,capture_dice_data,capture_JWT_token_dump,extract_deobfuscated_string_data,find_privilege_escalation_proof_str,key,capture_flag_dump,captu
re_ciphertext_data,reverse_output_response,find_picoCTF_dump,extract_reverse_output_str,get_ALLES!_msg,find_hidden_file_val,extract_HTB_output,find_environment_variable_data,capture_DUCTF_val,capture_file_carve_result_dump,csrf token,extract_decrypted_dump,capture_encoded_str,revealed header,recover_revealed_header_str,get_concatenated_flag_output,password_dump_msg,extract_hidden_file_text,code_val,reverse_engineered_output_dump,recover_magic_token_response,get_hexdump_string_str,recovered_password_dump,get_malware_string_data,find_environment_variable_str,get_hidden_message_str,find_debug_string_text,capture_nonce_str,decryption result,recover_session_ID_data,capture_secret_val,recover_access_token_str,capture_flag_part_response,capture_session_ID_val,recover_proof_dump,capture_file_carve_result_output,code,extract_session_ID_text,treasure_text,capture_capture_text,find_reverse_output_response,capture_flag_part_str,recover_JWT_token_msg,RTCTF{,recover_corctf_data,encoded_blob_text,recover_admin_cookie_text,recover_ctf_output,find_JWT_token_text,get_flag_part_output,recover_server_response_val,find_disassembled_output_str,dice_str,extract_plaintext_dump,capture_artifact_response,capture_file_carve_result_response,capture_corctf_data,extract_reconstructed_string_val,recover_flag_str,access token,recover_revealed_content_msg,capture_decoded_data,token_data -------------------------------------------------------------------------------- /Skalle-MacOS/main.py: -------------------------------------------------------------------------------- 1 | import os 2 | import subprocess 3 | import sys 4 | import tkinter as tk 5 | from tkinter import filedialog, messagebox, scrolledtext 6 | from threading import Thread 7 | from tkinter import ttk 8 | import csv 9 | import itertools 10 | import random 11 | 12 | 13 | def resource_path(relative_path): 14 | """Get absolute path to resource, works for dev and PyInstaller bundle.""" 15 | if getattr(sys, 'frozen', False): 16 | base_path = 
sys._MEIPASS 17 | else: 18 | base_path = os.path.abspath(".") 19 | return os.path.join(base_path, relative_path) 20 | 21 | 22 | class MemoryCaptureTab(tk.Frame): 23 | def __init__(self, parent, set_dump_callback): 24 | super().__init__(parent, bg="#000") 25 | self.set_dump_callback = set_dump_callback 26 | 27 | self.tips = [ 28 | "Tip: Always verify your memory dump hash!", 29 | "Tip: Run Volatility with the right profile.", 30 | "Tip: Use 'pslist' to see running processes.", 31 | "Tip: Save your work frequently.", 32 | "Tip: Use CTF search for quick flag hunting.", 33 | "Tip: Analyze suspicious network connections.", 34 | "Tip: Try 'malfind' for malware detection.", 35 | "Tip: Use 'yara' rules for custom scans.", 36 | "Tip: Don't forget to check clipboard artifacts!", 37 | "Tip: Use the search box to find keywords fast.", 38 | "Joke :What do skeletons say before eating? Bone appétit!.", 39 | "Because you know, in a moment, it could all… poow!", 40 | "What's you favorite singer? mine is Dua Lipa", 41 | "what's your favorite song? mine is 'Don't Start Now'", 42 | "what's your favorite Show? Mine is Arcane", 43 | "JINX JINX JINX JINX JINX JINX JINX ", 44 | ] 45 | 46 | self.cloud_label = tk.Label( 47 | self, 48 | text="", 49 | font=("Courier", 17, "bold"), 50 | fg="#ff4444", 51 | bg="#000", 52 | justify="left" 53 | ) 54 | 55 | self.cloud_label.pack(pady=(5, 0)) 56 | 57 | self.skull_frames = [ 58 | r""" 59 | .-. 60 | (o o) 61 | | O \ 62 | \ \ 63 | `~~~' 64 | """, 65 | r""" 66 | .-. 67 | (o o) 68 | / O | 69 | / / 70 | '~~~' 71 | """, 72 | r""" 73 | .-. 74 | (o o) 75 | / O | 76 | / / 77 | '~~~' 78 | """, 79 | r""" 80 | .-. 
81 | (o o) 82 | | O \ 83 | \ \ 84 | `~~~' 85 | """ 86 | ] 87 | self.current_frame = 0 88 | 89 | self.skull_label = tk.Label( 90 | self, 91 | text=self.skull_frames[0], 92 | font=("Courier", 28, "bold"), 93 | fg="#ff4444", 94 | bg="#000", 95 | justify="left" 96 | ) 97 | 98 | self.skull_label.pack(expand=True, fill=tk.BOTH, pady=(0, 0)) 99 | 100 | self.animate_skull() 101 | 102 | def animate_skull(self): 103 | self.current_frame = (self.current_frame + 1) % len(self.skull_frames) 104 | self.skull_label.config(text=self.skull_frames[self.current_frame]) 105 | self.after(200, self.animate_skull) 106 | 107 | def capture_memory(self): 108 | 109 | path = filedialog.asksaveasfilename( 110 | title="Save Memory Dump As", 111 | defaultextension=".raw", 112 | filetypes=[("Raw Memory Dump", "*.raw"), ("All files", "*.*")] 113 | ) 114 | if not path: 115 | return 116 | self.status_var.set( 117 | "Starting memory capture. This may require admin privileges and may take a while...") 118 | self.progress.start(10) 119 | self.capture_btn.config(state='disabled') 120 | Thread(target=self._capture_thread, args=(path,), daemon=True).start() 121 | 122 | def _capture_thread(self, path): 123 | try: 124 | 125 | script = f''' 126 | do shell script "echo 'Simulated memory dump' > '{path}'" with administrator privileges 127 | ''' 128 | osa_cmd = ['osascript', '-e', script] 129 | result = subprocess.run(osa_cmd, capture_output=True, text=True) 130 | if result.returncode == 0: 131 | self.set_dump_callback(path) 132 | self._update_status(f"Memory dump saved to: {path}", done=True) 133 | else: 134 | self._update_status( 135 | f"Error: {result.stderr.strip()}", done=True) 136 | except Exception as e: 137 | self._update_status(f"Error: {e}", done=True) 138 | 139 | def _update_status(self, msg, done=False): 140 | def update(): 141 | self.status_var.set(msg) 142 | if done: 143 | self.progress.stop() 144 | self.capture_btn.config(state='normal') 145 | self.after(0, update) 146 | 147 | def log(self, msg): 
148 | self.log_text.config(state='normal') 149 | self.log_text.insert(tk.END, msg + "\n") 150 | self.log_text.see(tk.END) 151 | self.log_text.config(state='disabled') 152 | 153 | def show_random_tip(self): 154 | tip = random.choice(self.tips) 155 | 156 | cloud = f""" 157 | .------------------------. 158 | .--( )--. 159 | .--( )--. 160 | .--({tip.center(28)})--. 161 | .-( )-. 162 | (_____________________________________________) 163 | ‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾ 164 | \ 165 | \\ 166 | \\ 167 | \\ 168 | \\ 169 | \\ 170 | \\ 171 | \\ 172 | \\ 173 | v 174 | """ 175 | self.cloud_label.config(text=cloud) 176 | 177 | self.cloud_label.update_idletasks() 178 | 179 | 180 | class VolatilityAnalyzer: 181 | def __init__(self, root): 182 | self.root = root 183 | self.volatility_path = self.load_volatility_path() 184 | self.memory_dump = "" 185 | 186 | self.create_widgets() 187 | 188 | self.search_matches = [] 189 | self.current_match = -1 190 | 191 | def load_volatility_path(self): 192 | csv_path = resource_path(os.path.join("data", "vol_path.csv")) 193 | if os.path.exists(csv_path): 194 | try: 195 | with open(csv_path, "r") as f: 196 | reader = csv.reader(f) 197 | for row in reader: 198 | if row: 199 | return row[0] 200 | except Exception: 201 | pass 202 | return self.find_volatility() 203 | 204 | def save_volatility_path(self, path): 205 | os.makedirs(resource_path("data"), exist_ok=True) 206 | csv_path = resource_path(os.path.join("data", "vol_path.csv")) 207 | try: 208 | with open(csv_path, "w", newline="") as f: 209 | writer = csv.writer(f) 210 | writer.writerow([path]) 211 | except Exception as e: 212 | messagebox.showerror( 213 | "Error", f"Failed to save Volatility path: {e}") 214 | 215 | def find_volatility(self): 216 | possible_paths = [ 217 | "/usr/local/bin/vol", 218 | os.path.expanduser("~/.local/bin/vol"), 219 | os.path.expanduser("~/Library/Python/3.9/bin/vol"), 220 | "vol" 221 | ] 222 | for path in possible_paths: 223 | try: 224 | 
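                # Any launch failure (missing file, not executable, ...) just
                # means "not this candidate"; the exit status is not checked,
                # so a non-zero exit still counts as found.
                subprocess.run([path, "--help"],
                               stdout=subprocess.PIPE, stderr=subprocess.PIPE)
                return path
            except (OSError, subprocess.SubprocessError):
                continue
        return ""

    # Placeholder shown in the empty search box; it must never be used as a query.
    _SEARCH_PLACEHOLDER = "Type to search..."

    def create_widgets(self):
        """Build the whole analyzer UI inside ``self.root`` (red-on-black theme)."""
        self.root.configure(bg="#000")
        self._configure_styles()
        self._build_info_frame()
        self._build_options_frame()
        self._build_output_frame()
        self._build_search_frame()
        self._build_status_bar()

    def _configure_styles(self):
        """Register the ttk styles (button, combobox, notebook, scrollbar) used below."""
        style = ttk.Style()
        style.theme_use('default')
        style.configure("Black.TButton",
                        background="#000", foreground="#ff4444",
                        font=("Courier", 12, "bold"),
                        borderwidth=1)
        style.map("Black.TButton",
                  background=[('active', '#222')],
                  foreground=[('active', '#fff')])

        style.configure("Black.TCombobox",
                        fieldbackground="#111",
                        background="#111",
                        foreground="#ff4444",
                        selectbackground="#222",
                        selectforeground="#ff4444",
                        arrowcolor="#ff4444",
                        bordercolor="#ff4444",
                        lightcolor="#111",
                        darkcolor="#111",
                        borderwidth=1,
                        font=("Courier", 12, "bold"))
        style.map("Black.TCombobox",
                  fieldbackground=[('readonly', '#111')],
                  foreground=[('readonly', '#ff4444')],
                  background=[('readonly', '#111')],
                  selectbackground=[('readonly', '#222')],
                  selectforeground=[('readonly', '#ff4444')])

        style.configure("Black.TNotebook", background="#000", borderwidth=0)
        style.configure("Black.TNotebook.Tab",
                        background="#000", foreground="#ff4444",
                        font=("Courier", 12, "bold"),
                        lightcolor="#000", borderwidth=0, padding=10)
        style.map("Black.TNotebook.Tab",
                  background=[("selected", "#222")],
                  foreground=[("selected", "#fff")])

        style.configure("Black.Vertical.TScrollbar", background="#111",
                        troughcolor="#000", bordercolor="#000", arrowcolor="#ff4444")
        style.map("Black.Vertical.TScrollbar",
                  background=[('active', '#222')],
                  arrowcolor=[('active', '#fff')])

    def _build_info_frame(self):
        """Row 0: memory dump path + Browse; row 1: Volatility path + Browse."""
        info_frame = tk.Frame(self.root, bg="#000", padx=10, pady=10)
        info_frame.pack(fill=tk.X)
        tk.Label(info_frame, text="Memory Dump:", font=("Courier", 12, "bold"),
                 fg="#ff4444", bg="#000").grid(row=0, column=0, sticky=tk.W)
        self.dump_entry = tk.Entry(
            info_frame, width=50, bg="#000", fg="#ff4444", insertbackground="#ff4444", font=("Courier", 12))
        self.dump_entry.grid(row=0, column=1, sticky=tk.EW, padx=5)
        ttk.Button(info_frame, text="Browse", command=self.browse_dump,
                   style="Black.TButton").grid(row=0, column=2, padx=5)

        tk.Label(info_frame, text="Volatility Path:", font=(
            "Courier", 12, "bold"), fg="#ff4444", bg="#000").grid(row=1, column=0, sticky=tk.W)
        self.vol_entry = tk.Entry(
            info_frame, width=50, bg="#000", fg="#ff4444", insertbackground="#ff4444", font=("Courier", 12))
        self.vol_entry.grid(row=1, column=1, sticky=tk.EW, padx=5)
        self.vol_entry.insert(0, self.volatility_path)
        ttk.Button(info_frame, text="Browse", command=self.browse_volatility,
                   style="Black.TButton").grid(row=1, column=2, padx=5)
        info_frame.columnconfigure(1, weight=1)

    def _build_options_frame(self):
        """Plugin picker + Run, custom plugin entry + Run, and the decorative skull."""
        # (display name, Volatility 3 plugin name).  "list_plugins" is a
        # pseudo entry that run_selected_plugin routes to list_plugins().
        self.plugin_options = [
            ("Process List", "windows.pslist.PsList"),
            ("Process Scan", "windows.psscan.PsScan"),
            ("DLL List", "windows.dlllist.DllList"),
            ("Network Scan", "windows.netscan.NetScan"),
            ("Malfind", "windows.malfind.Malfind"),
            ("Yara Scan", "windows.yarascan.YaraScan"),
            ("Callbacks", "windows.callbacks.Callbacks"),
            ("Driver Scan", "windows.driverscan.DriverScan"),
            ("Handles", "windows.handles.Handles"),
            ("CmdLine", "windows.cmdline.CmdLine"),
            ("Envars", "windows.envars.Envars"),
            ("Filescan", "windows.filescan.FileScan"),
            ("Registry Hives", "windows.registry.hivelist.HiveList"),
            ("Registry Printkey", "windows.registry.printkey.PrintKey"),
            ("SSDT", "windows.ssdt.SSDT"),
            ("Modules", "windows.modules.Modules"),
            ("Services Scan", "windows.svcscan.SvcScan"),
            ("Get SIDs", "windows.getsids.GetSIDs"),
            ("MFT Parser", "windows.mftparser.MFTParser"),
            ("Shellbags", "windows.shellbags.ShellBags"),
            ("UserAssist", "windows.userassist.UserAssist"),
            ("Amcache", "windows.amcache.Amcache"),
            ("Shimcache", "windows.shimcache.ShimCache"),
            ("Timeliner", "windows.timeliner.TimeLiner"),
            ("Clipboard", "windows.clipboard.Clipboard"),
            ("CmdScan", "windows.cmdscan.CmdScan"),
            ("Consoles", "windows.consoles.Consoles"),
            ("Hashdump", "windows.hashdump.Hashdump"),
            ("LSA Dump", "windows.lsadump.Lsadump"),
            ("Dump Files", "windows.dumpfiles.DumpFiles"),
            ("ProcDump", "windows.procdump.ProcDump"),
            ("List Plugins", "list_plugins")
        ]

        options_frame = tk.Frame(self.root, bg="#000", padx=10, pady=10)
        options_frame.pack(fill=tk.X, padx=10, pady=(10, 0))
        # Column 98 absorbs spare width so the skull in column 99 hugs the right edge.
        options_frame.columnconfigure(98, weight=1)

        tk.Label(options_frame, text="Select:", font=("Courier", 12, "bold"),
                 fg="#ff4444", bg="#000").grid(row=0, column=0, sticky=tk.W, padx=(0, 5))
        self.selected_plugin = tk.StringVar()
        plugin_names = [name for name, _ in self.plugin_options]
        self.plugin_combobox = ttk.Combobox(
            options_frame, textvariable=self.selected_plugin, values=plugin_names,
            state="readonly", style="Black.TCombobox", width=25, font=("Courier", 12))
        self.plugin_combobox.current(0)
        self.plugin_combobox.grid(row=0, column=1, padx=(0, 10), sticky=tk.W)
        ttk.Button(options_frame, text="Run",
                   command=self.run_selected_plugin, style="Black.TButton").grid(row=0, column=2, padx=(0, 10), sticky=tk.W)

        tk.Label(options_frame, text="Custom Plugin:", font=("Courier", 12),
                 fg="#ff4444", bg="#000").grid(row=1, column=0, sticky=tk.W, padx=(0, 5), pady=(8, 0))
        self.custom_cmd = tk.Entry(
            options_frame, width=25, bg="#000", fg="#ff4444", insertbackground="#ff4444", font=("Courier", 12))
        self.custom_cmd.grid(row=1, column=1, padx=(0, 10), sticky=tk.W, pady=(8, 0))
        ttk.Button(options_frame, text="Run",
                   command=self.run_custom_command, style="Black.TButton").grid(row=1, column=2, sticky=tk.W, padx=(0, 10), pady=(8, 0))

        # NOTE(review): the whitespace of this ASCII art was lost in the
        # listing; the rows below are approximate.
        tk.Label(options_frame, text="""

.AMMMMMMMMMMA.
.AV. :::.:.:.::MA.
A' :.. : .:`A
A'.. . `A.
A' :. ::::::::: : :`A
M . :::.:.:.::: . .M
M : ::.:.....::.: .M
V : :.::.:........:.: :V
A A: ..:...:...:. A A
.V MA:.....:M.::.::. .:AM.M
A' .VMMMMMMMMM:.:AMMMMMMMV: A
:M . .`VMMMMMMV.:A `VMMMMV .:M:
V.:. ..`VMMMV.:AM..`VMV' .: V
V. .:. .....:AMMA. . .:. .V
VMM...: ...:.MMMM.: .: MMV
`VM: . ..M.:M..:::M'
`M::. .:.... .::M
M:. :. .... ..M
V: M:. M. :M .V
`V.:M.. M. :M.V'


""", font=("Courier", 4, "bold"),
            fg="#ff4444", bg="#000"
        ).grid(row=0, column=99, rowspan=3, sticky=tk.NE, padx=(0, 0), pady=(10, 0))

    def _build_output_frame(self):
        """Clear/Copy buttons above a read-only, scrollable output text widget."""
        output_frame = tk.Frame(self.root, bg="#000", padx=10, pady=10)
        output_frame.pack(fill=tk.BOTH, expand=True)

        out_ctrl_frame = tk.Frame(output_frame, bg="#000")
        out_ctrl_frame.pack(fill=tk.X, pady=(0, 5))
        ttk.Button(out_ctrl_frame, text="Clear Output", command=lambda: self.set_output(
            "", clear=True), style="Black.TButton").pack(side=tk.LEFT, padx=2)
        ttk.Button(out_ctrl_frame, text="Copy Output",
                   command=self.copy_output, style="Black.TButton").pack(side=tk.LEFT, padx=2)

        # Kept 'disabled' except while the code itself writes to it, so the
        # user cannot edit plugin output in place.
        self.output_text = tk.Text(
            output_frame,
            wrap=tk.WORD,
            font=('Menlo', 11),
            undo=True,
            state='disabled',
            bg="#000",
            fg="#ff4444",
            insertbackground="#ff4444",
            selectbackground="#440000",
            selectforeground="#fff"
        )
        self.output_text.pack(side=tk.LEFT, fill=tk.BOTH, expand=True)

        vsb = ttk.Scrollbar(output_frame, orient="vertical",
                            command=self.output_text.yview, style="Black.Vertical.TScrollbar")
        vsb.pack(side=tk.RIGHT, fill=tk.Y)
        self.output_text.configure(yscrollcommand=vsb.set)

    def _build_search_frame(self):
        """Search box with Find / Next / Previous, plus the CTF term highlighter."""
        search_frame = tk.Frame(self.root, bg="#000", padx=10, pady=5)
        search_frame.pack(fill=tk.X)
        tk.Label(search_frame, text="Search Output:", font=(
            "Courier", 12), fg="#ff4444", bg="#000").pack(side=tk.LEFT)
        self.search_entry = tk.Entry(
            search_frame, width=30, bg="#000", fg="#ff4444", insertbackground="#ff4444", font=("Courier", 12))
        self.search_entry.insert(0, self._SEARCH_PLACEHOLDER)
        # NOTE(review): the listing shows this event as "" (angle brackets
        # stripped); <FocusIn> is the Tk event matching "clear the placeholder
        # when the box gains focus" -- confirm against the original source.
        self.search_entry.bind(
            "<FocusIn>", lambda e: self._clear_placeholder())
        self.search_entry.pack(side=tk.LEFT, padx=5)
        ttk.Button(search_frame, text="Find",
                   command=self.search_output, style="Black.TButton").pack(side=tk.LEFT)
        ttk.Button(search_frame, text="Next", command=self.next_match,
                   style="Black.TButton").pack(side=tk.LEFT, padx=2)
        ttk.Button(search_frame, text="Previous", command=self.prev_match,
                   style="Black.TButton").pack(side=tk.LEFT, padx=2)
        ttk.Button(search_frame, text="CTF", command=self.ctf_search,
                   style="Black.TButton").pack(side=tk.LEFT, padx=8)

    def _build_status_bar(self):
        """Sunken single-line status label bound to ``self.status_var``."""
        self.status_var = tk.StringVar()
        self.status_var.set("Ready")
        tk.Label(self.root, textvariable=self.status_var, relief=tk.SUNKEN,
                 anchor="w", bg="#000", fg="#ff4444", font=("Courier", 11),
                 borderwidth=0, highlightthickness=0).pack(fill=tk.X)

    def set_output(self, text, clear=False):
        """Append *text* to the output widget, replacing everything if *clear*.

        Must be called on the Tk thread; worker threads post through
        ``self.root.after``.
        """
        self.output_text.config(state='normal')
        if clear:
            self.output_text.delete(1.0, tk.END)
        self.output_text.insert(tk.END, text)
        self.output_text.see(tk.END)
        self.output_text.config(state='disabled')

    def append_output(self, text):
        """Append *text* to the output widget without clearing it (Tk thread only)."""
        self.set_output(text, clear=False)

    def browse_dump(self):
        """Let the user pick a memory dump; store it and show it in the entry."""
        filepath = filedialog.askopenfilename(
            title="Select Memory Dump",
            filetypes=[
                ("Memory dumps", "*.dmp *.img *.mem *.raw *.vmem"), ("All files", "*.*")]
        )
        if filepath:
            self.memory_dump = filepath
            self.dump_entry.delete(0, tk.END)
            self.dump_entry.insert(0, filepath)

    def browse_volatility(self):
        """Let the user pick the Volatility executable; store, show and persist it."""
        filepath = filedialog.askopenfilename(
            title="Select Volatility Executable",
            filetypes=[("All files", "*")]
        )
        if filepath:
            self.volatility_path = filepath
            self.vol_entry.delete(0, tk.END)
            self.vol_entry.insert(0, filepath)
            self.save_volatility_path(filepath)

    def run_analysis(self, plugin):
        """Validate inputs, clear the output, then run *plugin* on a worker thread."""
        if not self.validate_inputs():
            return

        self.set_output(f"=== {plugin.upper()} ===\n", clear=True)
        self.status_var.set(f"Running {plugin}...")
        self.root.update()
        Thread(target=self._run_command_thread,
               args=(plugin,), daemon=True).start()

    def run_custom_command(self):
        """Run whatever the user typed in the Custom Plugin entry."""
        plugin = self.custom_cmd.get().strip()
        if not plugin:
            messagebox.showwarning("Warning", "Please enter a plugin name")
            return
        self.run_analysis(plugin)

    def list_plugins(self):
        """Show Volatility's plugin list (parsed from ``--help``) via a worker thread."""
        if not self.validate_volatility():
            return
        # Clear here, on the Tk thread; the worker only posts results back.
        self.set_output("=== AVAILABLE PLUGINS ===\n", clear=True)
        self.status_var.set("Listing plugins...")
        self.root.update()
        Thread(target=self._list_plugins_thread, daemon=True).start()

    def run_malware_scan(self):
        """Run a fixed set of triage plugins one after another in a single worker.

        Previously each plugin was started as its own thread and each cleared
        the output, so the results overwrote one another; now they run
        sequentially and each is appended under its own header.
        """
        if not self.validate_inputs():
            return
        plugins = [
            "windows.pslist.PsList",
            "windows.psscan.PsScan",
            "windows.dlllist.DllList",
            "windows.netscan.NetScan",
            "windows.malfind.Malfind",
            "windows.yarascan.YaraScan",
            "windows.callbacks.Callbacks",
            "windows.driverscan.DriverScan"
        ]
        self.set_output("=== MALWARE SCAN ===\n", clear=True)
        self.status_var.set("Running malware scan...")
        self.root.update()
        Thread(target=self._run_plugins_thread,
               args=(plugins,), daemon=True).start()

    def _execute_plugin(self, plugin):
        """Run one Volatility invocation and return ``(output_text, status_text)``.

        *plugin* is split with ``shlex.split`` so a custom entry such as
        ``windows.pslist.PsList --pid 4`` passes its options through; a plain
        plugin name yields a single argument as before.  The command is a
        list (no shell), so the dump path and plugin text are never
        shell-interpreted.  Never raises: errors are folded into the returned
        text so the worker thread cannot die silently.
        """
        import shlex

        try:
            cmd = [self.volatility_path, "-f", self.memory_dump, *shlex.split(plugin)]
            result = subprocess.run(cmd, capture_output=True, text=True)
            if result.returncode == 0:
                return result.stdout, f"Completed {plugin}"
            return f"Error:\n{result.stderr}", f"Completed {plugin}"
        except Exception as e:  # worker boundary: surface the error in the UI
            return f"\nError running {plugin}: {e}\n", f"Error running {plugin}"

    def _post_result(self, text, status):
        """Tk-thread helper: append *text* to the output and set the status line."""
        self.append_output(text)
        self.status_var.set(status)

    def _run_command_thread(self, plugin):
        """Worker for ``run_analysis``: run *plugin* and post its result to the Tk thread."""
        text, status = self._execute_plugin(plugin)
        self.root.after(0, self._post_result, text, status)

    def _run_plugins_thread(self, plugins):
        """Worker for ``run_malware_scan``: run *plugins* in order, posting each result."""
        for plugin in plugins:
            self.root.after(0, self.append_output, f"\n=== {plugin.upper()} ===\n")
            text, status = self._execute_plugin(plugin)
            self.root.after(0, self._post_result, text, status)
        self.root.after(0, self.status_var.set, "Malware scan completed")

    def _list_plugins_thread(self):
        """Worker for ``list_plugins``: run ``--help`` and post the plugin section."""
        try:
            result = subprocess.run(
                [self.volatility_path, "--help"], capture_output=True, text=True)
            if result.returncode == 0:
                output = result.stdout
                marker = "The available plugins are:"
                if marker in output:
                    # Keep only the block after the marker, up to the first blank line.
                    output = output.split(marker)[1].split("\n\n")[0]
                text, status = output, "Plugin list completed"
            else:
                text, status = f"Error:\n{result.stderr}", "Plugin list completed"
        except Exception as e:  # worker boundary: surface the error in the UI
            text, status = f"\nError listing plugins: {e}\n", "Plugin list error"
        self.root.after(0, self._post_result, text, status)

    def validate_inputs(self):
        """Check that the Volatility executable and the dump file are both usable.

        The dump path is read from the entry first, so a path typed rather
        than browsed is honoured.  Shows an error dialog and returns False on
        failure.
        """
        if not self.validate_volatility():
            return False
        self.memory_dump = self.dump_entry.get().strip()
        # A dump must be a regular file; a directory or missing path is rejected.
        if not self.memory_dump or not os.path.isfile(self.memory_dump):
            messagebox.showerror("Error", "Invalid memory dump file")
            return False
        return True

    def validate_volatility(self):
        """Check that the Volatility path (read from its entry) can be launched.

        Shows an error dialog and returns False when the path is empty or the
        executable cannot be started.  The exit status of ``--help`` is not
        checked, only that the process could be spawned.
        """
        self.volatility_path = self.vol_entry.get().strip()
        if not self.volatility_path:
            messagebox.showerror("Error", "Volatility path not specified")
            return False
        try:
            # NOTE: runs on the Tk thread, so the UI blocks for as long as
            # "--help" takes to return.
            subprocess.run([self.volatility_path, "--help"],
                           stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            return True
        except (OSError, subprocess.SubprocessError):
            messagebox.showerror(
                "Error", f"Cannot run volatility at: {self.volatility_path}")
            return False

    def search_output(self):
        """Highlight every case-insensitive occurrence of the search box text.

        Fills ``self.search_matches`` with (start, end) indices and jumps to
        the first one.  An empty query, or the untouched placeholder, only
        clears the previous highlights.
        """
        self.search_matches = []
        self.current_match = -1
        query = self.search_entry.get()
        self.output_text.config(state='normal')
        try:
            self.output_text.tag_remove("search_match", "1.0", tk.END)
            if not query or query == self._SEARCH_PLACEHOLDER:
                return
            start = "1.0"
            while True:
                idx = self.output_text.search(
                    query, start, stopindex=tk.END, nocase=1)
                if not idx:
                    break
                end = f"{idx}+{len(query)}c"
                self.output_text.tag_add("search_match", idx, end)
                self.search_matches.append((idx, end))
                start = end
            self.output_text.tag_config(
                "search_match", background="#ffe066", foreground="#222")
        finally:
            # Always re-lock the widget, even if a text index is rejected.
            self.output_text.config(state='disabled')
        if self.search_matches:
            self.current_match = 0
            self.highlight_current_match()

    def highlight_current_match(self):
        """Move the "current_match" tag to ``search_matches[current_match]`` and scroll to it."""
        if not self.search_matches:
            return
        self.output_text.config(state='normal')
        self.output_text.tag_remove("current_match", "1.0", tk.END)
        idx, end = self.search_matches[self.current_match]
        self.output_text.tag_add("current_match", idx, end)
        self.output_text.tag_config(
            "current_match", background="#3399ff", foreground="#fff")
        self.output_text.see(idx)
        self.output_text.config(state='disabled')

    def next_match(self):
        """Advance to the next search match, wrapping around at the end."""
        if not self.search_matches:
            return
        self.current_match = (self.current_match + 1) % len(self.search_matches)
        self.highlight_current_match()

    def prev_match(self):
        """Go back to the previous search match, wrapping around at the start."""
        if not self.search_matches:
            return
        self.current_match = (self.current_match - 1) % len(self.search_matches)
        self.highlight_current_match()

    def copy_output(self):
        """Replace the clipboard contents with the whole output text."""
        self.root.clipboard_clear()
        self.root.clipboard_append(self.output_text.get("1.0", tk.END))

    def _clear_placeholder(self):
        """On focus: remove the placeholder text so the user can type a query."""
        if self.search_entry.get() == self._SEARCH_PLACEHOLDER:
            self.search_entry.delete(0, tk.END)

    def run_selected_plugin(self):
        """Run the plugin chosen in the combobox ("List Plugins" lists instead)."""
        plugin = dict(self.plugin_options).get(self.selected_plugin.get())
        if plugin is None:
            return
        if plugin == "list_plugins":
            self.list_plugins()
        else:
            self.run_analysis(plugin)

    def ctf_search(self):
        """Highlight every term from data/ctf_flag_terms.csv found in the output.

        Terms are all non-empty cells of the CSV (whitespace-stripped,
        de-duplicated) and are matched case-insensitively.  The total match
        count is reported in a dialog; a missing or unreadable terms file is
        reported as an error.
        """
        ctf_terms_path = resource_path(
            os.path.join("data", "ctf_flag_terms.csv"))
        if not os.path.exists(ctf_terms_path):
            messagebox.showerror(
                "Error", f"CTF terms file not found: {ctf_terms_path}")
            return

        try:
            with open(ctf_terms_path, "r", newline="", encoding="utf-8") as f:
                terms = {t for row in csv.reader(f) for t in map(str.strip, row) if t}
        except (OSError, csv.Error) as e:
            messagebox.showerror(
                "Error", f"Cannot read CTF terms file: {e}")
            return
        if not terms:
            messagebox.showinfo(
                "CTF Search", "No terms found in CTF terms file.")
            return

        match_count = 0
        self.output_text.config(state='normal')
        try:
            self.output_text.tag_remove("ctf_match", "1.0", tk.END)
            for term in terms:
                start = "1.0"
                while True:
                    idx = self.output_text.search(
                        term, start, stopindex=tk.END, nocase=1)
                    if not idx:
                        break
                    end = f"{idx}+{len(term)}c"
                    self.output_text.tag_add("ctf_match", idx, end)
                    match_count += 1
                    start = end
            self.output_text.tag_config(
                "ctf_match", background="#00ff44", foreground="#000")
        finally:
            # Always re-lock the widget, even if a text index is rejected.
            self.output_text.config(state='disabled')
        messagebox.showinfo(
            "CTF Search", f"Found {match_count} matches for CTF terms.")


class VolatilityApp(tk.Tk):
    """Top-level window: a notebook holding the capture tab and the analyzer tab."""

    def __init__(self):
        super().__init__()
        self.title("Memory Forensic Toolkit or smth idk")
        self.geometry("950x800")

        style = ttk.Style()
        style.theme_use('default')
        style.configure("Black.TNotebook", background="#000", borderwidth=0)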
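        style.configure("Black.TNotebook.Tab",
                        background="#000", foreground="#ff4444",
                        font=("Arial", 12, "bold"),
                        lightcolor="#000", borderwidth=0, padding=10)
        style.map("Black.TNotebook.Tab",
                  background=[("selected", "#222")],
                  foreground=[("selected", "#fff")])

        self.notebook = ttk.Notebook(self, style="Black.TNotebook")
        self.notebook.pack(fill=tk.BOTH, expand=True)

        # Tab 0: capture.  The callback lets it push a freshly written dump
        # path into the analyzer tab.
        self.memory_capture_tab = MemoryCaptureTab(
            self.notebook, self.set_memory_dump)
        self.notebook.add(self.memory_capture_tab, text="Freaky ahh Jeff")

        # Tab 1: analysis.
        self.analyzer_tab = tk.Frame(self.notebook)
        self.notebook.add(self.analyzer_tab, text="Volatility Analyzer")
        self.analyzer = VolatilityAnalyzer(self.analyzer_tab)
        self.memory_dump = ""

        # NOTE(review): the listing shows this event as "<>" (angle brackets
        # stripped); <<NotebookTabChanged>> is the ttk virtual event fired on
        # tab selection -- confirm against the original source.
        self.notebook.bind("<<NotebookTabChanged>>", self.on_tab_changed)

    def set_memory_dump(self, path):
        """Record *path* as the current dump and mirror it into the analyzer's entry."""
        self.memory_dump = path
        self.analyzer.memory_dump = path
        self.analyzer.dump_entry.delete(0, tk.END)
        self.analyzer.dump_entry.insert(0, path)

    def on_tab_changed(self, event):
        """Tab-switch handler: refresh the tip on the capture tab and pin the minimum size.

        The minimum size is set to the current size, so the window can grow
        but never shrink below the largest layout seen so far.
        """
        if self.notebook.index(self.notebook.select()) == 0:
            self.memory_capture_tab.show_random_tip()

        self.update_idletasks()
        self.wm_minsize(self.winfo_width(), self.winfo_height())


if __name__ == "__main__":
    app = VolatilityApp()
    app.mainloop()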