├── .gitignore ├── .travis.yml ├── AUTHORS ├── LICENSE ├── Makefile ├── README.md ├── agent ├── agent.py ├── example.conf ├── requirements.txt └── server.py ├── data └── win7_master_dll_redirects.json ├── include ├── dump.h ├── monitor.h ├── output.h ├── paging │ └── intel_64.h ├── rekall_parser.h └── vmi │ └── process.h ├── scripts ├── README.parse_exports ├── find_dlls.ps1 ├── find_vad.py ├── fix_binary.py ├── get_exports.ps1 └── parse_exports.py ├── src ├── dump.c ├── main.c ├── monitor.c ├── output.c ├── process │ ├── linux.c │ ├── process.c │ └── windows.c └── rekall_parser.c ├── test ├── import_reconstruction │ ├── impscan.section0000.0001.2752.json │ └── vadinfo.0001.2752.json ├── inputs │ ├── linux-rekall-example.json │ └── windows-rekall-example.json └── unit.c └── tools ├── astyle ├── astyle.config ├── astyle.tar.gz └── run.sh ├── cr3_tracker.c ├── rekall_linux.c ├── rekall_windows.c ├── table_monitor.c └── vmi_table_walk.c /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/.gitignore -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/.travis.yml -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/AUTHORS -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/LICENSE -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/Makefile -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/README.md -------------------------------------------------------------------------------- /agent/agent.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/agent/agent.py -------------------------------------------------------------------------------- /agent/example.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/agent/example.conf -------------------------------------------------------------------------------- /agent/requirements.txt: -------------------------------------------------------------------------------- 1 | Click>=7.0 2 | libvirt-python>=1.3.1 3 | -------------------------------------------------------------------------------- /agent/server.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/agent/server.py -------------------------------------------------------------------------------- /data/win7_master_dll_redirects.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/data/win7_master_dll_redirects.json -------------------------------------------------------------------------------- /include/dump.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/include/dump.h -------------------------------------------------------------------------------- /include/monitor.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/include/monitor.h -------------------------------------------------------------------------------- /include/output.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/include/output.h -------------------------------------------------------------------------------- /include/paging/intel_64.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/include/paging/intel_64.h -------------------------------------------------------------------------------- /include/rekall_parser.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/include/rekall_parser.h -------------------------------------------------------------------------------- /include/vmi/process.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/include/vmi/process.h -------------------------------------------------------------------------------- /scripts/README.parse_exports: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/scripts/README.parse_exports -------------------------------------------------------------------------------- /scripts/find_dlls.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/scripts/find_dlls.ps1 -------------------------------------------------------------------------------- /scripts/find_vad.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/scripts/find_vad.py -------------------------------------------------------------------------------- /scripts/fix_binary.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/scripts/fix_binary.py -------------------------------------------------------------------------------- /scripts/get_exports.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/scripts/get_exports.ps1 -------------------------------------------------------------------------------- /scripts/parse_exports.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/scripts/parse_exports.py -------------------------------------------------------------------------------- /src/dump.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/src/dump.c -------------------------------------------------------------------------------- /src/main.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/src/main.c -------------------------------------------------------------------------------- /src/monitor.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/src/monitor.c -------------------------------------------------------------------------------- /src/output.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/src/output.c -------------------------------------------------------------------------------- /src/process/linux.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/src/process/linux.c -------------------------------------------------------------------------------- /src/process/process.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/src/process/process.c -------------------------------------------------------------------------------- /src/process/windows.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/src/process/windows.c -------------------------------------------------------------------------------- /src/rekall_parser.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/src/rekall_parser.c -------------------------------------------------------------------------------- /test/import_reconstruction/impscan.section0000.0001.2752.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/test/import_reconstruction/impscan.section0000.0001.2752.json -------------------------------------------------------------------------------- /test/import_reconstruction/vadinfo.0001.2752.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/test/import_reconstruction/vadinfo.0001.2752.json -------------------------------------------------------------------------------- /test/inputs/linux-rekall-example.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/test/inputs/linux-rekall-example.json -------------------------------------------------------------------------------- /test/inputs/windows-rekall-example.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/test/inputs/windows-rekall-example.json -------------------------------------------------------------------------------- /test/unit.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/test/unit.c -------------------------------------------------------------------------------- /tools/astyle/astyle.config: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/tools/astyle/astyle.config -------------------------------------------------------------------------------- /tools/astyle/astyle.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/tools/astyle/astyle.tar.gz -------------------------------------------------------------------------------- /tools/astyle/run.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/tools/astyle/run.sh -------------------------------------------------------------------------------- /tools/cr3_tracker.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/tools/cr3_tracker.c -------------------------------------------------------------------------------- /tools/rekall_linux.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/tools/rekall_linux.c -------------------------------------------------------------------------------- /tools/rekall_windows.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/tools/rekall_windows.c -------------------------------------------------------------------------------- /tools/table_monitor.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/tools/table_monitor.c -------------------------------------------------------------------------------- /tools/vmi_table_walk.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/carter-yagemann/vmi-unpack/HEAD/tools/vmi_table_walk.c --------------------------------------------------------------------------------