Initial commit - 611 cybersecurity skills across all subdomains

2026-06-13 06:34:57 +03:00 · 2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+"""
+Memory Forensics Automation with Volatility3
+
+Requirements:
+    pip install volatility3
+
+Usage:
+    python process.py --dump memory.raw --triage
+    python process.py --dump memory.raw --plugin windows.malfind
+"""
+
+import argparse
+import json
+import subprocess
+import sys
+
+
+def run_vol3(dump_path, plugin, extra_args=None, vol3_cmd="vol"):
+    cmd = [vol3_cmd, "-f", dump_path, "-r", "json", plugin]
+    if extra_args:
+        cmd.extend(extra_args)
+    try:
+        result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
+        if result.returncode == 0 and result.stdout.strip():
+            return json.loads(result.stdout)
+    except Exception as e:
+        print(f"[-] {plugin}: {e}")
+    return None
+
+
+def triage(dump_path):
+    plugins = [
+        "windows.pslist",
+        "windows.psscan",
+        "windows.malfind",
+        "windows.netscan",
+        "windows.cmdline",
+    ]
+    report = {}
+    for plugin in plugins:
+        print(f"[+] Running {plugin}...")
+        report[plugin] = run_vol3(dump_path, plugin)
+    return report
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Volatility3 Automation")
+    parser.add_argument("--dump", required=True, help="Memory dump file")
+    parser.add_argument("--triage", action="store_true")
+    parser.add_argument("--plugin", help="Specific plugin to run")
+    parser.add_argument("--output", help="Output JSON file")
+
+    args = parser.parse_args()
+
+    if args.triage:
+        report = triage(args.dump)
+    elif args.plugin:
+        report = {args.plugin: run_vol3(args.dump, args.plugin)}
+    else:
+        parser.print_help()
+        return
+
+    print(json.dumps(report, indent=2, default=str))
+    if args.output:
+        with open(args.output, 'w') as f:
+            json.dump(report, f, indent=2, default=str)
+
+
+if __name__ == "__main__":
+    main()