lpus/logs/dump_test/1/stat.py
2020-06-05 19:37:13 +07:00

51 lines
1.9 KiB
Python

import pandas as pd
elpus = pd.read_csv('eprocess_lpusscan.csv')
flpus = pd.read_csv('file_lpusscan.csv', encoding='utf-8')
evol = pd.read_csv('eprocess_volscan.csv')
fvol = pd.read_csv('file_volscan.csv')
print('''
A simple statistics for LPUS and Volatility
Environment: Windows 10 2019 (build number 18362) on VirtualBox
RAM: 4GB
> The VM is downloaded through Microsoft
LPUS scan _EPROCESS and _FILE_OBJECT.
The scan time: approximate 5 minutes.
After that, use VirtualBox command to generate the memory image
> "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" debugvm "<name>" dumpvmcore --filename "/path/to/<name>.elf"
Volatility version is at 5f685e5
> The latest release of Volatility doesn't have support for Windows build no. 18362
Then compare the log from LPUS and the two volatility command with profile Win10x64_18362:
- psscan to scan _EPROCESS, approximate 30 minutes
- filescan to scan _EPROCESS, approximate 2-3 hours
(The log file is then converted to csv files, see 'eprocess_to_csv.py' and 'file_to_csv.py')
''')
print('==================================================')
print('_EPROCESS')
print('lpus scan: ', elpus['address'].shape, 'results')
print('volatility scan: ', evol['address'].shape, 'results')
print('volatility scan misses lpus: ', elpus['address'][~elpus['address'].isin(evol['address'])].shape, 'results')
print('lpus scan misses volatility: ', evol['address'][~evol['address'].isin(elpus['address'])].shape, 'results')
print('==================================================')
print('_FILE_OBJECT')
print('lpus scan: ', flpus['address'].shape, 'results')
print('volatility scan: ', fvol['address'].shape, 'results')
print('volatility scan misses lpus: ', flpus['address'][~flpus['address'].isin(fvol['address'])].shape, 'results')
print('lpus scan misses volatility: ', fvol['address'][~fvol['address'].isin(flpus['address'])].shape, 'results')