From 0ffb2242a7ff23b2058c8b02458b718379279224 Mon Sep 17 00:00:00 2001
From: BenjamineSB <27532204+BenjamineSB@users.noreply.github.com>
Date: Sun, 17 Feb 2019 15:41:43 +0530
Subject: [PATCH] Implemented unified output features

'vol.py --plugins=path/to/ndispktscan -f memory.dmp --profile=Win7SP1x64 ndispktscan' output is showing on the terminal and it is difficult to process with the data if we saved the output to text file or something else. This new change that I made will helpful to get the output of the ndispktscan in tabular format (especially in json or csv) to process inside the data.

example command:
vol.py --plugins=path/to/ndispktscan -f memory.dmp --profile=Win7SP1x64 ndispktscan --output=json --output-file=./jsonfile.json
vol.py --plugins path/to/ndispktscan/ -f memory.dmp --profile Win7SP1x64 ndispktscan --slack --output=json --output-file=./jsonfile.json
---
 AdamBridge/ndispktscan.py | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/AdamBridge/ndispktscan.py b/AdamBridge/ndispktscan.py
index 04a97b0..4a520a5 100644
--- a/AdamBridge/ndispktscan.py
+++ b/AdamBridge/ndispktscan.py
@@ -9,6 +9,9 @@ import volatility.utils as utils
 import volatility.win32.tasks as tasks
+from volatility.renderers import TreeGrid
+from volatility.renderers.basic import Address, Hex
+
 # Add some structures
 _packet_types = {
@@ -632,3 +635,35 @@ def render_text(self, outfd, data):
                 dsts_file.write(dst + '\n')
             outfd.write('Written {:,} destination IPs to \'{}\'.\n'.format(
                 len(dsts), self._config.DSTS))
+
+    def unified_output(self, data):
+        if self._config.SLACK:
+            return TreeGrid([("Offset (V)", Address),
+                             ("Slack Data", str),],
+                            self.generator(data))
+        else:
+            return TreeGrid([("Offset (V)", Address),
+                             ("Source MAC", str),
+                             ("Destination MAC", str),
+                             ("Prot", str),
+                             ("Source IP", str),
+                             ("Destination IP", str),
+                             ("SPort", str),
+                             ("DPort", str),
+                             ("Flags", str)],
+                            self.generator(data))
+
+    def generator(self, data):
+        if self._config.SLACK:
+            for offset, slack in data:
+                better_slack = self.tidy_slack(slack)
+                if len(better_slack) > 1:
+                    yield(0, [Address(offset), str(better_slack)])
+        else:
+            dsts = set()
+            for raw, eth, epl, pl in data:
+                dst_ip = epl.make_ip(epl.dst_ip)
+                dsts.add(dst_ip)
+                src_mac = eth.make_mac(eth.mac_src)
+
+                yield (0, [Address(eth.v()), str(src_mac), str(eth.make_mac(eth.mac_dst)), str('{:#04x}'.format(epl.get_proto())), str(epl.make_ip(epl.src_ip)), str(dst_ip), str(pl.src_port if pl else 'Proto'), str(pl.dst_port if pl else 'NotKn'), str(pl.get_flags() if pl else 'own')])
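Review bot: The `'Proto'` / `'NotKn'` / `'own'` fallbacks in the final `yield` of `generator` are text-layout filler that spelled "ProtoNotKnown" across three terminal columns, and they now land in the SPort, DPort and Flags cells of the JSON/CSV this patch exists to produce, so a consumer filtering on port sees the string `Proto` as a port value. In machine-readable output a packet with no parsed transport header should get empty cells or one consistent marker, e.g. `str(pl.src_port) if pl else ''`, `str(pl.dst_port) if pl else ''`, `str(pl.get_flags()) if pl else ''`. The `dsts` set in the same branch is filled on every packet but never read: either drop it, or honour `self._config.DSTS` the way the context lines show render_text doing (writing the set to that file), since a user passing `--dsts` together with `--output=json` currently gets neither the file nor a warning. render_text's body begins outside this hunk.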