fix bug

Tokeii0 · Apr 17, 2024 · 5ab7b0f · 5ab7b0f
1 parent cfd78fd
commit 5ab7b0f
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 3 deletions.
diff --git a/config.py b/config.py
@@ -2,4 +2,46 @@
 volatility2 = r'Tools\volatility2\vol.exe'
 gimp = r'Tools\gimp\bin\gimp-console-2.10.exe'
 profile  = ['Win7SP1x64', 'Win7SP1x86', 'WinXPSP3x86', 'WinXPSP2x86', 'WinXPSP2x64']
-pythonpath = r'mem_venv\Scripts\python.exe' # 你的python3位置
+pythonpath = r'mem_venv\Scripts\python.exe'
+
+
+#-------------------------未来功能----------------------------
+# 应该为空的目录
+suspicious_directories = [
+    r"\Users\Public\Music"
+]
+
+
+# 排除规则可以是完整的文件路径或者是正则表达式
+excluded_patterns = [
+    r"\\Windows\\Fonts\\.*\.ttf$",  # 排除Windows\Fonts目录下的所有.ttf文件
+]
+
+# 添加重点关注列表,file_name为文件名，excluded_directories为文件应该出现的目录，比如说explorer.exe应该在Windows目录下
+watchlist_items = [
+    {
+        'file_name': r"cmd.exe",
+        'excluded_directories': [
+            r"\\Windows\\System32\\",
+            r"\\Windows\\SysWOW64\\"
+        ]
+    },
+    {
+        'file_name': r"f.exe",
+        'excluded_directories': [
+            r"\\Windows\\System32\\",
+            r"\\Windows\\SysWOW64\\"
+        ]
+    }
+]
+
+# 排除动作
+action_items = [
+    {
+        'action': r"CRE",
+        'excluded_directories': [
+            r"\\Windows\\System32\\",
+            r"\\Windows\\SysWOW64\\"
+        ]
+    }
+]
diff --git a/main.py b/main.py
@@ -366,11 +366,12 @@ def runvol2pro(self):
             path = self.mem_path
         except:
             print(Fore.RED + '[×] 请先加载内存镜像文件！' + Style.RESET_ALL)
+
         if os.path.exists(self.regpath): 
             cmd = [config.pythonpath, 'volpro.py', path, self.profile]
             print(Fore.YELLOW + '[*] 正在调用volpro进行分析，使用profile:{self.profile}：' + cmd + Style.RESET_ALL)
         else :
-            cmd = [pythonpath, 'volpro.py', path]
+            cmd = [config.pythonpath, 'volpro.py', path]
             print(Fore.YELLOW + '[*] 正在调用volpro进行分析，使用profile:{self.profile}：' + cmd + Style.RESET_ALL)
         try:
             print
@@ -733,4 +734,4 @@ def closeEvent(self, event):
 if __name__ == '__main__':
     app = QApplication(sys.argv)
     lovelymem = Lovelymem()
-    sys.exit(app.exec())
+    sys.exit(app.exec())