{"id":21843299,"url":"https://github.com/tokeii0/lovelymem","last_synced_at":"2025-12-29T08:21:08.251Z","repository":{"id":214122841,"uuid":"735753257","full_name":"Tokeii0/LovelyMem","owner":"Tokeii0","description":"A visual memory forensics tool based on Memprocfs and Volatility","archived":false,"fork":false,"pushed_at":"2025-05-06T11:37:05.000Z","size":60587,"stargazers_count":970,"open_issues_count":0,"forks_count":66,"subscribers_count":7,"default_branch":"NewWorld","last_synced_at":"2025-05-15T07:03:12.724Z","etag":null,"topics":["ctf","ctftools","memprocfs","volatility","volatility3"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Tokeii0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-12-26T02:12:30.000Z","updated_at":"2025-05-15T06:37:48.000Z","dependencies_parsed_at":"2024-01-01T07:25:28.194Z","dependency_job_id":"2262f827-52fa-4030-b175-e22b3595d63c","html_url":"https://github.com/Tokeii0/LovelyMem","commit_stats":null,"previous_names":["tokeii0/lovelymem"],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Tokeii0%2FLovelyMem","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Tokeii0%2FLovelyMem/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Tokeii0%2FLovelyMem/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Tokeii0%2FLovelyMem/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Tokeii0","download_url":"https://codeload.github.com/Tokeii0/LovelyMem/tar.gz/refs/heads/NewWorld","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254291961,"owners_count":22046424,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ctf","ctftools","memprocfs","volatility","volatility3"],"created_at":"2024-11-27T22:14:46.175Z","updated_at":"2025-12-29T08:21:08.245Z","avatar_url":"https://github.com/Tokeii0.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!-- markdownlint-disable MD033 MD041 --\u003e\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://ctf.dog\"\u003e\u003cimg src=\"https://github.com/Tokeii0/LovelyMem/blob/NewWorld/res/logo_200.png\" width=\"250\" height=\"250\" alt=\"lovelymem\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\u003cdiv align=\"center\"\u003e\n\n# LovelyMem\n\n\u003c!-- prettier-ignore-start --\u003e\n\u003c!-- markdownlint-disable-next-line MD036 --\u003e\n_✨ A visual memory forensics tool based on *Memprocfs* and *Volatility* ✨_\n\u003c!-- prettier-ignore-end --\u003e\n\n\u003ca href=\"https://qm.qq.com/q/MuXmudpdKy\"\u003e\u003cimg src=\"https://img.shields.io/badge/QQ%E7%BE%A4-668600249-orange?style=flat-square\" alt=\"QQGroup\"\u003e\u003c/a\u003e\n\u003ca href=\"http://ctf.dog\"\u003e\u003cimg src=\"https://img.shields.io/badge/CTF%E5%AF%BC%E8%88%AA%E7%AB%99-ctf.dog-5492ff?style=flat-square\" alt=\"ctfnav\"\u003e\u003c/a\u003e\n\u003ca href=\"..\"\u003e\u003cimg src=\"https://img.shields.io/badge/Python%20-%203.10.11-def1f2?style=flat-square\" alt=\"python\"\u003e\u003c/a\u003e\n\n\u003c/div\u003e\n\n---\n\nGroup 1 is full; please join group 2: 668600249\n\n### What is this\n\nA quick memory forensics tool based on `MemProcFS`, `Volatility2`, and `Volatility3`.\n\nUnlike [VolatilityPro](https://github.com/Tokeii0/VolatilityPro), LovelyMem offers faster forensic analysis and more convenient features.\n\n**Video demo**: https://www.bilibili.com/video/BV1z912YpECB\n\n**Full version download**: https://pan.quark.cn/s/8343fccf1312\n\n---\n\n### Interface screenshots\n\n![image](https://github.com/user-attachments/assets/6c5e5807-1a1a-4285-b189-c36a3269b3c1)\n\n![image](https://github.com/user-attachments/assets/2e1c6084-88a9-4535-bba6-c5c917b37b06)\n\n![image](https://github.com/user-attachments/assets/1084eabf-2951-41c8-93b8-531fcefe3eff)\n\n\n---\n\n### Setup\n\nConfigure the following yourself in `base_config.yaml` under the `config` folder, or configure it graphically in the application via the \"Settings\" button under \"Advanced Features\".\n\n```yaml\ntools:\n  memprocfs:\n    path: \"../Tools/MemProcFS/MemProcFS.exe\"\n  volatility2:\n    path: \"../Tools/volatility2/vol.exe\"\n  volatility2_python:\n    path: \"../Tools/volatility2_python/vol.py\"\n  volatility3:\n    path: \"../Tools/volatility3/vol.py\"\n  volatility3_symbols:\n    path: \"../Tools/volatility3/symbols\"\n  gimp:\n    path: \"../Tools/gimp/bin/gimp-console-2.10.exe\"\n  volatility2_plugin:\n    path: \"../Tools/volatility2_plugin\"\n\nbase_tools:\n  python310:\n    path: \"../Tools/python3/python.exe\"\n  python27:\n    path: \"../Tools/python27/python27.exe\" \n  strings:\n    path: \"../Tools/other/strings.exe\"\n\nother_tools:\n  RegistryExplorer:\n    path: \"../Tools/RegistryExplorer/RegistryExplorer.exe\"\n  EvtxECmd:\n    path: \"../Tools/EvtxECmd/EvtxECmd.exe\"\n```\n\n---\n\n### Features\n\n- **Tool integration**: integrates multiple memory forensics tools such as `MemProcFS`, `Volatility2`, and `Volatility3`.\n- **Quick checks**: quick access to commonly used forensics functions.\n- **Task orchestration**: create and run custom forensic task workflows.\n- **Report editor**: generate and edit forensic reports with ease.\n- **AI assistant**: AI-assisted analysis.\n- **Configuration**: easily configure tool paths, LLM settings, and proxy settings through the graphical interface.\n\n---\n\n### Running\n\nAfter configuring the above, run:\n\n```bash\npython launcher.py\n```\n\n---\n\n### Plugin development\n\nBelow is an example plugin that extracts an archive; other plugin examples can be found in the `extensions` folder.\n\n```python\nimport zipfile\nimport os\n\n# Plugin info dictionary containing the plugin's basic information\nplugin_info = {\n    \"title\": \"解压文件\",  # plugin title\n    \"description\": \"解压ZIP、RAR等压缩文件\",  # plugin description\n    \"usage\": \"选择一个压缩文件,然后点击此插件\",  # usage instructions\n    \"category\": \"文件操作\"  # plugin category\n}\n\ndef run(file_path):\n    \"\"\"\n    The plugin's main entry function\n    \n    Parameters:\n    file_path (str): path of the file to process\n    \n    Returns:\n    None\n    \"\"\"\n    # Check whether the file exists\n    if not os.path.exists(file_path):\n        print(f\"错误: 文件 {file_path} 不存在\")\n        return\n\n    # Get the file extension\n    _, file_extension = os.path.splitext(file_path)\n    \n    # Choose the extraction method based on the extension\n    if file_extension.lower() == '.zip':\n        extract_zip(file_path)\n    else:\n        print(f\"不支持的文件类型: {file_extension}\")\n\ndef extract_zip(file_path):\n    \"\"\"\n    Extract a ZIP file\n    \n    Parameters:\n    file_path (str): path of the ZIP file, i.e. the path of the file in the file slot\n    \n    Returns:\n    None\n    \"\"\"\n    try:\n        # Create the output directory\n        output_dir = os.path.join('output', 'extracted_files')\n        os.makedirs(output_dir, exist_ok=True)\n        \n        # Extract the archive\n        with zipfile.ZipFile(file_path, 'r') as zip_ref:\n            zip_ref.extractall(output_dir)\n        \n        print(f\"文件已成功解压到: {output_dir}\")\n        \n        # List the extracted files\n        print(\"解压的文件列表:\")\n        for root, dirs, files in os.walk(output_dir):\n            for file in files:\n                print(os.path.join(root, file))\n    \n    except zipfile.BadZipFile:\n        print(\"错误: 无效的ZIP文件\")\n    except Exception as e:\n        print(f\"解压过程中发生错误: {str(e)}\")\n\n# Note: to support other archive types (such as RAR),\n# add a corresponding extraction function and call it from run()\n```\n\n---\n\n### What kinds of challenges it suits\n\n- Forensics challenges without nested layers\n- *Windows* memory forensics\n\n---\n\n### A few questions\n\n**Q: Why was it paid at first, and now suddenly open source?**\n\nA: When this project was first paid, I set myself a flag: either it reaches 1000 stars on GitHub, or someone cracks it. The result is obvious, haha. I don't blame the expert who cracked it; after all, technology is innocent, and we all work hard and improve together! The further reason for open-sourcing: rather than wait for cracked copies to fly everywhere, better to open source it directly~\n\n**Q: Will it keep being updated after going open source?**\n\nA: Of course! This is my first project with this many stars, and as long as I have time I will keep maintaining it. Everyone is welcome to take part and make the project better together~\n\n---\n\n### Other\n\nStay away from cutthroat competition and give the CTF community back its clear skies.\n\nThe wish is for forensics to be as easy as drinking water.\n\n---\n\n### Development is hard work, buy me a coffee\n\n![image](https://github.com/user-attachments/assets/d2f81d8a-a445-44ad-9069-664e053340d7)\n\n---\n\n### Star History Chart\n\n[![Star History Chart](https://api.star-history.com/svg?repos=Tokeii0/LovelyMem\u0026type=Date)](https://star-history.com/#Tokeii0/LovelyMem\u0026Date)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftokeii0%2Flovelymem","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftokeii0%2Flovelymem","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftokeii0%2Flovelymem/lists"}