added info on plugins for vol2

This commit is contained in:
gurkenhabicht 2023-12-20 19:56:27 +01:00
parent 2545b3e403
commit 74845509af
1 changed files with 88 additions and 21 deletions


@ -9,81 +9,149 @@ Always check both of the versions if you are not sure about how the file was dum
* [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples) * [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples)
* [Symbol table for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables) * [Symbol table for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables)
## Basic Commands ## Volatility2
Basic Info, find OS profile
* Basic Info, find OS profile
```sh ```sh
volatility -f <file.iso> imageinfo volatility -f <file.iso> imageinfo
volatility -f <file.iso> kdbgscan volatility -f <file.iso> kdbgscan
``` ```
* Process list
Take a look at what can be done with a specific profile
```sh
volatility -f <file.iso> --profile <OSprofile> -h
```
Process list
```sh ```sh
volatility -f <file.iso> --profile <OSprofile> pslist volatility -f <file.iso> --profile <OSprofile> pslist
``` ```
* List dlls
List dlls
```sh ```sh
volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID> volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
``` ```
* Last accessed dir
Last accessed dir
```sh ```sh
volatility -f <file.iso> --profile <OSprofile> shellbags volatility -f <file.iso> --profile <OSprofile> shellbags
``` ```
* Scan network
Scan network
```sh ```sh
volatility -f <file.iso> --profile <OSprofile> netscan volatility -f <file.iso> --profile <OSprofile> netscan
``` ```
* Scan files
Scan files
```sh ```sh
volatility -f <file.iso> --profile <OSprofile> filescan | grep <fileToLookFor> volatility -f <file.iso> --profile <OSprofile> filescan | grep <fileToLookFor>
``` ```
* Dump files
Dump files
```sh ```sh
volatility -f <file.iso> --profile <OSprofile> dumpfiles -Q <addressFromfilescan> -D . volatility -f <file.iso> --profile <OSprofile> dumpfiles -Q <addressFromfilescan> -D .
``` ```
### Volatility3 ### Plugins
Bash history
```sh
volatility -f <file.iso> --profile <OSprofile> linux_bash
```
Linux process list includes process ID as well as parent process ID
```sh
volatility -f <file.iso> --profile <OSprofile> linux_pslist
```
Dump Process binaries using the `linux_procdump` plugin to a target directory by
using the PID. The result is an elf file
```sh
volatility -f <file.iso> --profile <OSprofile> linux_procdump -D <directory> -p <PID>
```
File listing under Linux may be done via the `linux_enumerate_files` and
filtered via grep
```sh
volatility -f <file.iso> --profile <OSprofile> linux_enumerate_files
```
Dump files and directories via `linux_find_file` plugin after listing the files
to gather memory address
```sh
volatility -f <file.iso> --profile <OSprofile> linux_find_file -i <MemoryAddress> -O <OutputFileName>
```
### Creating Profiles
Usable profiles are visible via `volatility --info`. There are only Windows
profiles per default.
To create Linux profiles follow the guide [Security Post-it #3 Volatility Linux Profiles](https://beguier.eu/nicolas/articles/security-tips-3-volatility-linux-profiles.html)
## Volatility3
Basic Info works too, but you have to know the kind of OS anyway
* Basic Info works too, but you have to know the kind of OS anyway
```sh ```sh
volatility -f <file.iso> windows.info volatility -f <file.iso> windows.info
``` ```
* Process list, but processes can be hidden. Therefore use ` psscan ` Process list, but processes can be hidden. Therefore use ` psscan `
```sh ```sh
volatility -f <file.iso> windows.pslist volatility -f <file.iso> windows.pslist
volatility -f <file.iso> windows.psscan volatility -f <file.iso> windows.psscan
volatility -f <file.iso> windows.pstree volatility -f <file.iso> windows.pstree
``` ```
* List dlls, this includes the path of the file List dlls, this includes the path of the file
```sh ```sh
volatility -f <file.iso> windows.dlllist volatility -f <file.iso> windows.dlllist
``` ```
* Find malicious files, fileless and including files, respectively Find malicious files, fileless and including files, respectively
```sh ```sh
volatility -f <file.iso> windows.malfind volatility -f <file.iso> windows.malfind
volatility -f <file.iso> windows.vadyarascan volatility -f <file.iso> windows.vadyarascan
``` ```
* Dump memory map Dump memory map
```sh ```sh
volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
volatility -f <file.iso> windows.dumpfiles --pid <pid> volatility -f <file.iso> windows.dumpfiles --pid <pid>
``` ```
* Dump and scan files Dump and scan files
```sh ```sh
windows.dumpfiles.DumpFiles Dumps cached file contents from Windows memory windows.dumpfiles.DumpFiles Dumps cached file contents from Windows memory
windows.filescan.FileScan Scans for file objects present in a particular windows. Lists version information from PE files. windows.filescan.FileScan Scans for file objects present in a particular windows. Lists version information from PE files.
``` ```
* Find file handles or mutex Find file handles or mutex
```sh ```sh
volatility -f <file.iso> windows.mutex volatility -f <file.iso> windows.mutex
``` ```
* Malware hunting through hooking Malware hunting through hooking
```sh ```sh
windows.ssdt.SSDT Lists the system call table. # System Service Descriptor Table windows.ssdt.SSDT Lists the system call table. # System Service Descriptor Table
windows.driverirp.DriverIrp List IRPs for drivers in a particular windows memory image. windows.driverirp.DriverIrp List IRPs for drivers in a particular windows memory image.
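Review bot: the new `linux_enumerate_files` entry under the Volatility2 `### Plugins` heading says the listing is "filtered via grep" but the command carries no pipe; either drop that clause or mirror the `filescan` entry above it: `volatility -f <file.iso> --profile <OSprofile> linux_enumerate_files | grep <fileToLookFor>`. The `linux_find_file` entry should say which address it expects: `-i` takes the inode address printed by `linux_enumerate_files` (or by `linux_find_file -F <path>`), not an arbitrary memory address, so `<MemoryAddress>` is better spelt `<InodeAddress>`. The Linux plugin commands added here only work once a matching Linux profile exists, and the hunk itself states that `volatility --info` ships Windows profiles only, so a one-line pointer to the `### Creating Profiles` subsection at the top of `### Plugins` would save readers a failed run. Wording in the added text: "The result is an elf file" should read "an ELF file" and "per default" should read "by default". Style: the hunk strips the `* ` bullets from the Volatility2 entries ("Basic Info, find OS profile", "Process list", "List dlls", ...) while the Volatility3 section below keeps them; pick one convention for both sections.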
@ -91,10 +159,9 @@ windows.modules.Modules Lists the loaded kernel modules.
windows.driverscan.DriverScan Scans for drivers present in a particular windows windows.driverscan.DriverScan Scans for drivers present in a particular windows
``` ```
### Plugins
## Plugins Volatility 3 plugins are named after the specific profile they are used for.
Volatility 3 plugins are named after the specific profile they are used for.
For the most part these are (` macOS.*, windows.*, linux.* `) For the most part these are (` macOS.*, windows.*, linux.* `)
* For example * For example
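Review bot: demoting `## Plugins` to `### Plugins` fixes the hierarchy under `## Volatility3`, but the sentence that now sits beneath it still says plugins are named after the "specific profile"; Volatility 3 does not use profiles, it resolves symbol tables on its own (the "Symbol table for Linux and macOS" link at the top of the file points to exactly that), so "named after the operating system they target" would be accurate. In the same paragraph the macOS namespace is `mac.*` (for example `mac.pslist`), not `macOS.*`, and the backtick span ` macOS.*, windows.*, linux.* ` carries stray inner spaces that render as leading and trailing blanks; the same applies to ` psscan ` earlier in the file.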