updated volatility
parent 41af4b5b9a
commit f9b6a83e17
@ -1,6 +1,14 @@
# Volatility
Search through collected volatile memory dumps, volume and VM images.
Volatility and Volatility 3 have a different syntax. The older one has
higher malware hunting abilities.
* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
* [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples)
* [Symbol table for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables)
## Basic Commands
* Basic Info, find OS profile
```sh
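Review bot: the added description "Search through collected volatile memory dumps, volume and VM images." overstates the scope: Volatility works on memory images (raw dumps, hibernation files, VM memory snapshots), not on disk volume images, so "volume" should go or become "hibernation files". The added claim that the older release "has higher malware hunting abilities" needs a concrete basis (for instance, which Volatility 2 plugins still lack a Volatility 3 port) or should be dropped. The pre-existing link text "Hacktricks shee" is missing the "t" of "sheet" and could be fixed in the same commit.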
@ -19,9 +27,65 @@ volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
```sh
volatility -f <file.iso> --profile <OSprofile> shellbags
```
### Volatility3
* Basic Info works too, but you have to know the kind of OS anyway
```sh
volatility -f <file.iso> windows.info
```
* Process list, but processes can be hidden. Therefore use ` psscan `
```sh
volatility -f <file.iso> windows.pslist
volatility -f <file.iso> windows.psscan
volatility -f <file.iso> windows.pstree
```
* List dlls, this includes the path of the file
```sh
volatility -f <file.iso> windows.dlllist
```
* Find malicious files, fileless and including files, respectively
```sh
volatility -f <file.iso> windows.malfind
volatility -f <file.iso> windows.vadyarascan
```
* Dump memory map
```sh
volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
```
* Dump and scan files
```sh
windows.dumpfiles.DumpFiles Dumps cached file contents from Windows memory
windows.filescan.FileScan Scans for file objects present in a particular windows. Lists version information from PE files.
```
* Find file handles or mutex
```sh
volatility -f <file.iso> windows.mutex
```
* Malware hunting through hooking
```sh
windows.ssdt.SSDT Lists the system call table. # System Service Descriptor Table
windows.driverirp.DriverIrp List IRPs for drivers in a particular windows memory image.
windows.modules.Modules Lists the loaded kernel modules.
windows.driverscan.DriverScan Scans for drivers present in a particular windows
```
## Plugins
Volatility 3 plugins are named after the specific profile they are used for.
For the most part these are (` macOS.*, windows.*, linux.* `)
* For example
* Truecryptpassphrase
* cmdscan, command history
* shutdowntime
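Review bot: every Volatility 3 command in the new section invokes `volatility`, the same binary as the Volatility 2 commands above, even though the text says the two have different syntax; Volatility 3 is run as `vol` (or `vol.py` from a source checkout), e.g. `vol -f <file.iso> windows.info`, so the `volatility -f <file.iso> windows.*` lines should be changed. Two of the new `sh` blocks ("Dump and scan files" and "Malware hunting through hooking") contain plugin help text rather than runnable commands, and the line `windows.filescan.FileScan Scans for file objects present in a particular windows. Lists version information from PE files.` fuses the FileScan description with the one belonging to `windows.verinfo.VerInfo`; either turn these entries into commands or move the descriptions into prose. `windows.vadyarascan` does nothing without YARA rules (a rule file via `--yara-file` or an inline rule), so that command is incomplete as shown, and `windows.mutex` should be checked against `vol --help`, since the mutant scanner is `windows.mutantscan.MutantScan` and handles come from `windows.handles.Handles`. Minor: the inline code span around psscan has stray spaces inside the backticks.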