2.8 KiB
2.8 KiB
Volatility
Search through collected volatile memory dumps, volume and VM images.
Volatility and Volatility 3 have a different syntax. The older one has
higher malware hunting abilities.
Always check both of the versions if you are not sure about how the file was dumped.
Basic Commands
- Basic Info, find OS profile
volatility -f <file.iso> imageinfo
volatility -f <file.iso> kdbgscan
- Process list
volatility -f <file.iso> --profile <OSprofile> pslist
- List dlls
volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
- Last accessed dir
volatility -f <file.iso> --profile <OSprofile> shellbags
- Scan network
volatility -f <file.iso> --profile <OSprofile> netscan
- Scan files
volatility -f <file.iso> --profile <OSprofile> filescan | grep <fileToLookFor>
- Dump files
volatility -f <file.iso> --profile <OSprofile> dumpfiles -Q <addressFromfilescan> -D .
Volatility3
- Basic Info works too, but you have to know the kind of OS anyway
volatility -f <file.iso> windows.info
- Process list, but processes can be hidden. Therefore use
psscan
volatility -f <file.iso> windows.pslist
volatility -f <file.iso> windows.psscan
volatility -f <file.iso> windows.pstree
- List dlls, this includes the path of the file
volatility -f <file.iso> windows.dlllist
- Find malicious files, fileless and including files, respectively
volatility -f <file.iso> windows.malfind
volatility -f <file.iso> windows.vadyarascan
- Dump memory map
volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
volatility -f <file.iso> windows.dumpfiles --pid <pid>
- Dump and scan files
windows.dumpfiles.DumpFiles Dumps cached file contents from Windows memory
windows.filescan.FileScan Scans for file objects present in a particular windows. Lists version information from PE files.
- Find file handles or mutex
volatility -f <file.iso> windows.mutex
- Malware hunting through hooking
windows.ssdt.SSDT Lists the system call table. # System Service Descriptor Table
windows.driverirp.DriverIrp List IRPs for drivers in a particular windows memory image.
windows.modules.Modules Lists the loaded kernel modules.
windows.driverscan.DriverScan Scans for drivers present in a particular windows
Plugins
Volatility 3 plugins are named after the specific profile they are used for.
For the most part these are (macOS.*, windows.*, linux.*
)
- For example
- Truecryptpassphrase
- cmdscan, command history
- shutdowntime