killchain-compendium/Forensics/Volatility.md

106 lines
2.8 KiB
Markdown

# Volatility
Search through collected volatile memory dumps, volume and VM images.
Volatility and Volatility 3 have a different syntax. The older one has
higher malware hunting abilities.
Always check both of the versions if you are not sure about how the file was dumped.
* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
* [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples)
* [Symbol table for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables)
## Basic Commands
* Basic Info, find OS profile
```sh
volatility -f <file.iso> imageinfo
volatility -f <file.iso> kdbgscan
```
* Process list
```sh
volatility -f <file.iso> --profile <OSprofile> pslist
```
* List dlls
```sh
volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
```
* Last accessed dir
```sh
volatility -f <file.iso> --profile <OSprofile> shellbags
```
* Scan network
```sh
volatility -f <file.iso> --profile <OSprofile> netscan
```
* Scan files
```sh
volatility -f <file.iso> --profile <OSprofile> filescan | grep <fileToLookFor>
```
* Dump files
```sh
volatility -f <file.iso> --profile <OSprofile> dumpfiles -Q <addressFromfilescan> -D .
```
### Volatility3
* Basic Info works too, but you have to know the kind of OS anyway
```sh
volatility -f <file.iso> windows.info
```
* Process list, but processes can be hidden. Therefore use ` psscan `
```sh
volatility -f <file.iso> windows.pslist
volatility -f <file.iso> windows.psscan
volatility -f <file.iso> windows.pstree
```
* List dlls, this includes the path of the file
```sh
volatility -f <file.iso> windows.dlllist
```
* Find malicious files, fileless and including files, respectively
```sh
volatility -f <file.iso> windows.malfind
volatility -f <file.iso> windows.vadyarascan
```
* Dump memory map
```sh
volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
volatility -f <file.iso> windows.dumpfiles --pid <pid>
```
* Dump and scan files
```sh
windows.dumpfiles.DumpFiles Dumps cached file contents from Windows memory
windows.filescan.FileScan Scans for file objects present in a particular windows. Lists version information from PE files.
```
* Find file handles or mutex
```sh
volatility -f <file.iso> windows.mutex
```
* Malware hunting through hooking
```sh
windows.ssdt.SSDT Lists the system call table. # System Service Descriptor Table
windows.driverirp.DriverIrp List IRPs for drivers in a particular windows memory image.
windows.modules.Modules Lists the loaded kernel modules.
windows.driverscan.DriverScan Scans for drivers present in a particular windows
```
## Plugins
Volatility 3 plugins are named after the specific profile they are used for.
For the most part these are (` macOS.*, windows.*, linux.* `)
* For example
* Truecryptpassphrase
* cmdscan, command history
* shutdowntime