106 lines
2.8 KiB
Markdown
106 lines
2.8 KiB
Markdown
# Volatility
|
|
|
|
Search through collected volatile memory dumps, volume and VM images.
|
|
Volatility and Volatility 3 have a different syntax. The older one has
|
|
higher malware hunting abilities.
|
|
Always check both of the versions if you are not sure about how the file was dumped.
|
|
|
|
* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
|
|
* [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples)
|
|
* [Symbol table for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables)
|
|
|
|
## Basic Commands
|
|
|
|
* Basic Info, find OS profile
|
|
```sh
|
|
volatility -f <file.iso> imageinfo
|
|
volatility -f <file.iso> kdbgscan
|
|
```
|
|
* Process list
|
|
```sh
|
|
volatility -f <file.iso> --profile <OSprofile> pslist
|
|
```
|
|
* List dlls
|
|
```sh
|
|
volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
|
|
```
|
|
* Last accessed dir
|
|
```sh
|
|
volatility -f <file.iso> --profile <OSprofile> shellbags
|
|
```
|
|
* Scan network
|
|
```sh
|
|
volatility -f <file.iso> --profile <OSprofile> netscan
|
|
```
|
|
* Scan files
|
|
```sh
|
|
volatility -f <file.iso> --profile <OSprofile> filescan | grep <fileToLookFor>
|
|
```
|
|
* Dump files
|
|
```sh
|
|
volatility -f <file.iso> --profile <OSprofile> dumpfiles -Q <addressFromfilescan> -D .
|
|
```
|
|
|
|
### Volatility3
|
|
|
|
* Basic Info works too, but you have to know the kind of OS anyway
|
|
```sh
|
|
volatility -f <file.iso> windows.info
|
|
```
|
|
|
|
* Process list, but processes can be hidden. Therefore use ` psscan `
|
|
```sh
|
|
volatility -f <file.iso> windows.pslist
|
|
volatility -f <file.iso> windows.psscan
|
|
volatility -f <file.iso> windows.pstree
|
|
```
|
|
|
|
* List dlls, this includes the path of the file
|
|
```sh
|
|
volatility -f <file.iso> windows.dlllist
|
|
```
|
|
|
|
* Find malicious files, fileless and including files, respectively
|
|
```sh
|
|
volatility -f <file.iso> windows.malfind
|
|
volatility -f <file.iso> windows.vadyarascan
|
|
```
|
|
|
|
* Dump memory map
|
|
```sh
|
|
volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
|
|
volatility -f <file.iso> windows.dumpfiles --pid <pid>
|
|
```
|
|
|
|
* Dump and scan files
|
|
```sh
|
|
windows.dumpfiles.DumpFiles Dumps cached file contents from Windows memory
|
|
windows.filescan.FileScan Scans for file objects present in a particular windows. Lists version information from PE files.
|
|
```
|
|
|
|
* Find file handles or mutex
|
|
```sh
|
|
volatility -f <file.iso> windows.mutex
|
|
```
|
|
|
|
* Malware hunting through hooking
|
|
```sh
|
|
windows.ssdt.SSDT Lists the system call table. # System Service Descriptor Table
|
|
windows.driverirp.DriverIrp List IRPs for drivers in a particular windows memory image.
|
|
windows.modules.Modules Lists the loaded kernel modules.
|
|
windows.driverscan.DriverScan Scans for drivers present in a particular windows
|
|
```
|
|
|
|
|
|
## Plugins
|
|
|
|
Volatility 3 plugins are named after the specific profile they are used for.
|
|
For the most part these are (` macOS.*, windows.*, linux.* `)
|
|
|
|
* For example
|
|
* Truecryptpassphrase
|
|
* cmdscan, command history
|
|
* shutdowntime
|
|
|
|
|