whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/Forensics/Volatility.md

172 lines
4.1 KiB
Markdown
Raw Blame History

# Volatility
Search through collected volatile memory dumps, volume and VM images.
Volatility and Volatility 3 have a different syntax. The older one has
higher malware hunting abilities.
Always check both of the versions if you are not sure about how the file was dumped.
* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
* [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples)
* [Symbol table for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables)
## Volatility2
Basic Info, find OS profile
```sh
volatility -f <file.iso> imageinfo
volatility -f <file.iso> kdbgscan
```
Take a look at what can be done with a specific profile
```sh
volatility -f <file.iso> --profile <OSprofile> -h
```
Process list
```sh
volatility -f <file.iso> --profile <OSprofile> pslist
```
List dlls
```sh
volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
```
Last accessed dir
```sh
volatility -f <file.iso> --profile <OSprofile> shellbags
```
Scan network
```sh
volatility -f <file.iso> --profile <OSprofile> netscan
```
Scan files
```sh
volatility -f <file.iso> --profile <OSprofile> filescan | grep <fileToLookFor>
```
Dump files
```sh
volatility -f <file.iso> --profile <OSprofile> dumpfiles -Q <addressFromfilescan> -D .
```
### Plugins
Bash history
```sh
volatility -f <file.iso> --profile <OSprofile> linux_bash
```
Linux process list includes process ID as well as parent process ID
```sh
volatility -f <file.iso> --profile <OSprofile> linux_pslist
```
Dump Process binaries using the `linux_procdump` plugin to a target directory by
using the PID. The result is an elf file
```sh
volatility -f <file.iso> --profile <OSprofile> linux_procdump -D <directory> -p <PID>
```
File listing under Linux may be done via the `linux_enumerate_files` and
filtered via grep
```sh
volatility -f <file.iso> --profile <OSprofile> linux_enumerate_files
```
Dump files and directories via `linux_find_file` plugin after listing the files
to gather memory address
```sh
volatility -f <file.iso> --profile <OSprofile> linux_find_file -i <MemoryAddress> -O <OutputFileName>
```
### Creating Profiles
Usable profiles are visible via `volatility --info`. There are only Windows
profiles per default.
To create Linux profiles follow the guide [Security Post-it #3 Volatility Linux Profiles](https://beguier.eu/nicolas/articles/security-tips-3-volatility-linux-profiles.html)
## Volatility3
Basic Info works too, but you have to know the kind of OS anyway
```sh
volatility -f <file.iso> windows.info
```
Process list, but processes can be hidden. Therefore use ` psscan `
```sh
volatility -f <file.iso> windows.pslist
volatility -f <file.iso> windows.psscan
volatility -f <file.iso> windows.pstree
```
List dlls, this includes the path of the file
```sh
volatility -f <file.iso> windows.dlllist
```
Find malicious files, fileless and including files, respectively
```sh
volatility -f <file.iso> windows.malfind
volatility -f <file.iso> windows.vadyarascan
```
Dump memory map
```sh
volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
volatility -f <file.iso> windows.dumpfiles --pid <pid>
```
Dump and scan files
```sh
windows.dumpfiles.DumpFiles Dumps cached file contents from Windows memory
windows.filescan.FileScan Scans for file objects present in a particular windows. Lists version information from PE files.
```
Find file handles or mutex
```sh
volatility -f <file.iso> windows.mutex
```
Malware hunting through hooking
```sh
windows.ssdt.SSDT Lists the system call table. # System Service Descriptor Table
windows.driverirp.DriverIrp List IRPs for drivers in a particular windows memory image.
windows.modules.Modules Lists the loaded kernel modules.
windows.driverscan.DriverScan Scans for drivers present in a particular windows
```
### Plugins
Volatility 3 plugins are named after the specific profile they are used for.
For the most part these are (` macOS.*, windows.*, linux.* `)
* For example
* Truecryptpassphrase
* shutdowntime
* cmdscan, the command history is missing from volatility 3
Reference in New Issue View Git Blame Copy Permalink