Volatility
Analyse collected volatile-memory dumps as well as volume and VM images.
Volatility 2 and Volatility 3 use different syntax. The older one has
stronger malware-hunting capabilities.
Always check both versions if you are not sure how the file was dumped.
Volatility2
Basic Info, find OS profile
volatility -f <file.iso> imageinfo
volatility -f <file.iso> kdbgscan
Take a look at what can be done with a specific profile
volatility -f <file.iso> --profile <OSprofile> -h
Process list
volatility -f <file.iso> --profile <OSprofile> pslist
List dlls
volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
Last accessed directories
volatility -f <file.iso> --profile <OSprofile> shellbags
Scan network
volatility -f <file.iso> --profile <OSprofile> netscan
Scan files
volatility -f <file.iso> --profile <OSprofile> filescan | grep <fileToLookFor>
Dump files
volatility -f <file.iso> --profile <OSprofile> dumpfiles -Q <addressFromfilescan> -D .
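The filescan-then-dumpfiles step above is a two-stage lookup: grep the filescan listing for a name, copy the physical offset, feed it to dumpfiles -Q. The script below is an added example (not part of the original cheat sheet) that automates that hand-off: it parses filescan output for a name pattern, recovers the offset, and prints the dumpfiles command for each hit so you can review them before running anything against the image. The filescan output embedded in it is constructed to match the plugin's column layout; the image name mem.raw and profile Win7SP1x64 are placeholders.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): pick file objects out of
# Volatility 2 filescan output by name and build the matching dumpfiles
# commands. The filescan output below is constructed to mirror the plugin's
# column layout (Offset(P), #Ptr, #Hnd, Access, Name); it is not a real dump.

SAMPLE_FILESCAN='Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e1a5f20      8      0 R--rwd \Device\HarddiskVolume1\Windows\System32\ntdll.dll
0x000000003e2c4070      2      1 RW-rwd \Device\HarddiskVolume1\Users\alice\Desktop\invoice.pdf
0x000000003e4419d0     16      0 R--r-d \Device\HarddiskVolume1\Windows\System32\kernel32.dll
0x000000003e55e8a0      1      0 RW---- \Device\HarddiskVolume1\Users\alice\Desktop\invoice.pdf.exe'

# filescan_offsets PATTERN
#   Reads filescan output on stdin and prints "<offset> <path>" for every file
#   object whose path contains PATTERN (case-insensitive substring match, so
#   "invoice.pdf" also surfaces a look-alike "invoice.pdf.exe"). Paths may
#   contain spaces, so the name is recovered by stripping the first four
#   columns instead of taking field $5. The pattern is passed through the
#   environment so awk does not interpret backslashes in it.
filescan_offsets() {
    PATTERN="$1" awk '
        BEGIN { pat = tolower(ENVIRON["PATTERN"]) }
        /^0x/ {
            name = $0
            for (i = 0; i < 4; i++) sub(/^[^ ]+ +/, "", name)
            if (index(tolower(name), pat) > 0) print $1, name
        }'
}

# dumpfiles_cmds IMAGE PROFILE PATTERN
#   Same input on stdin; prints one dumpfiles command per match, using the
#   physical offset filescan reported (-Q). Commands are printed, not run,
#   so they can be reviewed before touching the image.
dumpfiles_cmds() {
    image=$1; profile=$2
    filescan_offsets "$3" | while read -r offset path; do
        printf 'volatility -f %s --profile %s dumpfiles -Q %s -D .\n' \
            "$image" "$profile" "$offset"
    done
}

# Stand-alone usage: list the matches, then the commands that would dump them.
printf '%s\n' "$SAMPLE_FILESCAN" | filescan_offsets invoice.pdf
printf '%s\n' "$SAMPLE_FILESCAN" | dumpfiles_cmds mem.raw Win7SP1x64 invoice.pdf
```

Pipe real filescan output into the functions instead of the sample (`volatility -f mem.raw --profile Win7SP1x64 filescan | dumpfiles_cmds mem.raw Win7SP1x64 invoice.pdf`); the substring match is deliberately loose so that double-extension look-alikes of the file you are looking for show up next to it.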
Plugins
Bash history
volatility -f <file.iso> --profile <OSprofile> linux_bash
The Linux process list includes the process ID as well as the parent process ID
volatility -f <file.iso> --profile <OSprofile> linux_pslist
Dump process binaries with the linux_procdump plugin into a target directory, selecting the process by PID. The result is an ELF file
volatility -f <file.iso> --profile <OSprofile> linux_procdump -D <directory> -p <PID>
Files under Linux can be listed via linux_enumerate_files and filtered via grep
volatility -f <file.iso> --profile <OSprofile> linux_enumerate_files
Dump files and directories via the linux_find_file plugin, after listing the files to gather the memory address
volatility -f <file.iso> --profile <OSprofile> linux_find_file -i <MemoryAddress> -O <OutputFileName>
Creating Profiles
Usable profiles are visible via volatility --info. Only Windows profiles are shipped by default.
To create Linux profiles follow the guide Security Post-it #3 Volatility Linux Profiles
Volatility3
Basic info works here too, but you have to know the kind of OS anyway, since the plugin is OS-specific
volatility -f <file.iso> windows.info
Process list. pslist walks the kernel's process list, from which a process can be unlinked and thereby hidden; psscan carves process structures out of memory instead, so use psscan as well. pstree shows the parent/child relationships
volatility -f <file.iso> windows.pslist
volatility -f <file.iso> windows.psscan
volatility -f <file.iso> windows.pstree
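The reason for running psscan next to pslist is the difference between the two listings. The script below is an added example (not part of the original cheat sheet) that diffs them: every PID psscan returned but pslist did not is printed, tagged "exited" when psscan recorded an ExitTime (a terminated process whose structure is still in memory, which is normal) and "unlinked" when it has no exit time, i.e. it was still running but absent from the list, which is the case worth investigating. The pslist and psscan output it parses is constructed to mirror the tab-separated column layout of both plugins; the process names and offsets are made up.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): compare Volatility 3
# windows.pslist and windows.psscan output to surface processes that pslist
# could not see. pslist walks the kernel's linked process list, which a
# rootkit can unlink from; psscan carves _EPROCESS structures out of memory,
# so it also returns unlinked and already-exited processes. The samples are
# constructed to mirror the tab-separated column layout of both plugins.

# row COL...  -> one tab-separated line (helper for building sample output)
row() ( IFS="$(printf '\t')"; printf '%s\n' "$*" )

HEADER=$(row PID PPID ImageFileName 'Offset(V)' Threads Handles SessionId Wow64 CreateTime ExitTime 'File output')

SAMPLE_PSLIST=$(
    printf 'Volatility 3 Framework 2.4.1\n%s\n\n' "$HEADER"
    row 4 0 System 0xfa8000c8a040 86 540 N/A False '2021-03-01 10:00:00.000000' N/A Disabled
    row 368 4 smss.exe 0xfa8001a2b3c0 2 29 N/A False '2021-03-01 10:00:02.000000' N/A Disabled
    row 528 368 csrss.exe 0xfa8001c0f060 9 412 0 False '2021-03-01 10:00:03.000000' N/A Disabled
    row 2380 2304 explorer.exe 0xfa80025d1b30 31 1015 1 False '2021-03-01 10:01:10.000000' N/A Disabled
)

SAMPLE_PSSCAN=$(
    printf '%s\n' "$SAMPLE_PSLIST"
    # two extra entries that only the pool scan returns (constructed)
    row 3116 2380 notepad.exe 0xfa8002f1e060 0 0 1 False '2021-03-01 10:41:12.000000' '2021-03-01 10:43:02.000000' Disabled
    row 4488 2380 svch0st.exe 0xfa8003a77b30 3 61 1 False '2021-03-01 10:45:30.000000' N/A Disabled
)

# pids_of: print the PID column of pslist/psscan output read on stdin,
# skipping the banner, header and blank lines.
pids_of() {
    awk -F'\t' '$1 ~ /^[0-9]+$/ { print $1 }'
}

# hidden_processes PSLIST_OUTPUT PSSCAN_OUTPUT
#   Prints "<pid> <image> <state>" for every process psscan returned that is
#   absent from pslist. state is "exited" when psscan recorded an ExitTime
#   (column 10) and "unlinked" when the process had no exit time but was
#   still missing from the linked list.
hidden_processes() {
    {
        printf '%s\n' "$1" | awk -F'\t' '$1 ~ /^[0-9]+$/ { print "L\t" $1 }'
        printf '%s\n' "$2" | awk -F'\t' '$1 ~ /^[0-9]+$/ { print "S\t" $1 "\t" $3 "\t" $10 }'
    } | awk -F'\t' '
        $1 == "L" { listed[$2] = 1; next }
        !($2 in listed) { print $2, $3, ($4 == "N/A" ? "unlinked" : "exited") }'
}

# Stand-alone usage
hidden_processes "$SAMPLE_PSLIST" "$SAMPLE_PSSCAN"
```

With a real image, capture both listings first (`volatility -f <file.iso> windows.pslist > pslist.txt`, same for psscan) and call `hidden_processes "$(cat pslist.txt)" "$(cat psscan.txt)"`. An "exited" hit is usually noise; an "unlinked" hit deserves a look at its parent, its DLLs and its memory regions with the other plugins on this page.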
List DLLs; the output includes the path of each file
volatility -f <file.iso> windows.dlllist
Find malicious code: malfind for injected or hidden code without a backing file (fileless), vadyarascan for YARA matches in process memory regions, respectively
volatility -f <file.iso> windows.malfind
volatility -f <file.iso> windows.vadyarascan
Dump the memory map of a process, or the files it has cached
volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
volatility -f <file.iso> windows.dumpfiles --pid <pid>
Dump and scan files
windows.dumpfiles.DumpFiles Dumps cached file contents from Windows memory.
windows.filescan.FileScan Scans for file objects present in a particular windows memory image.
windows.verinfo.VerInfo Lists version information from PE files.
Find file handles or mutexes
volatility -f <file.iso> windows.mutex
Malware hunting through hooking
windows.ssdt.SSDT Lists the system call table (System Service Descriptor Table).
windows.driverirp.DriverIrp List IRPs for drivers in a particular windows memory image.
windows.modules.Modules Lists the loaded kernel modules.
windows.driverscan.DriverScan Scans for drivers present in a particular windows memory image.
Plugins
Volatility 3 plugins are named after the specific profile they are used for.
For the most part these are macOS.*, windows.* and linux.*.
For example:
- Truecryptpassphrase
- shutdowntime
- cmdscan (the command history is missing from Volatility 3)