Professional Documents
Culture Documents
2.3
Edition
Installation
/
Resources
Scan
for
hidden
or
terminated
processes:
psscan
Find
and
extract
injected
code
blocks:
malfind
-‐D/-‐-‐dump-‐dir=PATH
Dump
findings
here
Cross
reference
processes
with
various
lists:
psxview
Cross-‐reference
DLLs
with
memory
mapped
files:
ldrmodules
Show
processes
in
parent/child
tree:
pstree
Scan
a
block
of
code
in
process
or
kernel
memory
for
imported
APIs:
Process
Information
impscan
-‐p/-‐-‐pid=PID
Process
ID
-‐b/-‐-‐base=BASE
Base
address
to
scan
Specify
–O/-‐-‐offset=OFFSET
or
-‐p/-‐-‐pid
1
or
–p/-‐-‐
-‐s/-‐-‐size=SIZE
Size
to
scan
from
start
of
base
pid
1,2,3
to
any
of
these.
Display
DLLs:
Logs
/
Histories
Check
out
the
latest
development
build:
dlllist
#
svn
co
Recover
event
logs
(XP/2003):
http://volatility.googlecode.com/svn/trunk/
Display
details
on
VAD
allocations:
evtlogs
vadinfo
-‐S/-‐-‐save-‐evt
Save
raw
event
logs
Download
a
stable
release:
-‐D/-‐-‐dump-‐dir=PATH
Write
to
this
directory
https://code.google.com/p/volatility/downloads/l Dump
allocations
to
individual
files:
ist
vaddump
-‐-‐dump-‐dir=PATH
Recover
command
history:
cmdscan
and
consoles
Read
full
documentation:
Dump
all
valid
pages
to
a
single
file:
https://code.google.com/p/volatility/wiki/Volatili memdump
-‐-‐dump-‐dir=PATH
Recover
IE
cache/Internet
history:
tyIntroduction?tm=6
iehistory
Display
open
handles:
-‐L/-‐-‐leak
Find
LEAK
(deleted)
Development
Team
Blog:
handles
-‐R/-‐-‐redr
Find
REDR
(redirected)
http://volatility-‐labs.blogspot.com
-‐t/-‐-‐object-‐type=TYPE
Mutant,
File,
Key,
etc…
-‐s/-‐-‐silent
Hide
unnamed
handles
Show
running
services:
(Official)
Training
Contact:
svcscan
voltraining@memoryanalysis.net
Display
privileges:
-‐v/-‐-‐verbose
Show
ServiceDll
from
registry
privs
Follow:
@volatility
Join:
Volatility
User’s
Mailing
List
-‐r/-‐-‐regex=REGEX
Regex
privilege
name
-‐s/-‐-‐silent
Hide
unnamed
handles
Networking
Information
Active
info
(XP/2003):
Basic
Usage
Display
SIDs:
connections
and
sockets
getsids
Typical
command
components:
Scan
for
residual
info
(XP/2003):
#
./vol.py
-‐f
[image]
-‐-‐profile=[profile]
[plugin]
Display
environment
variables:
connscan
and
sockscan
envars
Display
profiles,
address
spaces,
plugins:
Network
info
for
Vista,
2008,
and
7:
#
./vol.py
-‐-‐info
Display
threads:
netscan
threads
Display
global
command-‐line
options:
-‐F/-‐-‐filter=FILTER
OrphanThread,
HookedSSDT
#
./vol.py
-‐-‐help
-‐L/-‐-‐listtags
List
filters
Kernel
Memory
Display
plugin-‐specific
arguments:
PE
File
Extraction
Display
loaded
kernel
modules:
modules
#
./vol.py
[plugin]
-‐-‐help
Specify
-‐D/-‐-‐dump-‐dir
to
any
of
these
plugins
to
Load
plugins
from
an
external
directory:
Scan
for
hidden
or
residual
modules:
identify
your
desired
output
directory.
#
./vol.py
-‐-‐plugins=[path]
[plugin]
modscan
Dump
a
kernel
module:
Specify
a
DTB
or
KDBG
address:
Display
recently
unloaded
modules:
moddump
#
./vol.py
-‐-‐dtb=[addr]
-‐-‐kdbg=[addr]
unloadedmodules
-‐r/-‐-‐regex=REGEX
Regex
module
name
-‐b/-‐-‐base=BASE
Module
base
address
Specify
an
output
file:
Display
timers
and
associated
DPCs:
#
./vol.py
-‐-‐output-‐file=[file]
timers
(x86
only)
Dump
a
process
(without
slack
space):
procexedump
Display
kernel
callbacks,
notification
routines:
Image
Identification
Dump
a
process
(with
slack
space):
callbacks
(x86
only)
procmemdump
Get
profile
suggestions
(OS
and
architecture):
Audit
the
SSDT
imageinfo
ssdt
Dump
DLLs
in
process
memory:
-‐v/-‐-‐verbose
Check
for
inline
API
hooks
dlldump
Find
and
parse
the
debugger
data
block:
-‐r/-‐-‐regex=REGEX
Regex
module
name
kdbgscan
Audit
the
IDT:
-‐b/-‐-‐base=BASE
Module
base
address
idt
(x86
only)
Processes
Listings
Injected
Code
Audit
the
GDT:
gdt
(x86
only)
Basic
active
process
listing:
Specify
–O/-‐-‐offset=OFFSET
or
-‐p/-‐-‐pid
1
or
–p/-‐-‐
pslist
pid
1,2,3
to
any
of
these.
Copyright
©
The
Volatility
Project
2.3
Edition
Audit
driver
dispatch
(IRP)
tables:
driverirp
Disassemble
data
in
an
address
space
GUI
Memory
-‐r/-‐-‐regex=REGEX
Regex
driver
name
>>>
dis(address,
length,
space)
Sessions
(shows
RDP
logins):
Sessions
Display
device
tree
(find
stacked
drivers):
Dump
bytes,
dwords
or
qwords:
devicetree
>>>
db(address,
length,
space)
Window
stations
(shows
clipboard
owners):
>>>
dd(address,
length,
space)
wndscan
Kernel
Objects
>>>
dq(address,
length,
space)
Desktops
(find
ransomware):
Display
a
type/structure:
Addresses
shown
as
Offset(P)
are
physical
deskscan
>>>
dt(“_EPROCESS”)
locations
in
the
memory
dump
file.
Display
global
and
session
atom
tables:
Display
a
type/structure
instance:
Scan
for
driver
objects:
atoms
and
atomscan
>>>
dt(“_EPROCESS”,
0x820c92a0)
driverscan
Dump
the
contents
of
the
clipboard:
Create
an
object
in
kernel
space:
Scan
for
mutexes:
clipboard
>>>
thread
=
obj.Object(“_ETHREAD”,
offset
=
mutantscan
0x820c92a0,
vm
=
self.addrspace)
-‐s/-‐-‐silent
Hide
unnamed
mutants
Detect
event
hooks:
Eventhooks
Scan
for
used/historical
file
objects:
Dump
Conversion
filescan
Detect
message
hooks
(keyloggers):
Create
a
raw
memory
dump
from
a
hibernation,
messagehooks
Scan
for
symbolic
link
objects
(shows
drive
crash
dump,
firewire
acquisition,
virtualbox,
mappings):
vmware
snapshot,
hpak,
or
EWF
file:
Dump
the
win32k.sys
gahti:
symlinkscan
imagecopy
–O/-‐-‐output-‐image=FILE
gahti
Registry
Convert
any
of
the
aforementioned
file
types
to
a
Windows
crash
dump
compatible
with
Windbg:
Take
a
screen
shot
from
the
memory
dump:
screenshot
-‐-‐dump-‐dir=PATH
raw2dmp
–O/-‐-‐output-‐image=FILE
Display
cached
hives:
Display
visible
and
hidden
windows:
hivelist
API
Hooks
windows
and
wintree
Print
a
key’s
values
and
data:
Display
USER
objects:
printkey
Scan
for
API
hooks:
userhandles
-‐o/-‐-‐hive_offset=OFFSET
Hive
address
(virtual)
apihooks
(x86
only)
-‐t/-‐-‐type=TYPE
TYPE_TIMER,
TYPE_HWND,
…
-‐K/-‐-‐key=KEY
Key
name
-‐R/-‐-‐skip-‐kernel
Don’t
check
kernel
modules
-‐F/-‐-‐free
Show
freed
handles
-‐P/-‐-‐skip-‐process
Don’t
check
processes
Dump
userassist
data:
-‐N/-‐-‐no-‐whitelist
Show
all
hooks
(verbose)
userassist
-‐Q/-‐-‐quick
Scan
faster
Strings
Dump
shellbags
information:
shellbags
Yara
Scanning
Use
GNU
strings
or
Sysinternals
strings.exe:
strings
-‐a
-‐td
FILE
>
strings.txt
Scan
for
Yara
signatures:
strings
-‐a
-‐td
-‐el
FILE
>>
strings.txt
(Unicode)
Dump
the
shimcache:
yarascan
shimcache
-‐p/-‐-‐pid=PID
Process
IDs
to
scan
strings.exe
-‐q
-‐o
>
strings.txt
(Windows)
-‐K/-‐-‐kernel
Scan
kernel
memory
Timelines
-‐Y/-‐-‐yara-‐rules=RULES
String,
regex,
bytes,
etc.
Translate
the
string
addresses:
-‐y/-‐-‐yara-‐file=FILE
Yara
rules
file
-‐W/-‐-‐wide
Match
Unicode
strings
strings
-‐s/-‐-‐string-‐file=FILE
Input
strings.txt
file
To
create
a
timeline,
tell
volatility
to
create
output
-‐S/-‐-‐scan
in
body
file
format.
Combine
the
data
and
run
sleuthkit’s
mactime
to
create
a
comma-‐separated
File
System
Resources
values
file.
Password
Recovery
timeliner
-‐-‐output=body
>
time.txt
Find
and
parse
MBR
records
in
memory:
mbrparser
Dump
LSA
secrets:
shellbags
-‐-‐output-‐body
>>
time.txt
-‐-‐hash=HASH
Bootcode
hash
(up
to
RET)
lsadump
(x86
only)
mftparser
-‐-‐output-‐body
>>
time.txt
-‐-‐fullhash=HASH
Bootcode
hash
(full)
-‐y/-‐-‐sys-‐offset=OFFSET
Offset
to
system
hive
-‐-‐offset=OFFSET
Offset
(physical)
to
MBR
-‐s/-‐-‐sec-‐offset=OFFSET
Offset
to
security
hive
mactime
–b
[time.txt]
[-‐d]
>
csv.txt
-‐-‐check
Check
valid
partition
table
-‐-‐disk=MBR
MBR
extracted
from
disk
Volshell
-‐-‐maxdistance=NUM
Max
Levenshtein
distance
Dump
LM
and
NTLM
hashes:
hashdump
(x86
only)
Scan
for
MFT
records:
-‐y/-‐-‐sys-‐offset=OFFSET
Offset
to
system
hive
Interactive
memory
exploration:
mftparser
-‐s/-‐-‐sam-‐offset=OFFSET
volshell
-‐C/-‐-‐check
Hide
entries
w/
null
timestamps
-‐-‐output=body
Output
body
format
List
processes:
Extract
RSA
private
keys
and
certificates:
>>>
ps()
dumpcerts
Extract
cached
files
(registry
hives,
executables):
-‐s/-‐-‐ssl
Parse
certificates
with
openssl
(must
dumpfiles
Switch
contexts
by
pid,
offset,
or
name:
be
installed)
-‐S/-‐-‐summary-‐file=FILE
Summary
file
>>>
cc(pid
=
3028)
-‐F/-‐-‐filter=FILTER
HandleTable,
Vad,
…
Acquire
a
process
address
space
after
using
cc:
-‐D/-‐-‐dump-‐dir=PATH
Output
directory
-‐r/-‐-‐regex=REGEX
Regex
filename
to
dump
>>>
process_space
=
self.proc.get_process_address_space()
Copyright
©
The
Volatility
Project