
Volatility - CheatSheet


Last updated 1 year ago


python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py # It will use the most important plugins (could use a lot of space depending on the size of the memory)

Installation

volatility3

git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python3 setup.py install
python3 vol.py -h

volatility2

Download the executable from https://www.volatilityfoundation.org/26
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python setup.py install

Volatility Commands

A note on "list" vs. "scan" plugins

Volatility has two main approaches to plugins, which is sometimes reflected in their names. "list" plugins try to navigate through Windows kernel structures to retrieve information such as processes (locating and walking the linked list of _EPROCESS structures in memory) or OS handles (locating and listing the handle table, dereferencing any pointers found, etc.). They behave more or less like the Windows API would if asked, for example, to list processes.

That makes "list" plugins very fast, but just as vulnerable as the Windows API to manipulation by malware. For instance, if malware uses DKOM to unlink a process from the _EPROCESS linked list, it will not show up in Task Manager and it will not show up in pslist either.

"scan" plugins, on the other hand, take an approach similar to carving memory for things that might make sense when dereferenced as a specific structure. psscan, for example, reads memory and tries to build _EPROCESS objects out of it (it uses pool-tag scanning, searching for 4-byte strings that indicate the presence of a structure of interest). The advantage is that it can find processes that have already exited, and even if malware tampers with the _EPROCESS linked list the plugin will still find the structure lying in memory (since it still needs to exist for the process to run). The downside is that "scan" plugins are a bit slower than "list" plugins and can sometimes yield false positives (a process that exited too long ago and had parts of its structure overwritten by other operations).
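As an added example (not code from the HackTricks page or from the Volatility project), the following Python script turns the list-versus-scan idea into a detection check: it parses `pslist` and `psscan` tables in the Volatility 2 layout and reports processes that the scanner carved out of memory but that are missing from the kernel's linked list and carry no exit time, which is exactly what a DKOM-unlinked process looks like. The two tables, their offsets, PIDs and process names are constructed for illustration and modelled on Volatility 2 output; on a real case you would feed in the saved output of both plugins.

```python
"""Cross-check Volatility "list" and "scan" output to spot hidden processes.

Added example, not part of HackTricks or Volatility. The tables below are
constructed samples in the Volatility 2 pslist/psscan layout.
"""
import re
from dataclasses import dataclass

# Constructed sample output (not captured from a real system).
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c8c040 System                    4      0     82      520 ------      0 2024-01-01 10:00:00 UTC+0000
0xfffffa8001234b30 explorer.exe           1524   1488     25      611      1      0 2024-01-01 10:01:12 UTC+0000
0xfffffa8001337000 svchost.exe             880    512     12      330      0      0 2024-01-01 10:00:30 UTC+0000
"""

PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e8c0040 System                4      0 0x0000000000187000 2024-01-01 10:00:00 UTC+0000
0x0000000045234b30 explorer.exe       1524   1488 0x000000003d2a1000 2024-01-01 10:01:12 UTC+0000
0x0000000046337000 svchost.exe         880    512 0x000000003d2b3000 2024-01-01 10:00:30 UTC+0000
0x0000000047abc000 unlinked.exe       2048   1524 0x000000003d2c4000 2024-01-01 10:02:00 UTC+0000
0x0000000048def000 notepad.exe        3100   1524 0x000000003d2d5000 2024-01-01 10:03:00 UTC+0000 2024-01-01 10:04:00 UTC+0000
"""

# A data row starts with an offset, then name, PID and PPID; headers and
# separator lines do not match and are skipped.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")
# Volatility 2 timestamps; a psscan row with two of them has an exit time.
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int
    exited: bool


def parse_table(text):
    """Parse a pslist/psscan table into {pid: Proc}."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        _offset, name, pid, ppid = m.groups()
        exited = len(TS_RE.findall(line)) >= 2
        procs[int(pid)] = Proc(name, int(pid), int(ppid), exited)
    return procs


def find_hidden_processes(pslist_text, psscan_text):
    """Return scanner-found processes that the linked list does not show.

    Exited processes are expected to appear only in psscan, so they are
    excluded; what remains is the DKOM-style discrepancy worth triaging.
    """
    listed = parse_table(pslist_text)
    scanned = parse_table(psscan_text)
    hidden = [p for pid, p in scanned.items()
              if not p.exited and pid not in listed]
    return sorted(hidden, key=lambda p: p.pid)


if __name__ == "__main__":
    for p in find_hidden_processes(PSLIST_OUTPUT, PSSCAN_OUTPUT):
        print(f"hidden from pslist: {p.name} pid={p.pid} ppid={p.ppid}")
```

The exited-process filter is what keeps the check from flooding you with normal psscan-only entries; whatever survives it is a live process the kernel list does not acknowledge, which is the same signal psxview summarises in its pslist/psscan columns.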

OS profiles

Volatility3

As explained in the readme, you need to put the symbol table of the OS you want to support inside _volatility3/volatility/symbols_. Symbol table packs for the various operating systems are available for download from:

Volatility2

External profiles

You can get the list of supported profiles by running:

./volatility_2.6_lin64_standalone --info | grep "Profile"

If you want to use a new profile you have downloaded (for example a Linux one), you need to create somewhere the folder structure plugins/overlays/linux and put the zip file containing the profile inside it. Then list the available profiles with:

./vol --plugins=/home/kali/Desktop/ctfs/final/plugins --info
Volatility Foundation Volatility Framework 2.6


Profiles
--------
LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 - A Profile for Linux CentOS7_3.10.0-123.el7.x86_64_profile x64
VistaSP0x64                                   - A Profile for Windows Vista SP0 x64
VistaSP0x86                                   - A Profile for Windows Vista SP0 x86

In the previous chunk you can see that the profile is called LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64, and you can use it to run something like:

./vol -f file.dmp --plugins=. --profile=LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 linux_netscan

Discovering the profile

volatility imageinfo -f file.dmp
volatility kdbgscan -f file.dmp

Differences between imageinfo and kdbgscan

Always look at the number of processes kdbgscan finds. Sometimes imageinfo and kdbgscan can find more than one suitable profile, but only the valid one will have process-related results (this is because extracting processes requires the correct KDBG address).

# GOOD
PsActiveProcessHead           : 0xfffff800011977f0 (37 processes)
PsLoadedModuleList            : 0xfffff8000119aae0 (116 modules)
# BAD
PsActiveProcessHead           : 0xfffff800011947f0 (0 processes)
PsLoadedModuleList            : 0xfffff80001197ac0 (0 modules)
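As an added example (not part of the page or of Volatility), this Python helper automates the check above: it parses `kdbgscan` output in the Volatility 2 layout and picks the profile whose KDBG candidate actually resolves processes. The candidate blocks, profile names and kernel addresses are constructed for illustration; the two PsActiveProcessHead/PsLoadedModuleList pairs reuse the GOOD and BAD values shown on the page.

```python
"""Pick the usable profile from Volatility 2 kdbgscan output.

Added example, not part of HackTricks or Volatility. KDBGSCAN_OUTPUT is a
constructed sample in the kdbgscan layout with one good and one bad candidate.
"""
import re
from dataclasses import dataclass

# Constructed sample (not from a real dump); addresses mirror the page's example.
KDBGSCAN_OUTPUT = """\
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf800029f90a0
Offset (P)                    : 0x29f90a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
Service Pack (CmNtCSDVersion) : 1
PsActiveProcessHead           : 0xfffff800011977f0 (37 processes)
PsLoadedModuleList            : 0xfffff8000119aae0 (116 modules)
KernelBase                    : 0xfffff80002800000 (Matches MZ: True)

**************************************************
Instantiating KDBG using: Kernel AS Win7SP0x64 (6.1.7600 64bit)
Offset (V)                    : 0xf800029f90a0
Offset (P)                    : 0x29f90a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP0x64
Service Pack (CmNtCSDVersion) : 0
PsActiveProcessHead           : 0xfffff800011947f0 (0 processes)
PsLoadedModuleList            : 0xfffff80001197ac0 (0 modules)
KernelBase                    : 0xfffff80002800000 (Matches MZ: True)
"""

# kdbgscan separates candidates with a line of asterisks.
BLOCK_SEP = re.compile(r"^\*{5,}\s*$", re.M)
PROFILE_RE = re.compile(r"Profile suggestion \(KDBGHeader\):\s*(\S+)")
PROC_RE = re.compile(r"PsActiveProcessHead\s*:\s*(0x[0-9a-fA-F]+)\s*\((\d+) processes\)")
MOD_RE = re.compile(r"PsLoadedModuleList\s*:\s*(0x[0-9a-fA-F]+)\s*\((\d+) modules\)")


@dataclass(frozen=True)
class KdbgCandidate:
    profile: str
    processes: int
    modules: int


def parse_kdbgscan(text):
    """Return one KdbgCandidate per candidate block that names a profile."""
    candidates = []
    for block in BLOCK_SEP.split(text):
        prof = PROFILE_RE.search(block)
        if not prof:
            continue
        procs = PROC_RE.search(block)
        mods = MOD_RE.search(block)
        candidates.append(KdbgCandidate(
            profile=prof.group(1),
            processes=int(procs.group(2)) if procs else 0,
            modules=int(mods.group(2)) if mods else 0,
        ))
    return candidates


def choose_profile(text):
    """Profile of the candidate that resolves the most processes, or None.

    A candidate with 0 processes has the wrong KDBG address and is rejected
    even if its header looks plausible.
    """
    usable = [c for c in parse_kdbgscan(text) if c.processes > 0]
    if not usable:
        return None
    best = max(usable, key=lambda c: (c.processes, c.modules))
    return best.profile


if __name__ == "__main__":
    print(choose_profile(KDBGSCAN_OUTPUT))
```

Returning None when every candidate shows 0 processes is deliberate: in that situation the dump either needs a profile you have not installed yet, or the KDBG is encoded/corrupted, and a tool that silently picks the first suggestion would send the rest of the analysis down the wrong path.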

KDBG

The kernel debugger block, referred to by Volatility as KDBG, is crucial for the forensic tasks performed by Volatility and various debuggers. Identified as KdDebuggerDataBlock and of type _KDDEBUGGER_DATA64, it contains essential references such as PsActiveProcessHead. This particular reference points to the head of the process list, enabling the listing of all processes, which is fundamental for thorough memory analysis.

OS information

#vol3 has a plugin to give OS information (note that imageinfo from vol2 will give you OS info)
./vol.py -f file.dmp windows.info.Info

The plugin banners.Banners can be used in vol3 to try to find Linux banners in the dump.

Hashes/Passwords

./vol.py -f file.dmp windows.hashdump.Hashdump #Grab common windows hashes (SAM+SYSTEM)
./vol.py -f file.dmp windows.cachedump.Cachedump #Grab domain cache hashes inside the registry
./vol.py -f file.dmp windows.lsadump.Lsadump #Grab lsa secrets

Volatility Cheat Sheet

Basic Commands

  • Image Identification

    • volatility -f <memory_dump> imageinfo

  • Listing Processes

    • volatility -f <memory_dump> --profile=<profile> pslist

  • Dumping a Process

    • volatility -f <memory_dump> --profile=<profile> memdump -p <pid> -D <output_directory>

  • Listing Network Connections

    • volatility -f <memory_dump> --profile=<profile> connections

  • Dumping a File

    • volatility -f <memory_dump> --profile=<profile> dumpfiles -Q <physical_offset> -D <output_directory>

Advanced Commands

  • Detecting Hidden Processes

    • volatility -f <memory_dump> --profile=<profile> psxview

  • Analyzing Registry

    • volatility -f <memory_dump> --profile=<profile> hivelist

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Extracting DLLs

    • volatility -f <memory_dump> --profile=<profile> dlllist -p <pid>

  • Analyzing Drivers

    • volatility -f <memory_dump> --profile=<profile> driverscan

  • Identifying Sockets

    • volatility -f <memory_dump> --profile=<profile> sockscan

  • Analyzing Timeline

    • volatility -f <memory_dump> --profile=<profile> timeliner

  • Analyzing Packed Binaries

    • volatility -f <memory_dump> --profile=<profile> malfind

  • Analyzing Process Handles

    • volatility -f <memory_dump> --profile=<profile> handle

  • Analyzing Process Memory

    • volatility -f <memory_dump> --profile=<profile> memmap

  • Analyzing Process DLLs

    • volatility -f <memory_dump> --profile=<profile> dlldump -p <pid>

  • Analyzing Process Threads

    • volatility -f <memory_dump> --profile=<profile> threads -p <pid>

  • Analyzing Process Handles

    • volatility -f <memory_dump> --profile=<profile> handles -p <pid>

  • Analyzing Process Pools

    • volatility -f <memory_dump> --profile=<profile> poolscanner

  • Analyzing Process Vad

    • volatility -f <memory_dump> --profile=<profile> vadinfo -p <pid>

volatility --profile=Win7SP1x86_23418 hashdump -f file.dmp #Grab common windows hashes (SAM+SYSTEM)
volatility --profile=Win7SP1x86_23418 cachedump -f file.dmp #Grab domain cache hashes inside the registry
volatility --profile=Win7SP1x86_23418 lsadump -f file.dmp #Grab lsa secrets

Memory dump

The memory dump of a process will extract everything of the current state of the process. The procdump module will only extract the code.

volatility -f file.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/

Processes

List processes

Try to find suspicious processes (by name) or unexpected child processes (for example, cmd.exe as a child of iexplorer.exe). It can be useful to compare the output of pslist with that of psscan to identify hidden processes.

python3 vol.py -f file.dmp windows.pstree.PsTree # Get processes tree (not hidden)
python3 vol.py -f file.dmp windows.pslist.PsList # Get process list (EPROCESS)
python3 vol.py -f file.dmp windows.psscan.PsScan # Get hidden process list(malware)
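An added example (not code from HackTricks or Volatility) that implements the pslist/psscan comparison described above in Python: it parses both tables, reports processes that psscan carved but pslist does not list, and flags a shell spawned by a browser. The sample tables are constructed in the shape of Volatility 3's output, and the set of "unexpected parent" names is an assumption to tune per environment.

```python
"""Compare Volatility 3 pslist and psscan output to spot hidden processes and
odd parent/child relationships (added example, not from HackTricks/Volatility).

pslist walks the EPROCESS linked list; psscan carves EPROCESS objects from the
whole image. A process present in psscan but absent from pslist was either
unlinked from the list (DKOM) or terminated recently (check its ExitTime).
The sample output below is constructed to look like vol3's table format.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str


# Parents that normally never spawn a shell (assumption; tune per environment).
UNEXPECTED_SHELL_PARENTS = {"iexplore.exe", "winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample output in the shape of `windows.pslist.PsList`.
PSLIST_OUTPUT = """\
Volatility 3 Framework

PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime	File output
4	0	System	0x823c8830	53	240	N/A	False	2024-01-10 09:00:00.000000 	N/A	Disabled
348	4	smss.exe	0x82341020	3	19	N/A	False	2024-01-10 09:00:02.000000 	N/A	Disabled
1204	348	csrss.exe	0x8229e6a0	9	312	0	False	2024-01-10 09:00:03.000000 	N/A	Disabled
1684	1204	explorer.exe	0x821d2b38	22	470	1	False	2024-01-10 09:01:00.000000 	N/A	Disabled
2168	1684	iexplore.exe	0x8210f7e8	8	210	1	False	2024-01-10 09:05:00.000000 	N/A	Disabled
3152	2168	cmd.exe	0x820b4d40	1	25	1	False	2024-01-10 09:06:00.000000 	N/A	Disabled
"""

# Constructed sample output in the shape of `windows.psscan.PsScan`; PID 3900
# appears only here, i.e. it is unlinked from the active process list.
PSSCAN_OUTPUT = PSLIST_OUTPUT + """\
3900	3152	svch0st.exe	0x81f9c2a0	2	40	1	False	2024-01-10 09:07:00.000000 	N/A	Disabled
"""

# A data row starts with PID, PPID and ImageFileName; banners and headers do not.
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)")


def parse_process_table(text: str) -> Dict[int, Proc]:
    """Parse PID, PPID and ImageFileName from a vol3 process table."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:  # banner, column header or blank line
            continue
        pid, ppid, name = int(m.group(1)), int(m.group(2)), m.group(3)
        procs[pid] = Proc(pid, ppid, name)
    return procs


def hidden_processes(pslist: Dict[int, Proc], psscan: Dict[int, Proc]) -> List[Proc]:
    """Processes carved by psscan that the linked list walk does not show."""
    return sorted((p for pid, p in psscan.items() if pid not in pslist), key=lambda p: p.pid)


def suspicious_children(procs: Dict[int, Proc]) -> List[Tuple[Proc, Proc]]:
    """(child, parent) pairs where a shell was spawned by a browser/office app."""
    pairs = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent and p.name.lower() in SHELLS and parent.name.lower() in UNEXPECTED_SHELL_PARENTS:
            pairs.append((p, parent))
    return pairs


def triage(pslist_text: str, psscan_text: str) -> Dict[str, list]:
    """Run both checks; psscan is used for the tree so hidden children count too."""
    pslist = parse_process_table(pslist_text)
    psscan = parse_process_table(psscan_text)
    return {"hidden": hidden_processes(pslist, psscan),
            "odd_parent": suspicious_children(psscan)}


if __name__ == "__main__":
    result = triage(PSLIST_OUTPUT, PSSCAN_OUTPUT)
    for p in result["hidden"]:
        print(f"[hidden] pid={p.pid} ppid={p.ppid} {p.name}")
    for child, parent in result["odd_parent"]:
        print(f"[parent] {child.name}({child.pid}) spawned by {parent.name}({parent.pid})")
```

With real dumps, save each plugin's output to a file and feed both texts to `triage`; psscan also lists terminated processes, so check the ExitTime column before treating a hit as hidden.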

volatility --profile=PROFILE pstree -f file.dmp # Get process tree (not hidden)
volatility --profile=PROFILE pslist -f file.dmp # Get process list (EPROCESS)
volatility --profile=PROFILE psscan -f file.dmp # Get hidden process list(malware)
volatility --profile=PROFILE psxview -f file.dmp # Get hidden process list

Dump proc

./vol.py -f file.dmp windows.dumpfiles.DumpFiles --pid <pid> #Dump the .exe and dlls of the process in the current directory

volatility --profile=Win7SP1x86_23418 procdump --pid=3152 -n --dump-dir=. -f file.dmp

Command line

Was anything suspicious executed?

python3 vol.py -f file.dmp windows.cmdline.CmdLine #Display process command-line arguments

volatility --profile=PROFILE cmdline -f file.dmp #Display process command-line arguments
volatility --profile=PROFILE consoles -f file.dmp #command history by scanning for _CONSOLE_INFORMATION

Commands executed in cmd.exe are managed by conhost.exe (csrss.exe on systems before Windows 7). This means that if an attacker terminated cmd.exe before the memory dump was obtained, the command history of the session can still be recovered from the memory of conhost.exe. To do this, if unusual activity is detected in the console modules, the memory of the associated conhost.exe process should be dumped. Then, by searching for strings within this dump, the command lines used in the session can potentially be extracted.
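An added example (not code from HackTricks or Volatility) of the string search described above, in Python: it carves both ASCII and UTF-16LE strings from a conhost.exe memory dump, because the console host stores typed input as UTF-16LE and a plain ASCII `strings` pass misses it. The dump bytes and the list of command-line prefixes are constructed assumptions.

```python
"""Carve command-history candidates out of a conhost.exe memory dump (added
example; not from HackTricks or Volatility).

The console host keeps the input buffer and history as UTF-16LE, so an ASCII-only
string scan misses most of it. This scans for both encodings and keeps the hits
that look like something typed at a cmd.exe prompt. The dump below is constructed
(non-printable padding with a few strings embedded) and stands in for the output
of `memdump -p <conhost pid>`.
"""
import re
from typing import List, Tuple

MIN_LEN = 6  # minimum characters for a run to count as a string

# Printable-ASCII run, and UTF-16LE run (printable ASCII byte followed by 0x00).
_ASCII = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Tokens that typically begin a line typed into cmd.exe (assumption; extend as needed).
_CMD_HINTS = ("whoami", "net ", "ipconfig", "dir ", "cd ", "powershell",
              "tasklist", "type ", "del ", "copy ")


def carve_strings(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in the blob."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in _ASCII.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in _UTF16.finditer(blob)]
    return sorted(found)


def command_candidates(blob: bytes) -> List[Tuple[int, str, str]]:
    """Keep only strings that look like a command line (prefix match, case-insensitive)."""
    return [s for s in carve_strings(blob) if s[2].lower().lstrip().startswith(_CMD_HINTS)]


def _filler(n: int) -> bytes:
    """Deterministic non-printable padding (0x80..0xfe) that can never form a string."""
    return bytes(0x80 + (i * 37) % 0x7f for i in range(n))


def build_sample_dump() -> bytes:
    """Constructed stand-in for a conhost.exe memdump."""
    return (_filler(64)
            + "ipconfig /all".encode("utf-16le") + b"\x00\x00"   # history entry, UTF-16LE
            + _filler(32)
            + b"C:\\Windows\\System32\\conhost.exe"             # ASCII path, not a command
            + _filler(16)
            + "whoami /priv".encode("utf-16le") + b"\x00\x00"    # history entry, UTF-16LE
            + _filler(48)
            + b"tasklist /v"                                     # ASCII copy of a command
            + _filler(64))


if __name__ == "__main__":
    for offset, enc, text in command_candidates(build_sample_dump()):
        print(f"0x{offset:08x} {enc:8s} {text}")
```

On a real dump, read the memdump file into `blob`; the offsets let you go back to the surrounding bytes to confirm the context of each hit.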

Environment

Get the environment variables of each running process. There might be some interesting values.

python3 vol.py -f file.dmp windows.envars.Envars [--pid <pid>] #Display process environment variables

Volatility Cheat Sheet

Basic Commands

  • Image Identification

    • volatility -f <memory_dump> imageinfo

  • Listing Processes

    • volatility -f <memory_dump> --profile=<profile> pslist

  • Dumping a Process

    • volatility -f <memory_dump> --profile=<profile> memdump -p <pid> -D <output_directory>

  • Listing Network Connections

    • volatility -f <memory_dump> --profile=<profile> connections

  • Dumping a File

    • volatility -f <memory_dump> --profile=<profile> dumpfiles -Q <address_range> -D <output_directory>

Advanced Commands

  • Detecting Hidden Processes

    • volatility -f <memory_dump> --profile=<profile> psxview

  • Analyzing Registry

    • volatility -f <memory_dump> --profile=<profile> printkey -K <key_path>

  • Extracting DLLs

    • volatility -f <memory_dump> --profile=<profile> dlldump -p <pid> -D <output_directory>

  • Analyzing Drivers

    • volatility -f <memory_dump> --profile=<profile> driverscan

  • Identifying Sockets

    • volatility -f <memory_dump> --profile=<profile> sockets

  • Analyzing Timeline

    • volatility -f <memory_dump> --profile=<profile> timeliner

  • Dumping Registry Hives

    • volatility -f <memory_dump> --profile=<profile> hivelist

  • Analyzing PSScan

    • volatility -f <memory_dump> --profile=<profile> psscan

  • Analyzing Mutants

    • volatility -f <memory_dump> --profile=<profile> mutantscan

  • Analyzing Handles

    • volatility -f <memory_dump> --profile=<profile> handles

  • Analyzing UserAssist

    • volatility -f <memory_dump> --profile=<profile> userassist

  • Analyzing Shellbags

    • volatility -f <memory_dump> --profile=<profile> shellbags

  • Analyzing MFT

    • volatility -f <memory_dump> --profile=<profile> mftparser

  • Analyzing LDRModules

    • volatility -f <memory_dump> --profile=<profile> ldrmodules

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing SSDT

    • volatility -f <memory_dump> --profile=<profile> ssdt

  • Analyzing GDT

    • volatility -f <memory_dump> --profile=<profile> gdt

  • Analyzing IDT

    • volatility -f <memory_dump> --profile=<profile> idt

  • Analyzing CSRSS

    • volatility -f <memory_dump> --profile=<profile> csrss

  • Analyzing Print Spooler

    • volatility -f <memory_dump> --profile=<profile> printkey

  • Analyzing Desktops

    • volatility -f <memory_dump> --profile=<profile> desktops

  • Analyzing Privileges

    • volatility -f <memory_dump> --profile=<profile> privs

  • Analyzing Threads

    • volatility -f <memory_dump> --profile=<profile> threads

  • Analyzing Vad Trees

    • volatility -f <memory_dump> --profile=<profile> vaddump

  • Analyzing Vad Trees

    • volatility -f <memory_dump> --profile=<profile> vadinfo

  • Analyzing Vad Trees

    • volatility -f <memory_dump> --profile=<profile> vadwalk

  • Analyzing Vad Trees

    • volatility -f <memory_dump> --profile=<profile> vadtree

  • Analyzing Vad Trees

    • volatility -f <memory_dump> --profile=<profile> vadlist

volatility --profile=PROFILE envars -f file.dmp [--pid <pid>] #Display process environment variables

volatility --profile=PROFILE -f file.dmp linux_psenv [-p <pid>] #Get env of process. The runlevel var means the runlevel where the proc was initiated

Token privileges

Check for privileged tokens in unexpected services. It could be interesting to list the processes using some privileged token.

#Get enabled privileges of some processes
python3 vol.py -f file.dmp windows.privileges.Privs [--pid <pid>]
#Get all processes with interesting privileges
python3 vol.py -f file.dmp windows.privileges.Privs | grep "SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"
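An added example (not HackTricks' or Volatility's code) that turns the grep above into a small parser over the tab-separated output of windows.privileges.Privs: it reports a dangerous privilege only when its Attributes say Enabled, since the grep also matches rows where the privilege is merely Present (assigned but disabled), and it compares each holder against a baseline of expected image names. The sample output and the EXPECTED baseline are constructed.

```python
"""Flag processes whose dangerous privileges are actually Enabled.

Added example for this page (not HackTricks' or Volatility's code). Parses the
tab-separated output of `windows.privileges.Privs` (Volatility 3) and keeps only
rows whose Attributes contain "Enabled". The sample output and the EXPECTED
baseline are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Privilege names from the grep on this page. The page's pattern says
# SeAssignPrimaryPrivilege, which is not a Windows privilege name; the real
# constant is SeAssignPrimaryTokenPrivilege, so both spellings are listed here.
DANGEROUS = {
    "SeImpersonatePrivilege", "SeAssignPrimaryPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeCreateTokenPrivilege", "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege", "SeDebugPrivilege",
}

# Assumed baseline (placeholder): which image names are expected to hold which
# dangerous privileges. Build yours from a known-good system of the same build.
EXPECTED: Dict[str, set] = {
    "lsass.exe": {"SeDebugPrivilege"},
    "svchost.exe": {"SeImpersonatePrivilege"},
}

# Constructed sample in the shape of `vol.py ... windows.privileges.Privs` output.
SAMPLE_OUTPUT = """\
Volatility 3 Framework 2.5.0
Progress:  100.00\t\tPDB scanning finished
PID\tProcess\tValue\tPrivilege\tAttributes\tDescription
4\tSystem\t2\tSeCreateTokenPrivilege\tPresent\tCreate a token object
612\tlsass.exe\t20\tSeDebugPrivilege\tPresent,Enabled\tDebug programs
1337\tnotepad.exe\t20\tSeDebugPrivilege\tPresent,Enabled\tDebug programs
1337\tnotepad.exe\t29\tSeImpersonatePrivilege\tPresent\tImpersonate a client after authentication
2040\tsvchost.exe\t29\tSeImpersonatePrivilege\tPresent,Enabled,Default\tImpersonate a client after authentication
"""


def parse_privs(output: str) -> List[Dict[str, str]]:
    """Turn the plugin's table into dicts keyed by the header names (PID, Process, ...)."""
    rows: List[Dict[str, str]] = []
    header = None
    for line in output.splitlines():
        cells = line.rstrip("\n").split("\t")
        if header is None:
            if cells[0] == "PID":          # everything before the header is banner text
                header = cells
            continue
        if len(cells) < 5 or not cells[0].isdigit():
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def enabled_dangerous(rows: List[Dict[str, str]]) -> Dict[int, Tuple[str, List[str]]]:
    """PID -> (process name, sorted dangerous privileges that are Enabled, not just Present)."""
    out: Dict[int, Tuple[str, List[str]]] = {}
    for r in rows:
        attrs = {a.strip() for a in r["Attributes"].split(",")}
        if r["Privilege"] in DANGEROUS and "Enabled" in attrs:
            _, privs = out.setdefault(int(r["PID"]), (r["Process"], []))
            privs.append(r["Privilege"])
    return {pid: (proc, sorted(privs)) for pid, (proc, privs) in out.items()}


def unexpected_holders(rows: List[Dict[str, str]],
                       expected: Dict[str, set] = EXPECTED) -> Dict[int, Tuple[str, List[str]]]:
    """Enabled dangerous privileges that the baseline does not grant to that image name."""
    flagged: Dict[int, Tuple[str, List[str]]] = {}
    for pid, (proc, privs) in enabled_dangerous(rows).items():
        extra = [p for p in privs if p not in expected.get(proc.lower(), set())]
        if extra:
            flagged[pid] = (proc, extra)
    return flagged


if __name__ == "__main__":
    for pid, (proc, privs) in unexpected_holders(parse_privs(SAMPLE_OUTPUT)).items():
        print(f"PID {pid} {proc}: {', '.join(privs)}")
```

Pipe the plugin output into `parse_privs` (for example via `sys.stdin.read()`); in the sample only notepad.exe is reported, because its SeImpersonatePrivilege is Present but disabled and the other holders are covered by the baseline.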

Volatility Cheat Sheet

Basic Commands

  • Image Identification

    • volatility -f <memory_dump> imageinfo

  • Listing Processes

    • volatility -f <memory_dump> --profile=<profile> pslist

  • Dumping a Process

    • volatility -f <memory_dump> --profile=<profile> memdump -p <pid> -D <output_directory>

  • Listing DLLs

    • volatility -f <memory_dump> --profile=<profile> dlllist -p <pid>

  • Dumping a DLL

    • volatility -f <memory_dump> --profile=<profile> dlldump -p <pid> -D <output_directory>

  • Listing Sockets

    • volatility -f <memory_dump> --profile=<profile> sockscan

  • Network Connections

    • volatility -f <memory_dump> --profile=<profile> connections

  • Registry Analysis

    • volatility -f <memory_dump> --profile=<profile> hivelist

  • Dumping Registry Hive

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • File Extraction

    • volatility -f <memory_dump> --profile=<profile> filescan

  • Dumping a File

    • volatility -f <memory_dump> --profile=<profile> dumpfiles -Q <address_range> -D <output_directory>

  • Kernel Modules

    • volatility -f <memory_dump> --profile=<profile> modscan

  • Driver Modules

    • volatility -f <memory_dump> --profile=<profile> driverscan

  • SSDT

    • volatility -f <memory_dump> --profile=<profile> ssdt

  • API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • UserAssist

    • volatility -f <memory_dump> --profile=<profile> userassist

  • Privileges

    • volatility -f <memory_dump> --profile=<profile> privs

  • Crash Dumps

    • volatility -f <memory_dump> --profile=<profile> crashinfo

  • Yara Scanning

    • volatility -f <memory_dump> --profile=<profile> yarascan --yara-file=<rules_file>

#Get enabled privileges of some processes
volatility --profile=Win7SP1x86_23418 privs --pid=3152 -f file.dmp | grep Enabled
#Get all processes with interesting privileges
volatility --profile=Win7SP1x86_23418 privs -f file.dmp | grep "SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"

SIDs

Check the SIDs owned by each process. It could be interesting to list the processes using a privileged SID (and the processes using some service SID).

./vol.py -f file.dmp windows.getsids.GetSIDs [--pid <pid>] #Get SIDs of processes
./vol.py -f file.dmp windows.getservicesids.GetServiceSIDs #Get the SID of services

Volatility Cheat Sheet

Basic Commands

  • Image Identification

    • volatility -f <memory_dump> imageinfo

  • Listing Processes

    • volatility -f <memory_dump> --profile=<profile> pslist

  • Dumping a Process

    • volatility -f <memory_dump> --profile=<profile> memdump -p <pid> -D <output_directory>

  • Listing Network Connections

    • volatility -f <memory_dump> --profile=<profile> connections

  • Dumping Registry Hives

    • volatility -f <memory_dump> --profile=<profile> hivelist

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

Advanced Commands

  • Analyzing a Process

    • volatility -f <memory_dump> --profile=<profile> pstree -p <pid>

  • Extracting DLLs

    • volatility -f <memory_dump> --profile=<profile> dlllist -p <pid>

  • Dumping a File

    • volatility -f <memory_dump> --profile=<profile> dumpfiles -Q <physical_offset> -D <output_directory>

  • Analyzing Drivers

    • volatility -f <memory_dump> --profile=<profile> driverscan

  • Identifying Hidden Processes

    • volatility -f <memory_dump> --profile=<profile> psxview

  • Analyzing Timeline

    • volatility -f <memory_dump> --profile=<profile> timeliner

Plugin Development

  • Creating a New Plugin

    • Create a new Python file in the volatility/plugins directory

    • Implement the plugin using the Volatility API

    • Use the vol.py command with the --plugins option to load the custom plugin

volatility --profile=Win7SP1x86_23418 getsids -f file.dmp #Get the SID owned by each process
volatility --profile=Win7SP1x86_23418 getservicesids -f file.dmp #Get the SID of each service

Handles

Useful to know which other files, keys, threads, processes... a process has a handle to.

vol.py -f file.dmp windows.handles.Handles [--pid <pid>]

volatility --profile=Win7SP1x86_23418 -f file.dmp handles [--pid=<pid>]

DLLs

./vol.py -f file.dmp windows.dlllist.DllList [--pid <pid>] #List DLLs loaded by each process
./vol.py -f file.dmp windows.dumpfiles.DumpFiles --pid <pid> #Dump the .exe and DLLs of the process into the current directory

Volatility Cheat Sheet

Basic Forensic Methodology

  1. Memory Dump Analysis

    • Identify Profile: vol.py -f memory_dump.raw imageinfo

    • Analyze Processes: vol.py -f memory_dump.raw --profile=Win7SP1x64 pslist

    • Analyze DLLs: vol.py -f memory_dump.raw --profile=Win7SP1x64 dlllist

    • Analyze Handles: vol.py -f memory_dump.raw --profile=Win7SP1x64 handles

    • Analyze Registry: vol.py -f memory_dump.raw --profile=Win7SP1x64 printkey -K "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

    • Analyze Network Connections: vol.py -f memory_dump.raw --profile=Win7SP1x64 netscan

    • Analyze Drivers: vol.py -f memory_dump.raw --profile=Win7SP1x64 driverscan

    • Analyze Mutants: vol.py -f memory_dump.raw --profile=Win7SP1x64 mutantscan

    • Analyze Sockets: vol.py -f memory_dump.raw --profile=Win7SP1x64 sockets

    • Analyze Autostart Locations: vol.py -f memory_dump.raw --profile=Win7SP1x64 autoruns

  2. File Analysis

    • Analyze MFT: vol.py -f memory_dump.raw --profile=Win7SP1x64 mftparser

    • Analyze File Metadata: vol.py -f memory_dump.raw --profile=Win7SP1x64 filescan

  3. Timeline Analysis

    • Create Timeline: vol.py -f memory_dump.raw --profile=Win7SP1x64 mactime

  4. Malware Analysis

    • Analyze Malware: vol.py -f memory_dump.raw --profile=Win7SP1x64 malfind

  5. Rootkit Detection

    • Detect Rootkits: vol.py -f memory_dump.raw --profile=Win7SP1x64 rootkit

  6. Memory Analysis

    • Analyze Memory: vol.py -f memory_dump.raw --profile=Win7SP1x64 memmap

  7. User Analysis

    • Analyze Users: vol.py -f memory_dump.raw --profile=Win7SP1x64 userassist

  8. Registry Analysis

    • Analyze Registry: vol.py -f memory_dump.raw --profile=Win7SP1x64 printkey -K "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

  9. Network Analysis

    • Analyze Network: vol.py -f memory_dump.raw --profile=Win7SP1x64 netscan

  10. Process Analysis

    • Analyze Processes: vol.py -f memory_dump.raw --profile=Win7SP1x64 pslist

  11. DLL Analysis

    • Analyze DLLs: vol.py -f memory_dump.raw --profile=Win7SP1x64 dlllist

  12. Handle Analysis

    • Analyze Handles: vol.py -f memory_dump.raw --profile=Win7SP1x64 handles

  13. Driver Analysis

    • Analyze Drivers: vol.py -f memory_dump.raw --profile=Win7SP1x64 driverscan

  14. Mutant Analysis

    • Analyze Mutants: vol.py -f memory_dump.raw --profile=Win7SP1x64 mutantscan

  15. Socket Analysis

    • Analyze Sockets: vol.py -f memory_dump.raw --profile=Win7SP1x64 sockets

  16. Autostart Analysis

    • Analyze Autostart Locations: vol.py -f memory_dump.raw --profile=Win7SP1x64 autoruns

  17. MFT Analysis

    • Analyze MFT: vol.py -f memory_dump.raw --profile=Win7SP1x64 mftparser

  18. File Metadata Analysis

    • Analyze File Metadata: vol.py -f memory_dump.raw --profile=Win7SP1x64 filescan

  19. Timeline Creation

    • Create Timeline: vol.py -f memory_dump.raw --profile=Win7SP1x64 mactime

  20. Malware Analysis

    • Analyze Malware: vol.py -f memory_dump.raw --profile=Win7SP1x64 malfind

volatility --profile=Win7SP1x86_23418 dlllist --pid=3152 -f file.dmp #Get dlls of a proc
volatility --profile=Win7SP1x86_23418 dlldump --pid=3152 --dump-dir=. -f file.dmp #Dump dlls of a proc

Strings per process

Volatility lets us check which process a string belongs to.

strings file.dmp > /tmp/strings.txt
./vol.py -f /tmp/file.dmp windows.strings.Strings --strings-file /tmp/strings.txt

Volatility Cheat Sheet

Basic Commands

  • Image Identification

    • volatility -f <memory_dump> imageinfo

  • Listing Processes

    • volatility -f <memory_dump> --profile=<profile> pslist

  • Dumping a Process

    • volatility -f <memory_dump> --profile=<profile> memdump -p <pid> -D <output_directory>

  • Listing Network Connections

    • volatility -f <memory_dump> --profile=<profile> netscan

  • Dumping a File

    • volatility -f <memory_dump> --profile=<profile> dumpfiles -Q <address_range> --dump-dir=<output_directory>

Advanced Commands

  • Detecting Hidden Processes

    • volatility -f <memory_dump> --profile=<profile> psxview

  • Analyzing Registry

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Extracting DLLs

    • volatility -f <memory_dump> --profile=<profile> dlldump -p <pid> -D <output_directory>

  • Analyzing Drivers

    • volatility -f <memory_dump> --profile=<profile> driverscan

  • Identifying Sockets

    • volatility -f <memory_dump> --profile=<profile> sockscan

  • Analyzing Timeline

    • volatility -f <memory_dump> --profile=<profile> timeliner

  • Analyzing PSScan

    • volatility -f <memory_dump> --profile=<profile> psscan

  • Analyzing Mutantscan

    • volatility -f <memory_dump> --profile=<profile> mutantscan

  • Analyzing Yarascan

    • volatility -f <memory_dump> --profile=<profile> yarascan

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing SSDT

    • volatility -f <memory_dump> --profile=<profile> ssdt

  • Analyzing GDT

    • volatility -f <memory_dump> --profile=<profile> gdt

  • Analyzing IDT

    • volatility -f <memory_dump> --profile=<profile> idt

  • Analyzing LDR Modules

    • volatility -f <memory_dump> --profile=<profile> ldrmodules

  • Analyzing Handles

    • volatility -f <memory_dump> --profile=<profile> handles

  • Analyzing Vad Trees

    • volatility -f <memory_dump> --profile=<profile> vaddump

  • Analyzing User Handles

    • volatility -f <memory_dump> --profile=<profile> userhandles

  • Analyzing Privileges

    • volatility -f <memory_dump> --profile=<profile> privs

  • Analyzing Privilege Rights

    • volatility -f <memory_dump> --profile=<profile> privs

  • Analyzing Kernel Hooks

    • volatility -f <memory_dump> --profile=<profile> kdbgscan

  • Analyzing Callbacks

    • volatility -f <memory_dump> --profile=<profile> callbacks

  • Analyzing GDI Tables

    • volatility -f <memory_dump> --profile=<profile> gditimers

  • Analyzing GDI Shared Handles

    • volatility -f <memory_dump> --profile=<profile> gdiview

  • Analyzing GDI Objects

    • volatility -f <memory_dump> --profile=<profile> gdiobjects

  • Analyzing Atom Tables

    • volatility -f <memory_dump> --profile=<profile> atomscan

  • Analyzing Desktops

    • volatility -f <memory_dump> --profile=<profile> desktops

  • Analyzing Windows Stations

    • volatility -f <memory_dump> --profile=<profile> windows

  • Analyzing Sessions

    • volatility -f <memory_dump> --profile=<profile> sessions

  • Analyzing Printers

    • volatility -f <memory_dump> --profile=<profile> printers

  • Analyzing Shimcache

    • volatility -f <memory_dump> --profile=<profile> shimcache

  • Analyzing Shellbags

    • volatility -f <memory_dump> --profile=<profile> shellbags

  • Analyzing MFT

    • volatility -f <memory_dump> --profile=<profile> mftparser

  • Analyzing TrueCrypt Keys

    • volatility -f <memory_dump> --profile=<profile> truecryptmaster

  • Analyzing Bitlocker Keys

    • volatility -f <memory_dump> --profile=<profile> bitlockermemory

  • Analyzing LUKS Keys

    • volatility -f <memory_dump> --profile=<profile> luksmeta

  • Analyzing Chrome Extensions

    • volatility -f <memory_dump> --profile=<profile> chromehistory

  • Analyzing Firefox Extensions

    • volatility -f <memory_dump> --profile=<profile> firefoxhistory

  • Analyzing IE History

    • volatility -f <memory_dump> --profile=<profile> iehistory

  • Analyzing LSA Secrets

    • volatility -f <memory_dump> --profile=<profile> lsadump

  • Analyzing Hashdump

    • volatility -f <memory_dump> --profile=<profile> hashdump

  • Analyzing User Assist

    • volatility -f <memory_dump> --profile=<profile> userassist

  • Analyzing Shellbags

    • volatility -f <memory_dump> --profile=<profile> shellbags

  • Analyzing MBR

    • volatility -f <memory_dump> --profile=<profile> mbrparser

  • Analyzing VBR

    • volatility -f <memory_dump> --profile=<profile> vbrparser

  • Analyzing Registry Hives

    • volatility -f <memory_dump> --profile=<profile> hivelist

  • Dumping Registry Hive

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing User Profiles

    • volatility -f <memory_dump> --profile=<profile> userprofiles

  • Analyzing PEB

    • volatility -f <memory_dump> --profile=<profile> peb

  • Analyzing Threads

    • volatility -f <memory_dump> --profile=<profile> threads

  • Analyzing Vad Trees

    • volatility -f <memory_dump> --profile=<profile> vaddump

  • Analyzing Handles

    • volatility -f <memory_dump> --profile=<profile> handles

  • Analyzing Mutants

    • volatility -f <memory_dump> --profile=<profile> mutantscan

  • Analyzing Yara Rules

    • volatility -f <memory_dump> --profile=<profile> yarascan

strings file.dmp > /tmp/strings.txt
volatility -f /tmp/file.dmp windows.strings.Strings --strings-file /tmp/strings.txt

volatility -f /tmp/file.dmp --profile=Win81U1x64 memdump -p 3532 --dump-dir .
strings 3532.dmp > strings_file

It also allows searching for strings inside a process using the yarascan module:

./vol.py -f file.dmp windows.vadyarascan.VadYaraScan --yara-rules "https://" --pid 3692 3840 3976 3312 3084 2784
./vol.py -f file.dmp yarascan.YaraScan --yara-rules "https://"
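The two workflows above, a `strings` file fed to `windows.strings.Strings` (the same command appears earlier on the page) and the per-process `yarascan` search, as an added Python model that is not part of the HackTricks page or the Volatility project. It assumes the strings file carries a decimal offset before each string (the layout `strings -td` emits) and uses a constructed four-page image with made-up pids and page mappings.

```python
"""Added example, not code from the HackTricks page or the Volatility project: a small
model of the strings-per-process and per-process yarascan workflows in this section.
All data is constructed; the four-page image, the pids and the page mappings are
assumptions for the demo, not a real Windows dump.

  strings_with_offsets()  ~ `strings -td file.dmp`  (decimal offset, then the string)
  attribute_strings()     ~ `windows.strings.Strings --strings-file ...`
  scan_processes()        ~ `windows.vadyarascan.VadYaraScan --yara-rules ... --pid ...`
"""
import re
from typing import Dict, List, Optional, Tuple

PAGE = 0x1000  # 4 KiB pages, as on x86/x64 Windows

# Constructed process layouts: pid -> [(virtual_base, first_physical_page, page_count)].
# Physical page 2 is deliberately mapped by both processes (think: a shared DLL page).
MAPPINGS: Dict[int, List[Tuple[int, int, int]]] = {
    3532: [(0x00400000, 1, 2)],  # pages 1-2 appear at 0x400000-0x401fff in pid 3532
    3692: [(0x7FF00000, 2, 2)],  # pages 2-3 appear at 0x7ff00000-0x7ff01fff in pid 3692
}


def build_sample_image() -> bytes:
    """Constructed stand-in for file.dmp: four physical pages holding a few strings."""
    def page(*items: Tuple[int, bytes]) -> bytes:
        buf = bytearray(PAGE)
        for off, data in items:
            buf[off:off + len(data)] = data
        return bytes(buf)

    return b"".join([
        page((0x100, b"KERNEL-ONLY\x00")),                         # page 0: mapped by no process
        page((0x020, b"C:\\Users\\bob\\report.docx\x00")),         # page 1: private to 3532
        page((0x040, b"https://updates.example.test/check\x00")),  # page 2: shared by 3532 and 3692
        page((0x010, b"https://mail.example.test/owa\x00"), (0x200, b"ab\x00")),  # page 3: 3692; "ab" too short
    ])


def strings_with_offsets(image: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Like `strings -td -n 4`: printable-ASCII runs with their decimal file offset."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def strings_file_lines(image: bytes) -> List[str]:
    """The lines a strings file holds: '<decimal offset> <string>'."""
    return [f"{off} {s}" for off, s in strings_with_offsets(image)]


def build_reverse_map(mappings: Dict[int, List[Tuple[int, int, int]]]) -> Dict[int, List[Tuple[int, int]]]:
    """Physical page number -> [(pid, virtual address of that page inside pid), ...]."""
    revmap: Dict[int, List[Tuple[int, int]]] = {}
    for pid, ranges in mappings.items():
        for vbase, ppage, count in ranges:
            for i in range(count):
                revmap.setdefault(ppage + i, []).append((pid, vbase + i * PAGE))
    return revmap


def attribute_strings(lines: List[str], mappings: Dict[int, List[Tuple[int, int, int]]]
                      ) -> List[Tuple[int, str, List[Tuple[int, int]]]]:
    """Parse '<offset> <string>' lines and report which process(es) hold each string as
    (physical_offset, string, [(pid, virtual_address), ...]).  An empty owner list means
    no listed process maps that page (kernel or unallocated memory)."""
    revmap = build_reverse_map(mappings)
    result = []
    for line in lines:
        off_txt, string = line.strip().split(" ", 1)
        off = int(off_txt)
        owners = [(pid, vpage + off % PAGE) for pid, vpage in revmap.get(off // PAGE, [])]
        result.append((off, string, owners))
    return result


def scan_processes(image: bytes, mappings: Dict[int, List[Tuple[int, int, int]]],
                   pattern: bytes, pids: Optional[List[int]] = None) -> List[Tuple[int, int, str]]:
    """Per-process search in the spirit of vadyarascan: walk only the memory ranges of the
    selected pids (all when None), so each hit carries a pid and a virtual address.  The
    match extends to the end of the printable run, so b"https://" yields the whole URL."""
    regex = re.compile(re.escape(pattern) + rb"[\x20-\x7e]*")
    hits = []
    for pid, ranges in mappings.items():
        if pids is not None and pid not in pids:
            continue
        for vbase, ppage, count in ranges:
            start = ppage * PAGE
            for m in regex.finditer(image[start:start + count * PAGE]):
                hits.append((pid, vbase + m.start(), m.group().decode("ascii")))
    return hits


if __name__ == "__main__":
    img = build_sample_image()
    for off, s, owners in attribute_strings(strings_file_lines(img), MAPPINGS):
        who = ", ".join(f"pid {p} @ {v:#x}" for p, v in owners) or "no process (kernel/unallocated)"
        print(f"{off:8d} {s!r:40} -> {who}")
    for pid, vaddr, s in scan_processes(img, MAPPINGS, b"https://", pids=[3692]):
        print(f"yarascan-style hit in pid {pid} at {vaddr:#x}: {s}")
```

The shared page shows why one string can be attributed to several processes, and the pid filter shows why the per-process scan reports virtual addresses instead of raw file offsets.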

Volatility Cheat Sheet

Basic Commands

  • Image Identification

    • volatility -f <memory_dump> imageinfo

  • Listing Processes

    • volatility -f <memory_dump> --profile=<profile> pslist

  • Dumping a Process

    • volatility -f <memory_dump> --profile=<profile> memdump -p <pid> -D <output_directory>

  • Listing Network Connections

    • volatility -f <memory_dump> --profile=<profile> connections

  • Dumping a File

    • volatility -f <memory_dump> --profile=<profile> dumpfiles -Q <address_range> -D <output_directory>

Advanced Commands

  • Detecting Hidden Processes

    • volatility -f <memory_dump> --profile=<profile> psxview

  • Analyzing Registry

    • volatility -f <memory_dump> --profile=<profile> printkey -K <registry_key>

  • Extracting DLLs

    • volatility -f <memory_dump> --profile=<profile> dlldump -p <pid> -D <output_directory>

  • Analyzing Drivers

    • volatility -f <memory_dump> --profile=<profile> driverscan

  • Identifying Sockets

    • volatility -f <memory_dump> --profile=<profile> sockscan

  • Analyzing Timeline

    • volatility -f <memory_dump> --profile=<profile> timeliner

  • Analyzing PSScan

    • volatility -f <memory_dump> --profile=<profile> psscan

  • Analyzing Mutants

    • volatility -f <memory_dump> --profile=<profile> mutantscan

  • Analyzing Handles

    • volatility -f <memory_dump> --profile=<profile> handles

  • Analyzing Vad

    • volatility -f <memory_dump> --profile=<profile> vadinfo

  • Analyzing Yara Rules

    • volatility -f <memory_dump> --profile=<profile> yarascan

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing SSDT

    • volatility -f <memory_dump> --profile=<profile> ssdt

  • Analyzing GDT

    • volatility -f <memory_dump> --profile=<profile> gdt

  • Analyzing IDT

    • volatility -f <memory_dump> --profile=<profile> idt

  • Analyzing LDT

    • volatility -f <memory_dump> --profile=<profile> ldt

  • Analyzing User Handles

    • volatility -f <memory_dump> --profile=<profile> userhandles

  • Analyzing Privileges

    • volatility -f <memory_dump> --profile=<profile> privs

  • Analyzing Crashes

    • volatility -f <memory_dump> --profile=<profile> pslist

  • Analyzing Kernel Modules

    • volatility -f <memory_dump> --profile=<profile> modscan

  • Analyzing ImpHash

    • volatility -f <memory_dump> --profile=<profile> impscan

  • Analyzing API Audit

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Trace

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Monitor

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

volatility --profile=Win7SP1x86_23418 yarascan -Y "https://" -p 3692,3840,3976,3312,3084,2784

UserAssist

Windows keeps track of the programs you run through a registry feature called UserAssist keys. These keys record how many times each program has been executed and when it was last run.

./vol.py -f file.dmp windows.registry.userassist.UserAssist

volatility --profile=Win7SP1x86_23418 -f file.dmp userassist
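Once `printkey` or `userassist` has given you the raw value name and data, the bytes still have to be interpreted. This added example (not code from the page or from the Volatility project) decodes one UserAssist `Count` entry: the ROT13-obfuscated program path and the run count plus last-run FILETIME, assuming the 72-byte Windows 7+ layout and the 16-byte XP layout; the sample name and value bytes are constructed.

```python
"""Decode UserAssist registry values recovered from a memory image."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_value_name(name: str) -> str:
    """UserAssist obfuscates the program path with ROT13; undo it."""
    return codecs.decode(name, "rot13")


def filetime_to_datetime(ft: int):
    """Convert a FILETIME to an aware datetime; 0 means the entry never ran."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist_data(raw: bytes) -> dict:
    """Parse the binary data of one UserAssist Count value.

    Windows 7+ (72 bytes): session id, run count, focus count, focus time (ms),
    ten floats of UI telemetry, last-run FILETIME at offset 60, 4 trailing bytes.
    Windows XP/2003 (16 bytes): session id, run count (stored starting at 5), FILETIME.
    """
    if len(raw) == 72:
        session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", raw, 0)
        (last_run,) = struct.unpack_from("<Q", raw, 60)
        return {
            "layout": "win7+",
            "session": session,
            "run_count": run_count,
            "focus_count": focus_count,
            "focus_time_ms": focus_ms,
            "last_run": filetime_to_datetime(last_run),
        }
    if len(raw) == 16:
        session, run_count, last_run = struct.unpack("<IIQ", raw)
        # XP counters begin at 5, so the stored value is 5 higher than the real count.
        real_count = run_count - 5 if run_count >= 5 else 0
        return {
            "layout": "xp",
            "session": session,
            "run_count": real_count,
            "last_run": filetime_to_datetime(last_run),
        }
    raise ValueError(f"unexpected UserAssist value length {len(raw)}")


def decode_entry(name: str, raw: bytes) -> dict:
    """Decode one (value name, value data) pair as dumped from the Count key."""
    entry = parse_userassist_data(raw)
    entry["program"] = decode_value_name(name)
    return entry


def build_sample_win7(run_count: int, last_run: datetime) -> bytes:
    """Constructed 72-byte Windows 7+ value body, for demonstration only."""
    body = struct.pack("<IIII", 1, run_count, 0, 0)   # session, run count, focus count, focus ms
    body += b"\x00" * 44                              # ten floats + padding we do not interpret
    body += struct.pack("<Q", datetime_to_filetime(last_run))
    body += b"\xff\xff\xff\xff"
    return body


def sample_entry() -> dict:
    """Constructed sample: ROT13 of C:\\Windows\\system32\\cmd.exe, run 7 times."""
    name = r"P:\Jvaqbjf\flfgrz32\pzq.rkr"
    data = build_sample_win7(7, datetime(2023, 1, 15, 12, 0, tzinfo=timezone.utc))
    return decode_entry(name, data)


if __name__ == "__main__":
    for key, value in sample_entry().items():
        print(f"{key:14} {value}")
```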

Services

./vol.py -f file.dmp windows.svcscan.SvcScan #List services
./vol.py -f file.dmp windows.getservicesids.GetServiceSIDs #Get the SID of services

#Get services and binary path
volatility --profile=Win7SP1x86_23418 svcscan -f file.dmp
#Get name of the services and SID (slow)
volatility --profile=Win7SP1x86_23418 getservicesids -f file.dmp

Network

./vol.py -f file.dmp windows.netscan.NetScan
#For network info of linux use volatility2

volatility --profile=Win7SP1x86_23418 netscan -f file.dmp
volatility --profile=Win7SP1x86_23418 connections -f file.dmp #XP and 2003 only
volatility --profile=Win7SP1x86_23418 connscan -f file.dmp #TCP connections
volatility --profile=Win7SP1x86_23418 sockscan -f file.dmp #Open sockets
volatility --profile=Win7SP1x86_23418 sockets -f file.dmp #Scanner for tcp socket objects

volatility --profile=SomeLinux -f file.dmp linux_ifconfig
volatility --profile=SomeLinux -f file.dmp linux_netstat
volatility --profile=SomeLinux -f file.dmp linux_netfilter
volatility --profile=SomeLinux -f file.dmp linux_arp #ARP table
volatility --profile=SomeLinux -f file.dmp linux_list_raw #Processes using promiscuous raw sockets (comm between processes)
volatility --profile=SomeLinux -f file.dmp linux_route_cache

Registry hives

Print available hives

./vol.py -f file.dmp windows.registry.hivelist.HiveList #List roots
./vol.py -f file.dmp windows.registry.printkey.PrintKey #List roots and get initial subkeys

volatility --profile=Win7SP1x86_23418 -f file.dmp hivelist #List roots
volatility --profile=Win7SP1x86_23418 -f file.dmp printkey #List roots and get initial subkeys

Get a value

./vol.py -f file.dmp windows.registry.printkey.PrintKey --key "Software\Microsoft\Windows NT\CurrentVersion"

Volatility Cheatsheet (vol2 plugin names; each command is volatility -f <memory_dump> --profile=<profile> <plugin>)

Basic Commands

  • Image Identification (suggests the profile to use in every later command)

    • volatility -f <memory_dump> imageinfo

  • Listing Processes

    • volatility -f <memory_dump> --profile=<profile> pslist

  • Process Tree

    • volatility -f <memory_dump> --profile=<profile> pstree

  • Dumping a Process' Address Space

    • volatility -f <memory_dump> --profile=<profile> memdump -p <pid> -D <output_directory>

  • Listing DLLs

    • volatility -f <memory_dump> --profile=<profile> dlllist -p <pid>

  • Dumping a DLL

    • volatility -f <memory_dump> --profile=<profile> dlldump -p <pid> -D <output_directory>

  • Listing Sockets (XP/2003 only; use netscan on Vista and later)

    • volatility -f <memory_dump> --profile=<profile> sockscan

  • Network Connections (XP/2003 only; use netscan on Vista and later)

    • volatility -f <memory_dump> --profile=<profile> connections

  • Registry Hives (gives the hive offsets the next two commands need)

    • volatility -f <memory_dump> --profile=<profile> hivelist

  • Printing a Registry Key (-o is the hive's virtual offset from hivelist)

    • volatility -f <memory_dump> --profile=<profile> printkey -o <hive_virtual_offset> -K <key>

  • Dumping a Registry Hive

    • volatility -f <memory_dump> --profile=<profile> hivedump -o <hive_virtual_offset>

  • Scanning for Files (gives the physical offset dumpfiles needs)

    • volatility -f <memory_dump> --profile=<profile> filescan

  • Dumping a File

    • volatility -f <memory_dump> --profile=<profile> dumpfiles -Q <physical_offset> -D <output_directory>

  • Kernel Drivers

    • volatility -f <memory_dump> --profile=<profile> driverscan

  • Dumping a Kernel Module (-b is the module base address from modscan/modules)

    • volatility -f <memory_dump> --profile=<profile> moddump -b <base_address> -D <output_directory>

  • Command History

    • volatility -f <memory_dump> --profile=<profile> cmdscan

  • SIDs Owning Each Process

    • volatility -f <memory_dump> --profile=<profile> getsids

  • Dumping Password Hashes (SAM; older builds need -y <SYSTEM_hive_offset> -s <SAM_hive_offset> from hivelist)

    • volatility -f <memory_dump> --profile=<profile> hashdump

  • Memory Map of a Process

    • volatility -f <memory_dump> --profile=<profile> memmap -p <pid>

  • Crash Dump Header (only for crash-dump format images)

    • volatility -f <memory_dump> --profile=<profile> crashinfo

Advanced Commands

  • Injected Code / Rootkit Detection (private RWX regions not backed by a file)

    • volatility -f <memory_dump> --profile=<profile> malfind

  • Detecting Hidden Processes (cross-references pslist, psscan, thread and handle tables)

    • volatility -f <memory_dump> --profile=<profile> psxview

  • Detecting Hidden DLLs (unlinked from the PEB load order lists)

    • volatility -f <memory_dump> --profile=<profile> ldrmodules

  • Open Sockets (XP/2003 only)

    • volatility -f <memory_dump> --profile=<profile> sockets

  • Files Without Handles (pool scan finds closed or hidden FILE_OBJECTs)

    • volatility -f <memory_dump> --profile=<profile> filescan

  • Registry Hives Missing from hivelist (pool scan)

    • volatility -f <memory_dump> --profile=<profile> hivescan

  • Kernel Callbacks (process/thread/image notify routines, often registered by rootkits)

    • volatility -f <memory_dump> --profile=<profile> callbacks

  • IRP Hooks in Driver Dispatch Tables

    • volatility -f <memory_dump> --profile=<profile> driverirp

  • Mutants (malware often uses a fixed mutex name as an infection marker)

    • volatility -f <memory_dump> --profile=<profile> mutantscan

  • SSDT Hooks

    • volatility -f <memory_dump> --profile=<profile> ssdt

  • IDT Hooks

    • volatility -f <memory_dump> --profile=<profile> idt

  • tcpip.sys IRP Hooks (network-level rootkits)

    • volatility -f <memory_dump> --profile=<profile> driverirp -r tcpip

  • Process Privileges (e.g. SeDebugPrivilege enabled where it should not be)

    • volatility -f <memory_dump> --profile=<profile> privs

  • Services (including ones removed from the SCM list)

    • volatility -f <memory_dump> --profile=<profile> svcscan

  • Detecting Hidden Timers

    • volatility -f <memory_dump> --profile=<profile> timers
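
The psxview row format is the part practitioners misread most often: a False in the pslist column is the DKOM signature, but False in the csrss/session/deskthrd columns is normal for System, smss.exe and csrss.exe, and a terminated process that psscan still carves out of freed pool also shows False almost everywhere. The following is an added example, not code from the HackTricks page; it parses a constructed vol2 psxview output (the sample rows, PIDs and the `EXPECTED_GAPS` table are assumptions, not from a real case) and labels each row hidden, terminated, suspicious or ok.

```python
import re

# Constructed sample of Volatility 2 `psxview` output (not from a real case).
PSXVIEW_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x3e25a030 svchost.exe             880 True   True   True     True   True  True    True
0x3e1c3b40 hidden.exe             1337 False  True   True     True   True  True    True
0x3e3f0800 smss.exe                252 True   True   True     True   False False   False
0x3e40c9a0 old.exe                2020 False  True   False    False  False False   False    2023-05-02 09:14:11 UTC+0000
"""

COLUMNS = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")
BOOL = r"(True|False)"
ROW_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(.+?)\s+(\d+)\s+" + r"\s+".join([BOOL] * 7) + r"\s*(.*)$", re.I)

# Heuristic (assumption): processes that start before csrss, or are csrss itself,
# legitimately lack csrss/session/desktop-thread entries, so those gaps are not suspicious.
EXPECTED_GAPS = {
    "system": {"csrss", "session", "deskthrd"},
    "smss.exe": {"csrss", "session", "deskthrd"},
    "csrss.exe": {"csrss"},
}


def parse_psxview(text):
    """One dict per psxview row: offset, name, pid, the seven boolean columns and ExitTime."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if not m:
            continue  # banner, header and separator lines
        row = {"offset": int(m.group(1), 16), "name": m.group(2), "pid": int(m.group(3)),
               "exit_time": m.group(11).strip()}
        for i, col in enumerate(COLUMNS):
            row[col] = m.group(4 + i) == "True"
        rows.append(row)
    return rows


def classify(row):
    """Explain why a row has False columns instead of just flagging every False."""
    if row["exit_time"]:
        return "terminated"  # psscan carved a freed EPROCESS; nothing is hiding
    missing = {c for c in COLUMNS if not row[c]}
    unexplained = missing - EXPECTED_GAPS.get(row["name"].lower(), set())
    if not unexplained:
        return "ok"
    if "pslist" in unexplained and row["psscan"]:
        return "hidden"  # unlinked from ActiveProcessLinks (DKOM) but pool tag still present
    return "suspicious"


def triage(text):
    """Map (name, pid) -> verdict for every row in a psxview dump."""
    return {(r["name"], r["pid"]): classify(r) for r in parse_psxview(text)}


if __name__ == "__main__":
    for (name, pid), verdict in triage(PSXVIEW_SAMPLE).items():
        print(f"{pid:>6} {name:<20} {verdict}")
```

Run it over real output with `volatility ... psxview > psx.txt` and feed the file contents to `triage`; a "hidden" verdict is the row to follow up with `memdump -p <pid>` and `malfind -p <pid>`.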


volatility --profile=Win7SP1x86_23418 printkey -K "Software\Microsoft\Windows NT\CurrentVersion" -f file.dmp
# Get Run binaries registry value
volatility -f file.dmp --profile=Win7SP1x86 printkey -o 0x9670e9d0 -K 'Software\Microsoft\Windows\CurrentVersion\Run'

Dump

#Dump a hive
volatility --profile=Win7SP1x86_23418 hivedump -o 0x9aad6148 -f file.dmp #Offset extracted by hivelist
#Dump all hives
volatility --profile=Win7SP1x86_23418 hivedump -f file.dmp

File System

Mount

#See vol2


volatility --profile=SomeLinux -f file.dmp linux_mount
volatility --profile=SomeLinux -f file.dmp linux_recover_filesystem #Dump the entire filesystem (if possible)

Scan/Dump

./vol.py -f file.dmp windows.filescan.FileScan #Scan for files inside the dump
./vol.py -f file.dmp windows.dumpfiles.DumpFiles --physaddr <0xAAAAA> #Offset from previous command
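
The registry and file commands on this page all hinge on offsets that are hard-coded hex in the examples (0x9670e9d0, 0x9aad6148, <0xAAAAA>) but in practice come from the tool's own hivelist and filescan output. This added example, not code from the HackTricks page, parses constructed vol2 hivelist and filescan output and builds the follow-up commands: printkey -K ...\Run for the SOFTWARE hive (HKLM) and every ntuser.dat (HKCU), and dumpfiles / windows.dumpfiles.DumpFiles for each file whose path matches a pattern. The dump name, profile, hive paths, file paths and offsets in the samples are constructed. Note the two different columns: printkey and hivedump -o take the hive's Virtual offset, while vol2 dumpfiles -Q and vol3 --physaddr take the Physical offset that filescan prints.

```python
import re
import shlex

# Constructed sample of Volatility 2 `hivelist` output (not from a real case).
HIVELIST_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x8b21c008 0x3a33c008 \\SystemRoot\\System32\\Config\\SOFTWARE
0x8b2a6b60 0x3c8c6b60 \\SystemRoot\\System32\\Config\\SYSTEM
0x9aad6148 0x1f2e6148 \\??\\C:\\Users\\alice\\ntuser.dat
0x8b1e19d0 0x3b5a19d0 \\SystemRoot\\System32\\Config\\SAM
"""

# Constructed sample of Volatility 2 `filescan` output (not from a real case).
FILESCAN_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e1b0f80      8      0 R--rwd \\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe
0x000000003e2c4a30      2      1 RW-rw- \\Device\\HarddiskVolume1\\Users\\alice\\AppData\\Local\\Temp\\evil.exe
0x000000003e3d1c60      1      0 R--r-- \\Device\\HarddiskVolume1\\Users\\alice\\ntuser.dat
"""

HIVE_RE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S.*)$", re.I)
FILE_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S.*)$", re.I)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def parse_hivelist(text):
    """One dict per hive: virtual and physical offsets (ints) plus the hive file name."""
    hives = []
    for line in text.splitlines():
        m = HIVE_RE.match(line.strip())
        if m:  # banner, header and separator lines do not start with 0x
            hives.append({"virtual": int(m.group(1), 16),
                          "physical": int(m.group(2), 16),
                          "name": m.group(3).strip()})
    return hives


def parse_filescan(text):
    """One dict per FILE_OBJECT that the pool scan found."""
    files = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            files.append({"offset": int(m.group(1), 16), "ptr": int(m.group(2)),
                          "hnd": int(m.group(3)), "access": m.group(4),
                          "name": m.group(5).strip()})
    return files


def run_key_commands(hives, dump, profile, key=RUN_KEY):
    """printkey commands for HKLM\\...\\Run (SOFTWARE hive) and each HKCU\\...\\Run (ntuser.dat).
    vol2 printkey/hivedump -o expect the VIRTUAL hive offset from hivelist."""
    cmds = []
    for h in hives:
        low = h["name"].lower()
        if low.endswith("\\software") or low.endswith("ntuser.dat"):
            cmds.append(f"volatility -f {dump} --profile={profile} printkey "
                        f"-o {h['virtual']:#x} -K {shlex.quote(key)}")
    return cmds


def dumpfiles_commands(files, pattern, dump, profile, outdir="out"):
    """dumpfiles commands for every filescan hit whose path matches `pattern`.
    vol2 dumpfiles -Q and vol3 DumpFiles --physaddr both take the PHYSICAL offset."""
    rx = re.compile(pattern, re.I)
    cmds = []
    for f in files:
        if rx.search(f["name"]):
            off = f"{f['offset']:#x}"
            cmds.append(f"volatility -f {dump} --profile={profile} dumpfiles -Q {off} -D {outdir}")
            cmds.append(f"./vol.py -f {dump} windows.dumpfiles.DumpFiles --physaddr {off}")
    return cmds


if __name__ == "__main__":
    hives = parse_hivelist(HIVELIST_SAMPLE)
    for c in run_key_commands(hives, "file.dmp", "Win7SP1x86_23418"):
        print(c)
    files = parse_filescan(FILESCAN_SAMPLE)
    for c in dumpfiles_commands(files, r"\\Temp\\.*\.exe$", "file.dmp", "Win7SP1x86_23418"):
        print(c)
```

In a real case pipe `volatility ... hivelist` and `volatility ... filescan` into files and pass their contents to the two parsers; the regex passed to `dumpfiles_commands` is where you encode what you are hunting for (Temp-directory executables, a specific DLL name, a hive file to recover).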

Volatility Cheat Sheet

Basic Commands

  • Image Identification

    • volatility -f <memory_dump> imageinfo

  • Listing Processes

    • volatility -f <memory_dump> --profile=<profile> pslist

  • Dumping a Process

    • volatility -f <memory_dump> --profile=<profile> memdump -p <pid> -D <output_directory>

  • Listing Network Connections

    • voljson -f <memory_dump> --profile=<profile> netscan

  • Dumping a File

    • volatility -f <memory_dump> --profile=<profile> dumpfiles -Q <address_range> -D <output_directory>

Advanced Commands

  • Analyzing Registry

    • volatility -f <memory_dump> --profile=<profile> hivelist

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Kernel Modules

    • volatility -f <memory_dump> --profile=<profile> modscan

    • volatility -f <memory_dump> --profile=<profile> moddump -o <offset> -D <output_directory>

  • Analyzing Drivers

    • volatility -f <memory_dump> --profile=<profile> drvscan

  • Analyating Packed Binaries

    • volatility -f <memory_dump> --profile=<profile> malfind

  • Analyzing Sockets

    • volatility -f <memory_dump> --profile=<profile> sockscan

  • Analyzing Mutants

    • volatility -f <memory_dump> --profile=<profile> mutantscan

  • Analyzing Timelining

    • volatility -f <memory_dump> --profile=<profile> timeliner

  • Analyzing Process Handles

    • volatility -f <memory_dump> --profile=<profile> handle

  • Analyzing Process DLLs

    • volatility -f <memory_dump> --profile=<profile> dlllist

  • Analyzing Process Handles

    • volatility -f <memory_dump> --profile=<profile> handles

  • Analyzing Process Pools

    • voljson -f <memory_dump> --profile=<profile> poolscanner

  • Analyzing Process Vad

    • volatility -f <memory_dump> --profile=<profile> vadinfo

  • Analyzing Process Dump

    • volatility -f <memory_dump> --profile=<profile> procdump -p <pid> -D <output_directory>

  • Analyzing Process Malware

    • volatility -f <memory_dump> --profile=<profile> malfind

  • Analyzing Process DLLs

    • volatility -f <memory_dump> --profile=<profile> dlllist

  • Analyzing Process Handles

    • volatility -f <memory_dump> --profile=<profile> handles

  • Analyzing Process Pools

    • voljson -f <memory_dump> --profile=<profile> poolscanner

  • Analyzing Process Vad

    • volatility -f <memory_dump> --profile=<profile> vadinfo

  • Analyzing Process Dump

    • volatility -f <memory_dump> --profile=<profile> procdump -p <pid> -D <output_directory>

  • Analyzing Process Malware

    • volatility -f <memory_dump> --profile=<profile> malfind


volatility --profile=Win7SP1x86_23418 filescan -f file.dmp #Scan for files inside the dump
volatility --profile=Win7SP1x86_23418 dumpfiles -n --dump-dir=/tmp -f file.dmp #Dump all files
volatility --profile=Win7SP1x86_23418 dumpfiles -n --dump-dir=/tmp -Q 0x000000007dcaa620 -f file.dmp

volatility --profile=SomeLinux -f file.dmp linux_enumerate_files
volatility --profile=SomeLinux -f file.dmp linux_find_file -F /path/to/file
volatility --profile=SomeLinux -f file.dmp linux_find_file -i 0xINODENUMBER -O /path/to/dump/file
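The Windows filescan-then-dumpfiles workflow above, as an added Python example (not code from HackTricks or the Volatility project): it parses the Volatility 2 `filescan` table, selects file objects whose path matches a pattern, and emits one `dumpfiles -n -Q <offset>` command per physical offset in the same form the cheatsheet uses. The sample `filescan` output, paths and offsets are constructed.

```python
import re
import shlex

# Constructed sample of Volatility 2 `filescan` output (banner, header, separator,
# then one row per _FILE_OBJECT). Offsets and paths are made up for this example.
SAMPLE_FILESCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000007dcaa620     12      0 R--r-d \\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll
0x000000007dcb1f20      2      1 RW-rw- \\Device\\HarddiskVolume1\\Users\\bob\\AppData\\Local\\Temp\\update.exe
0x000000007dcc0a80      1      0 R--r-- \\Device\\HarddiskVolume1\\Users\\bob\\Documents\\notes.txt
0x000000007dcd3300      3      1 RW-rwd \\Device\\HarddiskVolume1\\Users\\bob\\AppData\\Roaming\\svc.dll
"""

# One filescan row: physical offset, pointer count, handle count, access flags, path.
FILESCAN_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_filescan(text):
    """Return one dict per file-object row; banner, header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILESCAN_ROW.match(line)
        if not m:
            continue
        offset, ptr, hnd, access, name = m.groups()
        entries.append(
            {"offset": offset, "ptr": int(ptr), "hnd": int(hnd), "access": access, "name": name}
        )
    return entries


def select_files(entries, name_pattern, require_write=False):
    """Keep entries whose path matches the regex; optionally only those opened with write access.

    Write access shows up as 'W' in the first three characters of the Access column
    (the granted-access part), e.g. 'RW-rw-'.
    """
    pat = re.compile(name_pattern)
    selected = []
    for e in entries:
        if not pat.search(e["name"]):
            continue
        if require_write and "W" not in e["access"][:3]:
            continue
        selected.append(e)
    return selected


def dumpfiles_commands(entries, dump, profile, outdir):
    """Build one `dumpfiles -n -Q <offset>` command per entry, mirroring the cheatsheet's form.

    dumpfiles takes the *physical* offset from filescan's Offset(P) column; -n keeps the
    original file name so the dumped object can be matched back to its path.
    """
    cmds = []
    for e in entries:
        cmds.append(
            f"volatility --profile={profile} dumpfiles -n --dump-dir={shlex.quote(outdir)} "
            f"-Q {e['offset']} -f {shlex.quote(dump)}"
        )
    return cmds


if __name__ == "__main__":
    # Triage example: dump every file object living under a user's AppData tree.
    found = parse_filescan(SAMPLE_FILESCAN)
    hits = select_files(found, r"\\AppData\\")
    for cmd in dumpfiles_commands(hits, "file.dmp", "Win7SP1x86_23418", "/tmp"):
        print(cmd)
```

Feed it real output with `volatility ... filescan -f file.dmp > filescan.txt` and `parse_filescan(open("filescan.txt").read())`; `-Q` only dumps what is still resident, so some commands will legitimately produce nothing.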

Master File Table

# I couldn't find any plugin to extract this information in volatility3

Volatility Cheat Sheet

Basic Commands

  • Image Identification

    • volatility -f <memory_dump> imageinfo

  • Listing Processes

    • volatility -f <memory_dump> --profile=<profile> pslist

  • Dumping a Process

    • volatility -f <memory_dump> --profile=<profile> procdump -p <pid> -D <output_directory>

  • Listing Network Connections

    • volatility -f <memory_dump> --profile=<profile> connections

  • Dumping Registry Hives

    • volatility -f <memory_dump> --profile=<profile> hivelist

  • Dumping a Registry Hive

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Extracting Files

    • volatility -f <memory_dump> --profile=<profile> filescan --dump-dir=<output_directory>

  • Analyzing DLLs

    • volatility -f <memory_dump> --profile=<profile> dlllist

  • Analyzing Drivers

    • volatility -f <memory_dump> --profile=<profile> drvmap

  • Analyzing Sockets

    • volatility -f <memory_dump> --profile=<profile> sockscan

  • Analyzing Handles

    • volatility -f <memory_dump> --profile=<profile> handles

  • Analyzing Mutants

    • volatility -f <memory_dump> --profile=<profile> mutantscan

  • Analyzing Timers

    • volatility -f <memory_dump> --profile=<profile> timers

  • Analyzing PSScan

    • volatility -f <memory_dump> --profile=<profile> psscan

  • Analyzing LDRModules

    • volatility -f <memory_dump> --profile=<profile> ldrmodules

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing SSDT

    • volatility -f <memory_dump> --profile=<profile> ssdt

  • Analyzing GDT

    • volatility -f <memory_dump> --profile=<profile> gdt

  • Analyzing IDT

    • volatility -f <memory_dump> --profile=<profile> idt

  • Analyzing CSRSS

    • volatility -f <memory_dump> --profile=<profile> csrss

  • Analyzing Print Spooler

    • volatility -f <memory_dump> --profile=<profile> printkey

  • Analyzing User Handles

    • volatility -f <memory_dump> --profile=<profile> userhandles

  • Analyzing User Sessions

    • volatility -f <memory_dump> --profile=<profile> users

  • Analyzing Privileges

    • volatility -f <memory_dump> --profile=<profile> privs

  • Analyzing Driver Modules

    • volatility -f <memory_dump> --profile=<profile> modules

  • Analyzing SSDT Hooks

    • volatility -f <memory_dump> --profile=<profile> ssdt

  • Analyzing IDT Hooks

    • volatility -f <memory_dump> --profile=<profile> idt

  • Analyzing IRP Hooks

    • volatility -f <memory_dump> --profile=<profile> irp

  • Analyzing Hidden Modules

    • volatility -f <memory_dump> --profile=<profile> modscan

  • Analyzing Hidden Processes

    • volatility -f <memory_dump> --profile=<profile> psxview

  • Analyzing Hidden Threads

    • volatility -f <memory_dump> --profile=<profile> threads

  • Analyzing Hidden Handles

    • volatility -f <memory_dump> --profile=<profile> handles

  • Analyzing Hidden Ports

    • volatility -f <memory_dump> --profile=<profile> port

  • Analyzing Hidden Devices

    • volatility -f <memory_dump> --profile=<profile> devicetree

  • Analyzing Hidden Services

    • volatility -f <memory_dump> --profile=<profile> svcscan

  • Analyzing Hidden Timers

    • volatility -f <memory_dump> --profile=<profile> timers

  • Analyzing Hidden Mutants

    • volatility -f <memory_dump> --profile=<profile> mutantscan

  • Analyzing Hidden Notepad

    • volatility -f <memory_dump> --profile=<profile> notepad

  • Analyzing Hidden Registry Keys

    • volatility -f <memory_dump> --profile=<profile> hivelist

  • Analyzing Hidden Registry Values

    • volatility -f <memory_dump> --profile=<profile> printkey

  • Analyzing Hidden Registry Data

    • volatility -f <memory_dump> --profile=<profile> hivedump

  • Analyzing Hidden Registry Handles

    • volatility -f <memory_dump> --profile=<profile> hivelist

  • Analyzing Hidden Registry UserAssist

    • volatility -f <memory_dump> --profile=<profile> userassist

  • Analyzing Hidden Registry ShimCache

    • volatility -f <memory_dump> --profile=<profile> shimcache

  • Analyzing Hidden Registry RecentFileCache

    • volatility -f <memory_dump> --profile=<profile> recentfilecache

  • Analyzing Hidden Registry AppCompatCache

    • volatility -f <memory_dump> --profile=<profile> appcompatcache

  • Analyzing Hidden Registry Amcache

    • volatility -f <memory_dump> --profile=<profile> amcache

  • Analyzing Hidden Registry BAM

    • volatility -f <memory_dump> --profile=<profile> bam

volatility --profile=Win7SP1x86_23418 mftparser -f file.dmp

SSL Keys/Certificates

#vol3 allows to search for certificates inside the registry
./vol.py -f file.dmp windows.registry.certificates.Certificates

Volatility Cheat Sheet

Basic Commands

  • Image Identification

    • volatility -f <memory_dump> imageinfo

  • Listing Processes

    • volatility -f <memory_dump> --profile=<profile> pslist

  • Dumping a Process

    • volatility -f <memory_dump> --profile=<profile> procdump -p <pid> -D <output_directory>

  • Listing Network Connections

    • volatility -f <memory_dump> --profile=<profile> connections

  • Dumping Registry Hives

    • volatility -f <memory_dump> --profile=<profile> hivelist

  • Dumping a Registry Hive

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Extracting Files

    • volatility -f <memory_dump> --profile=<profile> filescan

    • volatility -f <memory_dump> --profile=<profile> dumpfiles -Q <physical_offset> -D <output_directory>

Advanced Commands

  • Detecting Hidden Processes

    • volatility -f <memory_dump> --profile=<profile> psxview

  • Identifying Kernel Modules

    • volatility -f <memory_dump> --profile=<profile> modscan

  • Analyzing Drivers

    • volatility -f <memory_dump> --profile=<profile> driverirp

  • Analyzing SSDT

    • volatility -f <memory_dump> --profile=<profile> ssdt

  • Analyzing IDT

    • volatility -f <memory_dump> --profile=<profile> idt

  • Analyzing GDT

    • volatility -f <memory_dump> --profile=<profile> gdt

  • Analyzing Mutants

    • volatility -f <memory_dump> --profile=<profile> mutantscan

  • Analyzing Timelining

    • volatility -f <memory_dump> --profile=<profile> timeliner

  • Analyzing PSScan

    • volatility -f <memory_dump> --profile=<profile> psscan

  • Analyzing LDRModules

    • volatility -f <memory_dump> --profile=<profile> ldrmodules

  • Analyzing Handles

    • volatility -f <memory_dump> --profile=<profile> handles

  • Analyzing Vad Trees

    • volatility -f <memory_dump> --profile=<profile> vadtree

  • Analyzing DLLs

    • volatility -f <memory_dump> --profile=<profile> dlllist

  • Analyzing Sockets

    • volatility -f <memory_dump> --profile=<profile> sockets

  • Analyzing Privileges

    • volatility -f <memory_dump> --profile=<profile> privs

  • Analyzing Crashes

    • volatility -f <memory_dump> --profile=<profile> crashinfo

  • Analyzing Yara Rules

    • volatility -f <memory_dump> --profile=<profile> yarascan

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing User Handles

    • volatility -f <memory_dump> --profile=<profile> userhandles

  • Analyzing User Sessions

    • volatility -f <memory_dump> --profile=<profile> users

  • Analyzing Registry Handles

    • volatility -f <memory_dump> --profile=<profile> hivelist

  • Analyzing Registry Values

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Keys

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Data

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Lists

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Timelining

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Usage

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Binaries

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Values

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Data

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Lists

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Timelining

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Usage

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Binaries

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>


  • Analyzing Registry Key Data

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Lists

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Timelining

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Usage

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Binaries

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Values

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Data

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Lists

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Timelining

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Usage

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Binaries

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Values

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Data

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Lists

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Timelining

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Analyzing Registry Key Usage

    • `volatility -

#vol2 allows you to search for and dump certificates from memory
#Interesting options for this module are: --pid, --name, --ssl
volatility --profile=Win7SP1x86_23418 dumpcerts --dump-dir=. -f file.dmp

Malware

./vol.py -f file.dmp windows.malfind.Malfind [--dump] #Find hidden and injected code, [dump each suspicious section]
#Malfind will search for suspicious structures related to malware
./vol.py -f file.dmp windows.driverirp.DriverIrp #Driver IRP hook detection
./vol.py -f file.dmp windows.ssdt.SSDT #Check system call address from unexpected addresses

./vol.py -f file.dmp linux.check_afinfo.Check_afinfo #Verifies the operation function pointers of network protocols
./vol.py -f file.dmp linux.check_creds.Check_creds #Checks if any processes are sharing credential structures
./vol.py -f file.dmp linux.check_idt.Check_idt #Checks if the IDT has been altered
./vol.py -f file.dmp linux.check_syscall.Check_syscall #Check system call table for hooks
./vol.py -f file.dmp linux.check_modules.Check_modules #Compares module list to sysfs info, if available
./vol.py -f file.dmp linux.tty_check.tty_check #Checks tty devices for hooks

volatility --profile=Win7SP1x86_23418 -f file.dmp malfind [-D /tmp] #Find hidden and injected code [dump each suspicious section]
volatility --profile=Win7SP1x86_23418 -f file.dmp apihooks #Detect API hooks in process and kernel memory
volatility --profile=Win7SP1x86_23418 -f file.dmp driverirp #Driver IRP hook detection
volatility --profile=Win7SP1x86_23418 -f file.dmp ssdt #Check system call address from unexpected addresses

volatility --profile=SomeLinux -f file.dmp linux_check_afinfo
volatility --profile=SomeLinux -f file.dmp linux_check_creds
volatility --profile=SomeLinux -f file.dmp linux_check_fop
volatility --profile=SomeLinux -f file.dmp linux_check_idt
volatility --profile=SomeLinux -f file.dmp linux_check_syscall
volatility --profile=SomeLinux -f file.dmp linux_check_modules
volatility --profile=SomeLinux -f file.dmp linux_check_tty
volatility --profile=SomeLinux -f file.dmp linux_keyboard_notifiers #Keyloggers
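An added triage example (not code from HackTricks or from Volatility) that post-processes vol2 malfind text output instead of reading every region by hand: it keeps private executable regions and flags those whose first bytes are an MZ header, i.e. a PE image living outside any loaded module. The sample output is constructed to mirror the plugin's Process / Vad Tag / Flags / hexdump layout.

```python
import re

# Constructed sample of Volatility 2 `malfind` text output (not from a real
# dump): header lines, blank line, hexdump rows, blank line, disassembly rows,
# then a blank line before the next region.
SAMPLE_MALFIND = """\
Process: explorer.exe Pid: 1860 Address: 0x15d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x015d0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x015d0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x015d0000 4d               DEC EBP
0x015d0001 5a               POP EDX

Process: svchost.exe Pid: 1092 Address: 0x2a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x002a0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x002a0000 0000             ADD [EAX], AL

Process: lsass.exe Pid: 600 Address: 0x3f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x003f0000  e8 00 00 00 00 58 83 e8 05 00 00 00 00 00 00 00   .....X..........

0x003f0000 e800000000       CALL 0x3f0005
"""

HEADER_RE = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")
VAD_RE = re.compile(r"^Vad Tag:\s+(\S+)\s+Protection:\s+(\S+)")
# Hexdump rows have TWO spaces after the address and space-separated byte
# pairs; disassembly rows have one space and packed bytes, so they don't match.
HEX_ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s{2}((?:[0-9a-fA-F]{2}\s)+)")


def parse_malfind(text):
    """Split malfind output into regions with process, pid, base address,
    protection string, PrivateMemory flag and the raw bytes of the hexdump."""
    regions, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"process": m.group(1), "pid": int(m.group(2)),
                   "address": int(m.group(3), 16), "protection": "",
                   "private": False, "bytes": bytearray()}
            regions.append(cur)
            continue
        if cur is None:
            continue
        m = VAD_RE.match(line)
        if m:
            cur["protection"] = m.group(2)
            continue
        if line.startswith("Flags:"):
            cur["private"] = "PrivateMemory: 1" in line
            continue
        m = HEX_ROW_RE.match(line)
        if m:
            cur["bytes"] += bytes.fromhex("".join(m.group(1).split()))
    return regions


def classify(region):
    """pe_header: a full PE image was written into private memory (classic
    injection). empty: committed but still zero-filled, usually benign.
    code_or_data: anything else, worth a look but not self-evident."""
    data = region["bytes"]
    if bytes(data[:2]) == b"MZ":
        return "pe_header"
    if data and not any(data):
        return "empty"
    return "code_or_data"


def triage(text):
    """Annotate each region with a verdict and a 'suspicious' bit: private,
    executable and not zero-filled is the combination malfind is built to find."""
    out = []
    for r in parse_malfind(text):
        r["verdict"] = classify(r)
        r["suspicious"] = ("EXECUTE" in r["protection"] and r["private"]
                           and r["verdict"] != "empty")
        out.append(r)
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_MALFIND):
        flag = "!!" if r["suspicious"] else "  "
        print(f'{flag} {r["process"]:<14} pid {r["pid"]:<6} '
              f'{r["address"]:#010x} {r["protection"]:<24} {r["verdict"]}')
```

Regions classified pe_header are the first candidates for `malfind -D` and a look at the dumped section's imports.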

Scanning with yara

wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
#Only Windows
./vol.py -f file.dmp windows.vadyarascan.VadYaraScan --yara-file /tmp/malware_rules.yar
#All
./vol.py -f file.dmp yarascan.YaraScan --yara-file /tmp/malware_rules.yar

wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
volatility --profile=Win7SP1x86_23418 yarascan -y malware_rules.yar -f ch2.dmp | grep "Rule:" | grep -v "Str_Win32" | sort | uniq
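The filter pipeline in the vol2 command above (grep "Rule:" | grep -v "Str_Win32" | sort | uniq) reproduced and extended in Python as an added example (not HackTricks' or Volatility's code): it parses yarascan text output, drops the generic Str_Win32 string rules, and also attributes the remaining hits to the owning process, which the grep pipeline throws away. The output sample is constructed to follow vol2's Rule / Owner / hexdump layout.

```python
import re
from collections import defaultdict

# Constructed sample of Volatility 2 `yarascan` text output (not from a real
# dump). Each hit is a "Rule:" line, an "Owner:" line, then hexdump rows.
SAMPLE_YARASCAN = """\
Rule: Str_Win32_Winsock2_Library
Owner: Process explorer.exe Pid 1860
0x01a7a2bd  57 53 32 5f 33 32 2e 64 6c 6c 00 00 00 00 00 00   WS2_32.dll......
Rule: Str_Win32_Wininet_Library
Owner: Process explorer.exe Pid 1860
0x01a7a30f  57 49 4e 49 4e 45 54 2e 64 6c 6c 00 00 00 00 00   WININET.dll.....
Rule: Suspicious_Packer_Section
Owner: Process svchost.exe Pid 1092
0x00401000  55 50 58 30 00 00 00 00 00 10 00 00 00 10 00 00   UPX0............
Rule: Suspicious_Packer_Section
Owner: Process svchost.exe Pid 1092
0x00402000  55 50 58 31 00 00 00 00 00 20 00 00 00 20 00 00   UPX1............
Rule: Cerber_Ransomware
Owner: Process svchost.exe Pid 1092
0x00403000  43 65 72 62 65 72 00 00 00 00 00 00 00 00 00 00   Cerber..........
Rule: Str_Win32_Internet_API
Owner: (Unknown Kernel Memory)
0x8a6f1000  49 6e 74 65 72 6e 65 74 4f 70 65 6e 41 00 00 00   InternetOpenA...
"""

RULE_RE = re.compile(r"^Rule:\s+(\S+)")
OWNER_RE = re.compile(r"^Owner:\s+Process\s+(\S+)\s+Pid\s+(\d+)")
# Rules in the gist-generated rule set that only match generic Win32 API
# strings and fire on almost every process; the page drops them with grep -v.
NOISE_PREFIXES = ("Str_Win32",)


def parse_yarascan(text):
    """Return one (rule, owner, pid) tuple per hit.

    Kernel-memory hits have no process, so owner is '<kernel>' and pid None.
    Hexdump rows are skipped; the Rule/Owner pair alone identifies a hit.
    """
    hits, rule = [], None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rule = m.group(1)
            continue
        if rule is not None and line.startswith("Owner:"):
            m = OWNER_RE.match(line)
            if m:
                hits.append((rule, m.group(1), int(m.group(2))))
            else:
                hits.append((rule, "<kernel>", None))
            rule = None
    return hits


def unique_rules(hits, noise=NOISE_PREFIXES):
    """Sorted, de-duplicated rule names minus noise rules: the equivalent of
    the page's grep "Rule:" | grep -v "Str_Win32" | sort | uniq."""
    return sorted({r for r, _, _ in hits if not r.startswith(noise)})


def hits_per_process(hits, noise=NOISE_PREFIXES):
    """Map (owner, pid) -> {rule: match_count}, dropping noise rules, so the
    analyst sees which process accumulates the meaningful hits."""
    table = defaultdict(lambda: defaultdict(int))
    for rule, owner, pid in hits:
        if rule.startswith(noise):
            continue
        table[(owner, pid)][rule] += 1
    return {k: dict(v) for k, v in table.items()}


if __name__ == "__main__":
    parsed = parse_yarascan(SAMPLE_YARASCAN)
    print("rules:", unique_rules(parsed))
    for (owner, pid), rules in hits_per_process(parsed).items():
        print(f"{owner} (pid {pid}): {rules}")
```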

Other

External plugins

If you want to use external plugins, make sure the folder containing the plugins is passed as the first argument.

./vol.py --plugin-dirs "/tmp/plugins/" [...]

volatility --plugins="/tmp/plugins/" [...]

Autoruns

volatility --plugins=volatility-autoruns/ --profile=WinXPSP2x86 -f file.dmp autoruns

Mutexes

./vol.py -f file.dmp windows.mutantscan.MutantScan

volatility --profile=Win7SP1x86_23418 mutantscan -f file.dmp
volatility --profile=Win7SP1x86_23418 -f file.dmp handles -p <PID> -t mutant

Symlinks

./vol.py -f file.dmp windows.symlinkscan.SymlinkScan

Volatility Cheat Sheet

Basic Commands

  • Image Identification

    • volatility -f <memory_dump> imageinfo

  • Listing Processes

    • volatility -f <memory_dump> --profile=<profile> pslist

  • Dumping a Process

    • voljson -f <memory_dump> --profile=<profile> procdump -p <pid> -D <output_directory>

  • Listing Network Connections

    • volatility -f <memory_dump> --profile=<profile> connections

  • Dumping Registry Hives

    • volatility -f <memory_dump> --profile=<profile> hivelist

  • Dumping a Registry Hive json

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Extracting Files

    • volatility -f <memory_dump> --profile=<profile> filescan | grep -i <file_extension>

  • Dumping LSA Secrets

    • volatility -f <memory_dump> --profile=<profile> lsadump

  • Dumping SAM

    • volatility -f <memory_dump> --profile=<profile> hashdump

  • Dumping Cached Credentials

    • volatility -f <memory_dump> --profile=<profile> cachedump

  • Analyzing ShimCache

    • volatility -f <memory_dump> --profile=<profile> shimcache

  • Analyzing Shellbags

    • volatility -f <memory_dump> --profile=<profile> shellbags

  • Analyzing UserAssist

    • volatility -f <memory_dump> --profile=<profile> userassist

  • Analyzing MFT

    • volatility -f <memory_dump> --profile=<profile> mftparser

  • Analyzing PSScan

    • volatility -f <memory_dump> --profile=<profile> psscan

  • Analyzing Malware

    • volatility -f <memory_dump> --profile=<profile> malsysproc

  • Analyzing Drivers

    • volatility -f <memory_dump> --profile=<profile> driverscan

  • Analyzing Mutants

    • volatility -f <memory_dump> --profile=<profile> mutantscan

  • Analyzing Handles

    • volatility -f <memory_dump> --profile=<profile> handles

  • Analyzing DLLs

    • volatility -f <memory_dump> --profile=<profile> dlllist

  • Analyzing Sockets

    • volatility -f <memory_dump> --profile=<profile> sockets

  • Analyzing Services

    • volatility -f <memory_dump> --profile=<profile> svcscan

  • Analyzing Timeliner

    • volatility -f <memory_dump> --profile=<profile> timeliner

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing GDT

    • volatility -f <memory_dump> --profile=<profile> gdt

  • Analyizing SSDT

    • volatility -f <memory_dump> --profile=<profile> ssdt

  • Analyzing IDT

    • volatility -f <memory_dump> --profile=<profile> idt

  • Analyzing CSRSS

    • volatility -f <memory_dump> --profile=<profile> csrss

  • Analyzing Malware

    • volatility -f <memory_dump> --profile=<profile> malfind

  • Analyzing Yara Rules

    • volatility -f <memory_dump> --profile=<profile> yarascan

  • Analyzing API Audit

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing Callbacks

    • volatility -f <memory_dump> --profile=<profile> callbacks

  • Analyzing SSDT Hooks

    • volatility -f <memory_dump> --profile=<profile> ssdt

  • Analyzing IRP Hooks

    • volatility -f <memory_dump> --profile=<profile> irp

  • Analyizing Scanning Modules

    • volatility -f <memory_dump> --profile=<profile> modscan

  • Analyzing Kernel Modules

    • volvolatility -f <memory_dump> --profile=<profile> moddump -D <output_directory>

  • Analyzing Kernel Drivers

    • volatility -f <memory_dump> --profile=<profile> kdbgscan


volatility --profile=Win7SP1x86_23418 -f file.dmp symlinkscan

Bash

Bash history can be read from memory. You could also dump the .bash_history file, but if history was disabled you will be glad you can use this volatility module.

./vol.py -f file.dmp linux.bash.Bash

volatility --profile=Win7SP1x86_23418 -f file.dmp linux_bash
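The point of the module above is that memory keeps commands the on-disk .bash_history never received. The following is an added example, not part of the original page or of the Volatility project: it parses constructed `linux.bash.Bash` output, diffs it against a constructed .bash_history, and flags history-disabling commands. The column layout (PID, Process, CommandTime, Command) and all sample lines are assumptions made for this example.

```python
"""Diff bash history recovered from memory against the on-disk file.

Added example (not the page's or Volatility's own code). Assumes the
table layout printed by volatility3 `linux.bash.Bash`: PID, Process,
CommandTime, Command. Every sample line below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample of `./vol.py -f file.dmp linux.bash.Bash` output.
VOL3_BASH_OUTPUT = """\
Volatility 3 Framework 2.5.0

PID\tProcess\tCommandTime\tCommand

1337\tbash\t2024-05-01 10:02:11.000000 \tls -la /opt
1337\tbash\t2024-05-01 10:02:40.000000 \tunset HISTFILE
1337\tbash\t2024-05-01 10:03:05.000000 \ttar czf /tmp/.d.tgz /home/alice/Documents
1337\tbash\t2024-05-01 10:03:20.000000 \tchmod 600 /tmp/.d.tgz
2048\tbash\t2024-05-01 09:55:02.000000 \tsudo systemctl status sshd
"""

# Constructed ~/.bash_history from the same host: nothing was written
# after HISTFILE was unset, so the later commands never reached disk.
DISK_BASH_HISTORY = """\
sudo systemctl status sshd
ls -la /opt
"""


@dataclass(frozen=True)
class BashEntry:
    pid: int
    process: str
    when: str      # "YYYY-MM-DD HH:MM:SS", fractional seconds dropped
    command: str


# One data row: pid, process name, timestamp (optional fraction), command.
_ROW_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s+(.*?)\s*$"
)


def parse_vol3_bash(text):
    """Return BashEntry objects for every data row; banner/header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            entries.append(BashEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def parse_disk_history(text):
    """Commands from a .bash_history file; '#<epoch>' lines (HISTTIMEFORMAT) are skipped."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def memory_only_commands(mem_entries, disk_commands):
    """Commands seen in memory but absent from the on-disk history, oldest first."""
    on_disk = set(disk_commands)
    missing = [e for e in mem_entries if e.command not in on_disk]
    return sorted(missing, key=lambda e: (e.when, e.pid))


# Shell idioms that stop or wipe history; their presence in memory but not
# on disk is exactly the situation the page's module is meant to cover.
HISTORY_TAMPERING = (
    re.compile(r"\bunset\s+HISTFILE\b"),
    re.compile(r"\bHISTFILE=/dev/null\b"),
    re.compile(r"\bHISTSIZE=0\b"),
    re.compile(r"\bhistory\s+-c\b"),
    re.compile(r"\bset\s+\+o\s+history\b"),
)


def history_tampering(mem_entries):
    """Entries whose command matches a history-disabling idiom."""
    return [e for e in mem_entries if any(p.search(e.command) for p in HISTORY_TAMPERING)]


if __name__ == "__main__":
    mem = parse_vol3_bash(VOL3_BASH_OUTPUT)
    disk = parse_disk_history(DISK_BASH_HISTORY)
    for e in memory_only_commands(mem, disk):
        print(f"[memory only] {e.when} pid={e.pid} {e.command}")
    for e in history_tampering(mem):
        print(f"[history tampering] {e.when} pid={e.pid} {e.command}")
```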

Timeline

./vol.py -f file.dmp timeLiner.TimeLiner

volatility --profile=Win7SP1x86_23418 -f file.dmp timeliner

Drivers

./vol.py -f file.dmp windows.driverscan.DriverScan

Volatility Cheat Sheet

Basic Commands

  • Image Identification

    • volatility -f <memory_dump> imageinfo

  • Listing Processes

    • volatility -f <memory_dump> --profile=<profile> pslist

  • Dumping a Process

    • volatility -f <memory_dump> --profile=<profile> memdump -p <pid> -D <output_directory>

  • Listing Network Connections

    • volatility -f <memory_dump> --profile=<profile> connections

  • Dumping a File

    • volvality -f <memory_dump> --profile=<profile> dumpfiles -Q <address_range> -D <output_directory>

Advanced Commands

  • Detecting Hidden Processes

    • volatility -f <memory_dump> --profile=<profile> psxview

  • Analyzing Registry

    • volatility -f <memory_dump> --profile=<profile> printkey -K <key>

  • Extracting Registry Hives

    • volatility -f <memory_dump> --profile=<profile> hivelist

    • volatility -f <memory_dump> --profile=<profile> printkey -o <offset>

  • Identifying Sockets

    • volatility -f <memory_dump> --profile=<profile> sockscan

  • Analyzing Kernel Modules

    • voljsonity -f <memory_dump> --profile=<profile> modscan

  • Analyzing Drivers

    • volatility -f <memory_dump> --profile=<profile> driverscan

  • Analyzing SSDT

    • volatility -f <memory_dump> --profile=<profile> ssdt

  • Analyzing Mutants

    • volatility -f <memory_dump> --profile=<profile> mutantscan

  • Analyzing Timeliner

    • volatility -f <memory_dump> --profile=<profile> timeliner

  • Analyzing PSScan

    • volatility -f <memory_dump> --profile=<profile> psscan

  • Analyzing Yara Rules

    • volatility -f <memory_dump> --profile=<profile> yarascan

  • Analyzing API Hooks

    • volatility -f <memory_dump> --profile=<profile> apihooks

  • Analyzing GDT

    • volatility -f <memory_dump> --profile=<profile> gdt

  • Analyzing IDT

    • volatility -f <memory_dump> --profile=<profile> idt

  • Analyzing SSDT

    • volatility -f <memory_dump> --profile=<profile> ssdt

  • Analyzing CSRSS

    • volatility -f <memory_dump> --profile=<profile> csrss

  • Analyzing LDR Modules

    • volatility -f <memory_dump> --profile=<profile> ldrmodules

  • Analyzing Handles

    • volatility -f <memory_dump> --profile=<profile> handles

  • Analyzing Vad Trees

    • volatility -f <memory_dump> --profile=<profile> vaddump

  • Analyzing User Handles

    • volatility -f <memory_dump> --profile=<profile> userhandles

  • Analyzing Privileges

    • volatility -f <memory_dump> --profile=<profile> privs

  • Analyzing DLLs

    • volatility -f <memory_dump> --profile=<profile> dlllist

  • Analyizing Threads

    • volatility -f <memory_dump> --profile=<profile> threads

  • Analyzing GDI Tables

    • volatility -f <memory_dump> --profile=<profile> gditimers

  • Analyzing GDI Objects

    • volatility -f <memory_dump> --profile=<profile> gdiobjects

  • Analyzing Atom Tables

    • volatility -f <memory_dump> --profile=<profile> atomscan

  • Analyzing Desktops

    • volatility -f <memory_dump> --profile=<profile> desktops

  • Analyzing Windows Stations

    • volatility -f <memory_dump> --profile=<profile> windows

  • Analyzing Services

    • volatility -f <memory_dump> --profile=<profile> svcscan

  • Analyzing Netscan

    • volatility -f <memory_dump> --profile=<profile> netscan

  • Analyzing Connections

    • volatility -f <memory_dump> --profile=<profile> connscan

  • Analyzing Malfind

    • volatility -f <memory_dump> --profile=<profile> malfind

  • Analyzing Malware

    • volatility -f <memory_dump> --profile=<profile> malprocfind

  • Analyzing Malware Config

    • volatility -f <memory_dump> --profile=<profile> malfind

  • Analyzing Malware Yara

    • volatility -f <memory_dump> --profile=<profile> yarascan

  • Analyzing Malware Strings

    • volatility -f <memory_dump> --profile=<profile> strings

  • Analyzing Malware MZ

    • volatility -f <memory_dump> --profile=<profile> malfind

volatility --profile=Win7SP1x86_23418 -f file.dmp driverscan

Get the clipboard

#Just vol2
volatility --profile=Win7SP1x86_23418 clipboard -f file.dmp

Get IE browsing history

#Just vol2
volatility --profile=Win7SP1x86_23418 iehistory -f file.dmp

Get Notepad text

#Just vol2
volatility --profile=Win7SP1x86_23418 notepad -f file.dmp

Screenshot

#Just vol2
volatility --profile=Win7SP1x86_23418 screenshot -f file.dmp

Master Boot Record (MBR)

volatility --profile=Win7SP1x86_23418 mbrparser -f file.dmp

References

RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.

If you want to run several Volatility plugins at once, quickly and in bulk, you can use autoVolatility: https://github.com/carlospolop/autoVolatility

Consult the official documentation in the Volatility command reference.

Source: http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/

You can download Linux and Mac profiles from https://github.com/volatilityfoundation/profiles

kdbgscan: in contrast to imageinfo, which only offers profile suggestions, kdbgscan is designed to positively identify the correct profile and the correct KDBG address (if there happen to be several). The plugin scans for the KDBGHeader signatures linked to Volatility profiles and applies sanity checks to reduce false positives. How verbose the output is and how many sanity checks can be performed depends on whether Volatility can find a DTB, so if you already know the correct profile (or have a profile suggestion from imageinfo), make sure you pass it with --profile.

Extract SAM hashes, domain cached credentials and LSA secrets.


Refer to the official Volatility Plugin Development Guide.


The NTFS file system uses a critical component known as the _Master File Table_ (MFT). This table includes at least one entry for every file on a volume, covering the MFT itself as well. Vital details about each file, such as size, timestamps, permissions and the actual data, are encapsulated within the MFT entries or in areas external to the MFT but referenced by these entries. More details can be found in the official documentation: https://learn.microsoft.com/en-us/windows/win32/fileio/master-file-table
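As an added example (written for this page; not HackTricks code and not part of Volatility), here is a parser for a single 1 KiB MFT FILE record that shows where the details above actually live: the record header, the update-sequence fixups that have to be undone before anything near a sector boundary is trusted, the four $STANDARD_INFORMATION timestamps, and the logical size taken from the unnamed $DATA attribute (resident or not). The record it parses is constructed by `build_sample_record`, not carved from a real volume, and every function name here is ours.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024                  # typical MFT record size
SECTOR = 512
ATTR_STANDARD_INFORMATION = 0x10
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def apply_fixups(rec: bytearray) -> None:
    """Undo update-sequence protection: NTFS stamps the USN into the last 2 bytes of every
    sector of the record and keeps the original bytes in the update sequence array (USA)."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]


def fixups_valid(raw: bytes) -> bool:
    try:
        apply_fixups(bytearray(raw))
        return True
    except ValueError:
        return False


def parse_mft_record(raw: bytes) -> dict:
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record (BAAD or never used)")
    rec = bytearray(raw)
    apply_fixups(rec)
    seq, links, attr_off, flags, used, _alloc = struct.unpack_from("<HHHHII", rec, 0x10)
    record_no = struct.unpack_from("<I", rec, 0x2C)[0]
    info = {"record": record_no, "seq": seq, "links": links, "in_use": bool(flags & 0x01),
            "is_dir": bool(flags & 0x02), "attrs": [], "size": None}
    off = attr_off
    while off + 8 <= used:                       # walk the attribute list inside the record
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        nonresident, name_len = rec[off + 8], rec[off + 9]
        info["attrs"].append(atype)
        if atype == ATTR_STANDARD_INFORMATION and not nonresident:
            _clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            c, m, mm, a = struct.unpack_from("<QQQQ", rec, off + coff)
            info.update(created=filetime_to_datetime(c), modified=filetime_to_datetime(m),
                        mft_modified=filetime_to_datetime(mm), accessed=filetime_to_datetime(a))
        elif atype == ATTR_DATA and name_len == 0:   # unnamed $DATA = the file's content
            if nonresident:                           # real size lives in the non-resident header
                info["size"] = struct.unpack_from("<Q", rec, off + 0x30)[0]
            else:                                     # resident: content length in the header
                info["size"] = struct.unpack_from("<I", rec, off + 0x10)[0]
        off += alen
    return info


def build_sample_record() -> bytes:
    """Constructed 1 KiB record (not from a real volume): in-use file #42 with a resident
    $STANDARD_INFORMATION and a non-resident unnamed $DATA of 3000 bytes."""
    rec = bytearray(RECORD_SIZE)
    usn = b"\x34\x12"
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)                 # USA at 0x30: USN + 2 sector slots
    struct.pack_into("<HHHHII", rec, 0x10, 5, 1, 0x38, 0x01, 0xD0, RECORD_SIZE)
    struct.pack_into("<I", rec, 0x2C, 42)
    rec[0x30:0x32] = usn                                      # saved sector bytes stay zero
    # $STANDARD_INFORMATION: resident header (0x18) + 48-byte body starting at 0x50
    struct.pack_into("<IIBBHHHIHBB", rec, 0x38, ATTR_STANDARD_INFORMATION, 0x48,
                     0, 0, 0x18, 0, 0, 0x30, 0x18, 0, 0)
    times = [datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc),
             datetime(2024, 3, 1, 8, 30, tzinfo=timezone.utc),
             datetime(2024, 3, 1, 8, 30, tzinfo=timezone.utc),
             datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)]
    struct.pack_into("<QQQQ", rec, 0x50, *(datetime_to_filetime(t) for t in times))
    # $DATA: non-resident header (0x40) + one data run, alloc 4096 / real 3000 / init 3000
    struct.pack_into("<IIBBHHHQQHHIQQQ", rec, 0x80, ATTR_DATA, 0x48, 1, 0, 0x40, 0, 1,
                     0, 0, 0x40, 0, 0, 4096, 3000, 3000)
    rec[0xC0:0xC4] = b"\x11\x01\x20\x00"                      # run: 1 cluster at LCN 0x20
    struct.pack_into("<I", rec, 0xC8, ATTR_END)
    rec[510:512] = usn                                        # writer stamps USN into sector tails
    rec[1022:1024] = usn
    return bytes(rec)
```

The timestamps parsed here come from $STANDARD_INFORMATION, which is exactly the set that SetFileTime and timestomping tools can rewrite; the $FILE_NAME attribute (0x30) carries a second set that is far harder to alter from user mode, so compare both when a timeline looks too clean. A fixup mismatch means the record was torn mid-write or the bytes are not really a record; do not trust fields from such a record.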

Use this script to download and merge all the yara malware rules from github: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9 Create the rules directory and execute the script. This will create a file called malware_rules.yar which contains all the yara rules for malware.
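The merge step is the part that usually breaks: two repositories that both define a rule with the same identifier make yara refuse to compile the combined file, and `include` lines point at files that no longer sit next to the merged one. The helper below is an added example for this page, not the gist's script and not HackTricks code; it works on (filename, text) pairs you have already downloaded, so the sample rules are constructed inline and the names `merge_yara_sources` and `rule_names` are ours.

```python
import re
from typing import Dict, Iterable, List, Tuple

# A rule declaration at line start: optional private/global modifiers, 'rule', identifier.
RULE_DECL = re.compile(
    r"^(?P<mods>(?:[ \t]*(?:private|global))*)[ \t]*rule[ \t]+(?P<name>[A-Za-z_][A-Za-z0-9_]*)",
    re.M)
# include directives are meaningless once everything is in one file
INCLUDE = re.compile(r'^[ \t]*include[ \t]+"[^"]*"[ \t]*\n?', re.M)


def merge_yara_sources(sources: Iterable[Tuple[str, str]]) -> Tuple[str, Dict[str, str]]:
    """Concatenate rule files; rename duplicate rule identifiers (yara rejects them)
    and strip include directives. Returns (merged_text, {"file:old_name": new_name})."""
    seen: Dict[str, str] = {}      # rule name -> file that defined it first
    renamed: Dict[str, str] = {}
    chunks: List[str] = []
    for fname, text in sources:
        text = INCLUDE.sub("", text)
        stem = re.sub(r"\W", "_", fname.rsplit(".", 1)[0])

        def fix(m, fname=fname, stem=stem):
            name = m.group("name")
            if name not in seen:
                seen[name] = fname
                return m.group(0)
            # collision: suffix with the source file stem, then a counter if still taken
            new, n = f"{name}__{stem}", 2
            while new in seen:
                new, n = f"{name}__{stem}_{n}", n + 1
            seen[new] = fname
            renamed[f"{fname}:{name}"] = new
            return m.group(0)[: m.start("name") - m.start()] + new

        chunks.append(f"// ---- {fname} ----\n{RULE_DECL.sub(fix, text)}")
    return "\n".join(chunks), renamed


def rule_names(text: str) -> List[str]:
    return [m.group("name") for m in RULE_DECL.finditer(text)]


SAMPLE_SOURCES = [  # constructed for this example; not real detection rules
    ("apt_one.yar",
     'include "common.yar"\nrule Suspicious_PE {\n  strings: $mz = "MZ"\n  condition: $mz at 0\n}\n'),
    ("apt_two.yar",
     'private rule Helper { condition: true }\n'
     'rule Suspicious_PE { condition: Helper and filesize < 1MB }\n'),
]

if __name__ == "__main__":
    merged, renamed = merge_yara_sources(SAMPLE_SOURCES)
    print(merged)
    print("renamed:", renamed)
```

The renames are returned so you can review them: a renamed rule that another rule references by name in its `condition` still needs a manual fix, and the regex does not understand comments, so a commented-out `rule` line is treated as real. Write the merged text to malware_rules.yar and hand it to `yarascan -y malware_rules.yar` (vol2), which is the step the script is preparing for.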

Develop custom plugins: Volatility Plugin Development

Official Volatility Documentation: Volatility Documentation

Memory Forensics Cheat Sheet: Memory Forensics Cheat Sheet

Download from:

The Master Boot Record (MBR) plays a crucial role in managing the logical partitions of a storage medium, which are structured with different file systems. It not only holds the partition layout information but also contains executable code that acts as a boot loader. This boot loader either directly initiates the OS's second-stage loading process (see second-stage boot loader) or works in harmony with the volume boot record (VBR) of each partition. For in-depth knowledge, refer to the MBR Wikipedia page.
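The layout described above can be checked directly on the 512 bytes that mbrparser (or a dump of sector 0) hands back. The following parser is an added example written for this page, not HackTricks code and not part of Volatility; the sample MBRs it parses are constructed by the `build_mbr` helper, and all function names (`parse_mbr`, `find_overlaps`, `is_gpt_protective`) are ours. It goes slightly beyond the paragraph by flagging two things an analyst looks for: a 0xEE protective entry (the real layout is in the GPT, not here) and partition entries that overlap each other.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445: bootstrap (boot loader) code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510        # 0x55 0xAA closes a valid MBR
PART_TYPES = {0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x0F: "extended LBA", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def type_name(self) -> str:
        return PART_TYPES.get(self.type_id, f"unknown(0x{self.type_id:02x})")

    @property
    def size_mib(self) -> float:
        return self.sector_count * SECTOR / (1024 * 1024)


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) >= SECTOR and sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA"


def parse_mbr(sector: bytes) -> Tuple[bytes, List[PartitionEntry]]:
    """Split an MBR into its boot code and the populated partition entries."""
    if not has_boot_signature(sector):
        raise ValueError("no 0x55AA signature: not an MBR (or a wiped one)")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS first (3 bytes), type, CHS last (3 bytes), LBA start, sector count
        status, _chs_first, ptype, _chs_last, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype == 0 and count == 0:          # empty slot
            continue
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return bytes(sector[:BOOT_CODE_LEN]), entries


def is_gpt_protective(entries: List[PartitionEntry]) -> bool:
    """UEFI/GPT disks carry one 0xEE entry covering the disk; the real layout is in the GPT."""
    return any(e.type_id == 0xEE for e in entries)


def boot_code_is_blank(boot_code: bytes) -> bool:
    return not any(boot_code)


def find_overlaps(entries: List[PartitionEntry]) -> List[Tuple[int, int]]:
    """Primary entries must never overlap; overlapping ranges hide data or a tampered table."""
    spans = [(e.lba_start, e.lba_start + e.sector_count, e.index) for e in entries]
    overlaps = []
    for a in range(len(spans)):
        for b in range(a + 1, len(spans)):
            s1, e1, i1 = spans[a]
            s2, e2, i2 = spans[b]
            if s1 < e2 and s2 < e1:
                overlaps.append((i1, i2))
    return overlaps


def build_mbr(parts, boot_code: bytes = b"\xEB\xFE") -> bytes:
    """Constructed sample, not a real disk: a boot code stub plus (bootable, type, lba, count) entries."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(parts):
        struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if bootable else 0x00, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", lba, count)
    mbr[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(mbr)


SAMPLE_MBR = build_mbr([(True, 0x07, 2048, 204800), (False, 0x83, 206848, 409600)])
PROTECTIVE_MBR = build_mbr([(False, 0xEE, 1, 0xFFFFFFFF)], boot_code=bytes(BOOT_CODE_LEN))
```

Overlapping entries, a bootable flag on an unexpected slot, or non-blank boot code on a disk that is supposed to boot via UEFI only are the findings worth diffing against a known-good MBR; the boot code itself is what you then disassemble, which is what mbrparser is for.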


https://github.com/carlospolop/autoVolatility
http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/
https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip
https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip
https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip
https://github.com/volatilityfoundation/profiles
https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9
https://github.com/tomchop/volatility-autoruns
https://github.com/volatilityfoundation/volatility/wiki/Plugins
https://github.com/superponible/volatility_plugins
https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
https://andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/
https://scudette.blogspot.com/2012/11/finding-kernel-debugger-block.html
https://or10nlabs.tech/cgi-sys/suspendedpage.cgi
https://www.aldeid.com/wiki/Windows-userassist-keys
https://learn.microsoft.com/en-us/windows/win32/fileio/master-file-table
https://answers.microsoft.com/en-us/windows/forum/all/uefi-based-pc-protective-mbr-what-is-it/0fc7b558-d8d4-4a7d-bae2-395455bb19aa