
Volatility2

Display memory image metadata

vol.py -f mem.img imageinfo

Find API/DLL function hooks

vol.py apihooks 

Map ASEPs to running processes

vol.py autoruns -v 

Scan for COMMAND_HISTORY buffers

vol.py cmdscan 

Scan for CONSOLE_INFORMATION output

vol.py consoles 

Extract DLLs from specific processes

vol.py dlldump --dump-dir ./output -r <dll>

List of loaded dlls by process by PID

vol.py dlllist -p ###

Identify I/O Request Packet (IRP) hooks

vol.py driverirp -r tcpip

Extract FILE_OBJECTs from memory

vol.py dumpfiles -n -i -r \\.exe --dump-dir=./

Extract all available registry hives

vol.py dumpregistry --dump-dir ./output

Scan memory for FILE_OBJECT handles

vol.py filescan 

Print process security identifiers by PID

vol.py getsids -p ###

Dump user NTLM and LanMan hashes

vol.py hashdump

Print all keys and subkeys in a hive (-o is the virtual offset of the registry hive to dump, as listed by hivelist)

vol.py hivedump -o 0xe1a14b60

Find and list available registry hives

vol.py hivelist 

Detect process hollowing techniques

vol.py hollowfind -D ./output_dir

Display Interrupt Descriptor Table

vol.py idt 

Convert an alternate memory source (hibernation file) to raw

vol.py imagecopy -f hiberfil.sys -O hiber.raw --profile=Win7SP1x64 

Convert an alternate memory source (crash dump) to raw

vol.py imagecopy -f MEMORY.DMP -O crashdump.raw --profile=Win2016x64_14393

Detect unlinked DLLs

vol.py ldrmodules -p ### -v

Find possible malicious injected code and dump sections

vol.py malfind --dump-dir ./output_dir 

Extract every memory section of a process into one file

vol.py memdump --dump-dir ./output -p ###

Extract kernel drivers

vol.py moddump --dump-dir ./output -r <driver>

Scan memory for loaded, unloaded, and unlinked drivers

vol.py modscan 

Scan for TCP connections and sockets

vol.py netscan 

Output a registry key, its subkeys, and values

vol.py printkey -K "Microsoft\Windows\CurrentVersion\Run"

Dump process to executable sample

vol.py procdump --dump-dir ./output -p ###

High level view of running processes

vol.py pslist 

Display parent-process relationships

vol.py pstree 

Find hidden processes using cross-view

vol.py psxview 

Hooks in System Service Descriptor Table

vol.py ssdt 

Scan for Windows Service record structures

vol.py svcscan -v

Find and parse userassist key values

vol.py userassist 

Scan memory for EPROCESS blocks

vol.py psscan 

List of open handles for each process [Process, Thread, Key, Event, File, Mutant, Token, Port]

vol.py handles -p ### -t File,Key
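As an added example that is not part of the original cheat sheet: a small POSIX shell triage wrapper that fills in the -f and --profile options every plugin call above needs, picking the profile from imageinfo output when none is given. It assumes vol.py is on PATH; the plugin set, output layout and DRY_RUN variable are this example's own choices.

```shell
#!/bin/sh
# Volatility 2 triage wrapper (added example, not from the cheat sheet above).
# Assumes vol.py is on PATH. Every plugin needs -f <image> and --profile=<profile>,
# which the cheat-sheet lines omit for brevity; this script fills them in.

# Extract the first suggested profile from "vol.py -f <image> imageinfo" output,
# whose relevant line looks like:
#   Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64 (Instantiated ...)
first_profile() {
    sed -n 's/^ *Suggested Profile(s) *: *\([^, ]*\).*/\1/p' | head -n 1
}

# Build the full command line for one plugin call (used for dry runs and logs).
vol_cmd() {
    image="$1"; profile="$2"; shift 2
    printf 'vol.py -f %s --profile=%s %s\n' "$image" "$profile" "$*"
}

# Argument-free plugins in triage order: three process views first (pslist,
# psscan and psxview disagree when an EPROCESS block has been unlinked),
# then network, hook and service checks.
TRIAGE_PLUGINS="pslist pstree psscan psxview netscan ssdt apihooks svcscan"

# run_triage IMAGE OUTDIR [PROFILE]: detects the profile via imageinfo when none
# is given, then writes <plugin>.txt/.err per plugin into OUTDIR and lets malfind
# drop its sections into OUTDIR/malfind. With DRY_RUN=1 only the commands print.
run_triage() {
    image="$1"; outdir="$2"; profile="${3:-}"
    if [ -z "$profile" ]; then
        profile=$(vol.py -f "$image" imageinfo | first_profile)
        [ -n "$profile" ] || { echo "no profile suggested for $image" >&2; return 1; }
    fi
    for plugin in $TRIAGE_PLUGINS; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            vol_cmd "$image" "$profile" "$plugin"
        else
            mkdir -p "$outdir"
            vol.py -f "$image" --profile="$profile" "$plugin" \
                > "$outdir/$plugin.txt" 2> "$outdir/$plugin.err"
        fi
    done
    if [ "${DRY_RUN:-0}" = 1 ]; then
        vol_cmd "$image" "$profile" malfind --dump-dir "$outdir/malfind"
    else
        mkdir -p "$outdir/malfind"
        vol.py -f "$image" --profile="$profile" malfind --dump-dir "$outdir/malfind" \
            > "$outdir/malfind.txt" 2> "$outdir/malfind.err"
    fi
}
```

Run `DRY_RUN=1 run_triage mem.img ./out` first to review the exact command lines before committing to a full pass over a large image.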