Skip to main content

Volatility Commands

Sample command format -f image--profile=profileplugin 

Timeliner plugin parses time-stamped objects found inmemory images -f mem.img timeliner --outputfile out.body--output=body --profile=Win10x64 

Display memory image metadata –f mem.img imageinfo 

Find API/DLL function hooks apihooks 

Map ASEPs to running processes autoruns -v 

Scan for COMMAND_HISTORY buffers cmdscan 

Scan for CONSOLE_INFORMATION output consoles 

Extract DLLs from specific processes dlldump --dump-dir ./output –r <dll> 

List of loaded dlls by process by PID dlllist –p ### 

Identify I/O Request Packet (IRP) hooks driverirp –r tcpip 

Extract FILE_OBJECTs from memory dumpfiles-n -i -r \\.exe --dumpdir=./

Extract all available registry hives dumpregistry--dump-dir ./output 

Scan memory for FILE_OBJECT handles filescan 

Print process security identifiers by PID getsids –p ### 

List of open handles for each process {Process, Thread, Key, Event, File, Mutant, Token, Port} handles –p ### –t File,Key 

Dump user NTLM and Lanman hashes hashdump 

Print all keys and subkeys in a hive. -o Offset of registry hive to dump (virtual offset) hivedump –o 0xe1a14b60 

Find and list available registry hives hivelist 

Detect process hollowing techniques hollowfind-D ./output_dir 

Display Interrupt Descriptor Table idt 

Convert alternate memory sources to raw imagecopy -f hiberfil.sys -O hiber.raw --profile=Win7SP1x64 

Convert alternate memory sources to raw imagecopy -f MEMORY.DMP -O crashdump.raw –-profile=Win2016x64_14393 

Detect unlinked DLLs ldrmodules –p ### -v

Find possible malicious injected code and dump sections malfind --dump-dir ./output_dir 

Extract every memory section into onefile memdump –-dump-dir ./output –p ### 

Extract kernel drivers moddump --dump-dir ./output –r <driver> 

Scan memory for loaded, unloaded, and unlinked drivers modscan 

Scan for TCP connections and sockets netscan 

Output a registry key,subkeys, and values printkey –K“Microsoft\Windows\CurrentVersion\Run” 

Dump process to executable sample procdump --dump-dir ./output –p ### 

High level view of running processes pslist 

Display parent-process relationships pstree 

Find hidden processes using cross-view psxview 

Hooks in System Service Descriptor Table ssdt 

Scan for Windows Service record structures svcscan-v 

Find and parse userassist key values userassist 

Scan memory for EPROCESS blocks

sh psscan