Volatility - CheatSheet

Support HackTricks and get benefits!
If you want something fast and crazy that will launch several Volatility plugins on parallel you can use: https://github.com/carlospolop/autoVolatility​
1
python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py # Will use most important plugins (could use a lot of space depending on the size of the memory)
Copied!
Installation
volatility3
1
git clone https://github.com/volatilityfoundation/volatility3.git
2
cd volatility3
3
python3 setup.py install
4
python3 vol.py —h
Copied!
volatility2
Method1
Method 2
1
Download the executable from https://www.volatilityfoundation.org/26
Copied!
1
git clone https://github.com/volatilityfoundation/volatility.git
2
cd volatility
3
python setup.py install
Copied!
Volatility Commands
Access the official doc in Volatility command reference​
A note on “list” vs. “scan” plugins
Volatility has two main approaches to plugins, which are sometimes reflected in their names. “list” plugins will try to navigate through Windows Kernel structures to retrieve information like processes (locate and walk the linked list of _EPROCESS structures in memory), OS handles (locating and listing the handle table, dereferencing any pointers found, etc). They more or less behave like the Windows API would if requested to, for example, list processes.
That makes “list” plugins pretty fast, but just as vulnerable as the Windows API to manipulation by malware. For instance, if malware uses DKOM to unlink a process from the _EPROCESS linked list, it won’t show up in the Task Manager and neither will it in the pslist.
“scan” plugins, on the other hand, will take an approach similar to carving the memory for things that might make sense when dereferenced as specific structures. psscan for instance will read the memory and try to make out _EPROCESS objects out of it (it uses pool-tag scanning, which is basically searching for 4-byte strings that indicate the presence of a structure of interest). The advantage is that it can dig up processes that have exited, and even if malware tampers with the _EPROCESS linked list, the plugin will still find the structure lying around in memory (since it still needs to exist for the process to run). The downfall is that “scan” plugins are a bit slower than “list” plugins, and can sometimes yield false-positives (a process that exited too long ago and had parts of its structure overwritten by other operations).
From: http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/​
OS Profiles
Volatility3
As explained inside the readme you need to put the symbol table of the OS you want to support inside volatility3/volatility/symbols.
Symbol table packs for the various operating systems are available for download at:
​https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip​
​https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip​
​https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip​
Volatility2
External Profile
You can get the list of supported profiles doing:
1
./volatility_2.6_lin64_standalone --info | grep "Profile"
Copied!
If you want to use a new profile you have downloaded (for example a linux one) you need to create somewhere the following folder structure: plugins/overlays/linux and put inside this folder the zip file containing the profile. Then, get the number of the profiles using:
1
./vol --plugins=/home/kali/Desktop/ctfs/final/plugins --info
2
Volatility Foundation Volatility Framework 2.6
3
​
4
​
5
Profiles
6
--------
7
LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 - A Profile for Linux CentOS7_3.10.0-123.el7.x86_64_profile x64
8
VistaSP0x64                                   - A Profile for Windows Vista SP0 x64
9
VistaSP0x86                                   - A Profile for Windows Vista SP0 x86
Copied!
You can download Linux and Mac profiles from https://github.com/volatilityfoundation/profiles​
In the previous chunk you can see that the profile is called LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 , and you can use it executing something like:
1
./vol -f file.dmp --plugins=. --profile=LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 linux_netscan
Copied!
Discover Profile
1
volatility imageinfo -f file.dmp
2
volatility kdbgscan -f file.dmp
Copied!
Differences between imageinfo and kdbgscan
As opposed to imageinfo which simply provides profile suggestions, kdbgscan is designed to positively identify the correct profile and the correct KDBG address (if there happen to be multiple). This plugin scans for the KDBGHeader signatures linked to Volatility profiles and applies sanity checks to reduce false positives. The verbosity of the output and number of sanity checks that can be performed depends on whether Volatility can find a DTB, so if you already know the correct profile (or if you have a profile suggestion from imageinfo), then make sure you use it (from here).
Always take a look in the number of procceses that kdbgscan has found. Sometimes imageinfo and kdbgscan can find more than one suitable profile but only the valid one will have some process related (This is because in order to extract processes the correct KDBG address is needed)
1
# GOOD
2
PsActiveProcessHead           : 0xfffff800011977f0 (37 processes)
3
PsLoadedModuleList            : 0xfffff8000119aae0 (116 modules)
Copied!
1
# BAD
2
PsActiveProcessHead           : 0xfffff800011947f0 (0 processes)
3
PsLoadedModuleList            : 0xfffff80001197ac0 (0 modules)
Copied!
KDBG
The kernel debugger block (named KdDebuggerDataBlock of the type _KDDEBUGGER_DATA64, or KDBG by volatility) is important for many things that Volatility and debuggers do. For example, it has a reference to the PsActiveProcessHead which is the list head of all processes required for process listing.
OS Information
1
#vol3 has a plugin to give OS information (note that imageinfo from vol2 will give you OS info)
2
./vol.py -f file.dmp windows.info.Info
Copied!
The plugin banners.Banners can be used in vol3 to try to find linux banners in the dump.
Hashes/Passwords
Extract SAM hashes, domain cached credentials and lsa secrets.
vol3
vol2
1
./vol.py -f file.dmp windows.hashdump.Hashdump #Grab common windows hashes (SAM+SYSTEM)
2
./vol.py -f file.dmp windows.cachedump.Cachedump #Grab domain cache hashes inside the registry
3
./vol.py -f file.dmp windows.lsadump.Lsadump #Grab lsa secrets
Copied!
1
volatility --profile=Win7SP1x86_23418 hashdump -f file.dmp #Grab common windows hashes (SAM+SYSTEM)
2
volatility --profile=Win7SP1x86_23418 cachedump -f file.dmp #Grab domain cache hashes inside the registry
3
volatility --profile=Win7SP1x86_23418 lsadump -f file.dmp #Grab lsa secrets
Copied!
Memory Dump
The memory dump of a process will extract everything of the current status of the process. The procdump module will only extract the code.
1
volatility -f file.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/
Copied!
Processes
List processes
Try to find suspicious processes (by name) or unexpected child processes (for example a cmd.exe as a child of iexplorer.exe).
It could be interesting to compare the result of pslist with the one of psscan to identify hidden processes.
vol3
vol2
1
python3 vol.py -f file.dmp windows.pstree.PsTree # Get processes tree (not hidden)
2
python3 vol.py -f file.dmp windows.pslist.PsList # Get process list (EPROCESS)
3
python3 vol.py -f file.dmp windows.psscan.PsScan # Get hidden process list(malware)
Copied!
1
volatility --profile=PROFILE pstree -f file.dmp # Get process tree (not hidden)
2
volatility --profile=PROFILE pslist -f file.dmp # Get process list (EPROCESS)
3
volatility --profile=PROFILE psscan -f file.dmp # Get hidden process list(malware)
4
volatility --profile=PROFILE psxview -f file.dmp # Get hidden process list
Copied!
Dump proc
vol3
vol2
1
./vol.py -f file.dmp windows.dumpfiles.DumpFiles --pid <pid> #Dump the .exe and dlls of the process in the current directory
Copied!
1
volatility --profile=Win7SP1x86_23418 procdump --pid=3152 -n --dump-dir=. -f file.dmp
Copied!
Command line
Anything suspicious was executed?
vol3
vol2
1
python3 vol.py -f file.dmp windows.cmdline.CmdLine #Display process command-line arguments
Copied!
1
volatility --profile=PROFILE cmdline -f file.dmp #Display process command-line arguments
2
volatility --profile=PROFILE consoles -f file.dmp #command history by scanning for _CONSOLE_INFORMATION
Copied!
Commands entered into cmd.exe are processed by conhost.exe (csrss.exe prior to Windows 7). So even if an attacker managed to kill the cmd.exe prior to us obtaining a memory dump, there is still a good chance of recovering history of the command line session from conhost.exe’s memory. If you find something weird (using the consoles modules), try to dump the memory of the conhost.exe associated process and search for strings inside it to extract the command lines.
Environment
Get the env variables of each running process. There could be some interesting values.
vol3
vol2
1
python3 vol.py -f file.dmp windows.envars.Envars [--pid <pid>] #Display process environment variables
Copied!
1
volatility --profile=PROFILE envars -f file.dmp [--pid <pid>] #Display process environment variables
2
​
3
volatility --profile=PROFILE -f file.dmp linux_psenv [-p <pid>] #Get env of process. runlevel var means the runlevel where the proc is initated 
Copied!
Token privileges
Check for privileges tokens in unexpected services.
It could be interesting to list the processes using some privileged token.
vol3
vol2
1
#Get enabled privileges of some processes
2
python3 vol.py -f file.dmp windows.privileges.Privs [--pid <pid>]
3
#Get all processes with interesting privileges
4
python3 vol.py -f file.dmp windows.privileges.Privs | grep "SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"
Copied!
1
#Get enabled privileges of some processes
2
volatility --profile=Win7SP1x86_23418 privs --pid=3152 -f file.dmp | grep Enabled
3
#Get all processes with interesting privileges
4
volatility --profile=Win7SP1x86_23418 privs -f file.dmp | grep "SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"
Copied!
SIDs
Check each SSID owned by a process.
It could be interesting to list the processes using a privileges SID (and the processes using some service SID).
vol3
vol2
1
./vol.py -f file.dmp windows.getsids.GetSIDs [--pid <pid>] #Get SIDs of processes
2
./vol.py -f file.dmp windows.getservicesids.GetServiceSIDs #Get the SID of services
Copied!
1
volatility --profile=Win7SP1x86_23418 getsids -f file.dmp #Get the SID owned by each process
2
volatility --profile=Win7SP1x86_23418 getservicesids -f file.dmp #Get the SID of each service
Copied!
Handles
Useful to know to which other files, keys, threads, processes... a process has a handle for (has opened)
vol3
vol2
1
vol.py -f file.dmp windows.handles.Handles [--pid <pid>]
Copied!
1
volatility --profile=Win7SP1x86_23418 -f file.dmp handles [--pid=<pid>]
Copied!
DLLs
vol3
vol2
1
./vol.py -f file.dmp windows.dlllist.DllList [--pid <pid>] #List dlls used by each
2
./vol.py -f file.dmp windows.dumpfiles.DumpFiles --pid <pid> #Dump the .exe and dlls of the process in the current directory process
Copied!
1
volatility --profile=Win7SP1x86_23418 dlllist --pid=3152 -f file.dmp #Get dlls of a proc
2
volatility --profile=Win7SP1x86_23418 dlldump --pid=3152 --dump-dir=. -f file.dmp #Dump dlls of a proc
Copied!
Strings per processes
Volatility allows to check to which process does a string belongs to.
vol3
vol2
1
strings file.dmp > /tmp/strings.txt
2
./vol.py -f /tmp/file.dmp windows.strings.Strings --strings-file /tmp/strings.txt
Copied!
1
strings file.dmp > /tmp/strings.txt
2
volatility -f /tmp/file.dmp windows.strings.Strings --string-file /tmp/strings.txt
3
​
4
volatility -f /tmp/file.dmp --profile=Win81U1x64 memdump -p 3532 --dump-dir .
5
strings 3532.dmp > strings_file
Copied!
It also allows to search for strings inside a process using the yarascan module:
vol3
vol2
1
./vol.py -f file.dmp windows.vadyarascan.VadYaraScan --yara-rules "https://" --pid 3692 3840 3976 3312 3084 2784
2
./vol.py -f file.dmp yarascan.YaraScan --yara-rules "https://"
Copied!
1
volatility --profile=Win7SP1x86_23418 yarascan -Y "https://" -p 3692,3840,3976,3312,3084,2784
Copied!
UserAssist
Windows systems maintain a set of keys in the registry database (UserAssist keys) to keep track of programs that executed. The number of executions and last execution date and time are available in these keys.
vol3
vol2
1
./vol.py -f file.dmp windows.registry.userassist.UserAssist
Copied!
1
volatility --profile=Win7SP1x86_23418 -f file.dmp userassist
Copied!
Services
vol3
vol2
1
./vol.py -f file.dmp windows.svcscan.SvcScan #List services
2
./vol.py -f file.dmp windows.getservicesids.GetServiceSIDs #Get the SID of services
Copied!
1
#Get services and binary path
2
volatility --profile=Win7SP1x86_23418 svcscan -f file.dmp
3
#Get name of the services and SID (slow)
4
volatility --profile=Win7SP1x86_23418 getservicesids -f file.dmp
Copied!
Network
vol3
vol2
1
./vol.py -f file.dmp windows.netscan.NetScan
2
#For network info of linux use volatility2
Copied!
1
volatility --profile=Win7SP1x86_23418 netscan -f file.dmp
2
volatility --profile=Win7SP1x86_23418 connections -f file.dmp#XP and 2003 only
3
volatility --profile=Win7SP1x86_23418 connscan -f file.dmp#TCP connections 
4
volatility --profile=Win7SP1x86_23418 sockscan -f file.dmp#Open sockets
5
volatility --profile=Win7SP1x86_23418 sockets -f file.dmp#Scanner for tcp socket objects
6
​
7
volatility --profile=SomeLinux -f file.dmp linux_ifconfig
8
volatility --profile=SomeLinux -f file.dmp linux_netstat
9
volatility --profile=SomeLinux -f file.dmp linux_netfilter
10
volatility --profile=SomeLinux -f file.dmp linux_arp #ARP table
11
volatility --profile=SomeLinux -f file.dmp linux_list_raw #Processes using promiscuous raw sockets (comm between processes)
12
volatility --profile=SomeLinux -f file.dmp linux_route_cache
Copied!
Registry hive
Print available hives
vol3
vol2
1
./vol.py -f file.dmp windows.registry.hivelist.HiveList #List roots
2
./vol.py -f file.dmp windows.registry.printkey.PrintKey #List roots and get initial subkeys
Copied!
1
volatility --profile=Win7SP1x86_23418 -f file.dmp hivelist #List roots
2
volatility --profile=Win7SP1x86_23418 -f file.dmp printkey #List roots and get initial subkeys
Copied!
Get a value
vol3
vol2
1
./vol.py -f file.dmp windows.registry.printkey.PrintKey --key "Software\Microsoft\Windows NT\CurrentVersion"
Copied!
1
volatility --profile=Win7SP1x86_23418 printkey -K "Software\Microsoft\Windows NT\CurrentVersion" -f file.dmp
2
# Get Run binaries registry value
3
volatility -f file.dmp --profile=Win7SP1x86 printkey -o 0x9670e9d0 -K 'Software\Microsoft\Windows\CurrentVersion\Run'
Copied!
Dump
1
#Dump a hive
2
volatility --profile=Win7SP1x86_23418 hivedump -o 0x9aad6148 -f file.dmp #Offset extracted by hivelist
3
#Dump all hives
4
volatility --profile=Win7SP1x86_23418 hivedump -f file.dmp
Copied!
Filesystem
Mount
vol3
vol2
1
#See vol2
Copied!
1
volatility --profile=SomeLinux -f file.dmp linux_mount
2
volatility --profile=SomeLinux -f file.dmp linux_recover_filesystem #Dump the entire filesystem (if possible)
Copied!
Scan/dump
vol3
vol2
1
./vol.py -f file.dmp windows.filescan.FileScan #Scan for files inside the dump
2
./vol.py -f file.dmp windows.dumpfiles.DumpFiles --physaddr <0xAAAAA> #Offset from previous command
Copied!
1
volatility --profile=Win7SP1x86_23418 filescan -f file.dmp #Scan for files inside the dump
2
volatility --profile=Win7SP1x86_23418 dumpfiles -n --dump-dir=/tmp -f file.dmp #Dump all files
3
volatility --profile=Win7SP1x86_23418 dumpfiles -n --dump-dir=/tmp -Q 0x000000007dcaa620 -f file.dmp
4
​
5
volatility --profile=SomeLinux -f file.dmp linux_enumerate_files
6
volatility --profile=SomeLinux -f file.dmp linux_find_file -F /path/to/file
7
volatility --profile=SomeLinux -f file.dmp linux_find_file -i 0xINODENUMBER -O /path/to/dump/file
Copied!
Master File Table
vol3
vol2
1
# I couldn't find any plugin to extract this information in volatility3
Copied!
1
volatility --profile=Win7SP1x86_23418 mftparser -f file.dmp
Copied!
The NTFS file system contains a file called the master file table, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself. All information about a file, including its size, time and date stamps, permissions, and data content, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries. From here.
SSL Keys/Certs
vol3
vol2
1
#vol3 allows to search for certificates inside the registry
2
./vol.py -f file.dmp windows.registry.certificates.Certificates
Copied!
1
#vol2 allos you to search and dump certificates from memory
2
#Interesting options for this modules are: --pid, --name, --ssl
3
volatility --profile=Win7SP1x86_23418 dumpcerts --dump-dir=. -f file.dmp
Copied!
Malware
vol3
vol2
1
./vol.py -f file.dmp windows.malfind.Malfind [--dump] #Find hidden and injected code, [dump each suspicious section]
2
#Malfind will search for suspicious structures related to malware
3
./vol.py -f file.dmp windows.driverirp.DriverIrp #Driver IRP hook detection
4
./vol.py -f file.dmp windows.ssdt.SSDT #Check system call address from unexpected addresses
5
​
6
./vol.py -f file.dmp linux.check_afinfo.Check_afinfo #Verifies the operation function pointers of network protocols
7
./vol.py -f file.dmp linux.check_creds.Check_creds #Checks if any processes are sharing credential structures
8
./vol.py -f file.dmp linux.check_idt.Check_idt #Checks if the IDT has been altered
9
./vol.py -f file.dmp linux.check_syscall.Check_syscall #Check system call table for hooks
10
./vol.py -f file.dmp linux.check_modules.Check_modules #Compares module list to sysfs info, if available
11
./vol.py -f file.dmp linux.tty_check.tty_check #Checks tty devices for hooks
Copied!
1
volatility --profile=Win7SP1x86_23418 -f file.dmp malfind [-D /tmp] #Find hidden and injected code [dump each suspicious section]
2
volatility --profile=Win7SP1x86_23418 -f file.dmp apihooks #Detect API hooks in process and kernel memory
3
volatility --profile=Win7SP1x86_23418 -f file.dmp driverirp #Driver IRP hook detection
4
volatility --profile=Win7SP1x86_23418 -f file.dmp ssdt #Check system call address from unexpected addresses
5
​
6
volatility --profile=SomeLinux -f file.dmp linux_check_afinfo
7
volatility --profile=SomeLinux -f file.dmp linux_check_creds
8
volatility --profile=SomeLinux -f file.dmp linux_check_fop
9
volatility --profile=SomeLinux -f file.dmp linux_check_idt
10
volatility --profile=SomeLinux -f file.dmp linux_check_syscall
11
volatility --profile=SomeLinux -f file.dmp linux_check_modules
12
volatility --profile=SomeLinux -f file.dmp linux_check_tty
13
volatility --profile=SomeLinux -f file.dmp linux_keyboard_notifiers #Keyloggers
Copied!
Scanning with yara
Use this script to download and merge all the yara malware rules from github: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9
Create the rules directory and execute it. This will create a file called malware_rules.yar which contains all the yara rules for malware.
vol3
vol2
1
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
2
mkdir rules
3
python malware_yara_rules.py
4
#Only Windows
5
./vol.py -f file.dmp windows.vadyarascan.VadYaraScan --yara-file /tmp/malware_rules.yar
6
#All
7
./vol.py -f file.dmp yarascan.YaraScan --yara-file /tmp/malware_rules.yar
Copied!
1
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
2
mkdir rules
3
python malware_yara_rules.py
4
volatility --profile=Win7SP1x86_23418 yarascan -y malware_rules.yar -f ch2.dmp | grep "Rule:" | grep -v "Str_Win32" | sort | uniq
Copied!
MISC
External plugins
If you want to use an external plugins make sure that the plugins related folder is the first parameter used.
vol3
vol2
1
./vol.py --plugin-dirs "/tmp/plugins/" [...]
Copied!
1
 volatilitye --plugins="/tmp/plugins/" [...]
Copied!
Autoruns
Download it from https://github.com/tomchop/volatility-autoruns​
1
 volatility --plugins=volatility-autoruns/ --profile=WinXPSP2x86 -f file.dmp autoruns
Copied!
Mutexes
vol3
vol2
1
./vol.py -f file.dmp windows.mutantscan.MutantScan
Copied!
1
volatility --profile=Win7SP1x86_23418 mutantscan -f file.dmp
2
volatility --profile=Win7SP1x86_23418 -f file.dmp handles -p <PID> -t mutant
Copied!
Symlinks
vol3
vol2
1
./vol.py -f file.dmp windows.symlinkscan.SymlinkScan
Copied!
1
volatility --profile=Win7SP1x86_23418 -f file.dmp symlinkscan
Copied!
Bash
It's possible to read from memory the bash history. You could also dump the .bash_history file, but it was disabled you will be glad you can use this volatility module
vol3
vol2
1
./vol.py -f file.dmp linux.bash.Bash
Copied!
1
volatility --profile=Win7SP1x86_23418 -f file.dmp linux_bash
Copied!
TimeLine
vol3
vol2
1
./vol.py -f file.dmp timeLiner.TimeLiner
Copied!
1
volatility --profile=Win7SP1x86_23418 -f timeliner
Copied!
Drivers
vol3
vol2
1
./vol.py -f file.dmp windows.driverscan.DriverScan
Copied!
1
volatility --profile=Win7SP1x86_23418 -f file.dmp driverscan
Copied!
Get clipboard
1
#Just vol2
2
volatility --profile=Win7SP1x86_23418 clipboard -f file.dmp
Copied!
Get IE history
1
#Just vol2
2
volatility --profile=Win7SP1x86_23418 iehistory -f file.dmp
Copied!
Get notepad text
1
#Just vol2
2
volatility --profile=Win7SP1x86_23418 notepad -f file.dmp
Copied!
Screenshot
1
#Just vol2
2
volatility --profile=Win7SP1x86_23418 screenshot -f file.dmp
Copied!
Master Boot Record (MBR)
1
volatility --profile=Win7SP1x86_23418 mbrparser -f file.dmp
Copied!
The MBR holds the information on how the logical partitions, containing file systems, are organized on that medium. The MBR also contains executable code to function as a loader for the installed operating system—usually by passing control over to the loader's second stage, or in conjunction with each partition's volume boot record (VBR). This MBR code is usually referred to as a boot loader. From here.
Support HackTricks and get benefits!

Memory dump analysis

Partitions/File Systems/Carving

Last modified 19d ago