pythonautoVolatility.py-fMEMFILE-dOUT_DIRECTORY-e/home/user/tools/volatility/vol.py# It will use the most important plugins (could use a lot of space depending on the size of the memory)
Volatility 有两种主要的插件方法,有时在其名称中反映出来。“list” 插件会尝试通过 Windows 内核结构导航,以检索诸如进程(定位并遍历内存中的 _EPROCESS 结构的链表)、操作系统句柄(定位并列出句柄表,解引用找到的任何指针等)等信息。它们的行为或多或少类似于 Windows API,如果请求列出进程的话。
这使得“list”插件相当快速,但与 Windows API 一样容易受到恶意软件的操控。例如,如果恶意软件使用 DKOM 从 _EPROCESS 链表中解除链接一个进程,它将不会出现在任务管理器中,也不会出现在 pslist 中。
./vol.py-ffile.dmpwindows.hashdump.Hashdump#Grab common windows hashes (SAM+SYSTEM)./vol.py-ffile.dmpwindows.cachedump.Cachedump#Grab domain cache hashes inside the registry./vol.py-ffile.dmpwindows.lsadump.Lsadump#Grab lsa secrets
volatility--profile=Win7SP1x86_23418hashdump-ffile.dmp#Grab common windows hashes (SAM+SYSTEM)volatility--profile=Win7SP1x86_23418cachedump-ffile.dmp#Grab domain cache hashes inside the registryvolatility--profile=Win7SP1x86_23418lsadump-ffile.dmp#Grab lsa secrets
python3vol.py-ffile.dmpwindows.pstree.PsTree# Get processes tree (not hidden)python3vol.py-ffile.dmpwindows.pslist.PsList# Get process list (EPROCESS)python3vol.py-ffile.dmpwindows.psscan.PsScan# Get hidden process list(malware)
volatility--profile=PROFILEpstree-ffile.dmp# Get process tree (not hidden)volatility--profile=PROFILEpslist-ffile.dmp# Get process list (EPROCESS)volatility--profile=PROFILEpsscan-ffile.dmp# Get hidden process list(malware)volatility--profile=PROFILEpsxview-ffile.dmp# Get hidden process list
转储进程
./vol.py-ffile.dmpwindows.dumpfiles.DumpFiles--pid<pid>#Dump the .exe and dlls of the process in the current directory
python3vol.py-ffile.dmpwindows.cmdline.CmdLine#Display process command-line arguments
volatility--profile=PROFILEcmdline-ffile.dmp#Display process command-line argumentsvolatility--profile=PROFILEconsoles-ffile.dmp#command history by scanning for _CONSOLE_INFORMATION
python3vol.py-ffile.dmpwindows.envars.Envars [--pid <pid>]#Display process environment variables
volatility--profile=PROFILEenvars-ffile.dmp [--pid <pid>]#Display process environment variablesvolatility--profile=PROFILE-ffile.dmplinux_psenv [-p <pid>]#Get env of process. runlevel var means the runlevel where the proc is initated
令牌权限
检查意外服务中的权限令牌。
列出使用某些特权令牌的进程可能会很有趣。
#Get enabled privileges of some processespython3vol.py-ffile.dmpwindows.privileges.Privs [--pid <pid>]#Get all processes with interesting privilegespython3vol.py-ffile.dmpwindows.privileges.Privs|grep"SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"
#Get enabled privileges of some processesvolatility--profile=Win7SP1x86_23418privs--pid=3152-ffile.dmp|grepEnabled#Get all processes with interesting privilegesvolatility--profile=Win7SP1x86_23418privs-ffile.dmp|grep"SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"
./vol.py-ffile.dmpwindows.getsids.GetSIDs [--pid <pid>]#Get SIDs of processes./vol.py-ffile.dmpwindows.getservicesids.GetServiceSIDs#Get the SID of services
volatility--profile=Win7SP1x86_23418getsids-ffile.dmp#Get the SID owned by each processvolatility--profile=Win7SP1x86_23418getservicesids-ffile.dmp#Get the SID of each service
./vol.py-ffile.dmpwindows.dlllist.DllList [--pid <pid>]#List dlls used by each./vol.py-ffile.dmpwindows.dumpfiles.DumpFiles--pid<pid>#Dump the .exe and dlls of the process in the current directory process
volatility--profile=Win7SP1x86_23418dlllist--pid=3152-ffile.dmp#Get dlls of a procvolatility--profile=Win7SP1x86_23418dlldump--pid=3152--dump-dir=.-ffile.dmp#Dump dlls of a proc
./vol.py-ffile.dmpwindows.svcscan.SvcScan#List services./vol.py-ffile.dmpwindows.getservicesids.GetServiceSIDs#Get the SID of services
#Get services and binary pathvolatility--profile=Win7SP1x86_23418svcscan-ffile.dmp#Get name of the services and SID (slow)volatility--profile=Win7SP1x86_23418getservicesids-ffile.dmp
网络
./vol.py-ffile.dmpwindows.netscan.NetScan#For network info of linux use volatility2
volatility--profile=Win7SP1x86_23418netscan-ffile.dmpvolatility--profile=Win7SP1x86_23418connections-ffile.dmp#XPand2003onlyvolatility--profile=Win7SP1x86_23418connscan-ffile.dmp#TCPconnectionsvolatility--profile=Win7SP1x86_23418sockscan-ffile.dmp#Opensocketsvolatility--profile=Win7SP1x86_23418sockets-ffile.dmp#Scannerfortcpsocketobjectsvolatility--profile=SomeLinux-ffile.dmplinux_ifconfigvolatility--profile=SomeLinux-ffile.dmplinux_netstatvolatility--profile=SomeLinux-ffile.dmplinux_netfiltervolatility--profile=SomeLinux-ffile.dmplinux_arp#ARP tablevolatility--profile=SomeLinux-ffile.dmplinux_list_raw#Processes using promiscuous raw sockets (comm between processes)volatility--profile=SomeLinux-ffile.dmplinux_route_cache
注册表蜂巢
打印可用的蜂巢
./vol.py-ffile.dmpwindows.registry.hivelist.HiveList#List roots./vol.py-ffile.dmpwindows.registry.printkey.PrintKey#List roots and get initial subkeys
volatility--profile=Win7SP1x86_23418-ffile.dmphivelist#List rootsvolatility--profile=Win7SP1x86_23418-ffile.dmpprintkey#List roots and get initial subkeys
volatility--profile=Win7SP1x86_23418printkey-K"Software\Microsoft\Windows NT\CurrentVersion"-ffile.dmp# Get Run binaries registry valuevolatility-ffile.dmp--profile=Win7SP1x86printkey-o0x9670e9d0-K'Software\Microsoft\Windows\CurrentVersion\Run'
转储
#Dump a hivevolatility--profile=Win7SP1x86_23418hivedump-o0x9aad6148-ffile.dmp#Offset extracted by hivelist#Dump all hivesvolatility--profile=Win7SP1x86_23418hivedump-ffile.dmp
文件系统
挂载
#See vol2
volatility--profile=SomeLinux-ffile.dmplinux_mountvolatility--profile=SomeLinux-ffile.dmplinux_recover_filesystem#Dump the entire filesystem (if possible)
扫描/转储
./vol.py-ffile.dmpwindows.filescan.FileScan#Scan for files inside the dump./vol.py-ffile.dmpwindows.dumpfiles.DumpFiles--physaddr<0xAAAAA>#Offset from previous command
volatility--profile=Win7SP1x86_23418filescan-ffile.dmp#Scan for files inside the dumpvolatility--profile=Win7SP1x86_23418dumpfiles-n--dump-dir=/tmp-ffile.dmp#Dump all filesvolatility--profile=Win7SP1x86_23418dumpfiles-n--dump-dir=/tmp-Q0x000000007dcaa620-ffile.dmpvolatility--profile=SomeLinux-ffile.dmplinux_enumerate_filesvolatility--profile=SomeLinux-ffile.dmplinux_find_file-F/path/to/filevolatility--profile=SomeLinux-ffile.dmplinux_find_file-i0xINODENUMBER-O/path/to/dump/file
主文件表
# I couldn't find any plugin to extract this information in volatility3
#vol3 allows to search for certificates inside the registry./vol.py-ffile.dmpwindows.registry.certificates.Certificates
#vol2 allos you to search and dump certificates from memory#Interesting options for this modules are: --pid, --name, --sslvolatility--profile=Win7SP1x86_23418dumpcerts--dump-dir=.-ffile.dmp
恶意软件
./vol.py-ffile.dmpwindows.malfind.Malfind [--dump] #Find hidden and injected code, [dump each suspicious section]#Malfind will search for suspicious structures related to malware./vol.py-ffile.dmpwindows.driverirp.DriverIrp#Driver IRP hook detection./vol.py-ffile.dmpwindows.ssdt.SSDT#Check system call address from unexpected addresses./vol.py-ffile.dmplinux.check_afinfo.Check_afinfo#Verifies the operation function pointers of network protocols./vol.py-ffile.dmplinux.check_creds.Check_creds#Checks if any processes are sharing credential structures./vol.py-ffile.dmplinux.check_idt.Check_idt#Checks if the IDT has been altered./vol.py-ffile.dmplinux.check_syscall.Check_syscall#Check system call table for hooks./vol.py-ffile.dmplinux.check_modules.Check_modules#Compares module list to sysfs info, if available./vol.py-ffile.dmplinux.tty_check.tty_check#Checks tty devices for hooks
volatility--profile=Win7SP1x86_23418-ffile.dmpmalfind [-D /tmp]#Find hidden and injected code [dump each suspicious section]volatility--profile=Win7SP1x86_23418-ffile.dmpapihooks#Detect API hooks in process and kernel memoryvolatility--profile=Win7SP1x86_23418-ffile.dmpdriverirp#Driver IRP hook detectionvolatility--profile=Win7SP1x86_23418-ffile.dmpssdt#Check system call address from unexpected addressesvolatility--profile=SomeLinux-ffile.dmplinux_check_afinfovolatility--profile=SomeLinux-ffile.dmplinux_check_credsvolatility--profile=SomeLinux-ffile.dmplinux_check_fopvolatility--profile=SomeLinux-ffile.dmplinux_check_idtvolatility--profile=SomeLinux-ffile.dmplinux_check_syscallvolatility--profile=SomeLinux-ffile.dmplinux_check_modulesvolatility--profile=SomeLinux-ffile.dmplinux_check_ttyvolatility--profile=SomeLinux-ffile.dmplinux_keyboard_notifiers#Keyloggers