Volatility
Description
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
A separate page describes the procedure to build custom profiles.
The official documentation is very complete and is available here: http://code.google.com/p/volatility/wiki/VolatilityIntroduction?tm=6
Plugins are grouped into the following categories (additional plugins are described on a separate page):

Windows Core
- Image Identification
- Processes and DLLs
- Process Memory
- Kernel Memory and Objects
- Networking
- Registry
- Crash Dumps, Hibernation and Conversion
- Miscellaneous
Installation
```
$ cd /data/src/
$ wget https://www.volatilesystems.com/volatility/2.1/volatility-2.1.tar.gz
$ tar xzvf volatility-2.1.tar.gz
$ cd volatility-2.1/
$ python vol.py --help
```
Usage
Syntax
General usage:
python vol.py plugin options
Help on a given plugin:
python vol.py plugin -h
Example:
```
$ python vol.py yarascan -h
Volatile Systems Volatility Framework 2.2
Usage: Volatility - A memory forensics analysis platform.

[REMOVED]

  -Y YARA_RULES, --yara-rules=YARA_RULES
                        Yara rules (as a string)
  -y YARA_FILE, --yara-file=YARA_FILE
                        Yara rules (rules file)
  -D DUMP_DIR, --dump-dir=DUMP_DIR
                        Directory in which to dump the files
---------------------------------
Module YaraScan
---------------------------------
Scan process or kernel memory with Yara signatures
```
Environment variables
Any command-line option can also be supplied as an environment variable named VOLATILITY_<OPTION> in upper case (for example VOLATILITY_PROFILE for --profile and VOLATILITY_LOCATION for --location). Exporting them once saves retyping the profile and image location on every invocation:

```
$ export VOLATILITY_PROFILE=Win7SP0x86
$ export VOLATILITY_LOCATION=file:///tmp/myimage.img
$ ./vol.py pslist
$ ./vol.py files
```
Options
- -h, --help
- list all available options and their default values.
- Default values may be set in the configuration file (/etc/volatilityrc)
- --conf-file=.volatilityrc
- User based configuration file
- -d, --debug
- Debug volatility
- --plugins=PLUGINS
- Additional plugin directories to use (colon separated)
- --info
- Print information about all registered objects
- --cache-directory=~/.cache/volatility
- Directory where cache files are stored
- --cache
- Use caching
- --tz=TZ
- Sets the timezone for displaying timestamps
- -f FILENAME, --filename=FILENAME
- Filename to use when opening an image
- --profile=WinXPSP2x86
- Name of the profile to load. Supported profiles are:
- VistaSP0x64 (Windows Vista SP0 x64)
- VistaSP0x86 (Windows Vista SP0 x86)
- VistaSP1x64 (Windows Vista SP1 x64)
- VistaSP1x86 (Windows Vista SP1 x86)
- VistaSP2x64 (Windows Vista SP2 x64)
- VistaSP2x86 (Windows Vista SP2 x86)
- Win2003SP0x86 (Windows 2003 SP0 x86)
- Win2003SP1x64 (Windows 2003 SP1 x64)
- Win2003SP1x86 (Windows 2003 SP1 x86)
- Win2003SP2x64 (Windows 2003 SP2 x64)
- Win2003SP2x86 (Windows 2003 SP2 x86)
- Win2008R2SP0x64 (Windows 2008 R2 SP0 x64)
- Win2008R2SP1x64 (Windows 2008 R2 SP1 x64)
- Win2008SP1x64 (Windows 2008 SP1 x64)
- Win2008SP1x86 (Windows 2008 SP1 x86)
- Win2008SP2x64 (Windows 2008 SP2 x64)
- Win2008SP2x86 (Windows 2008 SP2 x86)
- Win7SP0x64 (Windows 7 SP0 x64)
- Win7SP0x86 (Windows 7 SP0 x86)
- Win7SP1x64 (Windows 7 SP1 x64)
- Win7SP1x86 (Windows 7 SP1 x86)
- WinXPSP1x64 (Windows XP SP1 x64)
- WinXPSP2x64 (Windows XP SP2 x64)
- WinXPSP2x86 (Windows XP SP2 x86)
- WinXPSP3x86 (Windows XP SP3 x86)
- -l LOCATION, --location=LOCATION
- A URN location from which to load an address space
- -w, --write
- Enable write support
- --use-old-as
- Use the legacy address spaces
- --dtb=DTB
- DTB Address
- --cache-dtb
- Cache virtual to physical mappings
- --output=text
- Output in this format (format support is module specific)
- --output-file=OUTPUT_FILE
- write output in this file
- -v, --verbose
- Verbose information
- -k KPCR, --kpcr=KPCR
- Specify a specific KPCR address
- -g KDBG, --kdbg=KDBG
- Specify a specific KDBG virtual address
Supported Plugin Commands
For a more detailed document, go here: http://code.google.com/p/volatility/wiki/CommandReference
apihooks
- Description
- Detect API hooks in process and kernel memory
- Requires
- distorm3 (http://code.google.com/p/distorm/), installed with: pip install distorm3
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- -u, --unsafe
- Bypasses certain sanity checks when creating image
- -N, --no-whitelist
- No whitelist (show all hooks, can be verbose)
- -R, --skip-kernel
- Skip kernel mode checks
- -P, --skip-process
- Skip process checks
- -Q, --quick
- Work faster by only analyzing critical processes and dlls
- Output example
```
$ python vol.py -f /data/tmp/memory.056f443f.img --profile=Win2003SP2x86 apihooks -p 1080
Volatile Systems Volatility Framework 2.2
************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1080 (svchost.exe)
Victim module: ntdll.dll (0x7c800000 - 0x7c8c3000)
Function: ntdll.dll!<unknown> at 0x7c826c4d
Hook address: 0x4fb0000
Hooking module: <unknown>

Disassembly(0):
0x7c826c4d e9ae937888       JMP 0x4fb0000
0x7c826c52 ba0003fe7f       MOV EDX, 0x7ffe0300
0x7c826c57 ff12             CALL DWORD [EDX]
0x7c826c59 c22c00           RET 0x2c
0x7c826c5c 90               NOP
0x7c826c5d b828000000       MOV EAX, 0x28
0x7c826c62 ba               DB 0xba
0x7c826c63 0003             ADD [EBX], AL

Disassembly(1):
0x4fb0000 6825b8e9c4       PUSH DWORD 0xc4e9b825
0x4fb0005 e8d37b8777       CALL 0x7c827bdd
0x4fb000a 58               POP EAX
0x4fb000b c22c00           RET 0x2c
0x4fb000e c3               RET
0x4fb000f 0f               DB 0xf
0x4fb0010 00b827000000     ADD [EAX+0x27], BH
0x4fb0016 e9               DB 0xe9
0x4fb0017 37               AAA
```
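A check worth doing on output like the block above is to decode the patched instruction yourself instead of trusting the plugin's one-line summary: the first instruction at the hooked function is an E9 JMP whose signed rel32 operand must land exactly on the reported hook address, and that address should be compared with the victim module's range. The script below is an added example (not part of Volatility or of the original page). It takes the apihooks block shown above, embedded here as a constructed sample string, parses the header fields and both disassembly listings, decodes the rel32 targets of the JMP and of the trampoline's CALL, and reports whether the hook points outside ntdll.dll into memory with no backing module.

```python
"""Independently verify an 'apihooks' inline hook.

Added example; not Volatility code. It parses the plugin's text output,
decodes the rel32 operand of the patched JMP/CALL itself and checks the
result against the 'Hook address' the plugin reported.
"""
import re

# Constructed sample: the apihooks block shown above, trimmed to the lines used.
APIHOOKS_OUTPUT = """\
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1080 (svchost.exe)
Victim module: ntdll.dll (0x7c800000 - 0x7c8c3000)
Function: ntdll.dll!<unknown> at 0x7c826c4d
Hook address: 0x4fb0000
Hooking module: <unknown>

Disassembly(0):
0x7c826c4d e9ae937888       JMP 0x4fb0000
0x7c826c52 ba0003fe7f       MOV EDX, 0x7ffe0300
0x7c826c57 ff12             CALL DWORD [EDX]
0x7c826c59 c22c00           RET 0x2c

Disassembly(1):
0x4fb0000 6825b8e9c4       PUSH DWORD 0xc4e9b825
0x4fb0005 e8d37b8777       CALL 0x7c827bdd
0x4fb000a 58               POP EAX
0x4fb000b c22c00           RET 0x2c
"""

FIELD = re.compile(r"^(Hook mode|Hook type|Process|Victim module|Function|"
                   r"Hook address|Hooking module):\s*(.*)$")
SECTION = re.compile(r"^Disassembly\((\d+)\):")
DISASM = re.compile(r"^(0x[0-9a-f]+)\s+([0-9a-f]+)\s+(.*)$")
RANGE = re.compile(r"\((0x[0-9a-f]+) - (0x[0-9a-f]+)\)")


def parse_hook(text):
    """Header fields by name, plus {0: [...], 1: [...]} lists of
    (address, raw bytes, mnemonic text) for each Disassembly(n) section."""
    hook, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = int(m.group(1))
            hook.setdefault(section, [])
            continue
        m = DISASM.match(line) if section is not None else None
        if m:
            hook[section].append((int(m.group(1), 16),
                                  bytes.fromhex(m.group(2)), m.group(3)))
            continue
        m = FIELD.match(line)
        if m:
            hook[m.group(1)] = m.group(2).strip()
    return hook


def rel32_target(addr, code):
    """Target of an x86 E9 (JMP rel32) or E8 (CALL rel32) located at addr.
    rel32 is signed and relative to the next instruction; the sum wraps at
    32 bits. Returns None for any other instruction."""
    if len(code) < 5 or code[0] not in (0xE8, 0xE9):
        return None
    rel = int.from_bytes(code[1:5], "little", signed=True)
    return (addr + 5 + rel) & 0xFFFFFFFF


def check_hook(text):
    h = parse_hook(text)
    func_addr, code, _ = h[0][0]            # first (patched) instruction
    decoded = rel32_target(func_addr, code)
    reported = int(h["Hook address"], 16)
    lo, hi = (int(x, 16) for x in RANGE.search(h["Victim module"]).groups())
    # Control transfers inside the trampoline body (Disassembly(1)).
    tramp = [rel32_target(a, c) for a, c, _ in h.get(1, [])]
    tramp = [t for t in tramp if t is not None]
    return {
        "function": func_addr,
        "decoded_target": decoded,
        "matches_reported": decoded == reported,
        "target_inside_victim": lo <= reported < hi,
        "unbacked_hooker": h["Hooking module"] == "<unknown>",
        "trampoline_targets": tramp,
        "trampoline_reenters_victim": any(lo <= t < hi for t in tramp),
    }


if __name__ == "__main__":
    for k, v in check_hook(APIHOOKS_OUTPUT).items():
        print("%-28s %s" % (k, hex(v) if type(v) is int else v))
```

For the block above the decoded JMP target is 0x4fb0000, which agrees with the plugin, lies outside ntdll.dll (0x7c800000 to 0x7c8c3000) and has no hooking module, so the jump lands in memory not backed by any loaded DLL. The trampoline then CALLs 0x7c827bdd, back inside ntdll.dll, and finishes with the same RET 0x2c as the original function, which is how it returns to the caller without the caller noticing. The region at 0x4fb0000 is what to dump and analyse next.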
atoms
- Description
- Print session and window station atom tables
- Output example
```
$ python vol.py -f ~/tmp/infected.img atoms
Volatile Systems Volatility Framework 2.2
Offset(P)  Session    WindowStation      Atom       RefCount   HIndex     Pinned     Name
---------- ---------- ------------------ ---------- ---------- ---------- ---------- ----
0xcc06c18  0          Service-0x0-3e5$   0xc00c     1          12         1          Protocols
0xcc06c18  0          Service-0x0-3e5$   0xc00d     1          13         1          Topics
0xcc06c18  0          Service-0x0-3e5$   0xc00e     1          14         1          Formats
0xcc06c18  0          Service-0x0-3e5$   0xc007     1          7          1          StdShowItem
0xcc06c18  0          Service-0x0-3e5$   0xc011     1          17         1          True
0xcc06c18  0          Service-0x0-3e5$   0xc010     1          16         1          EditEnvItems
0xcc06c18  0          Service-0x0-3e5$   0xc012     1          18         1          False
0xcc06c18  0          Service-0x0-3e5$   0xc015     1          21         1          Close
0xcc06c18  0          Service-0x0-3e5$   0xc004     1          4          1          StdEditDocument
0xcc06c18  0          Service-0x0-3e5$   0xc008     1          8          1          StdDoVerbItem
0xcc06c18  0          Service-0x0-3e5$   0xc003     1          3          1          StdOpenDocument
0xcc06c18  0          Service-0x0-3e5$   0xc005     1          5          1          StdNewfromTemplate
0xcc06c18  0          Service-0x0-3e5$   0xc014     1          20         1          Save
[REMOVED]
```
atomscan
- Description
- Pool scanner for _RTL_ATOM_TABLE
- Options
- -S offset, --sort-by=offset
- Sort by [offset | atom | refcount]
- Output example
```
$ python vol.py -f ~/tmp/infected.img atomscan
Volatile Systems Volatility Framework 2.2
TableOfs(P) AtomOfs(V) Atom       Refs   Pinned Name
----------- ---------- ---------- ------ ------ ----
0x31c4da8   0xe1000d48 0xc007     1      1      FileNameW
0x31c4da8   0xe1009148 0xc004     1      1      Native
0x31c4da8   0xe1013340 0xc146     2      0      wuauclt_icon
0x31c4da8   0xe101b2e0 0xc106     1      0      AFX_WM_ON_BEFORE_SHOW_RIBBON_ITEM_MENU
0x31c4da8   0xe1022810 0xc037     1      1      SysShadow
0x31c4da8   0xe108c620 0xc0a6     4      0      C:\WINDOWS\system32\NETSHELL.dll
0x31c4da8   0xe10e7488 0xc159     2      0      MdmDevChg
0x31c4da8   0xe1106478 0xc148     1      0      C:\WINDOWS\system32\wucltui.dll
0x31c4da8   0xe1116e10 0xc157     1      0      MS Forms Text
0x31c4da8   0xe1116e40 0xc098     2      0      MS_WebcheckMonitor
0x31c4da8   0xe1121270 0xc13e     2      0      Progman
0x31c4da8   0xe112fe20 0xc156     2      0      Rich Text Format Without Objects
0x31c4da8   0xe134fbd8 0xc01e     1      1      ComboLBox
0x31c4da8   0xe13575e8 0xc020     1      1      DDEMLMom
[REMOVED]
```
bioskbd
- Description
- Reads the keyboard buffer from Real Mode memory
- Output example
```
$ python vol.py -f ~/tmp/infected.img bioskbd
Volatile Systems Volatility Framework 2.1
Ascii Scancode
```
callbacks
- Description
- Print system-wide notification routines
- Output example
```
$ python vol.py -f ~/tmp/infected.img callbacks
Volatile Systems Volatility Framework 2.1
Type                                 Callback   Module               Details
------------------------------------ ---------- -------------------- -------
IoRegisterFsRegistrationChange       0xf84d5876 sr.sys               -
IoRegisterFsRegistrationChange       0xf84d5876 sr.sys               -
IoRegisterFsRegistrationChange       0xf84d5876 sr.sys               -
IoRegisterFsRegistrationChange       0xf84d5876 sr.sys               -
KeBugCheckCallbackListHead           0xf83fd5ef NDIS.sys             Ndis miniport
KeBugCheckCallbackListHead           0xf83fd5ef NDIS.sys             Ndis miniport
KeBugCheckCallbackListHead           0x806d87cc hal.dll              ACPI 1.0 - APIC platform UP
IoRegisterShutdownNotification       0xf8bba5be Fs_Rec.SYS           \FileSystem\Fs_Rec
IoRegisterShutdownNotification       0xb250c15e vmhgfs.sys           \FileSystem\vmhgfs
IoRegisterShutdownNotification       0xf831fc6a VIDEOPRT.SYS         \Driver\VgaSave
IoRegisterShutdownNotification       0xf8bba5be Fs_Rec.SYS           \FileSystem\Fs_Rec
IoRegisterShutdownNotification       0xf831fc6a VIDEOPRT.SYS         \Driver\vmx_svga
IoRegisterShutdownNotification       0xf853b2be ftdisk.sys           \Driver\Ftdisk
IoRegisterShutdownNotification       0xf8bba5be Fs_Rec.SYS           \FileSystem\Fs_Rec
IoRegisterShutdownNotification       0xf8bba5be Fs_Rec.SYS           \FileSystem\Fs_Rec
IoRegisterShutdownNotification       0xf879dc74 Cdfs.SYS             \FileSystem\Cdfs
IoRegisterShutdownNotification       0xf831fc6a VIDEOPRT.SYS         \Driver\mnmdd
[REMOVED]
```
clipboard
- Description
- Extract the contents of the windows clipboard
- Output example
```
$ python vol.py -f ~/memdump/stuxnet.vmem clipboard
Volatile Systems Volatility Framework 2.2
Session    WindowStation Format             Handle     Object     Data
---------- ------------- ------------------ ---------- ---------- --------------------------------------------------
         0 WinSta0       CF_UNICODETEXT      0x136012b 0xe29b0c68 74ddc49a7c121a61b8d06c03f92d0c13.exe
         0 WinSta0       CF_LOCALE            0x270101 0xe1bdab58
         0 WinSta0       CF_TEXT                   0x1 ----------
         0 WinSta0       CF_OEMTEXT                0x1 ----------
```
cmdscan
- Description
- Extract command history by scanning for _COMMAND_HISTORY
- Options
- -M 50, --max_history=50
- CommandCountMax (default = 50)
- Output example
```
$ python vol.py -f ~/tmp/infected.img cmdscan
Volatile Systems Volatility Framework 2.1
**************************************************
CommandProcess: csrss.exe Pid: 772
CommandHistory: 0x10c87f0 Application: mdd_1.3.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x3fc
**************************************************
CommandProcess: csrss.exe Pid: 772
CommandHistory: 0x10c8e50 Application: TPAutoConnect.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x714
**************************************************
CommandProcess: csrss.exe Pid: 772
CommandHistory: 0x10fc700 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 13 LastAdded: 12 LastDisplayed: 12
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x434
Cmd #0 @ 0x4f1f90: dir
Cmd #1 @ 0x4f2ef8: cd .idlerc
Cmd #2 @ 0x4f2f30: dir
Cmd #3 @ 0x4f1f78: more
Cmd #4 @ 0x1108b98: more breakpoints.lst
Cmd #5 @ 0x4f2f40: more recent-files.lst
Cmd #6 @ 0x1108cc8: cd ..
Cmd #7 @ 0x10d4b40: dir
Cmd #8 @ 0x10d4888: cd "Mes documents"
Cmd #9 @ 0x10c8c40: dir
Cmd #10 @ 0x4f1eb8: cd Downloads
Cmd #11 @ 0x4f2360: dir
Cmd #12 @ 0x10d4948: mdd_1.3.exe -q -o image.img
```
connections
- Description
- Print list of open connections [Windows XP and 2003 Only] at the time the memory dump was taken.
- This module walks the singly-linked list of connection structures pointed to by a non-exported symbol in tcpip.sys and prints the connections that were active when the image was acquired.
- Note that if you are using a hibernated image this might not work because Windows closes all connections before hibernating. You might find it more effective to do connscan instead.
- Options
- -P, --physical-offset
- Physical Offset
- Output example
```
$ python vol.py -f ~/tmp/infected.img connections
Volatile Systems Volatility Framework 2.1
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ------
0x81c6b008 192.168.1.27:1226         91.195.240.107:80         532
0x81c21008 192.168.1.27:1254         62.212.130.115:80         600
0x81c84008 192.168.1.27:1235         204.13.162.116:80         532
0x822ffc08 192.168.1.27:1224         195.216.243.2:80          532
0x81cdabc8 192.168.1.27:1255         62.212.130.115:80         600
0x81c20ba0 192.168.1.27:1298         67.215.65.132:31960       2944
0x81c71700 192.168.1.27:1237         46.45.171.124:80          532
0x81c1c910 192.168.1.27:1256         62.212.130.115:80         600
0x81e73008 192.168.1.27:1257         62.212.130.115:80         600
0x81cd0a50 192.168.1.27:1261         213.175.193.143:80        600
0x81cd9008 192.168.1.27:1236         87.248.203.254:80         532
```
connscan
- Description
- Scan physical memory for _TCPT_OBJECT objects (TCP connections). Because it carves pool allocations instead of walking the kernel's list, it also recovers connections that had already been closed or whose process had exited, and it can return residue from freed memory: in the output below, rows with a zero port or an implausible Pid (2177290912, 314769412) are typical of such residue and should be treated as suspect rather than as evidence.
- Output example
```
$ python vol.py -f ~/tmp/infected.img connscan
Volatile Systems Volatility Framework 2.1
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01e14338 192.168.1.27:1170         74.125.230.198:80         2760
0x01e17c60 192.168.1.27:1178         173.194.70.157:80         2760
0x01e18348 192.168.1.27:1150         95.101.227.172:80         2760
0x01e18738 192.168.1.27:1141         95.101.239.144:443        2760
0x01e18a48 192.168.1.27:1127         216.34.181.69:80          2760
0x01e1ba48 192.168.1.27:1192         173.194.70.157:443        2760
0x01e1c910 192.168.1.27:1256         62.212.130.115:80         600
0x01e20ba0 192.168.1.27:1298         67.215.65.132:31960       2944
0x01e21008 192.168.1.27:1254         62.212.130.115:80         600
0x01e28930 40.120.205.129:0          78.68.97.109:0            2944
0x01e6aa98 192.168.1.27:1146         173.194.44.41:80          2760
0x01e6b008 192.168.1.27:1226         91.195.240.107:80         532
0x01e6c708 192.168.1.27:1125         95.101.227.172:80         2760
0x01e6d280 72.163.24.130:61569       0.0.0.0:49296             2177290912
0x01e71700 192.168.1.27:1237         46.45.171.124:80          532
0x01e71a10 192.168.1.27:1177         95.101.239.144:80         2760
0x01e81330 192.168.1.27:1098         74.125.230.231:443        314769412
[REMOVED]
```
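The practical way to use connections and connscan together is to diff them: rows present in both are connections that were open at acquisition time, rows that only connscan finds are either closed connections still lying in pool memory or carving residue, and a sanity filter separates those two. The script below is an added example (not part of Volatility or of the original page). It embeds the two listings shown above as constructed sample input, parses them, matches rows on (local address, remote address, pid) because the offsets differ between the plugins (virtual in connections, physical in connscan), and applies an assumed heuristic for residue: a PID above 0xFFFF or not a multiple of 4, a zero port, or a 0.0.0.0 peer. Those thresholds are the example's own choice, not something Volatility defines.

```python
"""Cross-check 'connections' (walks the live list) against 'connscan'
(carves _TCPT_OBJECT from physical memory). Added example, not Volatility code."""
import re
from collections import namedtuple

# Constructed sample input: the two listings shown above, copied verbatim
# (the connscan listing is truncated on the page, hence [REMOVED]).
CONNECTIONS = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ------
0x81c6b008 192.168.1.27:1226         91.195.240.107:80         532
0x81c21008 192.168.1.27:1254         62.212.130.115:80         600
0x81c84008 192.168.1.27:1235         204.13.162.116:80         532
0x822ffc08 192.168.1.27:1224         195.216.243.2:80          532
0x81cdabc8 192.168.1.27:1255         62.212.130.115:80         600
0x81c20ba0 192.168.1.27:1298         67.215.65.132:31960       2944
0x81c71700 192.168.1.27:1237         46.45.171.124:80          532
0x81c1c910 192.168.1.27:1256         62.212.130.115:80         600
0x81e73008 192.168.1.27:1257         62.212.130.115:80         600
0x81cd0a50 192.168.1.27:1261         213.175.193.143:80        600
0x81cd9008 192.168.1.27:1236         87.248.203.254:80         532
"""
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01e14338 192.168.1.27:1170         74.125.230.198:80         2760
0x01e17c60 192.168.1.27:1178         173.194.70.157:80         2760
0x01e18348 192.168.1.27:1150         95.101.227.172:80         2760
0x01e18738 192.168.1.27:1141         95.101.239.144:443        2760
0x01e18a48 192.168.1.27:1127         216.34.181.69:80          2760
0x01e1ba48 192.168.1.27:1192         173.194.70.157:443        2760
0x01e1c910 192.168.1.27:1256         62.212.130.115:80         600
0x01e20ba0 192.168.1.27:1298         67.215.65.132:31960       2944
0x01e21008 192.168.1.27:1254         62.212.130.115:80         600
0x01e28930 40.120.205.129:0          78.68.97.109:0            2944
0x01e6aa98 192.168.1.27:1146         173.194.44.41:80          2760
0x01e6b008 192.168.1.27:1226         91.195.240.107:80         532
0x01e6c708 192.168.1.27:1125         95.101.227.172:80         2760
0x01e6d280 72.163.24.130:61569       0.0.0.0:49296             2177290912
0x01e71700 192.168.1.27:1237         46.45.171.124:80          532
0x01e71a10 192.168.1.27:1177         95.101.239.144:80         2760
0x01e81330 192.168.1.27:1098         74.125.230.231:443        314769412
[REMOVED]
"""

Conn = namedtuple("Conn", "offset local remote pid")
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+:\d+)\s+(\S+:\d+)\s+(\d+)\s*$")


def parse(listing):
    """Rows of either plugin; header, separator and [REMOVED] lines are skipped."""
    out = []
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if m:
            out.append(Conn(int(m.group(1), 16), m.group(2), m.group(3), int(m.group(4))))
    return out


def key(c):
    # Offsets are virtual in 'connections' and physical in 'connscan',
    # so rows are matched on the socket tuple plus owning PID instead.
    return (c.local, c.remote, c.pid)


def looks_bogus(c, max_pid=0xFFFF):
    """Assumed heuristic (not Volatility's): objects carved from reused pool
    memory tend to show wild PIDs, PIDs that are not multiples of 4 (XP/2003
    PIDs are handle-table indices), zero ports or a 0.0.0.0 peer."""
    lport, rport = (int(a.rsplit(":", 1)[1]) for a in (c.local, c.remote))
    return bool(c.pid == 0 or c.pid > max_pid or c.pid % 4
                or lport == 0 or rport == 0 or c.remote.startswith("0.0.0.0:"))


def triage(connections_out, connscan_out):
    live, carved = parse(connections_out), parse(connscan_out)
    live_keys = {key(c) for c in live}
    carved_keys = {key(c) for c in carved}
    only_carved = [c for c in carved if key(c) not in live_keys]
    return {
        "live": live, "carved": carved,
        "confirmed": [c for c in carved if key(c) in live_keys],    # open at acquisition
        "residual": [c for c in only_carved if not looks_bogus(c)],  # closed, still in pool
        "suspect": [c for c in only_carved if looks_bogus(c)],       # likely carving residue
        "live_only": [c for c in live if key(c) not in carved_keys],
    }


if __name__ == "__main__":
    r = triage(CONNECTIONS, CONNSCAN)
    for name in ("confirmed", "residual", "suspect", "live_only"):
        print("== %s (%d)" % (name, len(r[name])))
        for c in r[name]:
            print("   0x%08x %-24s %-24s %d" % c)
```

On the page's data this yields 5 confirmed rows, 9 residual rows (all owned by pid 2760, closed HTTP/HTTPS sessions that connections no longer lists) and 3 suspect rows (the zero-port pair and the two absurd PIDs). The 6 live-only rows are an artifact of the connscan listing being truncated, not a finding. In a real case, feed the full text output of both plugins to triage and then pivot from the residual PIDs to pslist and dlllist.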
consoles
- Description
- Extract command history by scanning for _CONSOLE_INFORMATION
- Options
- -M 50, --max_history=50
- CommandCountMax (default = 50)
- -B 4, --history_buffers=4
- HistoryBufferMax (default = 4)
- Output example
```
$ python vol.py consoles -f ~/tmp/infected.img
Volatile Systems Volatility Framework 2.1
**************************************************
ConsoleProcess: csrss.exe Pid: 772
Console: 0x10c8958 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
Title: C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
AttachedProcess: TPAutoConnect.e Pid: 2420 Handle: 0x714
----
CommandHistory: 0x10c8e50 Application: TPAutoConnect.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x714
----
Screen 0x10c8c50 X:80 Y:25
Dump:
ThinPrint AutoConnect component, Copyright (c) 1999-2012 Cortado AG, 8.8.734.1
**************************************************
ConsoleProcess: csrss.exe Pid: 772
Console: 0x10d4008 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: ?O?O?m??O?O\system32\CMD.exe
Title:
**************************************************
ConsoleProcess: csrss.exe Pid: 772
Console: 0x10f04c0 CommandHistorySize: 50
HistoryBufferCount: 3 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\WINDOWS\system32\cmd.exe - mdd_1.3.exe -q -o image.img
AttachedProcess: mdd_1.3.exe Pid: 2908 Handle: 0x3fc
AttachedProcess: cmd.exe Pid: 2164 Handle: 0x434
----
CommandHistory: 0x10c87f0 Application: mdd_1.3.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x3fc
----
CommandHistory: 0x10c86f8 Application: more.com Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x10fc700 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 13 LastAdded: 12 LastDisplayed: 12
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x434
Cmd #0 at 0x4f1f90: dir
Cmd #1 at 0x4f2ef8: cd .idlerc
Cmd #2 at 0x4f2f30: dir
Cmd #3 at 0x4f1f78: more
Cmd #4 at 0x1108b98: more breakpoints.lst
Cmd #5 at 0x4f2f40: more recent-files.lst
Cmd #6 at 0x1108cc8: cd ..
Cmd #7 at 0x10d4b40: dir
Cmd #8 at 0x10d4888: cd "Mes documents"
Cmd #9 at 0x10c8c40: dir
Cmd #10 at 0x4f1eb8: cd Downloads
Cmd #11 at 0x4f2360: dir
Cmd #12 at 0x10d4948: mdd_1.3.exe -q -o image.img
----
Screen 0x10d4988 X:80 Y:300
Dump:
Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\pilou>dir
 Le volume dans le lecteur C n'a pas de nom.
 Le numéro de série du volume est E0F1-D8A1

 Répertoire de C:\Documents and Settings\pilou

15/09/2012  21:57    <REP>          .
15/09/2012  21:57    <REP>          ..
15/09/2012  21:57    <REP>          .idlerc
24/12/2012  13:03    <REP>          Bureau
18/03/2012  08:44    <REP>          Favoris
08/12/2011  21:44    <REP>          Menu Démarrer
03/06/2012  09:35    <REP>          Mes documents
               0 fichier(s)                0 octets
               7 Rép(s)   3 217 035 264 octets libres
[REMOVED]
```
crashinfo
- Description
- Dump crash-dump information
- Output example
```
$ python vol.py -f win7_x64.dmp --profile=Win7SP0x64 crashinfo
Volatile Systems Volatility Framework 2.1_alpha
_DMP_HEADER64:
 Majorversion:         0x0000000f (15)
 Minorversion:         0x00001db0 (7600)
 KdSecondaryVersion    0x00000000
 DirectoryTableBase    0x32a44000
 PfnDataBase           0xfffff80002aa8220
 PsLoadedModuleList    0xfffff80002a3de50
 PsActiveProcessHead   0xfffff80002a1fb30
 MachineImageType      0x00008664
 NumberProcessors      0x00000002
 BugCheckCode          0x00000000
 KdDebuggerDataBlock   0xfffff800029e9070
 ProductType           0x00000001
 SuiteMask             0x00000110
 WriterStatus          0x00000000
 Comment               PAGEPAGEPAGEPAGEPAGEPAGE[snip]

Physical Memory Description:
Number of runs: 3
FileOffset    Start Address    Length
00002000      00001000         0009e000
000a0000      00100000         3fde0000
3fe80000      3ff00000         00100000
3ff7f000      3ffff000
```
deskscan
- Description
- Pool scanner for tagDESKTOP (desktops)
- Output example
```
$ python vol.py -f ~/memdump/infected.img deskscan
Volatile Systems Volatility Framework 2.2
**************************************************
Desktop: 0x23c6288, Name: Service-0x0-3e5$\Default, Next: 0x0
SessionId: 0, DesktopInfo: 0xbc230650, fsHooks: 0
spwnd: 0xbc2306e8, Windows: 17
Heap: 0xbc230000, Size: 0x80000, Base: 0xbc230000, Limit: 0xbc2b0000
 1556 (svchost.exe 1504 parent 840)
 1444 (svchost.exe 1428 parent 840)
 1432 (svchost.exe 1428 parent 840)
 1336 (svchost.exe 1332 parent 840)
 1508 (svchost.exe 1504 parent 840)
**************************************************
Desktop: 0x23fb330, Name: SAWinSta\SADesktop, Next: 0x0
SessionId: 0, DesktopInfo: 0xbc640650, fsHooks: 0
spwnd: 0xbc6406e8, Windows: 20
Heap: 0xbc640000, Size: 0x80000, Base: 0xbc640000, Limit: 0xbc6c0000
**************************************************
Desktop: 0x20b48b0, Name: WinSta0\Default, Next: 0x81dc6168
SessionId: 0, DesktopInfo: 0xbbe30650, fsHooks: 0
spwnd: 0xbbe306e8, Windows: 145
Heap: 0xbbe30000, Size: 0x300000, Base: 0xbbe30000, Limit: 0xbc130000
 492 (mdd_1.3.exe 2908 parent 2164)
 2336 (explorer.exe 600 parent 796)
 2612 (explorer.exe 600 parent 796)
 2680 (vmtoolsd.exe 532 parent 272)
 2156 (cmd.exe 2164 parent 600)
[REMOVED]
```
devicetree
- Description
- Show device tree
- Output example
```
$ python vol.py -f ~/tmp/infected.img devicetree
Volatile Systems Volatility Framework 2.1
DRV 0x01f13720 \Driver\IpFilterDriver
---| DEV 0x82295030 IPFILTERDRIVER FILE_DEVICE_NETWORK
DRV 0x01fbcb10 \Driver\swenum
---| DEV 0x81f74138 KSENUM#0000000b FILE_DEVICE_UNKNOWN
------| ATT 0x81cb8f10 KSENUM#0000000b - \Driver\kmixer FILE_DEVICE_KS
---| DEV 0x821de258 KSENUM#00000002 FILE_DEVICE_UNKNOWN
------| ATT 0x821d98d0 KSENUM#00000002 - \Driver\sysaudio FILE_DEVICE_KS
---| DEV 0x821dd590 KSENUM#00000001 FILE_DEVICE_UNKNOWN
------| ATT 0x8232d7e0 KSENUM#00000001 - \Driver\wdmaud FILE_DEVICE_KS
---| DEV 0x81dbc6c0  FILE_DEVICE_BUS_EXTENDER
DRV 0x01fbfda0 \Driver\mssmbios
---| DEV 0x82197020  FILE_DEVICE_UNKNOWN
DRV 0x01fc33b8 \FileSystem\vmhgfs
---| DEV 0x81e6d348 hgfsInternal UNKNOWN
---| DEV 0x81e65600 hgfs FILE_DEVICE_NETWORK_FILE_SYSTEM
DRV 0x01fc8f38 \FileSystem\MRxSmb
---| DEV 0x821bed80 LanmanDatagramReceiver FILE_DEVICE_NETWORK_BROWSER
---| DEV 0x81e55c00 LanmanRedirector FILE_DEVICE_NETWORK_FILE_SYSTEM
DRV 0x01fda648 \Driver\Beep
[REMOVED]
```
dlldump
- Description
- Dump DLLs from a process address space
- Options
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- -D DUMP_DIR, --dump-dir=DUMP_DIR
- Directory in which to dump executable files
- -u, --unsafe
- Bypasses certain sanity checks when creating image
- -r REGEX, --regex=REGEX
- Dump dlls matching REGEX
- -i, --ignore-case
- Ignore case in pattern match
- -o OFFSET, --offset=OFFSET
- Dump DLLs for Process with physical address OFFSET
- -b BASE, --base=BASE
- Dump DLLS at the specified BASE offset in the process address space
- Output example
```
$ python vol.py -f ~/tmp/infected.img dlldump -p 532 --dump-dir=output/
Volatile Systems Volatility Framework 2.1
Process(V) Name                 Module Base Module Name          Result
---------- -------------------- ----------- -------------------- ------
0x81f015d0 vmtoolsd.exe         0x000400000 vmtoolsd.exe         OK: module.532.21015d0.400000.dll
0x81f015d0 vmtoolsd.exe         0x07c910000 ntdll.dll            OK: module.532.21015d0.7c910000.dll
0x81f015d0 vmtoolsd.exe         0x040d30000 ieframe.dll          Error: DllBase is paged
0x81f015d0 vmtoolsd.exe         0x000f70000 dndcp.dll            Error: DllBase is paged
0x81f015d0 vmtoolsd.exe         0x010000000 intl.dll             Error: DllBase is paged
0x81f015d0 vmtoolsd.exe         0x0719d0000 wshtcpip.dll         OK: module.532.21015d0.719d0000.dll
0x81f015d0 vmtoolsd.exe         0x07e210000 shdocvw.dll          Error: DllBase is paged
0x81f015d0 vmtoolsd.exe         0x076f80000 CLBCATQ.DLL          Error: DllBase is paged
0x81f015d0 vmtoolsd.exe         0x076e30000 rtutils.dll          OK: module.532.21015d0.76e30000.dll
[REMOVED]
```
dlllist
- Description
- Print list of loaded dlls for each process
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- Output example
```
$ python vol.py -f ~/tmp/infected.img dlllist -p 532
Volatile Systems Volatility Framework 2.1
************************************************************************
vmtoolsd.exe pid:    532
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
Service Pack 3

Base       Size       Path
---------- ---------- ----
0x00400000 0x11000    C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
0x7c910000 0xb9000    C:\WINDOWS\system32\ntdll.dll
0x7c800000 0x106000   C:\WINDOWS\system32\kernel32.dll
0x77da0000 0xac000    C:\WINDOWS\system32\ADVAPI32.dll
0x77e50000 0x93000    C:\WINDOWS\system32\RPCRT4.dll
0x77fc0000 0x11000    C:\WINDOWS\system32\Secur32.dll
0x774a0000 0x13e000   C:\WINDOWS\system32\ole32.dll
0x77ef0000 0x49000    C:\WINDOWS\system32\GDI32.dll
0x7e390000 0x91000    C:\WINDOWS\system32\USER32.dll
0x77be0000 0x58000    C:\WINDOWS\system32\msvcrt.dll
0x77bd0000 0x8000     C:\WINDOWS\system32\VERSION.dll
0x78520000 0xa3000    C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\MSVCR90.dll
[REMOVED]
```
driverirp
- Description
- Driver IRP hook detection
- Options
- -r REGEX, --regex=REGEX
- Analyze drivers matching REGEX
- Output example
```
$ python vol.py -f ~/tmp/infected.img driverirp
Volatile Systems Volatility Framework 2.1
--------------------------------------------------
DriverName: IpFilterDriver
DriverStart: 0xb1a2b000
DriverSize: 0x8080
DriverStartIo: 0x0
   0 IRP_MJ_CREATE                       0xb1a2c2b4 ipfltdrv.sys
   1 IRP_MJ_CREATE_NAMED_PIPE            0xb1a2c2b4 ipfltdrv.sys
   2 IRP_MJ_CLOSE                        0xb1a2c2b4 ipfltdrv.sys
   3 IRP_MJ_READ                         0xb1a2c2b4 ipfltdrv.sys
   4 IRP_MJ_WRITE                        0xb1a2c2b4 ipfltdrv.sys
   5 IRP_MJ_QUERY_INFORMATION            0xb1a2c2b4 ipfltdrv.sys
   6 IRP_MJ_SET_INFORMATION              0xb1a2c2b4 ipfltdrv.sys
   7 IRP_MJ_QUERY_EA                     0xb1a2c2b4 ipfltdrv.sys
   8 IRP_MJ_SET_EA                       0xb1a2c2b4 ipfltdrv.sys
   9 IRP_MJ_FLUSH_BUFFERS                0xb1a2c2b4 ipfltdrv.sys
  10 IRP_MJ_QUERY_VOLUME_INFORMATION     0xb1a2c2b4 ipfltdrv.sys
  11 IRP_MJ_SET_VOLUME_INFORMATION       0xb1a2c2b4 ipfltdrv.sys
  12 IRP_MJ_DIRECTORY_CONTROL            0xb1a2c2b4 ipfltdrv.sys
[REMOVED]
```
driverscan
- Description
- Scan for driver objects _DRIVER_OBJECT
- Output example
```
$ python vol.py -f ~/tmp/infected.img driverscan
Volatile Systems Volatility Framework 2.1
Offset(P)  #Ptr #Hnd Start      Size       Service Key          Name         Driver Name
---------- ---- ---- ---------- ---------- -------------------- ------------ -----------
0x01f13720    3    0 0xb1a2b000 0x8080     IpFilterDriver       IpFil...iver \Driver\IpFilterDriver
0x01fbcb10    9    0 0xf8bb4000 0x1100     swenum               swenum       \Driver\swenum
0x01fbfda0    3    0 0xf83a6000 0x3c80     mssmbios             mssmbios     \Driver\mssmbios
0x01fc33b8    4    0 0xb2507000 0x22800    vmhgfs               vmhgfs       \FileSystem\vmhgfs
0x01fc8f38    4    0 0xb2444000 0x6f680    MRxSmb               MRxSmb       \FileSystem\MRxSmb
0x01fda648    3    0 0xf8bbc000 0x1080     Beep                 Beep         \Driver\Beep
0x01fdaa70    3    0 0xf8a02000 0x5200     VgaSave              VgaSave      \Driver\VgaSave
0x01fdb2c0    3    0 0xf8a0a000 0x4a80     Msfs                 Msfs         \FileSystem\Msfs
0x01fdd6e8    7    0 0xb2574000 0x58480    Tcpip                Tcpip        \Driver\Tcpip
0x01fddb10    6    0 0xb254c000 0x27c00    NetBT                NetBT        \Driver\NetBT
0x01fddf38    3    0 0xf8b5a000 0x2f00     WS2IFSL              WS2IFSL      \Driver\WS2IFSL
```
envars
- Description
- Display process environment variables
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- Output example
```
$ python vol.py -f ~/tmp/infected.img envars -p 532
Volatile Systems Volatility Framework 2.1
Pid      Process              Block      Variable                       Value
-------- -------------------- ---------- ------------------------------ -----
     532 vmtoolsd.exe         0x00010000 ALLUSERSPROFILE                C:\Documents and Settings\All Users
     532 vmtoolsd.exe         0x00010000 APPDATA                        C:\Documents and Settings\pilou\Application Data
     532 vmtoolsd.exe         0x00010000 CLIENTNAME                     Console
     532 vmtoolsd.exe         0x00010000 CommonProgramFiles             C:\Program Files\Fichiers communs
     532 vmtoolsd.exe         0x00010000 COMPUTERNAME                   OZ-C06A6A6F2D3C
     532 vmtoolsd.exe         0x00010000 ComSpec                        C:\WINDOWS\system32\cmd.exe
     532 vmtoolsd.exe         0x00010000 FP_NO_HOST_CHECK               NO
     532 vmtoolsd.exe         0x00010000 HOMEDRIVE                      C:
     532 vmtoolsd.exe         0x00010000 HOMEPATH                       \Documents and Settings\pilou
     532 vmtoolsd.exe         0x00010000 LOGONSERVER                    \\OZ-C06A6A6F2D3C
     532 vmtoolsd.exe         0x00010000 NUMBER_OF_PROCESSORS           1
     532 vmtoolsd.exe         0x00010000 OS                             Windows_NT
     532 vmtoolsd.exe         0x00010000 Path                           C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\pstools;c:\python27;C:\Program Files\Nmap
[REMOVED]
```
eventhooks
- Description
- Print details on windows event hooks
- Output example
```
$ python vol.py -f win7x64.dd --profile=Win7SP1x64 eventhooks
Volatile Systems Volatility Framework 2.1_alpha
Handle: 0x300cb, Object: 0xfffff900c01eda10, Session: 1
Type: TYPE_WINEVENTHOOK, Flags: 0, Thread: 1516, Process: 880
eventMin: 0x4 EVENT_SYSTEM_MENUSTART
eventMax: 0x7 EVENT_SYSTEM_MENUPOPUPEND
Flags: none, offPfn: 0xff567cc4, idProcess: 0, idThread: 0
ihmod: -1
```
evtlogs
- Description
- Extract Windows Event Logs (XP/2003 only)
- Options
- -S, --save-evt
- Save the raw .evt files also
- -D DUMP_DIR, --dump-dir=DUMP_DIR
- Directory in which to dump executable files
- Output example
```
$ python vol.py -f ~/memdump/infected.img evtlogs --dump-dir=output/
Volatile Systems Volatility Framework 2.2
Parsed data sent to internet.txt
Parsed data sent to sysevent.txt
Parsed data sent to secevent.txt
Parsed data sent to thinprint.txt
Parsed data sent to appevent.txt
$ cat output/appevent.txt
2011-12-08 19:49:19|appevent.evt|OZ-C06A6A6F2D3C|N/A|LoadPerf|1000|Info|RSVP;QoS RSVP
2011-12-08 19:49:42|appevent.evt|OZ-C06A6A6F2D3C|N/A|LoadPerf|1000|Info|PSched;PSched
2011-12-08 19:49:43|appevent.evt|OZ-C06A6A6F2D3C|N/A|LoadPerf|1000|Info|RemoteAccess;Routage et accès distant
2011-12-08 19:50:01|appevent.evt|OZ-C06A6A6F2D3C|N/A|LoadPerf|1000|Info|TermService;Services Terminal Server
2011-12-08 19:50:02|appevent.evt|OZ-C06A6A6F2D3C|N/A|LoadPerf|1000|Info|MSDTC;MSDTC
2011-12-08 19:50:02|appevent.evt|OZ-C06A6A6F2D3C|N/A|MSDTC|4104|Info|N/A
2011-12-08 19:50:02|appevent.evt|OZ-C06A6A6F2D3C|N/A|MSDTC|2444|Info|0;0;0;0;0;0
2011-12-08 19:50:07|appevent.evt|OZ-C06A6A6F2D3C|N/A|LoadPerf|1000|Info|WmiApRpl;WmiApRpl
2011-12-08 19:50:07|appevent.evt|OZ-C06A6A6F2D3C|N/A|LoadPerf|1001|Info|WmiApRpl;WmiApRpl
2011-12-08 19:50:07|appevent.evt|OZ-C06A6A6F2D3C|N/A|LoadPerf|1000|Info|WmiApRpl;WmiApRpl
2011-12-08 19:50:11|appevent.evt|OZ-C06A6A6F2D3C|S-1-5-18 (Local System)|WinMgmt|63|Warning|HiPerfCooker_v1;Root\WMI
2011-12-08 19:50:12|appevent.evt|OZ-C06A6A6F2D3C|S-1-5-18 (Local System)|WinMgmt|63|Warning|CmdTriggerConsumer;Root\cimv2
2011-12-08 19:50:12|appevent.evt|OZ-C06A6A6F2D3C|S-1-5-18 (Local System)|WinMgmt|63|Warning|CmdTriggerConsumer;Root\cimv2
2011-12-08 19:50:12|appevent.evt|OZ-C06A6A6F2D3C|S-1-5-18 (Local System)|WinMgmt|5603|Warning|Rsop Planning Mode Provider;root\RSOP
[REMOVED]
```
filescan
- Description
- Scan Physical memory for _FILE_OBJECT pool allocations
- Output example
```
$ python vol.py -f ~/memdump/infected.img filescan
Volatile Systems Volatility Framework 2.2
Offset(P)  #Ptr   #Hnd   Access Name
---------- ------ ------ ------ ----
0x01e1d5d8      3      0 RWD--- \Device\HarddiskVolume1\$Directory
0x01e1d670      1      0 -W---- \Device\HarddiskVolume1\Documents and Settings\pilou\Local Settings\Application Data\Google\Chrome\User Data\chrome_shutdown_ms.txt
0x01e1e970      3      0 RWD--- \Device\HarddiskVolume1\$Directory
0x01e1f890      1      0 R--rwd \Device\HarddiskVolume1\WINDOWS\system32\d3d8thk.dll
0x01e26628      1      0 R--r-- \Device\HarddiskVolume1\WINDOWS\system32\win32k.sys
0x01e26a90      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\pilou\Local Settings\Application Data\Google\Chrome\User Data\Default\Session Storage\000005.sst
0x01e27628      1      0 -WD--- \Device\HarddiskVolume1??INDOWS\SoftwareDistribution\Download\2b92e2dcf8ad4df7317e353becd67cd7\_useselfcontained_.state
0x01e28e70      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\pilou\Local Settings\Application Data\Google\Chrome\User Data\Default\Network Action Predictor
0x01e29bb8      1      0 -WD--- \Device\HarddiskVolume1????DOWS\SoftwareDistributio??????
0x01e29c50      1      0 -WD--- \Device\HarddiskVolume1\WINDOWS\SoftwareDistribution\Download\e07b1f39ad7efdd3145745a305217a88\_unpacked_.state
0x01e29ce8      1      0 -WD--- \Device\HarddiskVolume1????DOWS\SoftwareDistribution\Download\e07b1f39ad7efdd3145745a305217a88\_downloadprogress_.state
0x01e2a1b8      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\h323.tsp
0x01e2a510      1      1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202
0x01e2b450      3      0 RWD--- \Device\HarddiskVolume1\$Directory
[REMOVED]
```
gahti
- Description
- Dump the USER handle type information
- Output example
```
$ python vol.py -f ~/memdump/infected.img gahti
Volatile Systems Volatility Framework 2.2
Session  Type                 Tag      fnDestroy  Flags
-------- -------------------- -------- ---------- -----
       0 TYPE_FREE                     0x00000000
       0 TYPE_WINDOW          Uswd     0xbf89dd3b OCF_DESKTOPHEAP, OCF_THREADOWNED, OCF_USEPOOLIFNODESKTOP, OCF_USEPOOLQUOTA
       0 TYPE_MENU                     0xbf896641 OCF_DESKTOPHEAP, OCF_PROCESSOWNED
       0 TYPE_CURSOR          Uscu     0xbf89ed85 OCF_MARKPROCESS, OCF_PROCESSOWNED, OCF_USEPOOLQUOTA
       0 TYPE_SETWINDOWPOS    Ussw     0xbf81f9c4 OCF_THREADOWNED, OCF_USEPOOLQUOTA
       0 TYPE_HOOK                     0xbf860442 OCF_DESKTOPHEAP, OCF_THREADOWNED
       0 TYPE_CLIPDATA        Uscb     0xbf91c359
       0 TYPE_CALLPROC                 0xbf85df2f OCF_DESKTOPHEAP, OCF_PROCESSOWNED
       0 TYPE_ACCELTABLE      Usac     0xbf85df2f OCF_PROCESSOWNED, OCF_USEPOOLQUOTA
       0 TYPE_DDEACCESS       Usd9     0xbf91c359 OCF_THREADOWNED, OCF_USEPOOLQUOTA
       0 TYPE_DDECONV         UsdA     0xbf922619 OCF_THREADOWNED, OCF_USEPOOLQUOTA
       0 TYPE_DDEXACT         UsdB     0xbf922560 OCF_THREADOWNED, OCF_USEPOOLQUOTA
       0 TYPE_MONITOR         Usdi     0xbf931dfd OCF_SHAREDHEAP
       0 TYPE_KBDLAYOUT       Uskb     0xbf912a22
       0 TYPE_KBDFILE         Uskf     0xbf92a5c9
       0 TYPE_WINEVENTHOOK    Uswe     0xbf8ebdce OCF_THREADOWNED
       0 TYPE_TIMER           Ustm     0xbf80e874
       0 TYPE_INPUTCONTEXT    Usim     0xbf92b18d OCF_DESKTOPHEAP, OCF_THREADOWNED
       0 TYPE_HIDDATA         Usha     0xbf93291a OCF_THREADOWNED
       0 TYPE_DEVICEINFO      UsDI     0xbf881c48
```
gditimers
- Description
- Print installed GDI timers and callbacks
- Output example
$ python vol.py -f ~/memdump/infected.img gditimers
Volatile Systems Volatility Framework 2.2
Sess   Handle     Object     Thread   Process              nID        Rate(ms)   Countdown(ms) Func
------ ---------- ---------- -------- -------------------- ---------- ---------- ------------- ----------
     0 0x20033    0xe1956800      808 -:-                  0x7ffe           1000           171 0xbf8012fb
     0 0x130053   0xe168ebc8      808 -:-                  0x7ffd          35000         29359 0xbf8f3acc
     0 0x10087    0xe1c1b818     1812 -:-                  0x7ffb          60000         38093 0x74ec1070
     0 0x200cf    0xe20c46f0      812 -:-                  0xfff5            100           100 0xbf80a556
     0 0x400d5    0xe1e8f298      556 -:-                  0x15            60000          3031 0x00000000
     0 0x400d9    0xe1ee3008      556 -:-                  0x19         86400000      85626532 0x00000000
     0 0xc00fb    0xe17b2178      896 -:-                  0x3e8        14400000      13401860 0x00000000
     0 0x460107   0xe185e4c0      556 -:-                  0x0             60000          6625 0x00000000
     0 0x2470135  0xe18206a0      508 -:-                  0x1               530           437 0x00000000
     0 0x740147   0xe24bea88      556 -:-                  0xe          43200000      42426328 0x00000000
     0 0x60153    0xe1eda860     2572 -:-                  0x7fc9           1000           937 0x763ee0eb
     0 0x201a1    0xe1f31e40     1656 -:-                  0x0            300000        251312 0x774f2d77
     0 0xa021d    0xe21e8120      896 -:-                  0x3e9        86400000      85397375 0x00000000
gdt
- Description
- Display Global Descriptor Table
- Output example
$ python vol.py -f ~/memdump/infected.img gdt
Volatile Systems Volatility Framework 2.2
CPU    Sel        Base       Limit      Type           DPL    Gr   Pr
------ ---------- ---------- ---------- -------------- ------ ---- ----
     0 0x0        0x00000000 0x00000000 <Reserved>          0 By   Np
     0 0x8        0x00000000 0xffffffff Code RE Ac          0 Pg   P
     0 0x10       0x00000000 0xffffffff Data RW Ac          0 Pg   P
     0 0x18       0x00000000 0xffffffff Code RE Ac          3 Pg   P
     0 0x20       0x00000000 0xffffffff Data RW Ac          3 Pg   P
     0 0x28       0x80042000 0x000020ab TSS32 Busy          0 By   P
     0 0x30       0xffdff000 0x00001fff Data RW Ac          0 Pg   P
     0 0x38       0x7ffdd000 0x00000fff Data RW Ac          3 By   P
     0 0x40       0x00000400 0x0000ffff Data RW             3 By   P
     0 0x48       0x00000000 0x00000000 <Reserved>          0 By   Np
     0 0x50       0x8054a080 0x00000068 TSS32 Avl           0 By   P
     0 0x58       0x8054a0e8 0x00000068 TSS32 Avl           0 By   P
     0 0x60       0x00022f40 0x0000ffff Data RW Ac          0 By   P
     0 0x68       0x000b8000 0x00003fff Data RW             0 By   P
     0 0x70       0xffff7000 0x000003ff Data RW             0 By   P
     0 0x78       0x80400000 0x0000ffff Code RE             0 By   P
     0 0x80       0x80400000 0x0000ffff Data RW             0 By   P
     0 0x88       0x00000000 0x00000000 Data RW             0 By   P
[REMOVED]
getservicesids
- Description
- Get the names of services in the Registry and return Calculated SID
- Output example
$ python vol.py -f ~/memdump/infected.img getservicesids
Volatile Systems Volatility Framework 2.2
servicesids = {
    'S-1-5-80-2675092186-3691566608-1139246469-1504068187-1286574349': 'Abiosdsk',
    'S-1-5-80-384935-177232180-2275229793-1867620679-4069250810': 'abp470n5',
    'S-1-5-80-2200411935-3214395760-3985565908-2861215955-1226862917': 'abp480n5',
    'S-1-5-80-850610371-2162948594-2204246734-1395993891-583065928': 'ACPIEC',
    'S-1-5-80-3725335247-1751848567-2456254030-120447533-3735992947': 'AdobeFlashPlayerUpdateSvc',
    'S-1-5-80-2838020983-819055183-730598559-323496739-448665943': 'adpu160m',
    'S-1-5-80-3218321610-3296847771-3570773115-868698368-3117473630': 'aec',
    'S-1-5-80-934984265-4079461471-3978616717-2318450786-290302611': 'Aha154x',
    'S-1-5-80-1344778701-2960353790-662938617-678076498-4183748354': 'aic78u2',
    'S-1-5-80-1076555770-1261388817-3553637611-899283093-3303637635': 'Alerter',
    'S-1-5-80-1587539839-2488332913-1287008632-3751426284-4220573165': 'AliIde',
    'S-1-5-80-3980410673-3391719637-2113285402-1294014731-1235999994': 'amsint',
    'S-1-5-80-2636016386-2318576122-4003064359-4163118804-2687887603': 'asc',
    'S-1-5-80-3570203740-1408783918-3026009114-267332295-1428103130': 'asc3350p',
[REMOVED]
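The SIDs in that table are "calculated" because Windows never stores a service's virtual-account SID: it is derived from the service name (SHA-1 of the upper-cased name in UTF-16LE, read as five little-endian 32-bit integers behind the S-1-5-80 prefix). The following added example, which is not part of the page or of the Volatility project, recomputes them so that a service SID seen in an ACL, a token or another plugin's output can be matched back to a service name. The service names fed to it below are taken from the output above; the function names are this example's own.

```python
import hashlib
import struct

# A service's virtual-account SID (NT SERVICE\<name>) is derived from the
# service name: SHA-1 over the upper-cased name encoded as UTF-16LE, and the
# 20-byte digest read as five little-endian 32-bit integers appended to the
# well-known prefix S-1-5-80. This is what makes the SIDs "calculated".
SERVICE_SID_PREFIX = "S-1-5-80"


def service_sid(service_name: str) -> str:
    """Compute the virtual-account SID that belongs to a service name."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    words = struct.unpack("<5I", digest)  # five unsigned little-endian DWORDs
    return "-".join([SERVICE_SID_PREFIX] + [str(w) for w in words])


def build_servicesids(service_names) -> dict:
    """Build the same SID -> name table the plugin prints as 'servicesids'."""
    return {service_sid(name): name for name in service_names}


def resolve_sid(sid: str, table: dict) -> str:
    """Translate a service SID to its service name; unknown SIDs pass through."""
    return table.get(sid, sid)


if __name__ == "__main__":
    # Service names from the plugin output above; in practice the list comes
    # from the Services key of the SYSTEM hive.
    table = build_servicesids(["Abiosdsk", "ACPIEC", "Alerter"])
    for sid, name in table.items():
        print(f"{sid!r}: {name!r},")
```

Because the derivation is case-insensitive on the name, a SID computed from "alerter" and from "ALERTER" is the same, which is why a lookup table built from registry key names matches whatever casing appears in a token or ACL.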
getsids
- Description
- Print the SIDs owning each process
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- Output example
$ python vol.py -f ~/memdump/infected.img getsids -p 532
Volatile Systems Volatility Framework 2.2
vmtoolsd.exe (532): S-1-5-21-1801674531-1647877149-682003330-1003
vmtoolsd.exe (532): S-1-5-21-1801674531-1647877149-682003330-513 (Domain Users)
vmtoolsd.exe (532): S-1-1-0 (Everyone)
vmtoolsd.exe (532): S-1-5-32-544 (Administrators)
vmtoolsd.exe (532): S-1-5-32-545 (Users)
vmtoolsd.exe (532): S-1-5-4 (Interactive)
vmtoolsd.exe (532): S-1-5-11 (Authenticated Users)
vmtoolsd.exe (532): S-1-5-5-0-65129 (Logon Session)
vmtoolsd.exe (532): S-1-2-0 (Local (Users with the ability to log in locally))
[REMOVED]
handles
- Description
- Print list of open handles for each process
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- -P, --physical-offset
- Physical Offset
- -t OBJECT_TYPE, --object-type=OBJECT_TYPE
- Show these object types (comma-separated)
- -s, --silent
- Suppress less meaningful results
- Output example
$ python vol.py -f ~/memdump/infected.img handles -p 532 -s
Volatile Systems Volatility Framework 2.2
Offset(V)  Pid    Handle     Access     Type             Details
---------- ------ ---------- ---------- ---------------- -------
0xe1005448    532 0x4        0xf0003    KeyedEvent       CritSecOutOfMemoryEvent
0xe182a4d8    532 0x8        0x3        Directory        KnownDlls
0x8223c190    532 0xc        0x100020   File             \Device\HarddiskVolume1\Documents and Settings\pilou
0x81dd4d00    532 0x10       0x100020   File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e
0xe193c768    532 0x14       0xf000f    Directory        Windows
0x81dc6028    532 0x1c       0x100020   File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e
0x81f21bb0    532 0x20       0x100020   File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e
0x81e5bdb8    532 0x28       0x100020   File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e
0x81dd07b0    532 0x2c       0x100020   File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e
0x8227c2b0    532 0x30       0x100020   File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e
0x821b5300    532 0x34       0x100020   File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e
0x81e837c0    532 0x38       0x100020   File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e
0xe1e7de28    532 0x40       0x20f003f  Key              MACHINE
0x81f722d0    532 0x44       0xf037f    WindowStation    WinSta0
0x81eb48b0    532 0x4c       0xf01ff    Desktop          Default
0x81f722d0    532 0x50       0xf037f    WindowStation    WinSta0
0x82285ea8    532 0x54       0x100001   File             \Device\KsecDD
[REMOVED]
hashdump
- Description
- Dumps passwords hashes (LM/NTLM) from memory
- Options
- -y SYS_OFFSET, --sys-offset=SYS_OFFSET
- SYSTEM hive offset (virtual)
- -s SAM_OFFSET, --sam-offset=SAM_OFFSET
- SAM hive offset (virtual)
- Output example
We need the hive list so we can get the starting location in memory where the registry information resides:
$ python vol.py -f ~/memdump/infected.img hivelist
Volatile Systems Volatility Framework 2.2
Virtual    Physical   Name
---------- ---------- ----
0xe2084008 0x0fe6b008 \Device\HarddiskVolume1\Documents and Settings\pilou\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1d1fb60 0x0db99b60 \Device\HarddiskVolume1\Documents and Settings\pilou\NTUSER.DAT
0xe19d8380 0x0d091380 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c19508 0x0d644508 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe17206d0 0x0cad76d0 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe19fb008 0x0d403008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe196c6b8 0x0a9ca6b8 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1599b60 0x04870b60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe196cb60 0x0a9cab60 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe195eb60 0x0a6e2b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe134f350 0x02f00350 [no name]
0xe1035b60 0x02aa3b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02a9d008 [no name]
0x806717a8 0x006717a8 [no name]
Then dump the hashes as follows:
$ python vol.py -f ~/memdump/infected.img hashdump -s 0xe195eb60 -y 0xe1035b60
Volatile Systems Volatility Framework 2.2
Administrateur:500:e039e3178e07d0c9a6e1e67c15d6275b:b246b548b6f17e45f349aa2214a5f6aa:::
You can then use online resources or a hash cracker like John to crack the hash.
hibinfo
- Description
- Dump hibernation file information
- Output example
$ python vol.py -f hiberfil.sys --profile=Win7SP1x64 hibinfo
IMAGE_HIBER_HEADER:
 Signature: HIBR
 SystemTime: 2011-12-23 16:34:27

Control registers flags
 CR0: 80050031
 CR0[PAGING]: 1
 CR3: 00187000
 CR4: 000006f8
 CR4[PSE]: 1
 CR4[PAE]: 1

Windows Version is 6.1 (7601)
hivedump
- Description
- Prints out a hive
- Options
- -o HIVE_OFFSET, --hive-offset=HIVE_OFFSET
- Hive offset (virtual)
- Output example
See hivelist to get the offset of a hive
$ python vol.py -f ~/memdump/infected.img hivedump -o 0xe196cb60
Volatile Systems Volatility Framework 2.2
Last Written         Key
2013-02-18 20:54:33  \SECURITY
2012-03-17 16:29:11  \SECURITY\Cache
2011-12-08 19:49:19  \SECURITY\Policy
2011-12-08 20:00:07  \SECURITY\Policy\Accounts
2011-12-08 20:44:26  \SECURITY\Policy\Accounts\S-1-1-0
2011-12-08 20:44:58  \SECURITY\Policy\Accounts\S-1-1-0\ActSysAc
2011-12-08 20:44:58  \SECURITY\Policy\Accounts\S-1-1-0\Privilgs
2011-12-08 20:44:26  \SECURITY\Policy\Accounts\S-1-1-0\SecDesc
2011-12-08 20:44:26  \SECURITY\Policy\Accounts\S-1-1-0\Sid
2011-12-08 20:44:58  \SECURITY\Policy\Accounts\S-1-5-19
[REMOVED]
hivelist
- Description
- Print list of registry hives.
- Output example
$ python vol.py -f ~/memdump/infected.img hivelist
Volatile Systems Volatility Framework 2.2
Virtual    Physical   Name
---------- ---------- ----
0xe2084008 0x0fe6b008 \Device\HarddiskVolume1\Documents and Settings\pilou\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1d1fb60 0x0db99b60 \Device\HarddiskVolume1\Documents and Settings\pilou\NTUSER.DAT
0xe19d8380 0x0d091380 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c19508 0x0d644508 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe17206d0 0x0cad76d0 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe19fb008 0x0d403008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe196c6b8 0x0a9ca6b8 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1599b60 0x04870b60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe196cb60 0x0a9cab60 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe195eb60 0x0a6e2b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe134f350 0x02f00350 [no name]
0xe1035b60 0x02aa3b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02a9d008 [no name]
0x806717a8 0x006717a8 [no name]
[REMOVED]
Windows NT-based systems store the registry in a binary file format which can be exported, loaded and unloaded by the Registry Editor in these operating systems. The following system Registry files are stored in %SystemRoot%\System32\Config\:
- Sam – HKEY_LOCAL_MACHINE\SAM
- Security – HKEY_LOCAL_MACHINE\SECURITY
- Software – HKEY_LOCAL_MACHINE\SOFTWARE
- System – HKEY_LOCAL_MACHINE\SYSTEM
- Default – HKEY_USERS\.DEFAULT
- Userdiff – Not associated with a hive. Used only when upgrading operating systems.[29]
The following file is stored in each user's profile folder:
- %UserProfile%\Ntuser.dat – HKEY_USERS\<User SID> (linked to by HKEY_CURRENT_USER)
For Windows 2000, Server 2003 and Windows XP, the following additional user-specific file is used for file associations and COM information:
- %UserProfile%\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat (path is localized) – HKEY_USERS\<User SID>_Classes (HKEY_CURRENT_USER\Software\Classes)
For Windows Vista and later, the path was changed to:
- %UserProfile%\AppData\Local\Microsoft\Windows\Usrclass.dat (path is not localized) alias %LocalAppData%\Microsoft\Windows\Usrclass.dat – HKEY_USERS\<User SID>_Classes (HKEY_CURRENT_USER\Software\Classes)
Windows 2000 keeps an alternate copy of the registry hives (.ALT) and attempts to switch to it when corruption is detected.[30] Windows XP and Windows Server 2003 do not maintain a System.alt hive because NTLDR on those versions of Windows can process the System.log file to bring up to date a System hive that has become inconsistent during a shutdown or crash. In addition, the %SystemRoot%\Repair folder contains a copy of the system's registry hives that were created after installation and the first successful startup of Windows. Each registry data file has an associated file with a ".log" extension that acts as a transaction log that is used to ensure that any interrupted updates can be completed upon next startup.[31] Internally, registry files are split into 4 kB "bins" that contain collections of "cells".
For more information, please refer to http://en.wikipedia.org/wiki/Windows_Registry.
hivescan
- Description
- Scan Physical memory for _CMHIVE objects (registry hives)
- Output example
$ python vol.py -f ~/memdump/infected.img hivescan
Volatile Systems Volatility Framework 2.2
Offset(P)
----------
0x02a9d008
0x02aa3b60
0x02f00350
0x04870b60
0x0a6e2b60
0x0a9ca6b8
0x0a9cab60
0x0c0d6350
0x0cad76d0
0x0d091380
0x0d403008
0x0d644508
0x0db99b60
0x0fe6b008
0x13037b60
0x160dc008
0x16186380
0x16745350
0x16e85b60
0x18960b60
0x1a0f8008
0x1ebf5008
idt
- Description
- Display Interrupt Descriptor Table
- Output example
$ python vol.py -f ~/memdump/infected.img idt
Volatile Systems Volatility Framework 2.2
CPU    Index  Selector Value      Module               Section
------ ------ -------- ---------- -------------------- ------------
     0      0        8 0x8053e29c ntoskrnl.exe         .text
     0      1        8 0x8053e414 ntoskrnl.exe         .text
     0      2       88 0x00000000 ntoskrnl.exe
     0      3        8 0x8053e7e4 ntoskrnl.exe         .text
     0      4        8 0x8053e964 ntoskrnl.exe         .text
     0      5        8 0x8053eac0 ntoskrnl.exe         .text
     0      6        8 0x8053ec34 ntoskrnl.exe         .text
     0      7        8 0x8053f29c ntoskrnl.exe         .text
     0      8       80 0x00000000 ntoskrnl.exe
     0      9        8 0x8053f6c0 ntoskrnl.exe         .text
     0      A        8 0x8053f7e0 ntoskrnl.exe         .text
     0      B        8 0x8053f920 ntoskrnl.exe         .text
     0      C        8 0x8053fb7c ntoskrnl.exe         .text
     0      D        8 0x8053fe60 ntoskrnl.exe         .text
     0      E        8 0x80540568 ntoskrnl.exe         .text
     0      F        8 0x80540898 ntoskrnl.exe         .text
     0     10        8 0x805409b8 ntoskrnl.exe         .text
     0     11        8 0x80540af0 ntoskrnl.exe         .text
     0     12      160 0x80540898 UNKNOWN
     0     13        8 0x80540c58 ntoskrnl.exe         .text
     0     14        8 0x80540898 ntoskrnl.exe         .text
     0     15        8 0x80540898 ntoskrnl.exe         .text
[REMOVED]
imagecopy
- Description
- convert any existing type of address space (such as a crashdump, hibernation file, or live firewire session) to a raw memory image
- Options
- -b 5242880, --blocksize=5242880
- Size (in bytes) of blocks to copy
- -O OUTPUT_IMAGE, --output-image=OUTPUT_IMAGE
- Writes a raw DD image out to OUTPUT-IMAGE
- Output example
$ python vol.py imagecopy -f win7.dmp --profile=Win7SP0x86 -O win7.raw
Volatile Systems Volatility Framework 2.0
Writing data (5.00 MB chunks): |.....................................................|
imageinfo
- Description
- Identify information for the image
- Output example
$ python vol.py -f ~/tmp/infected.img imageinfo
Volatile Systems Volatility Framework 2.1
Determining profile based on KDBG search...

          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Users/sebastiendamaye/tmp/infected.img)
                      PAE type : PAE
                           DTB : 0x31e000L
                          KDBG : 0x80545c60
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000
             KUSER_SHARED_DATA : 0xffdf0000
           Image date and time : 2013-02-18 21:20:52 UTC+0000
     Image local date and time : 2013-02-18 22:20:52 +0100
impscan
- Description
- Scan for calls to imported functions
- Options
- -p PID, --pid=PID
- Process ID (leave off to scan kernel memory)
- -b BASE, --base=BASE
- Base address in process memory if --pid is supplied, otherwise an address in kernel space
- -s SIZE, --size=SIZE
- Size of memory to scan
- Output example
$ python vol.py -f ~/memdump/infected.img impscan -p 532
Volatile Systems Volatility Framework 2.2
IAT        Call       Module               Function
---------- ---------- -------------------- --------
0x00407000 0x77da7cb8 ADVAPI32.dll         FreeSid
0x00407004 0x77db4b05 ADVAPI32.dll         SetSecurityDescriptorOwner
0x00407008 0x77da79eb ADVAPI32.dll         SetSecurityDescriptorDacl
0x0040700c 0x77da79c6 ADVAPI32.dll         InitializeSecurityDescriptor
0x00407010 0x77db4ec2 ADVAPI32.dll         SetEntriesInAclW
0x00407014 0x77da7cc9 ADVAPI32.dll         AllocateAndInitializeSid
0x00407054 0x7c81f424 kernel32.dll         IsDebuggerPresent
0x00407058 0x7c864042 kernel32.dll         UnhandledExceptionFilter
0x0040705c 0x7c801e1a kernel32.dll         TerminateProcess
0x00407060 0x7c8017e9 kernel32.dll         GetSystemTimeAsFileTime
0x00407064 0x7c8099c0 kernel32.dll         GetCurrentProcessId
0x00407068 0x7c8097d0 kernel32.dll         GetCurrentThreadId
[REMOVED]
kdbgscan
- Description
- Search for and dump potential KDBG values
- Output example
$ python vol.py -f ~/memdump/infected.img kdbgscan
Volatile Systems Volatility Framework 2.2
**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x80545c60
Offset (P)                    : 0x545c60
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP3x86
Version64                     : 0x80545c38 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab)     : 2600.xpsp_sp3_gdr.120821-1629
PsActiveProcessHead           : 0x8055a2d8 (35 processes)
PsLoadedModuleList            : 0x80554140 (124 modules)
KernelBase                    : 0x804d7000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)
[REMOVED]
kpcrscan
- Description
- Search for and dump potential KPCR (Kernel Processor Control Region) values
- Output example
$ python vol.py --profile=Win7SP0x86 -f win7.dmp kpcrscan
Volatile Systems Volatility Framework 2.0
Potential KPCR structure virtual addresses:
 _KPCR: 0x8296dc00
ldrmodules
- Description
- Detect unlinked DLLs
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- Output example
$ python vol.py -f ~/memdump/infected.img ldrmodules -p 532
Volatile Systems Volatility Framework 2.2
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     532 vmtoolsd.exe         0x01ef0000 True   True   True  \WINDOWS\system32\vmhgfs.dll
     532 vmtoolsd.exe         0x00400000 True   False  True  \Program Files\VMware\VMware Tools\vmtoolsd.exe
     532 vmtoolsd.exe         0x76930000 True   True   True  \WINDOWS\system32\ntshrui.dll
     532 vmtoolsd.exe         0x77f40000 True   True   True  \WINDOWS\system32\shlwapi.dll
     532 vmtoolsd.exe         0x62e40000 True   True   True  \WINDOWS\system32\hnetcfg.dll
     532 vmtoolsd.exe         0x77be0000 True   True   True  \WINDOWS\system32\msvcrt.dll
     532 vmtoolsd.exe         0x71990000 True   True   True  \WINDOWS\system32\mswsock.dll
     532 vmtoolsd.exe         0x779e0000 True   True   True  \WINDOWS\system32\crypt32.dll
     532 vmtoolsd.exe         0x778e0000 True   True   True  \WINDOWS\system32\setupapi.dll
     532 vmtoolsd.exe         0x77fc0000 True   True   True  \WINDOWS\system32\secur32.dll
     532 vmtoolsd.exe         0x719d0000 True   True   True  \WINDOWS\system32\wshtcpip.dll
     532 vmtoolsd.exe         0x71be0000 True   True   True  \WINDOWS\system32\netrap.dll
[REMOVED]
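Reading that table by hand does not scale to a process with a hundred DLLs, and the one False in it (InInit for vmtoolsd.exe itself) is expected: a process's own executable is never placed on the InInitializationOrder list. The added example below, which is not part of the page or of Volatility, parses ldrmodules output and reports only the rows that matter: modules missing from one or more PEB lists, and PEB entries with no file backing them in the VAD. The first three rows of the sample are copied from the output above; the two rows at 0x10000000 and 0x00990000 (and the file name unlinked-sample.dll) are invented for the example.

```python
# ldrmodules output used as sample input. The first rows are copied from the
# plugin output above; the rows at 0x10000000 and 0x00990000 are constructed
# for this example and do not come from the analysed image.
LDRMODULES_OUTPUT = r"""
Volatile Systems Volatility Framework 2.2
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     532 vmtoolsd.exe         0x01ef0000 True   True   True  \WINDOWS\system32\vmhgfs.dll
     532 vmtoolsd.exe         0x00400000 True   False  True  \Program Files\VMware\VMware Tools\vmtoolsd.exe
     532 vmtoolsd.exe         0x76930000 True   True   True  \WINDOWS\system32\ntshrui.dll
     532 vmtoolsd.exe         0x10000000 False  False  False \WINDOWS\system32\unlinked-sample.dll
     532 vmtoolsd.exe         0x00990000 True   True   True
"""


def parse_ldrmodules(text: str) -> list:
    """Turn the table into dicts; rows without a MappedPath get an empty string."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)  # MappedPath may contain spaces: keep it whole
        if len(parts) < 6 or not parts[0].isdigit():
            continue  # banner, header, separator or blank line
        pid, process, base, inload, ininit, inmem = parts[:6]
        rows.append({
            "pid": int(pid), "process": process, "base": int(base, 16),
            "inload": inload == "True", "ininit": ininit == "True",
            "inmem": inmem == "True",
            "path": parts[6].strip() if len(parts) == 7 else "",
        })
    return rows


def is_process_image(row: dict) -> bool:
    """The main executable is recognised by its file name matching the process
    name; EPROCESS names are truncated to 15 characters, hence startswith()."""
    basename = row["path"].rsplit("\\", 1)[-1].lower()
    return bool(basename) and basename.startswith(row["process"].lower())


def suspicious_modules(rows: list) -> list:
    """Return (pid, base, reason) for every row a reviewer should look at."""
    findings = []
    for row in rows:
        missing = [name for name, present in (("InLoad", row["inload"]),
                                               ("InInit", row["ininit"]),
                                               ("InMem", row["inmem"]))
                   if not present]
        if is_process_image(row):
            # The executable itself is never on the InInit list: not a finding.
            missing = [m for m in missing if m != "InInit"]
        if not row["path"]:
            findings.append((row["pid"], row["base"],
                             "no mapped file backs this PEB entry"))
        elif missing:
            findings.append((row["pid"], row["base"],
                             "absent from " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for pid, base, reason in suspicious_modules(parse_ldrmodules(LDRMODULES_OUTPUT)):
        print(f"pid {pid} base {base:#010x}: {reason}")
```

A module that is absent from all three lists but still has a mapped file was found through the VAD only, which is what a DLL unlinked from the PEB looks like; an entry with no mapped path is the reverse case, a PEB entry that no file-backed mapping supports. Both deserve a look with dlldump or malfind before drawing conclusions.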
lsadump
- Description
- Dump (decrypted) LSA secrets from the registry
- Options
- -y SYS_OFFSET, --sys-offset=SYS_OFFSET
- SYSTEM hive offset (virtual)
- -s SEC_OFFSET, --sec-offset=SEC_OFFSET
- SECURITY hive offset (virtual)
- Output example
- N/A
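hashdump and lsadump both take the SYSTEM hive offset (-y) plus a second hive offset (-s: SAM for hashdump, SECURITY for lsadump), and hivedump and printkey take a single hive offset with -o; all of them are read off hivelist, which prints hive file names in mixed case and includes "[no name]" hives that have no path at all. The following added example, which is not part of the page or of Volatility, parses hivelist output and builds the argument lists for the two credential plugins, refusing to build a command when a needed hive is missing. The hivelist rows it embeds are copied from the output above; the function names are this example's own.

```python
import re

# Registry hive rows as printed by hivelist above (Virtual, Physical, Name).
# Two "[no name]" hives are kept in the sample to show that they must be skipped.
HIVELIST_OUTPUT = r"""
Volatile Systems Volatility Framework 2.2
Virtual    Physical   Name
---------- ---------- ----
0xe1d1fb60 0x0db99b60 \Device\HarddiskVolume1\Documents and Settings\pilou\NTUSER.DAT
0xe196c6b8 0x0a9ca6b8 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe196cb60 0x0a9cab60 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe195eb60 0x0a6e2b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe134f350 0x02f00350 [no name]
0xe1035b60 0x02aa3b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0x806717a8 0x006717a8 [no name]
"""

ROW = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(.+?)\s*$", re.IGNORECASE)


def parse_hivelist(text: str) -> list:
    """Return (virtual, physical, name) for every hive row; banner and header
    lines do not start with an address and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return rows


def find_hive(rows: list, filename: str):
    """Virtual offset of the hive backed by the file named `filename`.

    Only the last path component is compared, case-insensitively, because the
    hive file names appear in mixed case (SAM, SECURITY, software, system).
    Returns None when no such hive is listed.
    """
    for virtual, _physical, name in rows:
        if name.startswith("["):  # "[no name]" hives carry no file path
            continue
        if name.rsplit("\\", 1)[-1].lower() == filename.lower():
            return virtual
    return None


def registry_offsets(text: str) -> dict:
    """Offsets of the three hives the credential plugins need, by file name."""
    rows = parse_hivelist(text)
    return {h: find_hive(rows, h) for h in ("system", "sam", "security")}


def plugin_args(offsets: dict, plugin: str) -> list:
    """Argument list for hashdump (SAM + SYSTEM) or lsadump (SECURITY + SYSTEM).

    A missing hive raises instead of silently producing a command line that
    would point the plugin at the wrong structure.
    """
    second = {"hashdump": "sam", "lsadump": "security"}[plugin]
    for needed in ("system", second):
        if offsets.get(needed) is None:
            raise ValueError(f"hive '{needed}' not found in hivelist output")
    return [plugin, "-s", hex(offsets[second]), "-y", hex(offsets["system"])]


if __name__ == "__main__":
    offs = registry_offsets(HIVELIST_OUTPUT)
    for plugin in ("hashdump", "lsadump"):
        print("python vol.py -f <image>", " ".join(plugin_args(offs, plugin)))
```

The offsets are virtual addresses, which is what -s, -y and -o expect; the physical column is what hivescan prints, so the two must not be mixed up when copying values between plugins.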
malfind
- Description
- Find hidden and injected code
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- -D DUMP_DIR, --dump-dir=DUMP_DIR
- Directory in which to dump the VAD files
- Output example
$ python vol.py -f ~/memdump/infected.img malfind -p 532 -D output/
Volatile Systems Volatility Framework 2.2
Process: vmtoolsd.exe Pid: 532 Address: 0x3140000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 4147, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x03140000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x03140010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x03140020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x03140030  00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00   ................

0x3140000 4d               DEC EBP
0x3140001 5a               POP EDX
0x3140002 90               NOP
0x3140003 0003             ADD [EBX], AL
0x3140005 0000             ADD [EAX], AL
0x3140007 000400           ADD [EAX+EAX], AL
0x314000a 0000             ADD [EAX], AL
0x314000c ff               DB 0xff
0x314000d ff00             INC DWORD [EAX]
0x314000f 00b800000000     ADD [EAX+0x0], BH
0x3140015 0000             ADD [EAX], AL
0x3140017 004000           ADD [EAX+0x0], AL
0x314001a 0000             ADD [EAX], AL
0x314001c 0000             ADD [EAX], AL
0x314001e 0000             ADD [EAX], AL
0x3140020 0000             ADD [EAX], AL
0x3140022 0000             ADD [EAX], AL
0x3140024 0000             ADD [EAX], AL
0x3140026 0000             ADD [EAX], AL
0x3140028 0000             ADD [EAX], AL
0x314002a 0000             ADD [EAX], AL
0x314002c 0000             ADD [EAX], AL
0x314002e 0000             ADD [EAX], AL
0x3140030 0000             ADD [EAX], AL
0x3140032 0000             ADD [EAX], AL
0x3140034 0000             ADD [EAX], AL
0x3140036 0000             ADD [EAX], AL
0x3140038 0000             ADD [EAX], AL
0x314003a 0000             ADD [EAX], AL
0x314003c e000             LOOPNZ 0x314003e
0x314003e 0000             ADD [EAX], AL
[REMOVED]
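The hex dump in that report is the useful part: a private (VadS) region that is both writable and executable and starts with an MZ header, as the vmtoolsd.exe region above does, is the classic shape of a PE image written into a process by something other than the loader. Not every RWX region is malicious (JIT engines and unpackers create them too), so the point of triage is to rank, not to convict. The added example below, which is not part of the page or of Volatility, parses malfind text output, recovers the dumped bytes, and classifies each region by protection and by the presence of a PE header. The vmtoolsd.exe region in the sample is copied from the output above; the second region (example.exe, pid 4444) is invented to show a region without an MZ header.

```python
import re

# Sample malfind output. The vmtoolsd.exe region is the one shown on this page;
# the example.exe region (pid 4444, address 0xe40000) is constructed for this
# example and does not come from the analysed image.
MALFIND_OUTPUT = """\
Volatile Systems Volatility Framework 2.2
Process: vmtoolsd.exe Pid: 532 Address: 0x3140000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 4147, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x03140000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x03140010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x03140020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x03140030  00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00   ................

0x3140000 4d               DEC EBP
0x3140001 5a               POP EDX
0x3140002 90               NOP
0x3140003 0003             ADD [EBX], AL

Process: example.exe Pid: 4444 Address: 0xe40000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00e40000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00e40010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0xe40000 0000             ADD [EAX], AL
"""

HEADER = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")
VAD = re.compile(r"^Vad Tag:\s+(\S+)\s+Protection:\s+(\S+)")
HEX_BYTE = re.compile(r"^[0-9a-f]{2}$")


def parse_malfind(text: str) -> list:
    """Split the output into regions, collecting the bytes of each hex dump."""
    regions = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            regions.append({"process": m.group(1), "pid": int(m.group(2)),
                            "address": int(m.group(3), 16), "vad_tag": None,
                            "protection": None, "data": bytearray()})
            continue
        if not regions:
            continue
        m = VAD.match(line)
        if m:
            regions[-1]["vad_tag"], regions[-1]["protection"] = m.group(1), m.group(2)
            continue
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith("0x"):
            continue
        # Hex dump rows carry up to 16 two-character byte tokens. Disassembly
        # rows print the opcode bytes as a single run ("0003") or as one byte
        # followed by a mnemonic, so they never yield two byte tokens in a row.
        raw = []
        for tok in tokens[1:17]:
            if not HEX_BYTE.match(tok):
                break
            raw.append(int(tok, 16))
        if len(raw) >= 2:
            regions[-1]["data"].extend(raw)
    return regions


def classify(region: dict) -> dict:
    """Flag private RWX memory and an MZ header at the start of the region."""
    data = bytes(region["data"])
    return {
        "pid": region["pid"], "process": region["process"],
        "address": region["address"],
        "private_rwx": region["vad_tag"] == "VadS"
                       and region["protection"] == "PAGE_EXECUTE_READWRITE",
        "pe_header": data[:2] == b"MZ",
    }


def triage(text: str) -> list:
    """Regions sorted so the ones with a PE header in private RWX memory come first."""
    results = [classify(r) for r in parse_malfind(text)]
    results.sort(key=lambda r: (not r["pe_header"], not r["private_rwx"], r["pid"]))
    return results


if __name__ == "__main__":
    for r in triage(MALFIND_OUTPUT):
        print(f"{r['process']:<16} pid {r['pid']:<6} {r['address']:#010x} "
              f"private_rwx={r['private_rwx']} pe_header={r['pe_header']}")
```

Only the first 64 bytes are shown by malfind, so the check is limited to the DOS header; the files written with -D contain the whole region and are what to scan with yarascan-style rules or a PE parser afterwards.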
memdump
- Description
- Dump the addressable memory for a process
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- -D DUMP_DIR, --dump-dir=DUMP_DIR
- Directory in which to dump memory
- Output example
$ python vol.py -f ~/memdump/infected.img memdump -p 532 --dump-dir output/
Volatile Systems Volatility Framework 2.2
************************************************************************
Writing vmtoolsd.exe [   532] to 532.dmp
memmap
- Description
- Print the memory map
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- Output example
$ python vol.py -f ~/memdump/infected.img memmap -p 532
Volatile Systems Volatility Framework 2.2
vmtoolsd.exe pid:    532
Virtual    Physical   Size       DumpFileOffset
---------- ---------- ---------- --------------
0x00010000 0x11bb9000 0x1000     0x0
0x00020000 0x11b7a000 0x1000     0x1000
0x00126000 0x11f02000 0x1000     0x2000
0x00127000 0x12041000 0x1000     0x3000
0x00128000 0x12340000 0x1000     0x4000
0x00129000 0x11f3f000 0x1000     0x5000
0x0012a000 0x11ffe000 0x1000     0x6000
0x0012b000 0x1203d000 0x1000     0x7000
[REMOVED]
messagehooks
- Description
- List desktop and thread window message hooks
- Options
- Output example
$ python vol.py -f laqma.vmem messagehooks --output=block
Volatile Systems Volatility Framework 2.1_alpha
Offset(V) : 0xbc693988
Session   : 0
Desktop   : WinSta0\Default
Thread    : <any>
Filter    : WH_GETMESSAGE
Flags     : HF_ANSI, HF_GLOBAL
Procedure : 0x1fd9
ihmod     : 1
Module    : C:\WINDOWS\system32\Dll.dll

Offset(V) : 0xbc693988
Session   : 0
Desktop   : WinSta0\Default
Thread    : 1584 (explorer.exe 1624)
Filter    : WH_GETMESSAGE
Flags     : HF_ANSI, HF_GLOBAL
Procedure : 0x1fd9
ihmod     : 1
Module    : C:\WINDOWS\system32\Dll.dll

Offset(V) : 0xbc693988
Session   : 0
Desktop   : WinSta0\Default
Thread    : 252 (VMwareUser.exe 1768)
Filter    : WH_GETMESSAGE
Flags     : HF_ANSI, HF_GLOBAL
Procedure : 0x1fd9
ihmod     : 1
Module    : C:\WINDOWS\system32\Dll.dll
moddump
- Description
- Dump a kernel driver to an executable file sample
- Options
- -D DUMP_DIR, --dump-dir=DUMP_DIR
- Directory in which to dump executable files
- -u, --unsafe
- Bypasses certain sanity checks when creating image
- -r REGEX, --regex=REGEX
- Dump modules matching REGEX
- -i, --ignore-case
- Ignore case in pattern match
- -b BASE, --base=BASE
- Dump driver with BASE address (in hex)
- Output example
$ python vol.py -f ~/memdump/infected.img moddump --dump-dir output/
Volatile Systems Volatility Framework 2.2
Module Base Module Name          Result
----------- -------------------- ------
0x0804d7000 ntoskrnl.exe         OK: driver.804d7000.sys
0x0806d1000 hal.dll              OK: driver.806d1000.sys
0x0f84dc000 fltMgr.sys           Error: Cannot acquire AS
0x0f8bba000 Fs_Rec.SYS           OK: driver.f8bba000.sys
0x0f8ce4000 dxgthk.sys           OK: driver.f8ce4000.sys
0x0b239b000 dump_atapi.sys       OK: driver.b239b000.sys
0x0f84fc000 atapi.sys            Error: Cannot acquire AS
0x0f877a000 Fips.SYS             OK: driver.f877a000.sys
0x0f8144000 mouhid.sys           OK: driver.f8144000.sys
[REMOVED]
modscan
- Description
- Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
- Output example
$ python vol.py -f ~/memdump/infected.img modscan
Volatile Systems Volatility Framework 2.2
Offset(P)  Name                 Base       Size       File
---------- -------------------- ---------- ---------- ----
0x01ed4508 kmixer.sys           0xb1610000 0x2b000    \SystemRoot\system32\drivers\kmixer.sys
0x02087100 rasacd.sys           0xf8b52000 0x3000     \SystemRoot\system32\DRIVERS\rasacd.sys
0x02094950 flpydisk.sys         0xf89ea000 0x5000     \SystemRoot\system32\DRIVERS\flpydisk.sys
0x020a0008 vmx_fb.dll           0xbf012000 0x19c000   \SystemRoot\System32\vmx_fb.dll
0x020b9af8 HIDPARSE.SYS         0xf8a32000 0x7000     \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x020be820 netbios.sys          0xf876a000 0x9000     \SystemRoot\system32\DRIVERS\netbios.sys
0x020bf0e8 ndisuio.sys          0xb229b000 0x4000     \SystemRoot\system32\DRIVERS\ndisuio.sys
0x020c4ef0 HTTP.sys             0xb1777000 0x41000    \SystemRoot\System32\Drivers\HTTP.sys
0x020cda08 RDPCDD.sys           0xf8bc0000 0x2000     \SystemRoot\System32\DRIVERS\RDPCDD.sys
[REMOVED]
modules
- Description
- Print list of loaded modules
- Options
- -P, --physical-offset
- Physical Offset
- Output example
$ python vol.py -f ~/memdump/infected.img modules
Volatile Systems Volatility Framework 2.2
Offset(V)  Name                 Base       Size       File
---------- -------------------- ---------- ---------- ----
0x823fc3a0 ntoskrnl.exe         0x804d7000 0x1f9c80   \WINDOWS\system32\ntkrnlpa.exe
0x823fc338 hal.dll              0x806d1000 0x20300    \WINDOWS\system32\hal.dll
0x823fc2d0 kdcom.dll            0xf8b9a000 0x2000     \WINDOWS\system32\KDCOM.DLL
0x823fc260 BOOTVID.dll          0xf8aaa000 0x3000     \WINDOWS\system32\BOOTVID.dll
0x823fc1f8 ACPI.sys             0xf856a000 0x2f000    ACPI.sys
0x823fc188 WMILIB.SYS           0xf8b9c000 0x2000     \WINDOWS\system32\DRIVERS\WMILIB.SYS
0x823fc120 pci.sys              0xf8559000 0x11000    pci.sys
0x823fc0b0 isapnp.sys           0xf869a000 0xa000     isapnp.sys
0x823fc040 compbatt.sys         0xf8aae000 0x3000     compbatt.sys
0x823ed008 BATTC.SYS            0xf8ab2000 0x4000     \WINDOWS\system32\DRIVERS\BATTC.SYS
mutantscan
- Description
- Scan for mutant objects _KMUTANT
- Options
- -s, --silent
- Suppress less meaningful results
- Output example
$ python vol.py -f ~/memdump/infected.img mutantscan
Volatile Systems Volatility Framework 2.2
Offset(P)  #Ptr #Hnd Signal Thread     CID       Name
---------- ---- ---- ------ ---------- --------- ----
0x01e2ba90    1    1      1 0x00000000
0x01e2c150    2    1      1 0x00000000           RAS_MO_02
0x01e34170    1    1      1 0x00000000
0x01e3c878    2    1      1 0x00000000           jqs.exeM_1512_
0x01e3cfe0    3    2      1 0x00000000           WininetConnectionMutex
0x01e458e0    1    1      1 0x00000000
0x01eb7160    1    1      1 0x00000000
0x01ebbe28    2    1      1 0x00000000           vmtoolsd.exeM_1732_
0x01ecb7f8    1    1      1 0x00000000
0x01ed5640    2    1      0 0x81ea9da0 1364:1520 Instance1: ESENT Performance Data Schema Version 40
0x01ed5eb8    2    1      1 0x00000000           !PrivacIE!SharedMemory!Mutex
[REMOVED]
netscan
- Description
- To scan for network artifacts in 32- and 64-bit Windows Vista, Windows 2008 Server and Windows 7 memory dumps, use the netscan command.
- Output example
$ python vol.py -f ~/Desktop/win7_trial_64bit.raw --profile=Win7SP0x64 netscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0xf882a30  TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        628      svchost.exe
0xfc13770  TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        916      svchost.exe
0xfdda1e0  TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        916      svchost.exe
0xfdda1e0  TCPv6    :::49154                       :::0                 LISTENING        916      svchost.exe
0x1121b7b0 TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        628      svchost.exe
0x1121b7b0 TCPv6    :::135                         :::0                 LISTENING        628      svchost.exe
0x11431360 TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        332      wininit.exe
0x11431360 TCPv6    :::49152                       :::0                 LISTENING        332      wininit.exe
[REMOVED]
patcher
- Description
- Patches memory based on page scans
- Options
- -x XML_INPUT, --xml-input=XML_INPUT
- Input XML file for patching binaries (example given below)
<patchfile>
  <patchinfo method="pagescan" name="Some Descriptive Name">
    <constraints>
      <match offset="0x123">554433221100</match>
    </constraints>
    <patches>
      <setbytes offset="0x234">001122334455</setbytes>
    </patches>
  </patchinfo>
  <patchinfo>
    ...
  </patchinfo>
</patchfile>
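The XML above describes each patch as a set of byte-level constraints that a page must satisfy, followed by the bytes to write when it does; offsets are relative to the start of the page. The added example below, which is not part of the page or of Volatility, parses a patchfile in that layout and applies it to the pages of a raw image in memory, so the semantics can be checked on a constructed buffer before a real image is touched. It assumes (this example's reading of the format, not a statement about the plugin's internals) that every <match> must hold before any <setbytes> is written; the patchfile, offsets and byte values in it are invented for the example.

```python
import xml.etree.ElementTree as ET

# Constructed patchfile in the layout documented above. The second <match>
# (a single 0x90 at 0x200) is added so the sample shows a page that satisfies
# only one of two constraints and is therefore left alone.
PATCHFILE_XML = """\
<patchfile>
  <patchinfo method="pagescan" name="Example: rewrite six bytes at 0x234">
    <constraints>
      <match offset="0x123">554433221100</match>
      <match offset="0x200">90</match>
    </constraints>
    <patches>
      <setbytes offset="0x234">001122334455</setbytes>
    </patches>
  </patchinfo>
</patchfile>
"""

PAGE_SIZE = 0x1000  # x86 page; offsets in the patchfile are page-relative


def load_patchinfos(xml_text: str) -> list:
    """Parse every <patchinfo> into (offset, bytes) constraint and patch lists."""
    root = ET.fromstring(xml_text)
    infos = []
    for pi in root.findall("patchinfo"):
        infos.append({
            "name": pi.get("name", ""),
            "method": pi.get("method", ""),
            "constraints": [(int(m.get("offset"), 0), bytes.fromhex(m.text.strip()))
                            for m in pi.findall("constraints/match")],
            "patches": [(int(s.get("offset"), 0), bytes.fromhex(s.text.strip()))
                        for s in pi.findall("patches/setbytes")],
        })
    return infos


def constraints_match(page: bytes, info: dict) -> bool:
    """Every <match> must be satisfied; a constraint past the page end fails."""
    return all(page[off:off + len(val)] == val for off, val in info["constraints"])


def patch_page(page: bytes, info: dict):
    """Return the patched page, or None when the constraints do not all match."""
    if not constraints_match(page, info):
        return None
    out = bytearray(page)
    for off, val in info["patches"]:
        if off + len(val) > len(out):
            raise ValueError(f"patch at {off:#x} runs past the end of the page")
        out[off:off + len(val)] = val
    return bytes(out)


def scan_image(image: bytes, info: dict) -> tuple:
    """Apply one patchinfo to every page of a raw image (the "pagescan" method).

    Returns the rewritten image and the offsets of the pages that were patched.
    """
    pages, hits = [], []
    for base in range(0, len(image), PAGE_SIZE):
        page = image[base:base + PAGE_SIZE]
        patched = patch_page(page, info)
        if patched is not None:
            hits.append(base)
            page = patched
        pages.append(page)
    return b"".join(pages), hits


def build_sample_image() -> bytes:
    """Three zeroed pages; only the second satisfies both constraints."""
    image = bytearray(3 * PAGE_SIZE)
    image[PAGE_SIZE + 0x123:PAGE_SIZE + 0x129] = bytes.fromhex("554433221100")
    image[PAGE_SIZE + 0x200] = 0x90
    # Third page matches the first constraint only: must stay untouched.
    image[2 * PAGE_SIZE + 0x123:2 * PAGE_SIZE + 0x129] = bytes.fromhex("554433221100")
    return bytes(image)


if __name__ == "__main__":
    info = load_patchinfos(PATCHFILE_XML)[0]
    new_image, hits = scan_image(build_sample_image(), info)
    print(info["name"], "patched pages at", [hex(h) for h in hits])
```

Working on a copy of the image, as the functions above do, keeps the original evidence file unchanged; whatever the patched copy is then used for, the hash of the acquired image still verifies.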
printkey
- Description
- Print a registry key, and its subkeys and values
- Options
- -o HIVE_OFFSET, --hive-offset=HIVE_OFFSET
- Hive offset (virtual)
- -K KEY, --key=KEY
- Registry Key
- Output example
$ python vol.py -f ~/memdump/zeus2x4.vmem printkey --key="Software\Microsoft\Windows\CurrentVersion\Run"
Volatile Systems Volatility Framework 2.2
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key name: Run (S)
Last updated: 2010-09-09 19:56:33

Subkeys:

Values:
REG_SZ        {D9A7AA9F-6631-D3B2-E89F-56E338669386} : (S)  "C:\Documents and Settings\Administrator\Application Data\Obyt\ihah.exe"
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Run (S)
Last updated: 2009-04-04 10:33:06

Subkeys:

Values:
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: Run (S)
Last updated: 2009-04-04 02:24:52

Subkeys:

Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: Run (S)
Last updated: 2009-04-04 10:33:03

Subkeys:

Values:
procexedump
- Description
- Dump a process to an executable file sample
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- -D DUMP_DIR, --dump-dir=DUMP_DIR
- Directory in which to dump executable files
- -u, --unsafe
- Bypasses certain sanity checks when creating image
- Output example
$ python vol.py -f ~/memdump/infected.img procexedump -p 532 --dump-dir=output/
Volatile Systems Volatility Framework 2.2
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81f015d0 0x00400000 vmtoolsd.exe         OK: executable.532.exe
procmemdump
- Description
- Dump a process to an executable memory sample
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- -D DUMP_DIR, --dump-dir=DUMP_DIR
- Directory in which to dump executable files
- -u, --unsafe
- Bypasses certain sanity checks when creating image
- Output example
$ python vol.py -f ~/memdump/infected.img procmemdump -p 532 --dump-dir=output/
Volatile Systems Volatility Framework 2.2
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81f015d0 0x00400000 vmtoolsd.exe         OK: executable.532.exe
pslist
- Description
- print all running processes by following the EPROCESS lists
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- -P, --physical-offset
- Physical Offset
- Output example
$ python vol.py -f ~/tmp/infected.img pslist
Volatile Systems Volatility Framework 2.1
 Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x823c8830 System                    4      0     58      599 ------      0
0x81e0b4b0 smss.exe                412      4      3       19 ------      0 2013-02-18 20:54:31
0x82164020 csrss.exe               772    412     12      465      0      0 2013-02-18 20:54:33
0x81eee548 winlogon.exe            796    412     21      459      0      0 2013-02-18 20:54:33
0x81f13958 services.exe            840    796     16      280      0      0 2013-02-18 20:54:33
0x821ecda0 lsass.exe               852    796     22      365      0      0 2013-02-18 20:54:33
0x81e219a0 vmacthlp.exe           1028    840      1       25      0      0 2013-02-18 20:54:33
0x81e57500 svchost.exe            1052    840     17      198      0      0 2013-02-18 20:54:34
0x81eae808 svchost.exe            1120    840     10      245      0      0 2013-02-18 20:54:34
0x82190658 svchost.exe            1364    840     81     1693      0      0 2013-02-18 20:54:34
0x82236020 svchost.exe            1412    840      6       91      0      0 2013-02-18 20:54:34
0x821687e8 svchost.exe            1504    840     13      179      0      0 2013-02-18 20:54:35
0x821e8468 spoolsv.exe            1820    840     13      145      0      0 2013-02-18 20:54:36
0x8217ac10 explorer.exe            272    212      0 --------      0      0 2013-02-18 20:54:51  2013-02-18 21:08:03
0x81dd7da0 rundll32.exe            496    272      7       81      0      0 2013-02-18 20:54:52
0x81f015d0 vmtoolsd.exe            532    272     38      563      0      0 2013-02-18 20:54:52
0x821a47e8 svchost.exe            1332    840      6      165      0      0 2013-02-18 20:55:00
0x81e693c0 svchost.exe            1428    840      3       78      0      0 2013-02-18 20:55:00
0x8219f500 jqs.exe                1512    840      8      241      0      0 2013-02-18 20:55:00
0x81e0f980 vmtoolsd.exe           1732    840      7      307      0      0 2013-02-18 20:55:00
0x81e55778 wscntfy.exe             128   1364      4       44      0      0 2013-02-18 20:55:18
0x8221cb20 TPAutoConnSvc.e        1880    840      5       99      0      0 2013-02-18 20:55:21
0x81e457f8 TPAutoConnect.e        2420   1880      4       77      0      0 2013-02-18 20:55:25
0x82166928 wmiapsrv.exe           3160    840      3      144      0      0 2013-02-18 20:58:01
0x82241518 wuauclt.exe            4012   1364      6      120      0      0 2013-02-18 21:04:15
0x81ccb020 explorer.exe            600    796     19      481      0      0 2013-02-18 21:08:05
0x81cbdb20 netsh.exe              3860    532      0 --------      0      0 2013-02-18 21:15:17  2013-02-18 21:15:18
0x81c75020 notepad.exe            3052    532      0 --------      0      0 2013-02-18 21:15:20  2013-02-18 21:15:20
0x81c20620 chrome.exe             2760    600      0 --------      0      0 2013-02-18 21:17:07  2013-02-18 21:17:44
0x81cd6630 chrome.exe             3436   2760      0 --------      0      0 2013-02-18 21:17:08  2013-02-18 21:17:18
0x81c7b308 chrome.exe             4016   2760      0 --------      0      0 2013-02-18 21:17:08  2013-02-18 21:17:44
0x81c76328 chrome.exe              460   2760      0 --------      0      0 2013-02-18 21:17:17  2013-02-18 21:17:21
0x81c211c8 chrome.exe             4088   2760      0 --------      0      0 2013-02-18 21:17:19  2013-02-18 21:17:44
0x81c88480 cmd.exe                2164    600      4       35      0      0 2013-02-18 21:17:42
0x81c6bda0 mdd_1.3.exe            2908   2164      1       28      0      0 2013-02-18 21:20:52
psscan
- Description
- Scan Physical memory for _EPROCESS pool allocations
- Output example
$ python vol.py -f ~/memdump/infected.img psscan
Volatile Systems Volatility Framework 2.2
Offset(P)  Name             PID    PPID   PDB        Time created         Time exited
---------- ---------------- ------ ------ ---------- -------------------- --------------------
0x01e20620 chrome.exe       2760   600    0x0ac80280 2013-02-18 21:17:07  2013-02-18 21:17:44
0x01e211c8 chrome.exe       4088   2760   0x0ac80300 2013-02-18 21:17:19  2013-02-18 21:17:44
0x01e6bda0 mdd_1.3.exe      2908   2164   0x0ac80260 2013-02-18 21:20:52
0x01e75020 notepad.exe      3052   532    0x0ac802c0 2013-02-18 21:15:20  2013-02-18 21:15:20
0x01e76328 chrome.exe       460    2760   0x0ac802a0 2013-02-18 21:17:17  2013-02-18 21:17:21
0x01e7b308 chrome.exe       4016   2760   0x0ac80440 2013-02-18 21:17:08  2013-02-18 21:17:44
0x01e88480 cmd.exe          2164   600    0x0ac802e0 2013-02-18 21:17:42
0x01ebdb20 netsh.exe        3860   532    0x0ac803e0 2013-02-18 21:15:17  2013-02-18 21:15:18
0x01ecb020 explorer.exe     600    796    0x0ac80460 2013-02-18 21:08:05
0x01ed6630 chrome.exe       3436   2760   0x0ac801c0 2013-02-18 21:17:08  2013-02-18 21:17:18
[REMOVED]
To visualize the processes and dependencies, you can install Graphviz and generate an image as follows:
$ python vol.py -f ~/memdump/infected.img psscan --output=dot --output-file=output/test.dot
$ dot -Tpng output/test.dot -o output/test.png
Here is an example:
pstree
- Description
- Print process list as a tree
- Output example
$ python vol.py -f ~/tmp/infected.img pstree
Volatile Systems Volatility Framework 2.1
Name                                               Pid    PPid   Thds   Hnds   Time
-------------------------------------------------- ------ ------ ------ ------ --------------------
 0x823c8830:System                                 4      0      58     599    1970-01-01 00:00:00
. 0x81e0b4b0:smss.exe                              412    4      3      19     2013-02-18 20:54:31
.. 0x82164020:csrss.exe                            772    412    12     465    2013-02-18 20:54:33
.. 0x81eee548:winlogon.exe                         796    412    21     459    2013-02-18 20:54:33
... 0x81ccb020:explorer.exe                        600    796    19     481    2013-02-18 21:08:05
.... 0x81c20620:chrome.exe                         2760   600    0      ------ 2013-02-18 21:17:07
..... 0x81cd6630:chrome.exe                        3436   2760   0      ------ 2013-02-18 21:17:08
..... 0x81c7b308:chrome.exe                        4016   2760   0      ------ 2013-02-18 21:17:08
..... 0x81c76328:chrome.exe                        460    2760   0      ------ 2013-02-18 21:17:17
..... 0x81c211c8:chrome.exe                        4088   2760   0      ------ 2013-02-18 21:17:19
.... 0x81c88480:cmd.exe                            2164   600    4      35     2013-02-18 21:17:42
..... 0x81c6bda0:mdd_1.3.exe                       2908   2164   1      28     2013-02-18 21:20:52
... 0x81f13958:services.exe                        840    796    16     280    2013-02-18 20:54:33
.... 0x82166928:wmiapsrv.exe                       3160   840    3      144    2013-02-18 20:58:01
.... 0x81e693c0:svchost.exe                        1428   840    3      78     2013-02-18 20:55:00
.... 0x82236020:svchost.exe                        1412   840    6      91     2013-02-18 20:54:34
.... 0x821e8468:spoolsv.exe                        1820   840    13     145    2013-02-18 20:54:36
.... 0x81e219a0:vmacthlp.exe                       1028   840    1      25     2013-02-18 20:54:33
.... 0x821a47e8:svchost.exe                        1332   840    6      165    2013-02-18 20:55:00
.... 0x821687e8:svchost.exe                        1504   840    13     179    2013-02-18 20:54:35
.... 0x81e0f980:vmtoolsd.exe                       1732   840    7      307    2013-02-18 20:55:00
.... 0x82190658:svchost.exe                        1364   840    81     1693   2013-02-18 20:54:34
..... 0x81e55778:wscntfy.exe                       128    1364   4      44     2013-02-18 20:55:18
..... 0x82241518:wuauclt.exe                       4012   1364   6      120    2013-02-18 21:04:15
.... 0x8221cb20:TPAutoConnSvc.e                    1880   840    5      99     2013-02-18 20:55:21
..... 0x81e457f8:TPAutoConnect.e                   2420   1880   4      77     2013-02-18 20:55:25
.... 0x81eae808:svchost.exe                        1120   840    10     245    2013-02-18 20:54:34
.... 0x8219f500:jqs.exe                            1512   840    8      241    2013-02-18 20:55:00
.... 0x81e57500:svchost.exe                        1052   840    17     198    2013-02-18 20:54:34
... 0x821ecda0:lsass.exe                           852    796    22     365    2013-02-18 20:54:33
 0x8217ac10:explorer.exe                           272    212    0      ------ 2013-02-18 20:54:51
. 0x81dd7da0:rundll32.exe                          496    272    7      81     2013-02-18 20:54:52
. 0x81f015d0:vmtoolsd.exe                          532    272    38     563    2013-02-18 20:54:52
.. 0x81cbdb20:netsh.exe                            3860   532    0      ------ 2013-02-18 21:15:17
.. 0x81c75020:notepad.exe                          3052   532    0      ------ 2013-02-18 21:15:20
psxview
- Description
- Find hidden processes with various process listings. If you see any that are "False" for pslist, psscan, and thrdproc it's an attempt to hide the process by DKOM (Direct Kernel Object Manipulation).
- Options
- -P, --physical-offset
- Physical Offset
- Output example
$ python vol.py -f ~/memdump/infected.img psxview
Volatile Systems Volatility Framework 2.2
Offset(P)  Name                 PID    pslist psscan thrdproc pspcdid csrss
---------- -------------------- ------ ------ ------ -------- ------- -----
0x0239f500 jqs.exe              1512   True   True   False    True    True
0x02057500 svchost.exe          1052   True   True   False    True    True
0x01e211c8 chrome.exe           4088   True   True   False    True    False
0x020ae808 svchost.exe          1120   True   True   False    True    True
0x0237ac10 explorer.exe         272    True   True   False    True    False
0x02113958 services.exe         840    True   True   False    True    True
0x01ebdb20 netsh.exe            3860   True   True   False    True    False
[REMOVED]
0x04c67500 svchost.exe          1052   False  True   False    False   False
0x16369c10 explorer.exe         272    False  True   False    False   False
0x0ce6c658 svchost.exe          1364   False  True   False    False   False
0x104ecb20 TPAutoConnSvc.e      1880   False  True   False    False   False
0x0f6db4b0 smss.exe             412    False  True   False    False   False
0x0867d020 notepad.exe          3052   False  True   False    False   False
0x09b60830 System               4      False  True   False    False   False
[REMOVED]
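The pslist, pstree and psxview plugins above are three views of the same _EPROCESS data: the active doubly-linked list, that list laid out by parent PID, and a cross-reference against the pool scanner. The following added example (not part of Volatility, and not the wiki author's code) post-processes pslist and psscan text output to rebuild the pstree layout and to perform the cross-view check by hand. It also handles the caveat the psxview output illustrates: psscan returns terminated processes whose _EPROCESS is still in memory (the second copies of svchost.exe 1052 or explorer.exe 272 at other physical offsets), so an entry missing from pslist is only interesting when it has no exit time. The sample rows are modelled on the page's output but shortened; the row for unlinked.exe (PID 1337, physical offset 0x01f00020) and the PDB values are constructed.

```python
"""Cross-view check for hidden processes over Volatility 2 pslist/psscan text
output.  Added example, not part of the Volatility framework."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "offset name pid ppid created exited")

# Common prefix of pslist and psscan rows: offset, image name, PID, PPID.
# The remaining columns differ per plugin, so timestamps are picked out of the rest.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s*(.*)$")
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample, modelled on the page's pslist output (shortened).
PSLIST = """\
Offset(V)  Name                 PID    PPID   Thds   Hnds     Sess   Wow64  Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x823c8830 System               4      0      58     599      ------ 0
0x81e0b4b0 smss.exe             412    4      3      19       ------ 0      2013-02-18 20:54:31
0x82164020 csrss.exe            772    412    12     465      0      0      2013-02-18 20:54:33
0x81eee548 winlogon.exe         796    412    21     459      0      0      2013-02-18 20:54:33
0x81ccb020 explorer.exe         600    796    19     481      0      0      2013-02-18 21:08:05
0x81c88480 cmd.exe              2164   600    4      35       0      0      2013-02-18 21:17:42
"""

# Constructed sample psscan output: the same processes, one terminated process
# (notepad.exe, exit time set) and one constructed process that the active
# list does not contain (unlinked.exe).  PDB values are made up.
PSSCAN = """\
Offset(P)  Name             PID    PPID   PDB        Time created         Time exited
---------- ---------------- ------ ------ ---------- -------------------- --------------------
0x01fc8830 System           4      0      0x00319000
0x01e0b4b0 smss.exe         412    4      0x0ac80040 2013-02-18 20:54:31
0x02164020 csrss.exe        772    412    0x0ac80060 2013-02-18 20:54:33
0x01eee548 winlogon.exe     796    412    0x0ac80080 2013-02-18 20:54:33
0x01ecb020 explorer.exe     600    796    0x0ac80460 2013-02-18 21:08:05
0x01e88480 cmd.exe          2164   600    0x0ac802e0 2013-02-18 21:17:42
0x01e75020 notepad.exe      3052   532    0x0ac802c0 2013-02-18 21:15:20  2013-02-18 21:15:20
0x01f00020 unlinked.exe     1337   600    0x0ac80500 2013-02-18 21:30:00
"""


def parse_rows(text):
    """Parse pslist or psscan rows; banner, header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        offset, name, pid, ppid, rest = m.groups()
        stamps = TS_RE.findall(rest)
        procs.append(Proc(offset, name, int(pid), int(ppid),
                          stamps[0] if stamps else None,
                          stamps[1] if len(stamps) > 1 else None))
    return procs


def render_tree(procs):
    """Lay the active list out the way pstree does: one dot per depth level.
    Roots are processes whose parent is not in the list (a parent that exited,
    like userinit.exe for explorer.exe 272 in the page's output)."""
    present = {p.pid for p in procs}
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    lines, seen = [], set()

    def walk(p, depth):
        if p.pid in seen:  # guard against a malformed PPID loop
            return
        seen.add(p.pid)
        lines.append("%s%s:%s pid=%d ppid=%d" % ("." * depth, p.offset, p.name, p.pid, p.ppid))
        for c in sorted(children.get(p.pid, []), key=lambda c: c.pid):
            walk(c, depth + 1)

    for root in sorted((p for p in procs if p.ppid not in present), key=lambda p: p.pid):
        walk(root, 0)
    return lines


def cross_view(pslist_text, psscan_text):
    """Split psscan-only entries into 'terminated' (exit time recorded, the
    expected leftovers) and 'hidden' (no exit time but absent from the active
    list, which is what DKOM unlinking looks like)."""
    active = {(p.pid, p.name, p.created) for p in parse_rows(pslist_text)}
    terminated, hidden = [], []
    for p in parse_rows(psscan_text):
        if (p.pid, p.name, p.created) in active:
            continue
        (terminated if p.exited else hidden).append(p)
    return terminated, hidden


if __name__ == "__main__":
    print("\n".join(render_tree(parse_rows(PSLIST))))
    terminated, hidden = cross_view(PSLIST, PSSCAN)
    print("terminated:", [p.name for p in terminated])
    print("hidden:", [p.name for p in hidden])
```

Matching on (PID, name, creation time) rather than on the offset is deliberate: pslist reports virtual offsets and psscan physical ones, and PIDs are reused, so the creation time is what ties a scanner hit to an active-list entry.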
raw2dmp
- Description
- Converts a physical memory sample to a windbg crash dump
- Options
- -b 5242880, --blocksize=5242880
- Size (in bytes) of blocks to copy
- -O OUTPUT_IMAGE, --output-image=OUTPUT_IMAGE
- Writes a raw DD image out to OUTPUT-IMAGE
- Output example
$ python vol.py -f ~/memdump/infected.img raw2dmp -O infected.dmp
Volatile Systems Volatility Framework 2.2
Writing data (5.00 MB chunks): |....................
screenshot
- Description
- Save a pseudo-screenshot based on GDI windows
- Requires PIL
PIL first requires libjpeg:
$ curl -O http://www.ijg.org/files/jpegsrc.v9.tar.gz
$ tar xzvf jpegsrc.v9.tar.gz
$ cd jpeg-9/
$ ./configure
$ make
$ sudo make install
Also install freetype:
$ sudo port install freetype
Then install PIL:
$ sudo pip install PIL
- Output example
$ python vol.py -f ~/tmp/infected.img screenshot --dump-dir=output
Volatile Systems Volatility Framework 2.2
Wrote output/session_0.Service-0x0-3e5$.Default.png
Wrote output/session_0.SAWinSta.SADesktop.png
Wrote output/session_0.WinSta0.Default.png
Wrote output/session_0.WinSta0.Disconnect.png
Wrote output/session_0.WinSta0.Winlogon.png
Wrote output/session_0.Service-0x0-3e7$.Default.png
Wrote output/session_0.Service-0x0-3e4$.Default.png
Here is what it looks like:
sessions
- Description
- List details on _MM_SESSION_SPACE (user logon sessions)
- Output example
$ python vol.py -f ~/memdump/infected.img sessions
Volatile Systems Volatility Framework 2.2
**************************************************
Session(V): f8bdc000 ID: 0 Processes: 26
PagedPoolStart: bb800000 PagedPoolEnd bbbfffff
 Process: 772 csrss.exe 2013-02-18 20:54:33
 Process: 796 winlogon.exe 2013-02-18 20:54:33
 Process: 840 services.exe 2013-02-18 20:54:33
 Process: 852 lsass.exe 2013-02-18 20:54:33
 Process: 1028 vmacthlp.exe 2013-02-18 20:54:33
 Process: 1052 svchost.exe 2013-02-18 20:54:34
 Process: 1120 svchost.exe 2013-02-18 20:54:34
 Process: 1364 svchost.exe 2013-02-18 20:54:34
 Process: 1412 svchost.exe 2013-02-18 20:54:34
 Process: 1504 svchost.exe 2013-02-18 20:54:35
 Process: 1820 spoolsv.exe 2013-02-18 20:54:36
 Process: 496 rundll32.exe 2013-02-18 20:54:52
[REMOVED]
shimcache
- Description
- Parses the Application Compatibility Shim Cache registry key
- Output example
$ python vol.py -f ~/memdump/stuxnet.vmem shimcache
Volatile Systems Volatility Framework 2.2
Last Modified: 2010-10-08 03:33:07 , Lastupdate: 2010-10-08 03:33:11 , Path: \??\C:\Documents and Settings\Administrator\My Documents\Downloads\setuptools-0.6c11.win32-py2.6.exe
Last Modified: 2010-09-27 17:29:06 , Lastupdate: 2010-10-08 03:30:58 , Path: \??\C:\Documents and Settings\Administrator\Desktop\pydasm-1.5.win32-py2.6.exe
Last Modified: 2008-04-14 12:00:00 , Lastupdate: 2010-10-29 17:08:31 , Path: \??\C:\WINDOWS\system32\wscntfy.exe
Last Modified: 2008-04-14 12:00:00 , Lastupdate: 2010-10-08 04:05:22 , Path: \??\C:\WINDOWS\System32\cscui.dll
Last Modified: 2008-04-14 12:00:00 , Lastupdate: 2010-10-08 03:31:48 , Path: \??\C:\WINDOWS\system32\wuaucpl.cpl\setup50.exe
Last Modified: 2010-09-27 17:48:34 , Lastupdate: 2010-10-08 03:31:05 , Path: \??\C:\Documents and Settings\Administrator\Desktop\ssdeep-2.0-0.1.win32-py2.6.exe
Last Modified: 2008-04-14 12:00:00 , Lastupdate: 2010-10-29 16:49:28 , Path: \??\C:\WINDOWS\system32\verclsid.exe
Last Modified: 2008-04-14 12:00:00 , Lastupdate: 2010-10-29 16:49:29 , Path: \??\C:\WINDOWS\system32\SHELL32.dll
[REMOVED]
sockets
- Description
- Print list of open sockets
- Options
- -P, --physical-offset
- Physical Offset
- Output example
$ python vol.py -f ~/memdump/infected.img sockets
Volatile Systems Volatility Framework 2.2
Offset(V)  PID    Port   Proto  Protocol        Address         Create Time
---------- ------ ------ ------ --------------- --------------- -----------
0x81ec08b0 4      137    17     UDP             192.168.1.27    2013-02-18 20:54:54
0x82295318 4      0      47     GRE             0.0.0.0         2013-02-18 21:08:01
0x81dff960 532    1291   17     UDP             0.0.0.0         2013-02-18 21:20:38
0x81efb2f0 852    500    17     UDP             0.0.0.0         2013-02-18 20:55:01
0x81c2e008 532    1224   6      TCP             0.0.0.0         2013-02-18 21:18:28
0x81c7bc58 600    1255   6      TCP             0.0.0.0         2013-02-18 21:19:25
0x81e69d08 532    1295   17     UDP             0.0.0.0         2013-02-18 21:20:40
0x81cd9c18 532    1299   17     UDP             0.0.0.0         2013-02-18 21:20:42
[REMOVED]
sockscan
- Description
- Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
- Output example
$ python vol.py -f ~/memdump/infected.img sockscan
Volatile Systems Volatility Framework 2.2
Offset(P)  PID    Port   Proto  Protocol        Address         Create Time
---------- ------ ------ ------ --------------- --------------- -----------
0x01e14d80 2760   1206   6      TCP             0.0.0.0         2013-02-18 21:17:31
0x01e17378 1412   41257  17     UDP             0.0.0.0         2013-02-18 21:18:32
0x01e17e98 2760   1178   6      TCP             0.0.0.0         2013-02-18 21:17:22
0x01e188d8 2760   1128   6      TCP             0.0.0.0         2013-02-18 21:17:19
0x01e1b4b8 2760   1163   6      TCP             0.0.0.0         2013-02-18 21:17:22
[REMOVED]
0x01fc94b0 4      445    17     UDP             0.0.0.0         2013-02-18 20:54:31
0x01fff960 532    1291   17     UDP             0.0.0.0         2013-02-18 21:20:38
0x02018660 1364   123    17     UDP             127.0.0.1       2013-02-18 20:55:12
0x02020e98 4      138    17     UDP             192.168.60.135  2013-02-18 20:54:39
0x02030e98 1504   1900   17     UDP             192.168.1.27    2013-02-18 20:55:25
[REMOVED]
ssdt
- Description
- Display SSDT entries
- Output example
$ python vol.py -f ~/memdump/infected.img ssdt
Volatile Systems Volatility Framework 2.2
[x86] Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
SSDT[0] at 80501bcc with 284 entries
  Entry 0x0000: 0x80599ade (NtAcceptConnectPort) owned by ntoskrnl.exe
  Entry 0x0001: 0x805e7784 (NtAccessCheck) owned by ntoskrnl.exe
  Entry 0x0002: 0x805eafca (NtAccessCheckAndAuditAlarm) owned by ntoskrnl.exe
  Entry 0x0003: 0x805e77b6 (NtAccessCheckByType) owned by ntoskrnl.exe
  Entry 0x0004: 0x805eb004 (NtAccessCheckByTypeAndAuditAlarm) owned by ntoskrnl.exe
  Entry 0x0005: 0x805e77ec (NtAccessCheckByTypeResultList) owned by ntoskrnl.exe
  Entry 0x0006: 0x805eb048 (NtAccessCheckByTypeResultListAndAuditAlarm) owned by ntoskrnl.exe
  Entry 0x0007: 0x805eb08c (NtAccessCheckByTypeResultListAndAuditAlarmByHandle) owned by ntoskrnl.exe
  Entry 0x0008: 0x8060c902 (NtAddAtom) owned by ntoskrnl.exe
  Entry 0x0009: 0x8060d646 (NtAddBootEntry) owned by ntoskrnl.exe
  Entry 0x000a: 0x805e2b6a (NtAdjustGroupsToken) owned by ntoskrnl.exe
  Entry 0x000b: 0x805e27c2 (NtAdjustPrivilegesToken) owned by ntoskrnl.exe
  Entry 0x000c: 0x805cb024 (NtAlertResumeThread) owned by ntoskrnl.exe
[REMOVED]
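What an analyst looks for in that listing is the "owned by" column: on a clean x86 system every entry of SSDT[0] (native calls) resolves into the kernel image and every entry of SSDT[1] (GDI/USER calls) into win32k.sys, so an entry attributed to any other driver, or to UNKNOWN when no loaded module covers the address, is the classic sign of an SSDT hook. The following added example (not part of Volatility) automates that check over the plugin's text output. The sample listing reuses the first entries from the page and adds a second table plus two constructed anomalies: the entries for NtEnumerateKey and NtQuerySystemInformation, their addresses, and the owner name constructed_driver.sys are made up for the demonstration, and the accepted kernel image names are an assumption to adjust to the profile in use.

```python
"""Flag SSDT entries whose service routine lives outside the module expected
to own it, from Volatility 2 'ssdt' text output.  Added example, not part of
the Volatility framework."""
import re

TABLE_RE = re.compile(r"SSDT\[(\d+)\] at ([0-9a-f]+) with (\d+) entries")
ENTRY_RE = re.compile(
    r"Entry (0x[0-9a-f]+): (0x[0-9a-f]+) \(([^)]*)\) owned by (\S+)")

# Legitimate owners per table, lower-case.  Table 0 is the native table and
# is owned by the kernel image (name depends on the PAE/multiprocessor build);
# table 1 is the GDI/USER table owned by win32k.sys.  Assumption: adjust to
# the profile you analyse.
EXPECTED_OWNERS = {
    0: {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"},
    1: {"win32k.sys"},
}

# Constructed sample: real first entries from the page's output, then two
# constructed anomalies (an entry owned by a made-up driver and one that no
# loaded module covers), then a constructed start of the win32k table.
SAMPLE_SSDT = """\
[x86] Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
SSDT[0] at 80501bcc with 284 entries
  Entry 0x0000: 0x80599ade (NtAcceptConnectPort) owned by ntoskrnl.exe
  Entry 0x0001: 0x805e7784 (NtAccessCheck) owned by ntoskrnl.exe
  Entry 0x0002: 0x805eafca (NtAccessCheckAndAuditAlarm) owned by ntoskrnl.exe
  Entry 0x0047: 0xb2c01234 (NtEnumerateKey) owned by constructed_driver.sys
  Entry 0x00ad: 0xb2c05678 (NtQuerySystemInformation) owned by UNKNOWN
SSDT[1] at bf99e580 with 667 entries
  Entry 0x1000: 0xbf935f7e (NtGdiAbortDoc) owned by win32k.sys
"""


def find_unexpected_owners(ssdt_text):
    """Return [(table, index, routine name, address, owner), ...] for every
    entry whose owner is not in EXPECTED_OWNERS for its table."""
    table = None
    findings = []
    for line in ssdt_text.splitlines():
        t = TABLE_RE.search(line)
        if t:
            table = int(t.group(1))  # entries that follow belong to this table
            continue
        e = ENTRY_RE.search(line)
        if not e or table is None:
            continue
        index, address, name, owner = e.groups()
        if owner.lower() not in EXPECTED_OWNERS.get(table, set()):
            findings.append((table, int(index, 16), name, address, owner))
    return findings


def summarize(ssdt_text):
    """Human-readable lines, one per finding, for a triage report."""
    return ["SSDT[%d] entry %#06x %s -> %s owned by %s" % f
            for f in find_unexpected_owners(ssdt_text)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_SSDT):
        print(line)
```

A hit is a lead, not a verdict: confirm the owning module with the modules or modscan plugins and, for an UNKNOWN owner, disassemble the target address (volshell dis()) to see where the hook forwards.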
strings
- Description
- Match physical offsets to virtual addresses (may take a while, VERY verbose)
- Requires
- Requires strings file generated by Sysinternals Strings (http://technet.microsoft.com/en-us/sysinternals/bb897439).
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -s STRING_FILE, --string-file=STRING_FILE
- File output in strings format (offset:string)
- -S, --scan
- Use PSScan if no offset is provided
- -p PIDS, --pids=PIDS
- Operate on these Process IDs (comma-separated)
- Output example
First generate a strings file as follows (this can be done on Windows, on a Windows-based VM or via Wine):
C:\> strings.exe -q -o infected.img > infected.strings.txt
Then use your file as follows:
$ python vol.py -f ~/memdump/infected.img strings -s ~/memdump/infected.strings.txt -p 532
Volatile Systems Volatility Framework 2.2
000003c1 [kernel:f83ae3c1] (,(@
00000636 [kernel:f83ae636] 8,t
000006c1 [kernel:f83ae6c1] w#r
000006d8 [kernel:f83ae6d8] sQOtN2
000006fc [kernel:f83ae6fc] t+a`"
00000719 [kernel:f83ae719] aas
0000072c [kernel:f83ae72c] Table de partition n
0000074a [kernel:f83ae74a] Erreur lors du chargement du syst
0000076c [kernel:f83ae76c] me d'exploitati
0000077c [kernel:f83ae77c] Syst
00000781 [kernel:f83ae781] me d'exploitation absent
000007b5 [kernel:f83ae7b5] ,J|'#(#
00001000 [kernel:f83af000] node_in_array != NULL
00001018 [kernel:f83af018] c:\toolchain\src\glib-2.22.4-1\glib-2.22.4\glib\gbsearcharray.h
00001058 [kernel:f83af058] file %s: line %d: assertion `%s' failed
00001080 [kernel:f83af080] Glib-GObject
00001090 [kernel:f83af090] index_ <= barray->n_nodes
000010b0 [kernel:f83af0b0] c:\toolchain\src\glib-2.22.4-1\glib-2.22.4\glib\gbsearcharray.h
000010f0 [kernel:f83af0f0] file %s: line %d: assertion `%s' failed
[REMOVED]
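The strings plugin does not extract strings itself; it only maps the physical offsets in the file you hand it to the processes or kernel ranges that own them. When strings.exe is not at hand, the same input can be produced on the analysis machine. The following added example (not part of Volatility, and not the page author's procedure) extracts printable ASCII and UTF-16LE runs from a raw image and writes them in the "offset:string" layout that -s expects. It assumes, as strings.exe -q -o does, a decimal offset followed by a colon and a minimum string length of 3; verify both against the version of the plugin you run. The sample bytes are constructed.

```python
"""Produce a 'decimal_offset:string' file for Volatility's strings plugin
without Sysinternals strings.exe.  Added example, not part of Volatility.
Assumptions: decimal offsets, ':' separator, minimum length 3 (the
strings.exe -q -o defaults)."""
import heapq
import mmap
import re

# Constructed sample image: an ASCII string at offset 2, a UTF-16LE string
# at offset 9 and a two-character run ("ab") that is too short to report.
SAMPLE = b"\x00\x00hello\x00\x01w\x00i\x00d\x00e\x00\x00\x00ab"


def _patterns(min_len):
    """Regexes for a printable ASCII run and for the same run as UTF-16LE
    (each character followed by a NUL byte), both at least min_len long."""
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return narrow, wide


def iter_strings(data, min_len=3):
    """Yield (offset, text) for every ASCII and UTF-16LE string in data
    (bytes or an mmap), in ascending offset order, without buffering the
    whole result: each regex already yields hits in file order, so the two
    streams are merged as they are produced."""
    narrow_re, wide_re = _patterns(min_len)
    narrow = ((m.start(), m.group().decode("ascii")) for m in narrow_re.finditer(data))
    wide = ((m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data))
    return heapq.merge(narrow, wide)


def extract_strings(data, min_len=3):
    """List form of iter_strings, convenient for small inputs and tests."""
    return list(iter_strings(data, min_len))


def format_line(offset, text):
    """One line in the layout the plugin parses: decimal offset, colon, string."""
    return "%d:%s" % (offset, text)


def write_strings_file(image_path, out_path, min_len=3):
    """Map the image read-only and stream one line per hit into out_path.
    Returns the number of lines written."""
    count = 0
    with open(image_path, "rb") as img, open(out_path, "w", encoding="utf-8") as out:
        with mmap.mmap(img.fileno(), 0, access=mmap.ACCESS_READ) as mem:
            for offset, text in iter_strings(mem, min_len):
                out.write(format_line(offset, text) + "\n")
                count += 1
    return count


if __name__ == "__main__":
    for offset, text in extract_strings(SAMPLE):
        print(format_line(offset, text))
```

The resulting file is used exactly like the strings.exe output in the example above: python vol.py -f image strings -s image.strings.txt.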
svcscan
- Description
- Scan for Windows services
- Output example
$ python vol.py -f ~/memdump/infected.img svcscan
Volatile Systems Volatility Framework 2.2
Offset: 0x381e90
Order: 1
Process ID: -
Service Name: Abiosdsk
Display Name: Abiosdsk
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -

Offset: 0x381f20
Order: 2
Process ID: -
Service Name: abp480n5
Display Name: abp480n5
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -
[REMOVED]
symlinkscan
- Description
- Scan for symbolic link objects
- Output example
$ python vol.py -f ~/memdump/infected.img symlinkscan
Volatile Systems Volatility Framework 2.2
Offset(P)  #Ptr   #Hnd   Creation time            From                 To
---------- ------ ------ ------------------------ -------------------- ------------------------------------------------------------
0x02a152a0 1      0      2013-02-18 20:54:16      Scsi1:               \Device\Ide\IdePort1
0x02a16148 1      0      2013-02-18 20:54:16      VMCIDev              \Device\VMCIHostDev
0x02a16538 1      0      2013-02-18 20:54:14      Global               \GLOBAL??
0x02a16658 1      0      2013-02-18 20:54:14      GLOBALROOT
0x02a1d6c0 1      0      2013-02-18 20:54:14      DosDevices           \??
0x02a1f4b8 1      0      2013-02-18 20:54:31      SystemRoot           \Device\Harddisk0\Partition1\WINDOWS
0x02a1fe88 1      0      2013-02-18 20:54:16      Root#dmio...91efb8b} \Device\00000003
0x02a3b138 1      0      2013-02-18 20:54:17      multi(0)d...rdisk(0) \Device\Harddisk0\Partition0
0x02a51bd8 1      0      2013-02-18 20:54:16      DmLoader             \Device\DmLoader
0x02a591f0 1      0      2013-02-18 20:54:17      multi(0)d...ition(1) \Device\Harddisk0\Partition1
0x02a5b0a0 1      0      2013-02-18 20:54:15      ACPI#Fixe...9062857} \Device\0000003d
0x02a60860 1      0      2013-02-18 20:54:31      IPNAT                \Device\IPNAT
[REMOVED]
thrdscan
- Description
- Scan physical memory for _ETHREAD objects
- Output example
$ python vol.py -f ~/memdump/spyeye.vmem thrdscan
Volatile Systems Volatility Framework 2.2
Offset(P)  PID    TID    Start Address Create Time               Exit Time
---------- ------ ------ ------------- ------------------------- -------------------------
0x01eadb30 2108   2212   0x7c8106f9    2010-11-11 22:03:54
0x01eadda8 2108   2208   0x7c8106f9    2010-11-11 22:03:54
0x01eae7e0 4      584    0xb18859f0    2010-11-11 22:03:54
0x01eb2da8 1068   2636   0x7c8106f9    2011-01-06 14:36:59
0x01eb7020 1008   1824   0x7c8106f9    2010-11-11 22:03:03
0x01eba2a8 1588   1760   0x7c8106f9    2010-11-11 22:03:01
0x01eba520 1588   1756   0x7c8106f9    2010-11-11 22:03:01
0x01ebdda8 1588   1768   0x7c8106f9    2010-11-11 22:03:02
0x01ec1a78 1232   2280   0x7c8106f9    2011-01-06 14:36:52
0x01ec28b8 1252   1328   0x7c8106f9    2010-11-11 22:03:00
0x01ec2b30 1252   1320   0x7c8106f9    2010-11-11 22:03:00
0x01ec2da8 1252   1256   0x7c810705    2010-11-11 22:02:58
0x01ec4578 1068   1688   0x7c8106f9    2010-11-11 22:03:01
0x01ec4da8 1252   1332   0x7c8106f9    2010-11-11 22:03:00
0x01ec77f0 704    2252   0x7c8106f9    2011-01-06 14:36:52       2011-01-06 14:36:52
[REMOVED]
threads
- Description
- Investigate _ETHREAD and _KTHREADs
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- -F FILTER, --filter=FILTER
- Tags to filter (comma-separated)
- -L, --listtags
- List all available tags
- Output example
$ python vol.py -f ~/memdump/infected.img threads -p 532
Volatile Systems Volatility Framework 2.2
[x86] Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
------
ETHREAD: 0x821ea580 Pid: 532 Tid: 3164
Tags:
Created: 2013-02-18 20:56:05
Exited: 1970-01-01 00:00:00
Owning Process: vmtoolsd.exe
Attached Process: vmtoolsd.exe
State: Waiting:WrLpcReceive
BasePriority: 0x8
Priority: 0x9
TEB: 0x7ffdb000
StartAddress: 0x7c810729 UNKNOWN
Win32StartAddress: 0x00014fe0
ServiceTable: 0x805530e0
  [0] 0x80501bcc
  [1] 0xbf99e580
  [2] 0x00000000
  [3] 0x00000000
Win32Thread: 0xe1efceb0
CrossThreadFlags:
Eip: 0x7c91e514
eax=0x0019ac98 ebx=0x00000000 ecx=0x001a7d48 edx=0x21380004 esi=0x0018d8b0 edi=0x0018d954
eip=0x7c91e514 esp=0x02c2fe18 ebp=0x02c2ff80 err=0x00000000
cs=0x1b ss=0x23 ds=0x23 es=0x23 gs=0x00 efl=0x00000246
dr0=0x00000000 dr1=0x00000000 dr2=0x00000000 dr3=0x00000000 dr6=0x00000000 dr7=0x00000000
[REMOVED]
timers
- Description
- Print kernel timers and associated module DPCs
- Output example
$ python vol.py -f ~/memdump/infected.img timers
Volatile Systems Volatility Framework 2.2
Offset(V)  DueTime                  Period(ms) Signaled   Routine    Module
---------- ------------------------ ---------- ---------- ---------- ------
0x81c8d268 0x80000003:0x5e3cd682    0          -          0x80534f48 ntoskrnl.exe
0x8055b380 0x00000008:0x61d9dd2a    0          -          0x80534b2a ntoskrnl.exe
0x8216a978 0x00000003:0xbe8bb404    0          -          0xb253a85a afd.sys
0x81e15f08 0x00000003:0xb9da12d4    0          -          0xb253a85a afd.sys
0x80551850 0x00000003:0xc5c5d4d4    60000      Yes        0x804f3edc ntoskrnl.exe
0x821c7c20 0x00000003:0xc10847e2    0          -          0xb253a85a afd.sys
0xb25dd1c0 0x00000003:0xcf7a2728    60000      Yes        0xb25cd471 ipsec.sys
0xb25dcd08 0x00000003:0xcf7a2728    0          -          0xb25cd3e7 ipsec.sys
0xb25dcd70 0x00000008:0x6ba60702    0          -          0xb25cd3e7 ipsec.sys
0xb2435d60 0x00000003:0xcf83b090    60000      Yes        0xb242d266 ipnat.sys
[REMOVED]
userassist
- Description
- Print userassist registry keys and information.
- Output example
$ python vol.py -f ~/memdump/infected.img userassist
Volatile Systems Volatility Framework 2.2
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\pilou\NTUSER.DAT
Key name: Count
Last updated: 2013-02-18 21:17:42

Subkeys:

Values:

REG_BINARY    UEME_CTLSESSION :
0x00000000  e2 b7 6f 0e 28 00 00 00                           ..o.(...

REG_BINARY    UEME_CTLCUACount:ctor :
ID:             1
Count:          2
Last updated:   1970-01-01 00:00:00
0x00000000  01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00   ................

REG_BINARY    UEME_RUNPATH :
ID:             40
Count:          249
Last updated:   2013-02-18 21:17:42
0x00000000  28 00 00 00 fe 00 00 00 d0 cc 4a 63 1d 0e ce 01   (.........Jc....

REG_BINARY    UEME_RUNPATH:C:\WINDOWS\system32\cmd.exe :
ID:             40
Count:          51
Last updated:   2013-02-18 21:17:42
0x00000000  28 00 00 00 38 00 00 00 d0 cc 4a 63 1d 0e ce 01   (...8.....Jc....

REG_BINARY    UEME_RUNPATH:C:\Program Files\Internet Explorer\iexplore.exe :
ID:             36
Count:          22
Last updated:   2012-12-22 14:22:12
0x00000000  24 00 00 00 1b 00 00 00 00 ea 18 bc 4f e0 cd 01   $...........O...
[REMOVED]
userhandles
- Description
- Dump the USER handle tables
- Options
- -p PID, --pid=PID
- Pid filter
- -t TYPE, --type=TYPE
- Handle type
- -F, --free
- Include free handles
- Output example
$ python vol.py -f ~/memdump/infected.img userhandles -p 532
Volatile Systems Volatility Framework 2.2
**************************************************
SharedInfo: 0xbf9af820, SessionId: 0 Shared delta: 0
aheList: 0xbbd10000, Table size: 0x2000, Entry size: 0xc

Object(V)  Handle     bType                Flags    Thread   Process
---------- ---------- -------------------- -------- -------- -------
0xbbe6dc40 0x2d003f   TYPE_INPUTCONTEXT    0        3340     532
0xbbe3e7a0 0x200a0    TYPE_HOOK            0        536      532
0xbbe55cb8 0x20d00a1  TYPE_INPUTCONTEXT    0        2680     532
0xbbe3b190 0x200a6    TYPE_WINDOW          0        536      532
0xbbe3afd8 0x200a8    TYPE_WINDOW          0        536      532
0xbbe3af10 0x200aa    TYPE_WINDOW          0        536      532
0xbbe3ad80 0x200ac    TYPE_WINDOW          0        536      532
0xbbe3ac00 0x200ae    TYPE_WINDOW          0        536      532
0xbbe3aae8 0x200b0    TYPE_WINDOW          0        536      532
0xbbe5bad8 0x200b2    TYPE_WINDOW          0        536      532
0xbbe3b270 0x200b6    TYPE_WINDOW          0        536      532
0xbbe46d78 0x300cb    TYPE_INPUTCONTEXT    0        536      532
0xbbe3e830 0x20102    TYPE_WINDOW          0        536      532
0xbbe3d668 0xc0108    TYPE_WINDOW          0        536      532
[REMOVED]
vaddump
- Description
- Dumps out the vad sections to a file
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- -D DUMP_DIR, --dump-dir=DUMP_DIR
- Directory in which to dump the VAD files
- Output example
$ python vol.py -f ~/memdump/infected.img vaddump -p 532 -D output/
Volatile Systems Volatility Framework 2.2
Pid        Process              Start      End        Result
---------- -------------------- ---------- ---------- ------
       532 vmtoolsd.exe         0x05270000 0x0536ffff output/vmtoolsd.exe.21015d0.0x05270000-0x0536ffff.dmp
       532 vmtoolsd.exe         0x03140000 0x04172fff output/vmtoolsd.exe.21015d0.0x03140000-0x04172fff.dmp
       532 vmtoolsd.exe         0x022e0000 0x022e0fff output/vmtoolsd.exe.21015d0.0x022e0000-0x022e0fff.dmp
       532 vmtoolsd.exe         0x02090000 0x02090fff output/vmtoolsd.exe.21015d0.0x02090000-0x02090fff.dmp
       532 vmtoolsd.exe         0x01f50000 0x0204ffff output/vmtoolsd.exe.21015d0.0x01f50000-0x0204ffff.dmp
       532 vmtoolsd.exe         0x01ef0000 0x01efdfff output/vmtoolsd.exe.21015d0.0x01ef0000-0x01efdfff.dmp
       532 vmtoolsd.exe         0x01470000 0x01d9afff output/vmtoolsd.exe.21015d0.0x01470000-0x01d9afff.dmp
[REMOVED]
vadinfo
- Description
- Dump the VAD info
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- Output example
$ python vol.py -f ~/memdump/infected.img vadinfo -p 532
Volatile Systems Volatility Framework 2.2
************************************************************************
Pid:    532
VAD node @ 0x81cd22b0 Start 0x05270000 End 0x0536ffff Tag VadS
Flags: CommitCharge: 2, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE

VAD node @ 0x81e06320 Start 0x03140000 End 0x04172fff Tag VadS
Flags: CommitCharge: 4147, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE

VAD node @ 0x81ecdaa8 Start 0x022e0000 End 0x022e0fff Tag Vadl
Flags: CommitCharge: 1, MemCommit: 1, NoChange: 1, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
First prototype PTE: 00000000 Last contiguous PTE: 00000000
Flags2: LongVad: 1, OneSecured: 1

VAD node @ 0x81ec33d8 Start 0x02090000 End 0x02090fff Tag VadS
Flags: CommitCharge: 1, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
[REMOVED]
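The second node in that listing is the one a reviewer should stop at: a private (not file-backed), fully committed region of 4147 pages with PAGE_EXECUTE_READWRITE protection, which is how injected or unpacked code usually presents in a VAD listing. The following added example (not part of Volatility) parses vadinfo text output and flags such regions, reporting whether the commit charge covers the whole range and letting you check whether a given address, for instance a yarascan hit, falls inside one. The sample is the page's own four nodes. JIT engines and some packers allocate RWX private memory legitimately, so a hit is a region to dump with vaddump and inspect, not a verdict.

```python
"""Flag private, committed, RWX VAD regions in Volatility 2 'vadinfo' text
output.  Added example, not part of the Volatility framework."""
import re

NODE_RE = re.compile(
    r"VAD node @ (0x[0-9a-f]+) Start (0x[0-9a-f]+) End (0x[0-9a-f]+) Tag (\w+)")
FLAGS_RE = re.compile(r"^Flags: (.*)$")          # does not match "Flags2: ..."
PROT_RE = re.compile(r"^Protection: (PAGE_\w+)")  # the symbolic line, not the numeric flag
PAGE = 0x1000

# Sample taken from the page's vadinfo output for vmtoolsd.exe (pid 532).
SAMPLE_VADINFO = """\
************************************************************************
Pid:    532
VAD node @ 0x81cd22b0 Start 0x05270000 End 0x0536ffff Tag VadS
Flags: CommitCharge: 2, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE

VAD node @ 0x81e06320 Start 0x03140000 End 0x04172fff Tag VadS
Flags: CommitCharge: 4147, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE

VAD node @ 0x81ecdaa8 Start 0x022e0000 End 0x022e0fff Tag Vadl
Flags: CommitCharge: 1, MemCommit: 1, NoChange: 1, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
First prototype PTE: 00000000 Last contiguous PTE: 00000000
Flags2: LongVad: 1, OneSecured: 1

VAD node @ 0x81ec33d8 Start 0x02090000 End 0x02090fff Tag VadS
Flags: CommitCharge: 1, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
"""


def parse_vadinfo(text):
    """Return one dict per VAD node: node address, start, end, tag, the
    'Flags:' items as a dict, and the symbolic protection."""
    nodes, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = NODE_RE.match(line)
        if m:
            cur = {"node": m.group(1), "start": int(m.group(2), 16),
                   "end": int(m.group(3), 16), "tag": m.group(4),
                   "flags": {}, "protection": None}
            nodes.append(cur)
            continue
        if cur is None:
            continue
        m = FLAGS_RE.match(line)
        if m:
            for item in m.group(1).split(","):
                key, _, value = item.strip().partition(": ")
                if key:
                    cur["flags"][key] = int(value) if value.isdigit() else value
            continue
        m = PROT_RE.match(line)
        if m:
            cur["protection"] = m.group(1)
    return nodes


def suspicious_regions(nodes):
    """Private + committed + PAGE_EXECUTE_READWRITE regions, with their page
    count and whether CommitCharge covers the whole range."""
    found = []
    for n in nodes:
        f = n["flags"]
        if (n["protection"] == "PAGE_EXECUTE_READWRITE"
                and f.get("PrivateMemory") == 1 and f.get("CommitCharge", 0) > 0):
            pages = (n["end"] - n["start"] + 1) // PAGE
            found.append({"start": n["start"], "end": n["end"], "tag": n["tag"],
                          "pages": pages,
                          "fully_committed": f.get("CommitCharge") == pages})
    return found


def region_for(regions, address):
    """The flagged region containing address, or None (e.g. to place a yarascan hit)."""
    for r in regions:
        if r["start"] <= address <= r["end"]:
            return r
    return None


if __name__ == "__main__":
    regions = suspicious_regions(parse_vadinfo(SAMPLE_VADINFO))
    for r in regions:
        print("%#010x-%#010x %s %d pages, fully committed: %s"
              % (r["start"], r["end"], r["tag"], r["pages"], r["fully_committed"]))
```

On the page's data this flags 0x03140000-0x04172fff, and the yarascan hits for pid 532 later on this page (for example 0x0315919d) fall inside that region, which is the kind of correlation that turns two plugin outputs into one finding.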
vadtree
- Description
- Walk the VAD tree and display in tree format
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- Output example
$ python vol.py -f ~/memdump/infected.img vadtree -p 532
Volatile Systems Volatility Framework 2.2
************************************************************************
Pid:    532
0x05270000 - 0x0536ffff
0x03140000 - 0x04172fff
0x022e0000 - 0x022e0fff
0x02090000 - 0x02090fff
0x01f50000 - 0x0204ffff
0x01ef0000 - 0x01efdfff
0x01470000 - 0x01d9afff
0x00f40000 - 0x00f40fff
0x00e10000 - 0x00e4ffff
0x00900000 - 0x00bfffff
0x00400000 - 0x00410fff
0x00030000 - 0x0012ffff
0x00010000 - 0x00010fff
0x00020000 - 0x00020fff
0x00140000 - 0x00140fff
0x00130000 - 0x00132fff
0x00250000 - 0x0025ffff
[REMOVED]
vadwalk
- Description
- Walk the VAD tree
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- Output example
$ python vol.py -f ~/memdump/infected.img vadwalk -p 532
Volatile Systems Volatility Framework 2.2
************************************************************************
Pid:    532
Address    Parent     Left       Right      Start      End        Tag
---------- ---------- ---------- ---------- ---------- ---------- ----
0x81cd22b0 0x00000000 0x81e06320 0x81f01d90 0x05270000 0x0536ffff VadS
0x81e06320 0x81cd22b0 0x81ecdaa8 0x8227c3e8 0x03140000 0x04172fff VadS
0x81ecdaa8 0x81e06320 0x81ec33d8 0x81f43938 0x022e0000 0x022e0fff Vadl
0x81ec33d8 0x81ecdaa8 0x81e05040 0x822008f8 0x02090000 0x02090fff VadS
0x81e05040 0x81ec33d8 0x823195b0 0x81e53b70 0x01f50000 0x0204ffff VadS
0x823195b0 0x81e05040 0x82171b18 0x8220b768 0x01ef0000 0x01efdfff Vad
0x82171b18 0x823195b0 0x821d2a78 0x82229ea8 0x01470000 0x01d9afff Vad
0x821d2a78 0x82171b18 0x8215b788 0x81e5ec00 0x00f40000 0x00f40fff Vad
0x8215b788 0x821d2a78 0x81f06870 0x822e1ed8 0x00e10000 0x00e4ffff Vad
[REMOVED]
volshell
- Description
- Interactive shell to explore a memory image, offering an interface similar to WinDbg:
- List processes
- Switch into a process's context
- Display types of structures/objects
- Overlay a type over a given address
- Walk linked lists
- Disassemble code at a given address
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS Offset (in hex) in kernel address space
- -n IMNAME, --imname=IMNAME
- Operate on these Process IDs (comma-separated)
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- Output example
$ python vol.py -f ~/memdump/infected.img volshell
Volatile Systems Volatility Framework 2.2
Current context: process System, pid=4, ppid=0 DTB=0x31e000
Welcome to volshell! Current memory image is:
file:///Users/sebastiendamaye/memdump/infected.img
To get help, type 'hh()'
>>> hh()
ps()                                                                : Print a process listing.
dq(address, length=128, space=None)                                 : Print qwords at address.
cc(offset=None, pid=None, name=None)                                : Change current shell context.
dd(address, length=128, space=None)                                 : Print dwords at address.
list_entry(head, objname, offset=-1, fieldname=None, forward=True)  : Traverse a _LIST_ENTRY.
db(address, length=128, space=None)                                 : Print bytes as canonical hexdump.
dt(objct, address=None, address_space=None)                         : Describe an object or show type info.
hh(cmd=None)                                                        : Get help on a command.
dis(address, length=128, space=None, mode=None)                     : Disassemble code at a given address.

For help on a specific command, type 'hh(<command>)'
>>> ps()
Name             PID    PPID   Offset
System           4      0      0x823c8830
smss.exe         412    4      0x81e0b4b0
csrss.exe        772    412    0x82164020
winlogon.exe     796    412    0x81eee548
services.exe     840    796    0x81f13958
lsass.exe        852    796    0x821ecda0
vmacthlp.exe     1028   840    0x81e219a0
svchost.exe      1052   840    0x81e57500
svchost.exe      1120   840    0x81eae808
svchost.exe      1364   840    0x82190658
svchost.exe      1412   840    0x82236020
[REMOVED]
windows
- Description
- Print Desktop Windows (verbose details)
- Output example
$ python vol.py -f ~/memdump/infected.img windows
Volatile Systems Volatility Framework 2.2
**************************************************
Window context: 0\SAWinSta\SADesktop

Window Handle: #10020 at 0xbc130818, Name:
ClassAtom: 0xc035, Class: msctls_progress32
SuperClassAtom: 0xc035, SuperClass: msctls_progress32
pti: 0xe16ef510, Tid: 860 at 0x821e66e8
ppi: 0xe199b008, Process: csrss.exe, Pid: 772
Visible: No
Left: 0, Top: 0, Bottom: 100, Right: 100
Style Flags: WS_CLIPCHILDREN,WS_OVERLAPPED,WS_POPUP,WS_CLIPSIBLINGS
ExStyle Flags: WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT
Window procedure: 0xbf80d28d

Window Handle: #10022 at 0xbc130940, Name:
ClassAtom: 0x8000, Class: -
SuperClassAtom: 0x8000, SuperClass: -
pti: 0xe16ef510, Tid: 860 at 0x821e66e8
ppi: 0xe199b008, Process: csrss.exe, Pid: 772
Visible: No
Left: 3, Top: 3, Bottom: 97, Right: 97
Style Flags: WS_BORDER,WS_OVERLAPPED,WS_POPUP,WS_CLIPSIBLINGS
ExStyle Flags: WS_EX_LTRREADING,WS_EX_TOOLWINDOW,WS_EX_RIGHTSCROLLBAR,WS_EX_DLGMODALFRAME,WS_EX_WINDOWEDGE,WS_EX_LEFT
Window procedure: 0xbf860ffc
[REMOVED]
wintree
- Description
- Print Z-Order Desktop Windows Tree
- Output example
$ python vol.py -f ~/memdump/infected.img wintree
Volatile Systems Volatility Framework 2.2
**************************************************
Window context: 0\SAWinSta\SADesktop

#10020 csrss.exe:772 msctls_progress32
.#10022 csrss.exe:772 -
.OleMainThreadWndName svchost.exe:1364 msctls_hotkey32
#1001e csrss.exe:772 -
.#6016c svchost.exe:1364 Tapi32WndClass
.SYSTEM AGENT COM WINDOW svchost.exe:1364 SAGEWINDOWCLASS
.internal window svchost.exe:1364 Bits
.BadApplicationNotificationWindow svchost.exe:1364 BadApplicationNotificationWindowClass
.ModemDeviceChange svchost.exe:1364 MdmDevChg
.#401d6 svchost.exe:1364 HidPhoneNotifClass
#1002c csrss.exe:772 msctls_progress32
.#1002e csrss.exe:772 -
#2002a csrss.exe:772 -
#10032 csrss.exe:772 msctls_progress32
.#10034 csrss.exe:772 -
#20030 csrss.exe:772 -
.#100fc svchost.exe:1428 BthServClass
#1006c csrss.exe:772 msctls_progress32
.#1006e csrss.exe:772 -
#5006a csrss.exe:772 -
[REMOVED]
wndscan
- Description
- Pool scanner for tag WINDOWSTATION (window stations)
- Output example
$ python vol.py -f ~/memdump/infected.img wndscan
Volatile Systems Volatility Framework 2.2
**************************************************
WindowStation: 0x205c318, Name: Service-0x0-3e5$, Next: 0x81f03ce8
SessionId: 0, AtomTable: 0xe19b3c18, Interactive: False
Desktops: Default
ptiDrawingClipboard: pid - tid -
spwndClipOpen: 0x0, spwndClipViewer: 0x0
cNumClipFormats: 0, iClipSerialNumber: 0
pClipBase: 0x0, Formats:
**************************************************
WindowStation: 0x2103ce8, Name: SAWinSta, Next: 0x0
SessionId: 0, AtomTable: 0xe1ee5278, Interactive: False
Desktops: SADesktop
ptiDrawingClipboard: pid - tid -
spwndClipOpen: 0x0, spwndClipViewer: 0x0
cNumClipFormats: 0, iClipSerialNumber: 0
pClipBase: 0x0, Formats:
[REMOVED]
yarascan
- Description
- Scan process or kernel memory with Yara signatures
- Requires
- Yara (http://code.google.com/p/yara-project/)
- Options
- -o OFFSET, --offset=OFFSET
- EPROCESS offset (in hex) in the physical address space
- -p PID, --pid=PID
- Operate on these Process IDs (comma-separated)
- -K, --kernel
- Scan kernel modules
- -W, --wide
- Match wide (unicode) strings
- -Y YARA_RULES, --yara-rules=YARA_RULES
- Yara rules (as a string)
- -y YARA_FILE, --yara-file=YARA_FILE
- Yara rules (rules file)
- -D DUMP_DIR, --dump-dir=DUMP_DIR
- Directory in which to dump the files
- Output example
Let's create a yara signature as follows:
$ cat ~/pentest/yara-sigs/sality.yara
rule sality
{
    strings:
        $a = "mirc1.net"
        $b = "elaswany.com"
        $c = "logos.gif"
    condition:
        any of them
}
Let's identify the processes matching the yara signature:
$ python vol.py -f ~/memdump/infected.img yarascan -y ~/pentest/yara-sigs/sality.yara
Volatile Systems Volatility Framework 2.2
Rule: sality
Owner: Process vmtoolsd.exe Pid 532
0x0315919d  6d 69 72 63 31 2e 6e 65 74 2f 6c 6f 67 6f 73 2e   mirc1.net/logos.
0x031591ad  67 69 66 00 68 74 74 70 3a 2f 2f 77 77 77 2e 64   gif.http://www.d
0x031591bd  6f 67 75 73 2d 70 6c 61 73 74 69 6b 2e 63 6f 6d   ogus-plastik.com
0x031591cd  2f 6c 6f 67 6f 73 2e 67 69 66 00 68 74 74 70 3a   /logos.gif.http:
Rule: sality
Owner: Process vmtoolsd.exe Pid 532
0x031591a7  6c 6f 67 6f 73 2e 67 69 66 00 68 74 74 70 3a 2f   logos.gif.http:/
0x031591b7  2f 77 77 77 2e 64 6f 67 75 73 2d 70 6c 61 73 74   /www.dogus-plast
0x031591c7  69 6b 2e 63 6f 6d 2f 6c 6f 67 6f 73 2e 67 69 66   ik.com/logos.gif
0x031591d7  00 68 74 74 70 3a 2f 2f 6d 61 63 65 64 6f 6e 69   .http://macedoni
Rule: sality
Owner: Process vmtoolsd.exe Pid 532
0x031591ce  6c 6f 67 6f 73 2e 67 69 66 00 68 74 74 70 3a 2f   logos.gif.http:/
0x031591de  2f 6d 61 63 65 64 6f 6e 69 61 2e 6d 79 31 2e 72   /macedonia.my1.r
0x031591ee  75 2f 6d 61 69 6e 68 2e 67 69 66 00 68 74 74 70   u/mainh.gif.http
0x031591fe  3a 2f 2f 67 69 7a 61 65 64 75 2e 6f 72 67 2f 6d   ://gizaedu.org/m
[REMOVED]
Examples
- From AlienVault SIEM alarms to the identification of infected files on a compromised machine.
- Retrieve the hostname from a memory dump
- Retrieve the user password from a memory dump