Volatility Usage

MEMORY ACQUISITION

WINPMEM/LINPMEM

1. Windows

a. C:\> winpmem_<version>.exe -o F:\mem.aff4

b. C:\> winpmem_<version>.exe F:\mem.aff4 -e PhysicalMemory -o mem.raw

2. Linux

a. sudo ./linpmem_<version>.post4 -o /mnt/usb/mem.aff4

b. sudo ./linpmem_<version>.post4 /mnt/usb/mem.aff4 -e PhysicalMemory -o mem.raw

3. Linux Alt

a. sudo dd if=/dev/fmem of=/tmp/memory.raw bs=1MB

VOLATILITY USAGE

  Example usage: ./volatility_<version>_lin64_standalone --profile=<profile name> <command> -f <memory file name>

LISTING AVAILABLE PROFILES

  1. info - Displays a list of profiles

    a. ./volatility_<version>_lin64_standalone --info

ROGUE PROCESS IDENTIFICATION

  1. pslist - High level view of running processes

    a. # ./volatility_<version>_lin64_standalone --profile=<profile name> pslist -f <memory file name>

  2. psscan - Scan memory for EPROCESS blocks

    a. # ./volatility_<version>_lin64_standalone --profile=<profile name> psscan -f <memory file name>

  3. pstree - Display parent-process relationships

    a. # ./volatility_<version>_lin64_standalone --profile=<profile name> pstree -f <memory file name>
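The three listings above answer different questions: pslist walks the kernel's linked EPROCESS list, while psscan carves EPROCESS blocks out of physical memory, so a PID present in psscan but absent from pslist is either a terminated process or one that was unlinked from the list to hide it. The script below is an added example, not part of the original cheat sheet, that performs that cross-view by hand on redirected pslist and psscan output; the sample output it embeds is constructed for the example and is not from a real image.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): manual cross-view of
# pslist (linked EPROCESS list) against psscan (carved EPROCESS blocks).
# psxview automates this; doing it by hand shows what the comparison means.
export LC_ALL=C

# Print "PID Name" for every data row of pslist or psscan output. Data rows
# are the ones whose first field is a hex offset; PID is the third column in
# both plugins' output.
extract_pids() {
    awk '$1 ~ /^0x/ { printf "%s %s\n", $3, $2 }' "$1" | sort
}

# Print the PIDs that appear in psscan output but not in pslist output.
# Usage: hidden_pids <pslist output file> <psscan output file>
hidden_pids() {
    pslist_pids=$(mktemp)
    psscan_pids=$(mktemp)
    extract_pids "$1" > "$pslist_pids"
    extract_pids "$2" > "$psscan_pids"
    comm -13 "$pslist_pids" "$psscan_pids"   # lines only in the psscan file
    rm -f "$pslist_pids" "$psscan_pids"
}

# Constructed sample output (not from a real image): psscan lists one PID,
# 1408, that the linked list does not.
write_samples() {
    cat > "$1" <<'EOF'
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     58      379 ------      0
0x82015020 smss.exe                544      4      3       21 ------      0 2010-10-29 17:08:53 UTC+0000
0x81ec4020 csrss.exe               608    544     10      410      0      0 2010-10-29 17:08:54 UTC+0000
EOF
    cat > "$2" <<'EOF'
Offset(P)          Name                PID   PPID PDB        Time created
------------------ ---------------- ------ ------ ---------- ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x0000000002015020 smss.exe            544      4 0x0adc8000 2010-10-29 17:08:53 UTC+0000
0x0000000001ec4020 csrss.exe           608    544 0x0b0e8000 2010-10-29 17:08:54 UTC+0000
0x0000000001e6d650 svchost.exe        1408    672 0x0be50000 2010-10-29 17:09:02 UTC+0000
EOF
}

# Stand-alone demonstration; with real data, point hidden_pids at the
# redirected output of the pslist and psscan commands listed above.
demo_pslist=$(mktemp)
demo_psscan=$(mktemp)
write_samples "$demo_pslist" "$demo_psscan"
echo "PIDs found by psscan but not by pslist:"
hidden_pids "$demo_pslist" "$demo_psscan"
rm -f "$demo_pslist" "$demo_psscan"
```

A PID that shows up here still needs a look at its exit time in psscan: a recently exited process leaves the same gap as a hidden one, and only the latter is a rootkit indicator.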

ROOTKIT IDENTIFICATION

  1. psxview - Find hidden processes using cross-view

    a. # ./volatility_<version>_lin64_standalone --profile=<profile name> psxview -f <memory file name>

  2. modscan - Scan memory for loaded, unloaded, and unlinked drivers

    a. # ./volatility_<version>_lin64_standalone --profile=<profile name> modscan -f <memory file name>

  3. apihooks - Find API/DLL function hooks

    a. -p Operate only on specific PIDs

    b. -Q Only scan critical processes and DLLS

    i. # ./volatility_<version>_lin64_standalone --profile=<profile name> apihooks -f <memory file name>

  4. ssdt - Hooks in System Service Descriptor Table

    a. # ./volatility_<version>_lin64_standalone --profile=<profile name> ssdt -f <memory file name> | egrep -v '(ntoskrnl|win32k)'

  5. driverirp - Identify I/O Request Packet (IRP) hooks

    a. -r Analyze drivers matching REGEX name pattern

    i. # ./volatility_<version>_lin64_standalone --profile=<profile name> driverirp -r tcpip -f <memory file name>

  6. idt - Display Interrupt Descriptor Table

    a. # ./volatility_<version>_lin64_standalone --profile=<profile name> idt -f <memory file name>

NETWORK ARTIFACTS

  1. connections - List of open TCP connections

    a. # ./volatility_<version>_lin64_standalone --profile=<profile name> connections -f <memory file name>

  2. connscan - ID TCP connections, including closed

    a. # ./volatility_<version>_lin64_standalone --profile=<profile name> connscan -f <memory file name>

  3. sockets - Print listening sockets (any protocol)

    a. # ./volatility_<version>_lin64_standalone --profile=<profile name> sockets -f <memory file name>

  4. sockscan - ID sockets, including closed/unlinked

    a. # ./volatility_<version>_lin64_standalone --profile=<profile name> sockscan -f <memory file name>

  5. netscan - Scan for connections and sockets

    a. # ./volatility_<version>_lin64_standalone --profile=<profile name> netscan -f <memory file name>
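The network plugins above list every socket and connection in the image; the triage question is usually which process was talking to an address outside the local network. The script below is an added example, not part of the original cheat sheet, that filters redirected netscan output down to established TCPv4 connections whose remote address is outside the RFC 1918 and loopback ranges and prints the owning PID and process. The netscan sample it embeds is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): first-pass triage of
# netscan output, keeping only established TCPv4 connections to addresses
# outside the private and loopback ranges. The sample data is constructed.
export LC_ALL=C

# Usage: external_connections <netscan output file>
# Prints "Pid Owner ForeignAddress" for each qualifying connection.
external_connections() {
    awk '
    # Return 1 if a dotted-quad address is private (RFC 1918) or loopback.
    function is_internal(ip,    o) {
        split(ip, o, ".")
        if ((o[1] + 0) == 10) return 1
        if ((o[1] + 0) == 172 && (o[2] + 0) >= 16 && (o[2] + 0) <= 31) return 1
        if ((o[1] + 0) == 192 && (o[2] + 0) == 168) return 1
        if ((o[1] + 0) == 127) return 1
        return 0
    }
    # netscan columns: Offset Proto Local Foreign State Pid Owner Created
    $1 ~ /^0x/ && $2 == "TCPv4" && $5 == "ESTABLISHED" {
        split($4, fa, ":")
        if (!is_internal(fa[1])) printf "%s %s %s\n", $6, $7, $4
    }' "$1"
}

# Constructed netscan sample (not from a real image). Two connections go to
# documentation-range addresses that stand in for "external" here.
write_netscan_sample() {
    cat > "$1" <<'EOF'
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d6124f8         TCPv4    192.168.1.10:49167             203.0.113.7:443      ESTABLISHED      2968     svchost.exe
0x7d6b2a10         TCPv4    192.168.1.10:139               0.0.0.0:0            LISTENING        4        System
0x7d72c0a8         TCPv4    192.168.1.10:49172             192.168.1.20:445     ESTABLISHED      4        System
0x7d7a1b30         UDPv4    0.0.0.0:137                    *:*                                   4        System         2012-05-12 10:14:02 UTC+0000
0x7d7c5e10         TCPv4    192.168.1.10:49180             198.51.100.23:8443   ESTABLISHED      1408     svchost.exe
EOF
}

# Stand-alone demonstration; with real data, point external_connections at
# the redirected output of the netscan command listed above.
demo_netscan=$(mktemp)
write_netscan_sample "$demo_netscan"
echo "Established connections to non-private addresses (Pid Owner Foreign):"
external_connections "$demo_netscan"
rm -f "$demo_netscan"
```

The PIDs this prints are the ones to feed to the -p option of the process and code-injection plugins in the following sections.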

CODE INJECTION IDENTIFICATION

  1. malfind - Find injected code and dump sections

    a. -p Show information only for specific PIDs

    b. -o Provide physical offset of single process to scan

    c. --dump-dir Directory to save memory sections

    i. # ./volatility_<version>_lin64_standalone --profile=<profile name> malfind -f <memory file name> --dump-dir ./output_dir

  2. ldrmodules - Detect unlinked DLLs

    a. -p Show information only for specific PIDs

    b. -v Verbose: show full paths from the three PEB DLL lists

    i. # ./volatility_<version>_lin64_standalone --profile=<profile name> ldrmodules -p 4 -v -f <memory file name>
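malfind reports every private, committed, executable memory region that is not backed by a file, and many of those are benign JIT or packer artifacts. A region whose first two bytes are 4d 5a ("MZ") holds a whole PE image that was mapped without a file, which is where to start when deciding which regions to dump. The script below is an added example, not part of the original cheat sheet, that picks those regions out of redirected malfind output; the malfind sample it embeds is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): triage pass over
# malfind output that lists regions starting with an MZ header, the classic
# sign of a reflectively loaded PE. The sample data is constructed.
export LC_ALL=C

# Usage: injected_pe_regions <malfind output file>
# Prints "Pid Process Address" for each reported region that starts with MZ.
injected_pe_regions() {
    awk '
    # Each region begins with: Process: <name> Pid: <pid> Address: <addr>
    /^Process:/ { proc = $2; pid = $4; addr = $6; pending = 1 }
    # The first hexdump line after that header shows the leading bytes of the
    # region; later 0x-prefixed lines are the disassembly and are ignored.
    pending && $1 ~ /^0x/ && NF > 3 {
        if ($2 == "4d" && $3 == "5a") printf "%s %s %s\n", pid, proc, addr
        pending = 0
    }' "$1"
}

# Constructed malfind sample (not from a real image): one region holds a PE
# header, the other is zero-filled.
write_malfind_sample() {
    cat > "$1" <<'EOF'
Process: svchost.exe Pid: 1408 Address: 0x980000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00980000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00980010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x00980000 4d               DEC EBP
0x00980001 5a               POP EDX

Process: explorer.exe Pid: 1344 Address: 0x2a60000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02a60000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x02a60010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x02a60000 0000             ADD [EAX], AL
EOF
}

# Stand-alone demonstration; with real data, point injected_pe_regions at
# the redirected output of the malfind command listed above.
demo_malfind=$(mktemp)
write_malfind_sample "$demo_malfind"
echo "malfind regions that begin with an MZ header (Pid Process Address):"
injected_pe_regions "$demo_malfind"
rm -f "$demo_malfind"
```

Shellcode-only injections have no MZ header and will not appear in this list, so the remaining regions still deserve a look at their disassembly; this filter only orders the work.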

REGISTRY KEY ANALYSIS

  1. printkey - Output a registry key, subkeys, and values

    a. -K "Registry key path"

    i. # ./volatility_<version>_lin64_standalone --profile=<profile name> printkey -K "Software\Microsoft\Windows\CurrentVersion\Run" -f <memory file name>

HASH DUMP

  1. hivelist - Find and list available registry hives

    a. # ./volatility_<version>_lin64_standalone --profile=<profile name> hivelist -f <memory file name>

  2. hashdump - Dump user NTLM and Lanman hashes

    a. -y Virtual offset of SYSTEM registry hive (from hivelist)

    b. -s Virtual offset of SAM registry hive (from hivelist)

    i. # ./volatility_<version>_lin64_standalone --profile=<profile name> hashdump -f <memory file name> -y 0x8781c008 -s 0x87f6b9c8
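The two steps above go together: hashdump needs the virtual offsets of the SYSTEM and SAM hives, and those come from the hivelist output. The script below is an added example, not part of the original cheat sheet, that reads them out of redirected hivelist output and assembles the hashdump command line, using the same binary and profile placeholders as the rest of this page. Hive names are matched on the last path component, case-insensitively, because hivelist shows the SAM hive as "...\config\SAM" and the system hive as "...\config\system". The hivelist sample it embeds is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): read the SYSTEM and SAM
# hive offsets from hivelist output and build the hashdump command line.
# The sample data is constructed; the offsets in it are not from a real image.
export LC_ALL=C

# Usage: hive_offset <hivelist output file> <hive name, e.g. system or sam>
# Prints the virtual offset (first column) of the named hive, or nothing.
hive_offset() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    $1 ~ /^0x/ {
        name = $NF
        sub(/.*\\/, "", name)                 # keep text after the last backslash
        if (tolower(name) == want) { print $1; exit }
    }' "$1"
}

# Usage: hashdump_cmd <hivelist output file> <memory file name>
# Prints the hashdump invocation with -y and -s filled in from hivelist.
hashdump_cmd() {
    sys=$(hive_offset "$1" system)
    sam=$(hive_offset "$1" sam)
    if [ -z "$sys" ] || [ -z "$sam" ]; then
        echo "error: SYSTEM or SAM hive not found in hivelist output" >&2
        return 1
    fi
    printf '%s\n' "./volatility_<version>_lin64_standalone --profile=<profile name> hashdump -f $2 -y $sys -s $sam"
}

# Constructed hivelist sample (not from a real image).
write_hivelist_sample() {
    cat > "$1" <<'EOF'
Virtual    Physical   Name
---------- ---------- ----
0xe1035b60 0x0a6e0b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe13ba008 0x0a1d9008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1a3c008 0x09fd1008 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1040b60 0x0a6e3b60 [no name]
EOF
}

# Stand-alone demonstration; with real data, point hashdump_cmd at the
# redirected output of the hivelist command listed above.
demo_hive=$(mktemp)
write_hivelist_sample "$demo_hive"
hashdump_cmd "$demo_hive" "<memory file name>"
rm -f "$demo_hive"
```

The function only prints the command so that the offsets can be checked against the hivelist listing before anything is run; a hive that hivelist shows as [no name] or lists twice needs to be resolved by hand.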

PROCESSES

  1. procdump - Dump process to executable sample

    a. -p Dump only specific PIDs

    b. -o Specify process by physical memory offset

    c. --dump-dir Directory to save extracted files

    i. # ./volatility_<version>_lin64_standalone --profile=<profile name> procdump -p 4 -f <memory file name> --dump-dir ./output

  2. memdump - Dump every memory section into a file

    a. -p Dump memory sections from these PIDs

    b. --dump-dir Directory to save extracted files

    i. # ./volatility_<version>_lin64_standalone --profile=<profile name> memdump -p 4 --dump-dir ./output -f <memory file name>

FILES

  1. filescan - Scan memory for FILE_OBJECT handles

    a. # ./volatility_<version>_lin64_standalone --profile=<profile name> filescan -f <memory file name>

  2. dumpfiles - Extract FILE_OBJECTs from memory

    a. -Q Dump using physical offset of FILE_OBJECT

    b. -r Extract using a REGEX (add -i for case insensitive)

    c. -n Add original file name to output name

    d. --dump-dir Directory to save extracted files

    i. # ./volatility_<version>_lin64_standalone --profile=<profile name> dumpfiles -n -i -r '\.exe' -f <memory file name> --dump-dir ./

References

http://www.cydefe.com/podcast/2018/1/30/tools-101-volatility-usage
