Volatility Usage
MEMORY ACQUISITION
WINPMEM/LINPMEM
1. Windows
a. C:\> winpmem_<version>.exe -o F:\mem.aff4
b. C:\> winpmem_<version>.exe F:\mem.aff4 -e PhysicalMemory -o mem.raw
2. Linux
a. ./linpmem_<version>.post4 -o F:\mem.aff4
b. ./linpmem_<version>.post4 F:\mem.aff4 -e PhysicalMemory -o mem.raw
3. Linux Alt
a. sudo dd if=/dev/fmem of=/tmp/memory.raw bs=1MB
VOLATILITY USAGE
Example usage: ./volatility_<version>_lin64_standalone --profile=<profile name> <command> -f <memory file name>
LISTING AVAILABLE PROFILES
info - Displays a list of profiles
a. ./volatility_<version>_lin64_standalone --info
ROGUE PROCESS IDENTIFICATION
pslist - High level view of running processes
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> pslist -f <memory file name>
psscan - Scan memory for EPROCESS blocks
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> psscan -f <memory file name>
pstree - Display parent-process relationships
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> pstree -f <memory file name>
ROOTKIT IDENTIFICATION
psxview - Find hidden processes using cross-view
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> psxview -f <memory file name>
modscan - Scan memory for loaded, unloaded, and unlinked drivers
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> modscan -f <memory file name>
apihooks - Find API/DLL function hooks
a. -p Operate only on specific PIDs
b. -Q Only scan critical processes and DLLS
i. # ./volatility_<version>_lin64_standalone --profile=<profile name> apihooks -f <memory file name>
ssdt - Hooks in System Service Descriptor Table
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> ssdt -f <memory file name> | egrep -v '(ntoskrnl|win32k)'
driverirp - Identify I/O Request Packet (IRP) hooks
a. -r Analyze drivers matching REGEX name pattern
i. # ./volatility_<version>_lin64_standalone --profile=<profile name> driverirp -r tcpip -f <memory file name>
idt - Display Interrupt Descriptor Table
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> idt -f <memory file name>
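The pslist/psscan/psxview entries above rely on one idea: pslist walks the kernel's linked process list, psscan carves EPROCESS blocks out of physical memory, and anything psscan finds that pslist does not is either a terminated process or one unlinked by a rootkit. The following Python script is an added example, not part of this cheat sheet or of Volatility; it runs that cross-view over the text output of pslist and psscan (constructed sample output is embedded so it runs offline) and separates exited processes, which have an exit timestamp, from genuinely hidden ones.

```python
"""Cross-view check over Volatility 2 pslist and psscan text output.

Constructed sample output (not from a real image) is embedded below so the
script runs offline. In practice capture the two listings with:
  ./volatility_<version>_lin64_standalone --profile=<profile> pslist -f mem.raw > pslist.txt
  ./volatility_<version>_lin64_standalone --profile=<profile> psscan -f mem.raw > psscan.txt
"""
import re

# Constructed sample: pslist output (walks the linked EPROCESS list).
PSLIST_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     58      379 ------      0 2010-08-11 06:06:52 UTC+0000
0x82104c48 smss.exe                368      4      3       21 ------      0 2010-08-11 06:06:53 UTC+0000
0x8205ba78 csrss.exe               584    368      9      326      0      0 2010-08-11 06:06:55 UTC+0000
"""

# Constructed sample: psscan output (pool-tag scan of physical memory).
# notepad.exe has an exit time (terminated, block not yet reused);
# rundll32.exe has none and is absent from pslist (unlinked/hidden).
PSSCAN_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000 2010-08-11 06:06:52 UTC+0000
0x0000000002029ab8 smss.exe            368      4 0x00319000 2010-08-11 06:06:53 UTC+0000
0x000000000205ba78 csrss.exe           584    368 0x03b3d000 2010-08-11 06:06:55 UTC+0000
0x0000000002151020 notepad.exe        1524    584 0x0c2f1000 2010-08-11 06:10:01 UTC+0000   2010-08-11 06:12:45 UTC+0000
0x0000000002187d40 rundll32.exe       1796    584 0x0d4a2000 2010-08-11 06:15:20 UTC+0000
"""

TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_processes(text):
    """Return {pid: (name, exited)} from pslist or psscan text.

    Both plugins print one process per line starting with the EPROCESS
    offset; banner, header and separator lines are skipped. A row that
    carries two timestamps (created and exited) is a terminated process.
    """
    procs = {}
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        fields = line.split()
        name, pid = fields[1], int(fields[2])
        exited = len(TIMESTAMP.findall(line)) == 2
        procs[pid] = (name, exited)
    return procs


def cross_view(pslist_text, psscan_text):
    """Classify every PID that psscan found but pslist did not.

    'hidden' - no exit time: a live process unlinked from the
               ActiveProcessLinks list (the DKOM rootkit pattern)
    'exited' - has an exit time: a terminated process whose EPROCESS
               block has not been overwritten yet (benign and common)
    """
    listed = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    result = {"hidden": [], "exited": []}
    for pid, (name, exited) in sorted(scanned.items()):
        if pid in listed:
            continue
        result["exited" if exited else "hidden"].append((pid, name))
    return result


if __name__ == "__main__":
    for kind, procs in cross_view(PSLIST_SAMPLE, PSSCAN_SAMPLE).items():
        for pid, name in procs:
            print(f"{kind:7s} pid={pid:<6d} {name}")
```

Only the "hidden" bucket deserves follow-up with psxview, ldrmodules and malfind on that PID; the "exited" bucket is the normal residue of process churn. Keying on PID alone is a simplification: a PID reused after termination would need the offset or creation time to disambiguate.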
NETWORK ARTIFACTS
connections - List of open TCP connections
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> connections -f <memory file name>
connscan - ID TCP connections, including closed
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> connscan -f <memory file name>
sockets - Print listening sockets (any protocol)
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> sockets -f <memory file name>
sockscan - ID sockets, including closed/unlinked
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> sockscan -f <memory file name>
netscan - Scan for connections and sockets
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> netscan -f <memory file name>
CODE INJECTION IDENTIFICATION
malfind - Find injected code and dump sections
a. -p Show information only for specific PIDs
b. -o Provide physical offset of single process to scan
c. --dump-dir Directory to save memory sections
i. # ./volatility_<version>_lin64_standalone --profile=<profile name> malfind -f <memory file name> --dump-dir ./output_dir
ldrmodules - Detect unlinked DLLs
a. -p Show information only for specific PIDs
b. -v Verbose: show full paths from the three PEB module lists
i. # ./volatility_<version>_lin64_standalone --profile=<profile name> ldrmodules -p 4 -v -f <memory file name>
REGISTRY KEY ANALYSIS
printkey - Output a registry key, subkeys, and values
a. -K "Registry key path"
i. # ./volatility_<version>_lin64_standalone --profile=<profile name> printkey -K "Software\Microsoft\Windows\CurrentVersion\Run" -f <memory file name>
HASH DUMP
hivelist - Find and list available registry hives
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> hivelist -f <memory file name>
hashdump - Dump user NTLM and Lanman hashes
a. -y Virtual offset of SYSTEM registry hive (from hivelist)
b. -s Virtual offset of SAM registry hive (from hivelist)
i. # ./volatility_<version>_lin64_standalone --profile=<profile name> hashdump -f <memory file name> -y 0x8781c008 -s 0x87f6b9c8
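The hashdump entry depends on two values copied by hand from hivelist: the virtual offsets of the SYSTEM and SAM hives. This Python script is an added example, not part of the cheat sheet or of Volatility; it parses hivelist's text output (a constructed sample is embedded), picks out those two hives, refuses to continue if either is missing, and assembles the hashdump command line in the form the sheet uses. The hive paths, offsets and profile name in the sample are made up.

```python
"""Pull the SYSTEM and SAM hive offsets out of Volatility 2 hivelist output
and build the matching hashdump command line.

A constructed hivelist sample is embedded so the script runs offline; in
practice read the file produced by:
  ./volatility_<version>_lin64_standalone --profile=<profile> hivelist -f mem.raw > hivelist.txt
"""
import re

# Constructed sample of hivelist output (offsets and paths are made up).
HIVELIST_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0xe1018c00 0x02a56c00 [no name]
0xe1035b60 0x02ac3b60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system
0xe16e7b60 0x0b1f4b60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\software
0xe1a4a008 0x0a3e5008 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SAM
0xe1b3e008 0x0c12d008 \\Device\\HarddiskVolume1\\Documents and Settings\\Admin\\NTUSER.DAT
"""

# One hive per line: virtual offset, physical offset, then the hive name
# (which may contain spaces, so it is captured to end of line).
HIVE_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.*)$")


def parse_hivelist(text):
    """Return a list of (virtual_offset, physical_offset, name) tuples."""
    hives = []
    for line in text.splitlines():
        m = HIVE_LINE.match(line)
        if m:
            hives.append((m.group(1), m.group(2), m.group(3).strip()))
    return hives


def find_hive(hives, *suffixes):
    """Virtual offset of the first hive whose name ends with one of the
    given suffixes (case-insensitive); raise LookupError if none matches."""
    for virt, _phys, name in hives:
        low = name.lower()
        if any(low.endswith(s.lower()) for s in suffixes):
            return virt
    raise LookupError(f"no hive matching {suffixes} in hivelist output")


def hashdump_offsets(hivelist_text):
    """(SYSTEM virtual offset, SAM virtual offset) for hashdump -y / -s.

    Older profiles list hives by on-disk path (...\\config\\system); newer
    ones may list \\REGISTRY\\MACHINE\\SYSTEM, so both spellings are accepted.
    """
    hives = parse_hivelist(hivelist_text)
    system = find_hive(hives, "\\config\\system", "\\REGISTRY\\MACHINE\\SYSTEM")
    sam = find_hive(hives, "\\config\\sam", "\\REGISTRY\\MACHINE\\SAM")
    return system, sam


def hashdump_command(hivelist_text, profile, image,
                     volatility="./volatility_<version>_lin64_standalone"):
    """argv list for the hashdump invocation shown on the cheat sheet."""
    system, sam = hashdump_offsets(hivelist_text)
    return [volatility, f"--profile={profile}", "hashdump",
            "-f", image, "-y", system, "-s", sam]


if __name__ == "__main__":
    # "WinXPSP3x86" and "mem.raw" are placeholders for this demonstration.
    print(" ".join(hashdump_command(HIVELIST_SAMPLE, "WinXPSP3x86", "mem.raw")))
```

The offsets hashdump needs are the virtual ones (first column); passing the physical offsets from the second column is a common mistake that yields an empty or garbage dump, which is why the parser keeps both columns but only ever returns the virtual one.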
PROCESSES
procdump - Dump process to executable sample
a. -p Dump only specific PIDs
b. -o Specify process by physical memory offset
c. --dump-dir Directory to save extracted files
i. # ./volatility_<version>_lin64_standalone --profile=<profile name> procdump -p 4 -f <memory file name> --dump-dir ./output
memdump - Dump every memory section into a file
a. -p Dump memory sections from these PIDs
b. --dump-dir Directory to save extracted files
i. # ./volatility_<version>_lin64_standalone --profile=<profile name> memdump -p 4 --dump-dir ./output -f <memory file name>
FILES
filescan - Scan memory for FILE_OBJECT handles
a. # ./volatility_<version>_lin64_standalone --profile=<profile name> filescan -f <memory file name>
dumpfiles - Extract FILE_OBJECTs from memory
a. -Q Dump using physical offset of FILE_OBJECT
b. -r Extract using a REGEX (add -i for case insensitive)
c. -n Add original file name to output name
d. --dump-dir Directory to save extracted files
i. # ./volatility_<version>_lin64_standalone --profile=<profile name> dumpfiles -n -i -r \.exe -f <memory file name> --dump-dir=./
References
http://www.cydefe.com/podcast/2018/1/30/tools-101-volatility-usage