Volatility - CheatSheet

If you want something fast and crazy that will launch several Volatility plugins on parallel you can use: https://github.com/carlospolop/autoVolatility

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py # Will use most important plugins (could use a lot of space depending on the size of the memory)

Installation

volatility3

git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python3 setup.py install
python3 vol.py —h

volatility2

Download the executable from https://www.volatilityfoundation.org/26

Volatility Commands

Access the official doc in Volatility command reference

A note on “list” vs. “scan” plugins

Volatility has two main approaches to plugins, which are sometimes reflected in their names. “list” plugins will try to navigate through Windows Kernel structures to retrieve information like processes (locate and walk the linked list of _EPROCESS structures in memory), OS handles (locating and listing the handle table, dereferencing any pointers found, etc). They more or less behave like the Windows API would if requested to, for example, list processes.

That makes “list” plugins pretty fast, but just as vulnerable as the Windows API to manipulation by malware. For instance, if malware uses DKOM to unlink a process from the _EPROCESS linked list, it won’t show up in the Task Manager and neither will it in the pslist.

“scan” plugins, on the other hand, will take an approach similar to carving the memory for things that might make sense when dereferenced as specific structures. psscan for instance will read the memory and try to make out _EPROCESS objects out of it (it uses pool-tag scanning, which is basically searching for 4-byte strings that indicate the presence of a structure of interest). The advantage is that it can dig up processes that have exited, and even if malware tampers with the _EPROCESS linked list, the plugin will still find the structure lying around in memory (since it still needs to exist for the process to run). The downfall is that “scan” plugins are a bit slower than “list” plugins, and can sometimes yield false-positives (a process that exited too long ago and had parts of its structure overwritten by other operations).

From: http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/

OS Profiles

Volatility3

As explained inside the readme you need to put the symbol table of the OS you want to support inside volatility3/volatility/symbols. Symbol table packs for the various operating systems are available for download at:

Volatility2

External Profile

You can get the list of supported profiles doing:

If you want to use a new profile you have downloaded (for example a linux one) you need to create somewhere the following folder structure: plugins/overlays/linux and put inside this folder the zip file containing the profile. Then, get the number of the profiles using:

In the previous chunk you can see that the profile is called LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 , and you can use it executing something like:

Discover Profile

Differences between imageinfo and kdbgscan

As opposed to imageinfo which simply provides profile suggestions, kdbgscan is designed to positively identify the correct profile and the correct KDBG address (if there happen to be multiple). This plugin scans for the KDBGHeader signatures linked to Volatility profiles and applies sanity checks to reduce false positives. The verbosity of the output and number of sanity checks that can be performed depends on whether Volatility can find a DTB, so if you already know the correct profile (or if you have a profile suggestion from imageinfo), then make sure you use it (from here).

Always take a look in the number of procceses that kdbgscan has found. Sometimes imageinfo and kdbgscan can find more than one suitable profile but only the valid one will have some process related (This is because in order to extract processes the correct KDBG address is needed)

KDBG

The kernel debugger block (named KdDebuggerDataBlock of the type _KDDEBUGGER_DATA64, or KDBG by volatility) is important for many things that Volatility and debuggers do. For example, it has a reference to the PsActiveProcessHead which is the list head of all processes required for process listing.

OS Information

The plugin banners.Banners can be used in vol3 to try to find linux banners in the dump.

Hashes/Passwords

Extract SAM hashes, domain cached credentials and lsa secrets.

Memory Dump

The memory dump of a process will extract everything of the current status of the process. The procdump module will only extract the code.

Processes

List processes

Try to find suspicious processes (by name) or unexpected child processes (for example a cmd.exe as a child of iexplorer.exe). It could be interesting to compare the result of pslist with the one of psscan to identify hidden processes.

Dump proc

Command line

Anything suspicious was executed?

Commands entered into cmd.exe are processed by conhost.exe (csrss.exe prior to Windows 7). So even if an attacker managed to kill the cmd.exe prior to us obtaining a memory dump, there is still a good chance of recovering history of the command line session from conhost.exe’s memory. If you find something weird (using the consoles modules), try to dump the memory of the conhost.exe associated process and search for strings inside it to extract the command lines.

Environment

Get the env variables of each running process. There could be some interesting values.

Token privileges

Check for privileges tokens in unexpected services. It could be interesting to list the processes using some privileged token.

SIDs

Check each SSID owned by a process. It could be interesting to list the processes using a privileges SID (and the processes using some service SID).

Handles

Useful to know to which other files, keys, threads, processes... a process has a handle for (has opened)

DLLs

Strings per processes

Volatility allows to check to which process does a string belongs to.

It also allows to search for strings inside a process using the yarascan module:

UserAssist

Windows systems maintain a set of keys in the registry database (UserAssist keys) to keep track of programs that executed. The number of executions and last execution date and time are available in these keys.

Services

Network

Registry hive

Print available hives

Get a value

Dump

Filesystem

Mount

Scan/dump

Master File Table

The NTFS file system contains a file called the master file table, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself. All information about a file, including its size, time and date stamps, permissions, and data content, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries. From here.

SSL Keys/Certs

Malware

Scanning with yara

Use this script to download and merge all the yara malware rules from github: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9 Create the rules directory and execute it. This will create a file called malware_rules.yar which contains all the yara rules for malware.

MISC

External plugins

If you want to use an external plugins make sure that the plugins related folder is the first parameter used.

Autoruns

Download it from https://github.com/tomchop/volatility-autoruns

Mutexes

Symlinks

Bash

It's possible to read from memory the bash history. You could also dump the .bash_history file, but it was disabled you will be glad you can use this volatility module

TimeLine

Drivers

Get clipboard

Get IE history

Get notepad text

Screenshot

Master Boot Record (MBR)

The MBR holds the information on how the logical partitions, containing file systems, are organized on that medium. The MBR also contains executable code to function as a loader for the installed operating system—usually by passing control over to the loader's second stage, or in conjunction with each partition's volume boot record (VBR). This MBR code is usually referred to as a boot loader. From here.

PreviousMemory dump analysisNextPartitions/File Systems/Carving

Last updated