Here's a list of 25 useful Volatility commands and an example of how to use them:
imageinfo: Displays information about the memory image, including the suggested profile and operating system.
Example: vol.py -f memory_dump.raw imageinfo
pslist: Lists active processes in the memory dump, showing process names, PIDs, and parent-child relationships.
Example: vol.py -f memory_dump.raw pslist
pstree: Presents a hierarchical view of processes, illustrating parent-child relationships.
Example: vol.py -f memory_dump.raw pstree
dlllist: Lists loaded DLLs for each process, helping identify injected or suspicious modules.
Example: vol.py -f memory_dump.raw dlllist -p <PID>
handles: Displays open handles for each process, offering insights into file and resource usage.
Example: vol.py -f memory_dump.raw handles -p <PID>
cmdline: Shows the command-line arguments used to launch each process.
Example: vol.py -f memory_dump.raw cmdline -p <PID>
filescan: Scans for files in memory and provides information about their location and size.
Example: vol.py -f memory_dump.raw filescan
malfind: Detects and lists potentially malicious injected code or code modifications.
Example: vol.py -f memory_dump.raw malfind
sockets: Lists network sockets, aiding in identifying network-related activity.
Example: vol.py -f memory_dump.raw sockets
connections: Displays network connections, including local and remote addresses.
Example: vol.py -f memory_dump.raw connections
svcscan: Lists Windows services and their corresponding process IDs.
Example: vol.py -f memory_dump.raw svcscan
driverscan: Lists loaded kernel drivers, helping identify potential kernel-level rootkits.
Example: vol.py -f memory_dump.raw driverscan
modules: Lists kernel modules loaded in memory.
Example: vol.py -f memory_dump.raw modules
ssdt: Displays the System Service Descriptor Table, which can reveal potential hooking of system functions.
Example: vol.py -f memory_dump.raw ssdt
mutantscan: Lists mutant objects (synchronization primitives), helping identify hidden or malicious objects.
Example: vol.py -f memory_dump.raw mutantscan
autoruns: Lists autostart locations, including Registry keys.
Example: vol.py -f memory_dump.raw autoruns
timeliner: Creates a timeline of activity by various processes and events.
Example: vol.py -f memory_dump.raw timeliner
apihooks: Lists API hooks, revealing modifications to system calls.
Example: vol.py -f memory_dump.raw apihooks
idt: Displays the Interrupt Descriptor Table, revealing potential modifications indicating rootkit activity.
Example: vol.py -f memory_dump.raw idt
gdt: Shows the Global Descriptor Table, useful for identifying changes indicating kernel-level attacks.
Example: vol.py -f memory_dump.raw gdt
userhandles: Lists user-mode handles, helping identify objects and resources held by processes.
Example: vol.py -f memory_dump.raw userhandles -p <PID>
clipboard: Retrieves content from the system clipboard.
Example: vol.py -f memory_dump.raw clipboard
deskscan: Lists desktop objects, providing insights into processes interacting with graphical interfaces.
Example: vol.py -f memory_dump.raw deskscan
atomscan: Lists global atom tables, useful for identifying hidden or malicious atoms.
Example: vol.py -f memory_dump.raw atomscan
shellbags: Extracts information from Windows Explorer shellbags, revealing folder and file access history.
Example: vol.py -f memory_dump.raw shellbags
These examples show how to run each command against a memory dump file (memory_dump.raw). Replace <PID> with the actual process ID where required, and pass the profile reported by imageinfo to the other commands with --profile=<profile>, since vol.py needs it to parse the kernel structures in the image.
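The commands above are one-liners, but a real triage runs the whole set and keeps every plugin's output on disk for later review. The following driver is an added example (not part of the original post or of the Volatility project) that automates exactly that workflow: it runs imageinfo, parses the "Suggested Profile(s)" line, builds each vol.py invocation with -f, --profile and, for the per-process plugins, -p <PID>, and writes each plugin's output to its own file. It assumes vol.py is on PATH, that the image is a raw dump like memory_dump.raw, and that the plugin names are the Volatility 2 names listed above. It goes slightly beyond the list in one respect: sockets and connections only understand XP/2003 kernel structures, so for newer profiles it substitutes netscan, and autoruns is left out because it is a community plugin rather than part of core Volatility 2.

```python
#!/usr/bin/env python3
"""Triage driver around Volatility 2's vol.py (added example, not the original
post's or the Volatility project's code). Assumptions: vol.py is on PATH, the
image is a raw dump such as memory_dump.raw, plugin names are Volatility 2's."""
import re
import subprocess
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Cheat-sheet plugins that need only -f and --profile.
SYSTEM_PLUGINS = [
    "pslist", "pstree", "filescan", "malfind", "svcscan", "driverscan",
    "modules", "ssdt", "mutantscan", "timeliner", "apihooks", "idt", "gdt",
    "clipboard", "deskscan", "atomscan", "shellbags",
]
# sockets/connections parse XP/2003 structures only; netscan covers Vista and later.
LEGACY_NET_PLUGINS = ["sockets", "connections"]
MODERN_NET_PLUGINS = ["netscan"]
# Plugins usually narrowed to one process with -p <PID>.
PROCESS_PLUGINS = ["dlllist", "handles", "cmdline", "userhandles"]
# "autoruns" is a community plugin, not shipped in core Volatility 2; append it
# to SYSTEM_PLUGINS if it is installed in your plugin directory.

PROFILE_RE = re.compile(r"Suggested Profile\(s\)\s*:\s*([^\n]+)")


def parse_suggested_profiles(imageinfo_output: str) -> List[str]:
    """Extract profile names from imageinfo output, best guess first.
    The line looks like 'Suggested Profile(s) : Win7SP1x64, Win7SP0x64' and may
    end with '(Instantiated with ...)', which is not a profile name."""
    match = PROFILE_RE.search(imageinfo_output)
    if not match:
        return []
    names = []
    for chunk in match.group(1).split(","):
        name = chunk.strip().split(" ")[0]
        if name and not name.startswith("("):
            names.append(name)
    return names


def build_command(image: str, profile: str, plugin: str,
                  pid: Optional[int] = None) -> List[str]:
    """argv for one run: vol.py -f <image> --profile=<profile> <plugin> [-p <pid>]."""
    cmd = ["vol.py", "-f", image, "--profile=" + profile, plugin]
    if pid is not None:
        cmd += ["-p", str(pid)]
    return cmd


def plan_commands(image: str, profile: str,
                  pids: Iterable[int] = ()) -> List[List[str]]:
    """Every command the triage will run, so the plan can be reviewed (or
    tested) before anything executes."""
    legacy = profile.startswith(("WinXP", "Win2003"))
    net = LEGACY_NET_PLUGINS if legacy else MODERN_NET_PLUGINS
    plan = [build_command(image, profile, p) for p in SYSTEM_PLUGINS + net]
    for pid in pids:
        plan += [build_command(image, profile, p, pid) for p in PROCESS_PLUGINS]
    return plan


def output_name(cmd: List[str]) -> str:
    """pslist -> pslist.txt; dlllist -p 4 -> dlllist_pid4.txt"""
    plugin = cmd[4]
    return f"{plugin}_pid{cmd[6]}.txt" if "-p" in cmd else f"{plugin}.txt"


def triage(image: str, outdir: str, pids: Iterable[int] = (),
           vol_runner=subprocess.run) -> Dict[str, Path]:
    """Run imageinfo, take its first suggested profile, run the plan and save
    each plugin's output under outdir. Returns {file name: path}.
    vol_runner is injectable so the flow can be exercised without vol.py."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    info = vol_runner(["vol.py", "-f", image, "imageinfo"],
                      capture_output=True, text=True, check=False)
    profiles = parse_suggested_profiles(info.stdout)
    if not profiles:
        raise RuntimeError("imageinfo suggested no profile; pass one by hand")
    written = {"imageinfo.txt": out / "imageinfo.txt"}
    written["imageinfo.txt"].write_text(info.stdout)
    for cmd in plan_commands(image, profiles[0], pids):
        path = out / output_name(cmd)
        with path.open("w") as fh:
            # stderr is merged so a failing plugin leaves its error in the file.
            vol_runner(cmd, stdout=fh, stderr=subprocess.STDOUT, check=False)
        written[path.name] = path
    return written


if __name__ == "__main__":
    import sys
    # usage: triage.py memory_dump.raw ./out [PID ...]
    img, dest = sys.argv[1], sys.argv[2]
    for name in triage(img, dest, [int(p) for p in sys.argv[3:]]):
        print("wrote", name)
```

Run it as `python3 triage.py memory_dump.raw ./out 4 1234` to collect the system-wide plugins plus dlllist, handles, cmdline and userhandles for PIDs 4 and 1234. The plan is built as a list before anything runs, so you can print it and review the exact vol.py command lines, and the runner is injectable so the flow can be tested on a machine without Volatility installed.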