Difference between revisions of "List of Volatility Plugins"
From Forensics Wiki
m (Added links to batch script helper tools for the Volatility Framework)
(→Malware Detection)
Revision as of 11:02, 13 December 2009
The Volatility Framework was designed to be extended by plugins. Below is a list of the published plugins for the framework. Note that none of these plugins are hosted on the wiki; all of them live on external sites.
Command Shell
Malware Detection
- IDT (By Michael Hale Ligh) - Prints the Interrupt Descriptor Table (IDT) addresses for one processor
- DriverIRP (By Michael Hale Ligh) - Prints driver IRP function addresses
- kernel_hooks (By Michael Hale Ligh) - Detects IAT, EAT, and in-line hooks in kernel drivers instead of usermode modules
- malfind2 (By Michael Hale Ligh) - Automates the process of finding and extracting (usually malicious) code injected into another process
- orphan_threads (By Michael Hale Ligh) - Detects hidden system/kernel threads
- usermode_hooks2 (By Michael Hale Ligh) - Detect IAT/EAT/Inline rootkit hooks in usermode processes
- kernel_hooks (By Michael Hale Ligh) - Detect IAT/EAT/Inline hooks in kernel drivers
- Volatility Analyst Pack 0.1 (By Michael Hale Ligh) - A pack which contains updates to many of the listed modules
Data Recovery
- cryptoscan (By Jesse Kornblum) - Finds TrueCrypt passphrases
- moddump (By Moyix) - Dump out a kernel module (aka driver)
- Registry tools (By Moyix) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
- Modified Regripper & Glue Code (By Moyix) - Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux.
- getsids (By Moyix) - Get information about what user (SID) started a process.
- ssdt (By Moyix) - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
- threadqueues (By Moyix) - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
- objtypescan (By Andreas Schuster) - Enumerates Windows kernel object types. (Note: If running the SVN version of Volatility, just install the plugin file from this archive)
- keyboardbuffer (By Andreas Schuster) - Extracts the keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
- mutantscan (By Andreas Schuster) - Extracts mutexes from the Windows kernel. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
- symlinkobjscan (By Andreas Schuster) - Extracts symbolic link objects from the Windows kernel. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
- driverscan (By Andreas Schuster) - Scan for kernel _DRIVER_OBJECTs. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
- fileobjscan (By Andreas Schuster) - File object -> process linkage, including hidden files. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
Process Enumeration
- suspicious (By Jesse Kornblum) - Identify "suspicious" processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.
Output Formatting
- pstree (By Scudette) - Produces a tree-style listing of processes
- vol2html (By Jamie Levy AKA Gleeda) - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.
Other Helper Tools
Though these are not actual plugins, they are helpful tools for obtaining output from the Volatility Framework.