Difference between revisions of "List of Volatility Plugins"

From Forensics Wiki
Jump to: navigation, search
(Malware Detection)
(Data Recovery)
Line 12: Line 12:
 
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] (By [[http://moyix.blogspot.com/2008/10/plugin-post-moddump.html Moyix]) - Dump out a kernel module (aka driver)
 
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] (By [[http://moyix.blogspot.com/2008/10/plugin-post-moddump.html Moyix]) - Dump out a kernel module (aka driver)
 
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
 
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
 +
* [http://www.cc.gatech.edu/%7Ebrendan/volatility/dl/volrip-0.1.tar.gz Modified Regripper & Glue Code] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux.
 
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] (By [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html Moyix]) - Get information about what user (SID) started a process.
 
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] (By [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html Moyix]) - Get information about what user (SID) started a process.
 
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] (By [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html Moyix]) - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
 
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] (By [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html Moyix]) - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
Line 17: Line 18:
 
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_objtypescan-current.zip objtypescan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_file_objects.html Andreas Schuster]) - Lists open files by enumerating the _FILE_OBJECT structure. (Note: If running the SVN version of Volatility, just install the plugin file from this archive)
 
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_objtypescan-current.zip objtypescan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_file_objects.html Andreas Schuster]) - Lists open files by enumerating the _FILE_OBJECT structure. (Note: If running the SVN version of Volatility, just install the plugin file from this archive)
 
* [http://computer.forensikblog.de/files/volatility_plugins/keyboardbuffer.py keyboardbuffer] (By [http://computer.forensikblog.de/en/2009/04/read_password_from_keyboard_buffer.html#more Andreas Schuster]) - Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
 
* [http://computer.forensikblog.de/files/volatility_plugins/keyboardbuffer.py keyboardbuffer] (By [http://computer.forensikblog.de/en/2009/04/read_password_from_keyboard_buffer.html#more Andreas Schuster]) - Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_mutantscan-current.zip mutantscan] (By [http://computer.forensikblog.de/en/2009/04/searching_for_mutants.html#more Andreas Schuster]) - Extracts mutexs from the Windows kernel
+
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_mutantscan-current.zip mutantscan] (By [http://computer.forensikblog.de/en/2009/04/searching_for_mutants.html#more Andreas Schuster]) - Extracts mutexs from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html#more symlinkobjscan] (By [http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html#more Andreas Schuster]) - Extracts symbolic link objects from the Windows kernel
+
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_symlinkobjscan-current.zip symlinkobjscan] (By [http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html#more Andreas Schuster]) - Extracts symbolic link objects from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_driverscan-current.zip driverscan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_drivers.html#more Andreas Schuster]) - Scan for kernel _DRIVER_OBJECTs.
+
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_driverscan-current.zip driverscan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_drivers.html#more Andreas Schuster]) - Scan for kernel _DRIVER_OBJECTs. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_fileobjscan-current.zip fileobjscan] (By [http://computer.forensikblog.de/en/2009/04/linking_file_objects_to_processes.html#more Andreas Schuster]) - File object -> process linkage, including hidden files.
+
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_fileobjscan-current.zip fileobjscan] (By [http://computer.forensikblog.de/en/2009/04/linking_file_objects_to_processes.html#more Andreas Schuster]) - File object -> process linkage, including hidden files. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
  
 
== Process Enumeration ==
 
== Process Enumeration ==

Revision as of 09:37, 6 May 2009

The Volatility Framework was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.

Contents

Command Shell

  • volshell - Creates a python shell can be used with the framework.

Malware Detection

  • malfind (By Michael Hale Ligh) - Automates the process of finding and extracting (usually malicious) code injected into another process

Data Recovery

  • cryptoscan (By Jesse Kornblum) - Finds TrueCrypt passphrases
  • moddump (By [Moyix) - Dump out a kernel module (aka driver)
  • Registry tools (By Moyix) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
  • Modified Regripper & Glue Code (By Moyix) - Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux.
  • getsids (By Moyix) - Get information about what user (SID) started a process.
  • ssdt (By Moyix) - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
  • threadqueues (By Moyix) - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
  • objtypescan (By Andreas Schuster) - Lists open files by enumerating the _FILE_OBJECT structure. (Note: If running the SVN version of Volatility, just install the plugin file from this archive)
  • keyboardbuffer (By Andreas Schuster) - Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
  • mutantscan (By Andreas Schuster) - Extracts mutexs from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
  • symlinkobjscan (By Andreas Schuster) - Extracts symbolic link objects from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
  • driverscan (By Andreas Schuster) - Scan for kernel _DRIVER_OBJECTs. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
  • fileobjscan (By Andreas Schuster) - File object -> process linkage, including hidden files. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)

Process Enumeration

  • suspicious (By Jesse Kornblum) - Identify "suspicious" processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.

Output Formatting

  • pstree - Produces a tree-style listing of processes
  • vol2html - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.