Difference between revisions of "List of Volatility Plugins"
From Forensics Wiki
m (corrected information about objtypescan) |
(→Process Enumeration) |
||
| (2 intermediate revisions by 2 users not shown) | |||
| Line 5: | Line 5: | ||
== Malware Detection == | == Malware Detection == | ||
| − | * [http:// | + | * [http://mhl-malware-scripts.googlecode.com/files/malfind.py malfind] (By [http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html Michael Hale Ligh]) - Automates the process of finding and extracting (usually malicious) code injected into another process |
| + | * [http://mhl-malware-scripts.googlecode.com/files/usermode_hooks.py usermode_hooks] (By [http://mnin.blogspot.com/2009/05/volatility-plug-in-for-iateatinline.html Michael Hale Ligh]) - Detect IAT/EAT/Inline rootkit hooks in usermode processes | ||
== Data Recovery == | == Data Recovery == | ||
| − | * [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] (By [ | + | * [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] (By [[Jesse Kornblum]]) - Finds [[TrueCrypt]] passphrases |
| − | * [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] (By | + | * [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] (By [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html Moyix]) - Dump out a kernel module (aka driver) |
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys. | * [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys. | ||
* [http://www.cc.gatech.edu/%7Ebrendan/volatility/dl/volrip-0.1.tar.gz Modified Regripper & Glue Code] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux. | * [http://www.cc.gatech.edu/%7Ebrendan/volatility/dl/volrip-0.1.tar.gz Modified Regripper & Glue Code] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux. | ||
| Line 25: | Line 26: | ||
== Process Enumeration == | == Process Enumeration == | ||
| − | * [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] (By [ | + | * [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] (By [[Jesse Kornblum]]) - Identify "suspicious" processes. This version counts any command line running [[TrueCrypt]] or any command line that starts with a lower case drive letter as suspicious. |
== Output Formatting == | == Output Formatting == | ||
Revision as of 08:51, 27 May 2009
The Volatility Framework was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.
Contents |
Command Shell
Malware Detection
- malfind (By Michael Hale Ligh) - Automates the process of finding and extracting (usually malicious) code injected into another process
- usermode_hooks (By Michael Hale Ligh) - Detect IAT/EAT/Inline rootkit hooks in usermode processes
Data Recovery
- cryptoscan (By Jesse Kornblum) - Finds TrueCrypt passphrases
- moddump (By Moyix) - Dump out a kernel module (aka driver)
- Registry tools (By Moyix) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
- Modified Regripper & Glue Code (By Moyix) - Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux.
- getsids (By Moyix) - Get information about what user (SID) started a process.
- ssdt (By Moyix) - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
- threadqueues (By Moyix) - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
- objtypescan (By Andreas Schuster) - Enumerates Windows kernel object types. (Note: If running the SVN version of Volatility, just install the plugin file from this archive)
- keyboardbuffer (By Andreas Schuster) - Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
- mutantscan (By Andreas Schuster) - Extracts mutexes from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
- symlinkobjscan (By Andreas Schuster) - Extracts symbolic link objects from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
- driverscan (By Andreas Schuster) - Scan for kernel _DRIVER_OBJECTs. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
- fileobjscan (By Andreas Schuster) - File object -> process linkage, including hidden files. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
Process Enumeration
- suspicious (By Jesse Kornblum) - Identify "suspicious" processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.
Output Formatting
- pstree (By Scudette) - Produces a tree-style listing of processes
- vol2html (By Jamie Levy AKA Gleeda) - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.
