2022-05-01 13:25:53 +00:00
# Volatility - CheatSheet
2022-04-28 16:01:33 +00:00
< details >
< summary > < strong > Support HackTricks and get benefits!< / strong > < / summary >
2022-10-05 00:11:28 +00:00
- Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
- Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
- Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
- **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo** ](https://github.com/carlospolop/hacktricks )**.**
2022-04-28 16:01:33 +00:00
< / details >
2021-11-30 16:46:07 +00:00
If you want something **fast and crazy** that will launch several Volatility plugins on parallel you can use: [https://github.com/carlospolop/autoVolatility ](https://github.com/carlospolop/autoVolatility )
2020-07-15 15:43:14 +00:00
2020-12-20 19:28:05 +00:00
```bash
2022-09-08 10:19:17 +00:00
python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py # It will use the most important plugins (could use a lot of space depending on the size of the memory)
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
## Installation
2020-12-19 00:07:03 +00:00
2022-05-01 13:25:53 +00:00
### volatility3
2020-12-19 00:07:03 +00:00
2020-12-19 15:05:05 +00:00
```bash
2020-12-19 00:07:03 +00:00
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python3 setup.py install
python3 vol.py —h
```
2022-05-01 13:25:53 +00:00
### volatility2
2020-12-19 00:07:03 +00:00
{% tabs %}
{% tab title="Method1" %}
2021-10-18 11:21:18 +00:00
```
2020-12-19 00:07:03 +00:00
Download the executable from https://www.volatilityfoundation.org/26
```
{% endtab %}
{% tab title="Method 2" %}
2020-12-19 15:05:05 +00:00
```bash
2020-12-19 00:07:03 +00:00
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python setup.py install
```
{% endtab %}
{% endtabs %}
2022-05-01 13:25:53 +00:00
## Volatility Commands
2021-05-28 17:17:38 +00:00
Access the official doc in [Volatility command reference ](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#kdbgscan )
2022-05-01 13:25:53 +00:00
### A note on “list” vs. “scan” plugins
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Volatility has two main approaches to plugins, which are sometimes reflected in their names. “list” plugins will try to navigate through Windows Kernel structures to retrieve information like processes (locate and walk the linked list of `_EPROCESS` structures in memory), OS handles (locating and listing the handle table, dereferencing any pointers found, etc). They more or less behave like the Windows API would if requested to, for example, list processes.
2020-07-15 15:43:14 +00:00
That makes “list” plugins pretty fast, but just as vulnerable as the Windows API to manipulation by malware. For instance, if malware uses DKOM to unlink a process from the `_EPROCESS` linked list, it won’ t show up in the Task Manager and neither will it in the pslist.
2022-09-08 10:19:17 +00:00
“scan” plugins, on the other hand, will take an approach similar to carving the memory for things that might make sense when dereferenced as specific structures. `psscan` for instance will read the memory and try to make`_EPROCESS` objects out of it (it uses pool-tag scanning, which is searching for 4-byte strings that indicate the presence of a structure of interest). The advantage is that it can dig up processes that have exited, and even if malware tampers with the `_EPROCESS` linked list, the plugin will still find the structure lying around in memory (since it still needs to exist for the process to run). The downfall is that “scan” plugins are a bit slower than “list” plugins, and can sometimes yield false positives (a process that exited too long ago and had parts of its structure overwritten by other operations).
2020-07-15 15:43:14 +00:00
From: [http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/ ](http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/ )
2022-05-01 13:25:53 +00:00
## OS Profiles
2020-12-19 00:07:03 +00:00
2022-05-01 13:25:53 +00:00
### Volatility3
2020-12-19 00:07:03 +00:00
2021-10-18 11:21:18 +00:00
As explained inside the readme you need to put the **symbol table of the OS** you want to support inside _volatility3/volatility/symbols_ .\
2021-11-30 16:46:07 +00:00
Symbol table packs for the various operating systems are available for **download** at:
2020-12-19 00:07:03 +00:00
* [https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip ](https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip )
* [https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip ](https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip )
* [https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip ](https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip )
2022-05-01 13:25:53 +00:00
### Volatility2
2020-12-19 00:07:03 +00:00
2022-05-01 13:25:53 +00:00
#### External Profile
2020-12-19 00:07:03 +00:00
You can get the list of supported profiles doing:
```bash
./volatility_2.6_lin64_standalone --info | grep "Profile"
```
2021-10-18 11:21:18 +00:00
If you want to use a **new profile you have downloaded** (for example a linux one) you need to create somewhere the following folder structure: _plugins/overlays/linux_ and put inside this folder the zip file containing the profile. Then, get the number of the profiles using:
2020-12-19 00:07:03 +00:00
2020-12-20 19:28:05 +00:00
```bash
2020-12-19 00:07:03 +00:00
./vol --plugins=/home/kali/Desktop/ctfs/final/plugins --info
Volatility Foundation Volatility Framework 2.6
Profiles
--------
LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 - A Profile for Linux CentOS7_3.10.0-123.el7.x86_64_profile x64
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
```
2021-07-04 19:43:29 +00:00
You can **download Linux and Mac profiles** from [https://github.com/volatilityfoundation/profiles ](https://github.com/volatilityfoundation/profiles )
2022-09-08 10:19:17 +00:00
In the previous chunk you can see that the profile is called `LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64` , and you can use it to execute something like:
2020-12-19 00:07:03 +00:00
2020-12-20 19:28:05 +00:00
```bash
2021-07-04 19:43:29 +00:00
./vol -f file.dmp --plugins=. --profile=LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 linux_netscan
2020-12-19 00:07:03 +00:00
```
2022-05-01 13:25:53 +00:00
#### Discover Profile
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
volatility imageinfo -f file.dmp
volatility kdbgscan -f file.dmp
```
2022-05-01 13:25:53 +00:00
#### **Differences between imageinfo and kdbgscan**
2020-07-15 15:43:14 +00:00
2022-09-08 10:19:17 +00:00
As opposed to imageinfo which simply provides profile suggestions, **kdbgscan** is designed to positively identify the correct profile and the correct KDBG address (if there happen to be multiple). This plugin scans for the KDBGHeader signatures linked to Volatility profiles and applies sanity checks to reduce false positives. The verbosity of the output and the number of sanity checks that can be performed depends on whether Volatility can find a DTB, so if you already know the correct profile (or if you have a profile suggestion from imageinfo), then make sure you use it (from [here ](https://www.andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/ )).
2020-07-15 15:43:14 +00:00
2022-09-08 10:19:17 +00:00
Always take a look at the **number of processes that kdbgscan has found** . Sometimes imageinfo and kdbgscan can find **more than one** suitable **profile** but only the **valid one will have some process related** (This is because to extract processes the correct KDBG address is needed)
2020-07-15 15:43:14 +00:00
2020-12-20 19:28:05 +00:00
```bash
2020-07-15 15:43:14 +00:00
# GOOD
PsActiveProcessHead : 0xfffff800011977f0 (37 processes)
PsLoadedModuleList : 0xfffff8000119aae0 (116 modules)
```
2020-12-20 19:28:05 +00:00
```bash
2020-07-15 15:43:14 +00:00
# BAD
PsActiveProcessHead : 0xfffff800011947f0 (0 processes)
PsLoadedModuleList : 0xfffff80001197ac0 (0 modules)
```
2022-05-01 13:25:53 +00:00
#### KDBG
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
The **kernel debugger block** (named KdDebuggerDataBlock of the type \_KDDEBUGGER\_DATA64, or **KDBG** by volatility) is important for many things that Volatility and debuggers do. For example, it has a reference to the PsActiveProcessHead which is the list head of all processes required for process listing.
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
## OS Information
2020-12-20 00:13:08 +00:00
```bash
#vol3 has a plugin to give OS information (note that imageinfo from vol2 will give you OS info)
./vol.py -f file.dmp windows.info.Info
```
2021-11-30 16:46:07 +00:00
The plugin `banners.Banners` can be used in **vol3 to try to find linux banners** in the dump.
2020-12-20 00:13:08 +00:00
2022-05-01 13:25:53 +00:00
## Hashes/Passwords
2020-07-15 15:43:14 +00:00
2022-10-04 23:49:59 +00:00
Extract SAM hashes, [domain cached credentials ](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials ) and [lsa secrets ](../../../windows-hardening/authentication-credentials-uac-and-efs.md#lsa-secrets ).
2020-07-15 15:43:14 +00:00
2020-12-19 15:05:05 +00:00
{% tabs %}
{% tab title="vol3" %}
2020-12-19 00:21:32 +00:00
```bash
2020-12-20 00:13:08 +00:00
./vol.py -f file.dmp windows.hashdump.Hashdump #Grab common windows hashes (SAM+SYSTEM)
./vol.py -f file.dmp windows.cachedump.Cachedump #Grab domain cache hashes inside the registry
./vol.py -f file.dmp windows.lsadump.Lsadump #Grab lsa secrets
2020-07-15 15:43:14 +00:00
```
2020-12-19 15:05:05 +00:00
{% endtab %}
{% tab title="vol2" %}
```bash
2020-12-20 19:28:05 +00:00
volatility --profile=Win7SP1x86_23418 hashdump -f file.dmp #Grab common windows hashes (SAM+SYSTEM)
volatility --profile=Win7SP1x86_23418 cachedump -f file.dmp #Grab domain cache hashes inside the registry
volatility --profile=Win7SP1x86_23418 lsadump -f file.dmp #Grab lsa secrets
2020-12-19 15:05:05 +00:00
```
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
## Memory Dump
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
The memory dump of a process will **extract everything** of the current status of the process. The **procdump** module will only **extract** the **code** .
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-12-20 19:28:05 +00:00
volatility -f file.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
## Processes
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### List processes
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Try to find **suspicious** processes (by name) or **unexpected** child **processes** (for example a cmd.exe as a child of iexplorer.exe).\
2021-11-30 16:46:07 +00:00
It could be interesting to **compare** the result of pslist with the one of psscan to identify hidden processes.
2020-07-15 15:43:14 +00:00
2020-12-19 15:05:05 +00:00
{% tabs %}
{% tab title="vol3" %}
2020-12-19 00:21:32 +00:00
```bash
2020-12-19 15:05:05 +00:00
python3 vol.py -f file.dmp windows.pstree.PsTree # Get processes tree (not hidden)
python3 vol.py -f file.dmp windows.pslist.PsList # Get process list (EPROCESS)
python3 vol.py -f file.dmp windows.psscan.PsScan # Get hidden process list(malware)
2020-07-15 15:43:14 +00:00
```
2020-12-19 15:05:05 +00:00
{% endtab %}
{% tab title="vol2" %}
```bash
volatility --profile=PROFILE pstree -f file.dmp # Get process tree (not hidden)
volatility --profile=PROFILE pslist -f file.dmp # Get process list (EPROCESS)
volatility --profile=PROFILE psscan -f file.dmp # Get hidden process list(malware)
volatility --profile=PROFILE psxview -f file.dmp # Get hidden process list
```
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Dump proc
2020-07-15 15:43:14 +00:00
2020-12-19 15:05:05 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
./vol.py -f file.dmp windows.dumpfiles.DumpFiles --pid < pid > #Dump the .exe and dlls of the process in the current directory
```
{% endtab %}
{% tab title="vol2" %}
```bash
2020-12-20 19:28:05 +00:00
volatility --profile=Win7SP1x86_23418 procdump --pid=3152 -n --dump-dir=. -f file.dmp
2020-07-15 15:43:14 +00:00
```
2020-12-19 15:05:05 +00:00
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Command line
2020-07-15 15:43:14 +00:00
2020-12-19 16:43:21 +00:00
Anything suspicious was executed?
2020-07-15 15:43:14 +00:00
2020-12-19 15:05:05 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
python3 vol.py -f file.dmp windows.cmdline.CmdLine #Display process command-line arguments
```
{% endtab %}
{% tab title="vol2" %}
2020-12-17 15:52:08 +00:00
```bash
2020-12-20 19:28:05 +00:00
volatility --profile=PROFILE cmdline -f file.dmp #Display process command-line arguments
volatility --profile=PROFILE consoles -f file.dmp #command history by scanning for _CONSOLE_INFORMATION
2020-07-15 15:43:14 +00:00
```
2020-12-19 15:05:05 +00:00
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-09-08 10:19:17 +00:00
Commands entered into cmd.exe are processed by **conhost.exe** (csrss.exe prior to Windows 7). So even if an attacker managed to **kill the cmd.exe** **prior** to us obtaining a memory **dump** , there is still a good chance of **recovering history** of the command line session from **conhost.exe’ s memory** . If you find **something weird** (using the console's modules), try to **dump** the **memory** of the **conhost.exe associated** process and **search** for **strings** inside it to extract the command lines.
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Environment
2020-07-15 15:43:14 +00:00
2020-12-19 15:05:05 +00:00
Get the env variables of each running process. There could be some interesting values.
{% tabs %}
{% tab title="vol3" %}
```bash
python3 vol.py -f file.dmp windows.envars.Envars [--pid < pid > ] #Display process environment variables
2020-07-15 15:43:14 +00:00
```
2020-12-19 15:05:05 +00:00
{% endtab %}
{% tab title="vol2" %}
```bash
volatility --profile=PROFILE envars -f file.dmp [--pid < pid > ] #Display process environment variables
2020-12-29 15:09:12 +00:00
volatility --profile=PROFILE -f file.dmp linux_psenv [-p < pid > ] #Get env of process. runlevel var means the runlevel where the proc is initated
2020-12-19 15:05:05 +00:00
```
{% endtab %}
{% endtabs %}
2022-05-01 13:25:53 +00:00
### Token privileges
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Check for privileges tokens in unexpected services.\
2020-12-19 15:05:05 +00:00
It could be interesting to list the processes using some privileged token.
2020-07-15 15:43:14 +00:00
2020-12-19 15:05:05 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
#Get enabled privileges of some processes
python3 vol.py -f file.dmp windows.privileges.Privs [--pid < pid > ]
#Get all processes with interesting privileges
python3 vol.py -f file.dmp windows.privileges.Privs | grep "SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"
```
{% endtab %}
2020-07-15 15:43:14 +00:00
2020-12-19 15:05:05 +00:00
{% tab title="vol2" %}
2020-12-17 15:52:08 +00:00
```bash
2020-07-15 15:43:14 +00:00
#Get enabled privileges of some processes
volatility --profile=Win7SP1x86_23418 privs --pid=3152 -f file.dmp | grep Enabled
#Get all processes with interesting privileges
2020-12-19 15:05:05 +00:00
volatility --profile=Win7SP1x86_23418 privs -f file.dmp | grep "SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"
2020-07-15 15:43:14 +00:00
```
2020-12-19 15:05:05 +00:00
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### SIDs
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Check each SSID owned by a process.\
It could be interesting to list the processes using a privileges SID (and the processes using some service SID).
2020-07-15 15:43:14 +00:00
2020-12-19 15:05:05 +00:00
{% tabs %}
{% tab title="vol3" %}
2020-12-17 15:52:08 +00:00
```bash
2020-12-20 00:13:08 +00:00
./vol.py -f file.dmp windows.getsids.GetSIDs [--pid < pid > ] #Get SIDs of processes
./vol.py -f file.dmp windows.getservicesids.GetServiceSIDs #Get the SID of services
2020-07-15 15:43:14 +00:00
```
2020-12-19 15:05:05 +00:00
{% endtab %}
{% tab title="vol2" %}
```bash
volatility --profile=Win7SP1x86_23418 getsids -f file.dmp #Get the SID owned by each process
volatility --profile=Win7SP1x86_23418 getservicesids -f file.dmp #Get the SID of each service
```
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Handles
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Useful to know to which other files, keys, threads, processes... a **process has a handle** for (has opened)
2020-07-15 15:43:14 +00:00
2020-12-19 15:05:05 +00:00
{% tabs %}
2020-12-20 19:28:05 +00:00
{% tab title="vol3" %}
2020-12-19 15:05:05 +00:00
```bash
vol.py -f file.dmp windows.handles.Handles [--pid < pid > ]
2020-07-15 15:43:14 +00:00
```
2020-12-19 15:05:05 +00:00
{% endtab %}
{% tab title="vol2" %}
```bash
volatility --profile=Win7SP1x86_23418 -f file.dmp handles [--pid=< pid > ]
```
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### DLLs
2020-07-15 15:43:14 +00:00
2020-12-19 15:05:05 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
./vol.py -f file.dmp windows.dlllist.DllList [--pid < pid > ] #List dlls used by each
./vol.py -f file.dmp windows.dumpfiles.DumpFiles --pid < pid > #Dump the .exe and dlls of the process in the current directory process
```
{% endtab %}
{% tab title="vol2" %}
```bash
volatility --profile=Win7SP1x86_23418 dlllist --pid=3152 -f file.dmp #Get dlls of a proc
volatility --profile=Win7SP1x86_23418 dlldump --pid=3152 --dump-dir=. -f file.dmp #Dump dlls of a proc
```
{% endtab %}
{% endtabs %}
2022-05-01 13:25:53 +00:00
### Strings per processes
2020-12-19 15:05:05 +00:00
2022-09-08 10:19:17 +00:00
Volatility allows us to check which process a string belongs to.
2020-12-19 15:05:05 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
2021-01-06 12:24:50 +00:00
strings file.dmp > /tmp/strings.txt
2021-10-31 12:07:56 +00:00
./vol.py -f /tmp/file.dmp windows.strings.Strings --strings-file /tmp/strings.txt
2020-12-19 15:05:05 +00:00
```
{% endtab %}
{% tab title="vol2" %}
2020-12-17 15:52:08 +00:00
```bash
2021-01-06 12:24:50 +00:00
strings file.dmp > /tmp/strings.txt
volatility -f /tmp/file.dmp windows.strings.Strings --string-file /tmp/strings.txt
volatility -f /tmp/file.dmp --profile=Win81U1x64 memdump -p 3532 --dump-dir .
strings 3532.dmp > strings_file
2020-07-15 15:43:14 +00:00
```
2020-12-19 15:05:05 +00:00
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2020-12-19 16:43:21 +00:00
It also allows to search for strings inside a process using the yarascan module:
{% tabs %}
{% tab title="vol3" %}
```bash
2020-12-20 19:28:05 +00:00
./vol.py -f file.dmp windows.vadyarascan.VadYaraScan --yara-rules "https://" --pid 3692 3840 3976 3312 3084 2784
./vol.py -f file.dmp yarascan.YaraScan --yara-rules "https://"
2020-12-19 16:43:21 +00:00
```
{% endtab %}
{% tab title="vol2" %}
```bash
volatility --profile=Win7SP1x86_23418 yarascan -Y "https://" -p 3692,3840,3976,3312,3084,2784
```
{% endtab %}
{% endtabs %}
2022-05-01 13:25:53 +00:00
### UserAssist
2020-12-20 00:13:08 +00:00
2022-09-08 10:19:17 +00:00
**Windows** systems maintain a set of **keys** in the registry database (**UserAssist keys**) to keep track of programs that are executed. The number of executions and last execution date and time is available in these **keys** .
2020-12-20 00:13:08 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
2020-12-20 19:28:05 +00:00
./vol.py -f file.dmp windows.registry.userassist.UserAssist
2020-12-20 00:13:08 +00:00
```
{% endtab %}
{% tab title="vol2" %}
```
volatility --profile=Win7SP1x86_23418 -f file.dmp userassist
```
{% endtab %}
{% endtabs %}
2022-05-01 13:25:53 +00:00
## Services
2020-07-15 15:43:14 +00:00
2020-12-20 00:13:08 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
2020-12-20 19:28:05 +00:00
./vol.py -f file.dmp windows.svcscan.SvcScan #List services
2020-12-20 00:13:08 +00:00
./vol.py -f file.dmp windows.getservicesids.GetServiceSIDs #Get the SID of services
```
{% endtab %}
{% tab title="vol2" %}
2020-12-17 15:52:08 +00:00
```bash
2020-07-15 15:43:14 +00:00
#Get services and binary path
2020-12-20 00:13:08 +00:00
volatility --profile=Win7SP1x86_23418 svcscan -f file.dmp
2020-07-15 15:43:14 +00:00
#Get name of the services and SID (slow)
2020-12-20 00:13:08 +00:00
volatility --profile=Win7SP1x86_23418 getservicesids -f file.dmp
2020-07-15 15:43:14 +00:00
```
2020-12-20 00:13:08 +00:00
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
## Network
2020-07-15 15:43:14 +00:00
2020-12-19 15:05:05 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
2020-12-20 19:28:05 +00:00
./vol.py -f file.dmp windows.netscan.NetScan
2020-12-29 11:08:03 +00:00
#For network info of linux use volatility2
2020-12-19 15:05:05 +00:00
```
{% endtab %}
{% tab title="vol2" %}
2020-12-17 15:52:08 +00:00
```bash
2020-12-20 19:28:05 +00:00
volatility --profile=Win7SP1x86_23418 netscan -f file.dmp
volatility --profile=Win7SP1x86_23418 connections -f file.dmp#XP and 2003 only
volatility --profile=Win7SP1x86_23418 connscan -f file.dmp#TCP connections
volatility --profile=Win7SP1x86_23418 sockscan -f file.dmp#Open sockets
volatility --profile=Win7SP1x86_23418 sockets -f file.dmp#Scanner for tcp socket objects
2020-12-29 11:08:03 +00:00
volatility --profile=SomeLinux -f file.dmp linux_ifconfig
volatility --profile=SomeLinux -f file.dmp linux_netstat
volatility --profile=SomeLinux -f file.dmp linux_netfilter
volatility --profile=SomeLinux -f file.dmp linux_arp #ARP table
2021-01-05 15:27:58 +00:00
volatility --profile=SomeLinux -f file.dmp linux_list_raw #Processes using promiscuous raw sockets (comm between processes)
2020-12-29 11:08:03 +00:00
volatility --profile=SomeLinux -f file.dmp linux_route_cache
2020-07-15 15:43:14 +00:00
```
2020-12-19 15:05:05 +00:00
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
## Registry hive
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Print available hives
2020-07-15 15:43:14 +00:00
2020-12-19 15:05:05 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
./vol.py -f file.dmp windows.registry.hivelist.HiveList #List roots
./vol.py -f file.dmp windows.registry.printkey.PrintKey #List roots and get initial subkeys
2020-07-15 15:43:14 +00:00
```
2020-12-19 15:05:05 +00:00
{% endtab %}
{% tab title="vol2" %}
```bash
volatility --profile=Win7SP1x86_23418 -f file.dmp hivelist #List roots
volatility --profile=Win7SP1x86_23418 -f file.dmp printkey #List roots and get initial subkeys
```
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Get a value
2020-07-15 15:43:14 +00:00
2020-12-19 15:05:05 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
./vol.py -f file.dmp windows.registry.printkey.PrintKey --key "Software\Microsoft\Windows NT\CurrentVersion"
```
{% endtab %}
{% tab title="vol2" %}
2020-12-17 15:52:08 +00:00
```bash
2020-12-20 19:28:05 +00:00
volatility --profile=Win7SP1x86_23418 printkey -K "Software\Microsoft\Windows NT\CurrentVersion" -f file.dmp
2020-07-15 15:43:14 +00:00
# Get Run binaries registry value
2020-12-20 19:28:05 +00:00
volatility -f file.dmp --profile=Win7SP1x86 printkey -o 0x9670e9d0 -K 'Software\Microsoft\Windows\CurrentVersion\Run'
2020-07-15 15:43:14 +00:00
```
2020-12-19 15:05:05 +00:00
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Dump
2020-07-15 15:43:14 +00:00
2020-12-17 15:52:08 +00:00
```bash
2020-07-15 15:43:14 +00:00
#Dump a hive
2020-12-20 19:28:05 +00:00
volatility --profile=Win7SP1x86_23418 hivedump -o 0x9aad6148 -f file.dmp #Offset extracted by hivelist
2020-07-15 15:43:14 +00:00
#Dump all hives
2020-12-20 19:28:05 +00:00
volatility --profile=Win7SP1x86_23418 hivedump -f file.dmp
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
## Filesystem
2020-12-29 15:09:12 +00:00
2022-05-01 13:25:53 +00:00
### Mount
2020-12-29 15:09:12 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
#See vol2
```
{% endtab %}
{% tab title="vol2" %}
```bash
volatility --profile=SomeLinux -f file.dmp linux_mount
volatility --profile=SomeLinux -f file.dmp linux_recover_filesystem #Dump the entire filesystem (if possible)
```
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Scan/dump
2020-07-15 15:43:14 +00:00
2020-12-19 16:43:21 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
./vol.py -f file.dmp windows.filescan.FileScan #Scan for files inside the dump
2020-12-20 19:28:05 +00:00
./vol.py -f file.dmp windows.dumpfiles.DumpFiles --physaddr < 0xAAAAA > #Offset from previous command
2020-12-19 16:43:21 +00:00
```
{% endtab %}
{% tab title="vol2" %}
2020-12-17 15:52:08 +00:00
```bash
2020-12-29 15:09:12 +00:00
volatility --profile=Win7SP1x86_23418 filescan -f file.dmp #Scan for files inside the dump
volatility --profile=Win7SP1x86_23418 dumpfiles -n --dump-dir=/tmp -f file.dmp #Dump all files
volatility --profile=Win7SP1x86_23418 dumpfiles -n --dump-dir=/tmp -Q 0x000000007dcaa620 -f file.dmp
volatility --profile=SomeLinux -f file.dmp linux_enumerate_files
volatility --profile=SomeLinux -f file.dmp linux_find_file -F /path/to/file
volatility --profile=SomeLinux -f file.dmp linux_find_file -i 0xINODENUMBER -O /path/to/dump/file
2020-07-15 15:43:14 +00:00
```
2020-12-19 16:43:21 +00:00
{% endtab %}
{% endtabs %}
2022-05-01 13:25:53 +00:00
### Master File Table
2020-12-19 16:43:21 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
2020-12-20 00:13:08 +00:00
# I couldn't find any plugin to extract this information in volatility3
2020-12-19 16:43:21 +00:00
```
{% endtab %}
{% tab title="vol2" %}
```bash
volatility --profile=Win7SP1x86_23418 mftparser -f file.dmp
```
{% endtab %}
{% endtabs %}
2021-11-30 16:46:07 +00:00
The NTFS file system contains a file called the _master file table_ , or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself. **All information about a file, including its size, time and date stamps, permissions, and data content** , is stored either in MFT entries, or in space outside the MFT that is described by MFT entries. From [here ](https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table ).
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### SSL Keys/Certs
2020-07-15 15:43:14 +00:00
2020-12-20 00:13:08 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
#vol3 allows to search for certificates inside the registry
./vol.py -f file.dmp windows.registry.certificates.Certificates
```
{% endtab %}
2020-07-15 15:43:14 +00:00
2020-12-20 00:13:08 +00:00
{% tab title="vol2" %}
```bash
#vol2 allos you to search and dump certificates from memory
#Interesting options for this modules are: --pid, --name, --ssl
volatility --profile=Win7SP1x86_23418 dumpcerts --dump-dir=. -f file.dmp
2020-07-15 15:43:14 +00:00
```
2020-12-20 00:13:08 +00:00
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
## Malware
2020-07-15 15:43:14 +00:00
2020-12-20 00:13:08 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
2020-12-21 20:50:30 +00:00
./vol.py -f file.dmp windows.malfind.Malfind [--dump] #Find hidden and injected code, [dump each suspicious section]
2020-12-22 00:56:21 +00:00
#Malfind will search for suspicious structures related to malware
2020-12-20 00:13:08 +00:00
./vol.py -f file.dmp windows.driverirp.DriverIrp #Driver IRP hook detection
./vol.py -f file.dmp windows.ssdt.SSDT #Check system call address from unexpected addresses
2020-12-29 10:53:33 +00:00
./vol.py -f file.dmp linux.check_afinfo.Check_afinfo #Verifies the operation function pointers of network protocols
./vol.py -f file.dmp linux.check_creds.Check_creds #Checks if any processes are sharing credential structures
./vol.py -f file.dmp linux.check_idt.Check_idt #Checks if the IDT has been altered
./vol.py -f file.dmp linux.check_syscall.Check_syscall #Check system call table for hooks
2020-12-29 10:59:32 +00:00
./vol.py -f file.dmp linux.check_modules.Check_modules #Compares module list to sysfs info, if available
2020-12-29 11:08:03 +00:00
./vol.py -f file.dmp linux.tty_check.tty_check #Checks tty devices for hooks
2020-07-15 15:43:14 +00:00
```
2020-12-20 00:13:08 +00:00
{% endtab %}
{% tab title="vol2" %}
```bash
2020-12-21 20:50:30 +00:00
volatility --profile=Win7SP1x86_23418 -f file.dmp malfind [-D /tmp] #Find hidden and injected code [dump each suspicious section]
2020-12-20 00:13:08 +00:00
volatility --profile=Win7SP1x86_23418 -f file.dmp apihooks #Detect API hooks in process and kernel memory
volatility --profile=Win7SP1x86_23418 -f file.dmp driverirp #Driver IRP hook detection
volatility --profile=Win7SP1x86_23418 -f file.dmp ssdt #Check system call address from unexpected addresses
2020-12-29 10:54:31 +00:00
2020-12-29 11:08:03 +00:00
volatility --profile=SomeLinux -f file.dmp linux_check_afinfo
volatility --profile=SomeLinux -f file.dmp linux_check_creds
volatility --profile=SomeLinux -f file.dmp linux_check_fop
volatility --profile=SomeLinux -f file.dmp linux_check_idt
volatility --profile=SomeLinux -f file.dmp linux_check_syscall
volatility --profile=SomeLinux -f file.dmp linux_check_modules
volatility --profile=SomeLinux -f file.dmp linux_check_tty
2020-12-30 00:43:01 +00:00
volatility --profile=SomeLinux -f file.dmp linux_keyboard_notifiers #Keyloggers
2020-12-20 00:13:08 +00:00
```
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### Scanning with yara
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9 ](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9 )\
2021-11-30 16:46:07 +00:00
Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
2020-07-15 15:43:14 +00:00
2020-12-20 00:13:08 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
#Only Windows
2020-12-21 21:09:09 +00:00
./vol.py -f file.dmp windows.vadyarascan.VadYaraScan --yara-file /tmp/malware_rules.yar
2020-12-20 00:13:08 +00:00
#All
2020-12-21 21:09:09 +00:00
./vol.py -f file.dmp yarascan.YaraScan --yara-file /tmp/malware_rules.yar
2020-12-20 00:13:08 +00:00
```
{% endtab %}
{% tab title="vol2" %}
```bash
2020-07-15 15:43:14 +00:00
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
volatility --profile=Win7SP1x86_23418 yarascan -y malware_rules.yar -f ch2.dmp | grep "Rule:" | grep -v "Str_Win32" | sort | uniq
```
2020-12-20 00:13:08 +00:00
{% endtab %}
{% endtabs %}
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
## MISC
2020-07-15 15:43:14 +00:00
2022-05-01 13:25:53 +00:00
### External plugins
2020-07-15 15:43:14 +00:00
2022-09-08 10:19:17 +00:00
If you want to use external plugins make sure that the folders related to the plugins are the first parameter used.
2020-12-20 00:13:08 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
./vol.py --plugin-dirs "/tmp/plugins/" [...]
```
{% endtab %}
{% tab title="vol2" %}
```bash
volatilitye --plugins="/tmp/plugins/" [...]
```
{% endtab %}
{% endtabs %}
2022-05-01 13:25:53 +00:00
#### Autoruns
2020-07-15 15:43:14 +00:00
Download it from [https://github.com/tomchop/volatility-autoruns ](https://github.com/tomchop/volatility-autoruns )
2021-10-18 11:21:18 +00:00
```
2020-12-20 00:13:08 +00:00
volatility --plugins=volatility-autoruns/ --profile=WinXPSP2x86 -f file.dmp autoruns
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### Mutexes
2020-07-15 15:43:14 +00:00
2020-12-20 00:13:08 +00:00
{% tabs %}
{% tab title="vol3" %}
2021-10-18 11:21:18 +00:00
```
2020-12-20 00:13:08 +00:00
./vol.py -f file.dmp windows.mutantscan.MutantScan
```
{% endtab %}
2020-12-19 16:43:21 +00:00
2020-12-20 00:13:08 +00:00
{% tab title="vol2" %}
```bash
volatility --profile=Win7SP1x86_23418 mutantscan -f file.dmp
2021-01-06 12:24:50 +00:00
volatility --profile=Win7SP1x86_23418 -f file.dmp handles -p < PID > -t mutant
2020-12-20 00:13:08 +00:00
```
{% endtab %}
{% endtabs %}
2022-05-01 13:25:53 +00:00
### Symlinks
2020-12-19 16:43:21 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
2020-12-20 00:13:08 +00:00
./vol.py -f file.dmp windows.symlinkscan.SymlinkScan
2020-12-19 16:43:21 +00:00
```
{% endtab %}
{% tab title="vol2" %}
```bash
2020-12-20 00:13:08 +00:00
volatility --profile=Win7SP1x86_23418 -f file.dmp symlinkscan
2020-12-19 16:43:21 +00:00
```
{% endtab %}
{% endtabs %}
2022-05-01 13:25:53 +00:00
### Bash
2020-12-29 10:42:57 +00:00
2021-10-31 12:07:56 +00:00
It's possible to **read from memory the bash history.** You could also dump the _.bash\_history_ file, but it was disabled you will be glad you can use this volatility module
2020-12-29 10:42:57 +00:00
{% tabs %}
{% tab title="vol3" %}
2021-10-18 11:21:18 +00:00
```
2020-12-29 10:42:57 +00:00
./vol.py -f file.dmp linux.bash.Bash
```
{% endtab %}
{% tab title="vol2" %}
```
volatility --profile=Win7SP1x86_23418 -f file.dmp linux_bash
```
{% endtab %}
{% endtabs %}
2022-05-01 13:25:53 +00:00
### TimeLine
2020-07-15 15:43:14 +00:00
2020-12-20 00:13:08 +00:00
{% tabs %}
{% tab title="vol3" %}
```bash
./vol.py -f file.dmp timeLiner.TimeLiner
```
{% endtab %}
{% tab title="vol2" %}
```
volatility --profile=Win7SP1x86_23418 -f timeliner
```
{% endtab %}
{% endtabs %}
2022-05-01 13:25:53 +00:00
### Drivers
2020-12-20 00:13:08 +00:00
{% tabs %}
{% tab title="vol3" %}
2021-10-18 11:21:18 +00:00
```
2020-12-20 00:13:08 +00:00
./vol.py -f file.dmp windows.driverscan.DriverScan
```
{% endtab %}
{% tab title="vol2" %}
```bash
volatility --profile=Win7SP1x86_23418 -f file.dmp driverscan
```
{% endtab %}
{% endtabs %}
2022-05-01 13:25:53 +00:00
### Get clipboard
2020-12-20 00:13:08 +00:00
```bash
#Just vol2
volatility --profile=Win7SP1x86_23418 clipboard -f file.dmp
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### Get IE history
2020-07-15 15:43:14 +00:00
2020-12-20 00:13:08 +00:00
```bash
#Just vol2
2020-12-20 19:28:05 +00:00
volatility --profile=Win7SP1x86_23418 iehistory -f file.dmp
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### Get notepad text
2020-07-15 15:43:14 +00:00
2020-12-20 00:13:08 +00:00
```bash
#Just vol2
2020-12-20 19:28:05 +00:00
volatility --profile=Win7SP1x86_23418 notepad -f file.dmp
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### Screenshot
2020-07-15 15:43:14 +00:00
2020-12-20 00:13:08 +00:00
```bash
#Just vol2
2020-12-20 19:28:05 +00:00
volatility --profile=Win7SP1x86_23418 screenshot -f file.dmp
2020-07-15 15:43:14 +00:00
```
2022-05-01 13:25:53 +00:00
### Master Boot Record (MBR)
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-12-20 19:28:05 +00:00
volatility --profile=Win7SP1x86_23418 mbrparser -f file.dmp
2020-07-15 15:43:14 +00:00
```
2021-10-31 12:07:56 +00:00
The MBR holds the information on how the logical partitions, containing [file systems ](https://en.wikipedia.org/wiki/File\_system ), are organized on that medium. The MBR also contains executable code to function as a loader for the installed operating system—usually by passing control over to the loader's [second stage ](https://en.wikipedia.org/wiki/Second-stage\_boot\_loader ), or in conjunction with each partition's [volume boot record ](https://en.wikipedia.org/wiki/Volume\_boot\_record ) (VBR). This MBR code is usually referred to as a [boot loader ](https://en.wikipedia.org/wiki/Boot\_loader ). From [here ](https://en.wikipedia.org/wiki/Master\_boot\_record ).
2020-07-15 15:43:14 +00:00
2022-04-28 16:01:33 +00:00
< details >
< summary > < strong > Support HackTricks and get benefits!< / strong > < / summary >
2022-10-05 00:11:28 +00:00
- Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
- Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
- Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
- **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo** ](https://github.com/carlospolop/hacktricks )**.**
2022-04-28 16:01:33 +00:00
< / details >