Comments (2)
Hmm all you should need to do is this:
$ svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only
$ cd volatility-read-only
$ python vol.py -h
Volatile Systems Volatility Framework 2.1_alpha
Usage: Volatility - A memory forensics analysis platform.
Options:
-h, --help list all available options and their default values.
Default values may be set in the configuration file
(/etc/volatilityrc)
--conf-file=/Users/mhl/.volatilityrc
User based configuration file
-d, --debug Debug volatility
--plugins=PLUGINS Additional plugin directories to use (colon separated)
--info Print information about all registered objects
--cache-directory=/Users/mhl/.cache/volatility
Directory where cache files are stored
--cache Use caching
--tz=TZ Sets the timezone for displaying timestamps
-f FILENAME, --filename=FILENAME
Filename to use when opening an image
--profile=WinXPSP2x86
Name of the profile to load
-l LOCATION, --location=LOCATION
A URN location from which to load an address space
-w, --write Enable write support
--dtb=DTB DTB Address
--cache-dtb Cache virtual to physical mappings
--use-old-as Use the legacy address spaces
--output=text Output in this format (format support is module
specific)
--output-file=OUTPUT_FILE
write output in this file
-v, --verbose Verbose information
-k KPCR, --kpcr=KPCR Specify a specific KPCR address
-g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address
Supported Plugin Commands:
apihooks
bioskbd Reads the keyboard buffer from Real Mode memory
callbacks Print system-wide notification routines
cmdscan Extract command history by scanning for _COMMAND_HISTORY
connections Print list of open connections [Windows XP Only]
connscan Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo Dump crash-dump information
devicetree Show device tree
dlldump Dump DLLs from a process address space
dlllist Print list of loaded dlls for each process
driverirp Driver IRP hook detection
driverscan Scan for driver objects _DRIVER_OBJECT
envars Display process environment variables
filescan Scan Physical memory for _FILE_OBJECT pool allocations
gdt Display Global Descriptor Table
getsids Print the SIDs owning each process
handles Print list of open handles for each process
hashdump Dumps passwords hashes (LM/NTLM) from memory
hibinfo Dump hibernation file information
hivedump Prints out a hive
hivelist Print list of registry hives.
hivescan Scan Physical memory for _CMHIVE objects (registry hives)
idt Display Interrupt Descriptor Table
imagecopy Copies a physical address space out as a raw DD image
imageinfo Identify information for the image
impscan Scan for calls to imported functions
kdbgscan Search for and dump potential KDBG values
kpcrscan Search for and dump potential KPCR values
ldrmodules Detect unlinked DLLs
lsadump Dump (decrypted) LSA secrets from the registry
malfind Find hidden and injected code
memdump Dump the addressable memory for a process
memmap Print the memory map
moddump Dump a kernel driver to an executable file sample
modscan Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules Print list of loaded modules
mutantscan Scan for mutant objects _KMUTANT
patcher Patches memory based on page scans
printkey Print a registry key, and its subkeys and values
procexedump Dump a process to an executable file sample
procmemdump Dump a process to an executable memory sample
pslist print all running processes by following the EPROCESS lists
psscan Scan Physical memory for _EPROCESS pool allocations
pstree Print process list as a tree
psxview Find hidden processes with various process listings
raw2dmp Converts a physical memory sample to a windbg crash dump
shimcache Parses the Application Compatibility Shim Cache registry key
sockets Print list of open sockets
sockscan Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt Display SSDT entries
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan Scan for Windows services
symlinkscan Scan for symbolic link objects
thrdscan Scan physical memory for _ETHREAD objects
threads Investigate _ETHREAD and _KTHREADs
timers Print kernel timers and associated module DPCs
userassist Print userassist registry keys and information
vaddump Dumps out the vad sections to a file
vadinfo Dump the VAD info
vadtree Walk the VAD tree and display in tree format
vadwalk Walk the VAD tree
volshell Shell in the memory image
yarascan Scan process or kernel memory with Yara signatures
Original comment by [email protected]
on 23 Jun 2012 at 5:01
from malwarecookbook.
I'll assume this works for you now and close the issue. Feel free to re-open if
there's still a problem.
Original comment by [email protected]
on 24 Jun 2012 at 11:01
- Changed state: Invalid