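# Volatility 3 memory-forensics cheat sheet. Every command below only reads the
# image; nothing modifies dump.vmem. Run it on an isolated analysis machine,
# never on the compromised host, and hash the image before touching it so later
# findings can be tied to exactly this piece of evidence.
sha256sum 'dump.vmem'

# Identify the guest OS when the host OS is unknown. Only the matching
# plugin returns sensible output; the other two will error or print nothing useful.
vol -f 'dump.vmem' windows.info
vol -f 'dump.vmem' linux.info
vol -f 'dump.vmem' mac.info

# Process listing. pslist walks the kernel's linked process list; psscan carves
# process structures from raw memory. A process in psscan but absent from
# pslist is either exited or unlinked (DKOM-style hiding) -- diff the two.
# pstree shows parent/child relationships; an odd parent is a common tell.
vol -f 'dump.vmem' windows.pslist
vol -f 'dump.vmem' windows.psscan
vol -f 'dump.vmem' windows.pstree

# Network information. netstat walks live structures; netscan carves and can
# also recover closed connections. Both can be unstable across Windows builds,
# so fall back to bulk_extractor to carve packet data into a pcap:
# https://tools.kali.org/forensics/bulk-extractor
vol -f 'dump.vmem' windows.netstat
vol -f 'dump.vmem' windows.netscan

# Loaded DLLs per process. Add --pid <PID> to restrict to one process.
vol -f 'dump.vmem' windows.dlllist

# Basic malware scan. malfind reports executable regions with no backing file
# (typical of injection) -- expect false positives from JIT engines and
# packers, so corroborate before acting on a hit.
# yarascan needs rules: --yara-file <rules.yar> or --yara-rules '<rule text>';
# without one of them the plugin has nothing to match.
vol -f 'dump.vmem' windows.malfind
vol -f 'dump.vmem' windows.yarascan --yara-file <rules.yar>

# Kernel-level hunting: syscall table hooks, loaded vs. carved drivers
# (a driver in modscan/driverscan but not modules is suspicious),
# kernel callbacks and handle tables.
vol -f 'dump.vmem' windows.ssdt
vol -f 'dump.vmem' windows.modules
vol -f 'dump.vmem' windows.driverscan
vol -f 'dump.vmem' windows.modscan
vol -f 'dump.vmem' windows.callbacks
vol -f 'dump.vmem' windows.handles
# NOTE(review): idt, apihooks and moddump originate from Volatility 2; check
# `vol -h` for the version installed before relying on them. In Volatility 3,
# kernel modules are dumped with `windows.modules --dump` into the -o directory.
vol -f 'dump.vmem' windows.idt
vol -f 'dump.vmem' windows.apihooks
vol -f 'dump.vmem' windows.moddump
vol -f 'dump.vmem' -o ./dumps windows.modules --dump

# Dump a process's memory by PID. Everything written to ./dumps must be
# treated as live malware: analyse it only in an isolated environment and
# never execute it on the analysis host.
vol -f 'dump.vmem' -o ./dumps windows.memmap.Memmap --pid <PID> --dump

# Get the image path / command line of a PID. Filter with --pid instead of
# piping to grep: `grep <PID>` also matches any address, size or other PID that
# happens to contain the same digits, so the result is unreliable.
vol -f 'dump.vmem' windows.dlllist --pid <PID>
vol -f 'dump.vmem' windows.cmdline --pid <PID>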