Praetorian503

Volatility Image Identification And Processes And Dlls Usage

Description: In this video I will show you how to use the Volatility Framework for some basic information gathering from memory.
I will show you how to identify the image and how to dump a suspect file.

Commands:

./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 imageinfo
Image identification: prints the suggested profile(s) for the image together with the KDBG, KPCR and DTB addresses it found. Run this first; the --profile option is only needed once the profile is known.

./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 kpcrscan
Image identification: scans for the Kernel Processor Control Region (KPCR) structure.

./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 kdbgscan
Image identification: scans for the Kernel Debugger Block (KDBG) and, for each candidate profile, reports the PsActiveProcessHead and PsLoadedModuleList offsets and how many processes and modules it can see from them. Use this when imageinfo is undecided or a plugin comes back with no processes.

./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 pslist
Lists processes by walking the kernel's doubly-linked list of EPROCESS structures (the same view Task Manager would give). A process unlinked from that list by a rootkit does not appear here.

./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 pstree
Shows the same process listing in tree form (children indented under their parents), which makes unexpected parent/child relationships easy to spot.

./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 psscan
Enumerates processes by scanning physical memory for EPROCESS pool tags instead of walking the linked list, so it also finds terminated processes and processes hidden by unlinking. Compare its output against pslist: a PID present only in psscan is either terminated or hidden.

./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 dlllist
Displays the DLLs loaded by every process.

./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 dlllist --pid=492
Displays the DLLs loaded by a single process, selected by PID (here 492).

./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 dlldump -r kernel32 -D out
Extracts a DLL from a process's memory space and writes it to the directory given with -D (here out/) for analysis; -r selects the DLL by a regular expression on its name (here kernel32). The dumped module is rebuilt from memory, with relocations applied and possibly paged-out sections, so its hash will generally not match the file on disk.

./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 handles
Displays the open handles of every process.

./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 handles -p 4 -t Key
Displays the open handles of one process (-p, here PID 4, the System process), filtered to a single object type (-t, here registry Key handles).

./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 getsids
Shows the SIDs (Security Identifiers) in each process's token, i.e. the user and groups the process runs as.


CommandReference - volatility - Example usage cases and output for Volatility 2.0 commands - An advanced memory forensics framework - Google Project Hosting

Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.

Source: Volatility Image Identification And Processes And Dlls Usage
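The pslist/psscan comparison described in the command list above, as an added example that is not part of the original post or of the Volatility project: a POSIX shell script that parses the output of the two plugins and lists the processes only psscan sees. The image name and profile are placeholders, and every sample row (offsets, PIDs, timestamps) is constructed to look like Volatility 2 output so the script runs without a memory image.

```shell
#!/bin/sh
# Cross-view comparison of Volatility 2 pslist and psscan output.
# pslist walks the kernel's linked list of EPROCESS structures; psscan carves
# EPROCESS blocks out of physical memory by pool tag. A PID that psscan reports
# but pslist does not is therefore either a terminated process whose pool block
# has not been reused yet, or a live process unlinked from the list to hide it.
#
# Against a real image the two variables would be filled like this:
#   PSLIST_OUT=$(./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 pslist)
#   PSSCAN_OUT=$(./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 psscan)
# The values below are constructed samples in the shape of that output; the
# offsets, PIDs, names and times are made up, not taken from any real image.

PSLIST_OUT='Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     59      403 ------      0
0x820df020 smss.exe                376      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x821a2da0 csrss.exe               600    376     11      395      0      0 2010-10-29 17:08:54 UTC+0000
0x81e18b28 services.exe            668    624     21      431      0      0 2010-10-29 17:08:54 UTC+0000
0x81da5650 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54 UTC+0000'

PSSCAN_OUT='Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x023c89c8 System                4      0 0x00319000
0x020df020 smss.exe            376      4 0x0a3a0020 2010-10-29 17:08:53 UTC+0000
0x021a2da0 csrss.exe           600    376 0x0a3a0040 2010-10-29 17:08:54 UTC+0000
0x01e18b28 services.exe        668    624 0x0a3a0060 2010-10-29 17:08:54 UTC+0000
0x01da5650 lsass.exe           680    624 0x0a3a0080 2010-10-29 17:08:54 UTC+0000
0x01f2c7d0 svchost.exe        1928    668 0x0a3a00a0 2010-10-29 17:09:12 UTC+0000'

# Print "PID NAME" for each data row of a pslist/psscan table. Data rows are
# the ones whose first field is a hex offset; the header and the dashed rule
# are skipped. In both plugins the name is field 2 and the PID is field 3.
pid_name_rows() {
    printf '%s\n' "$1" | awk '$1 ~ /^0x/ { print $3, $2 }'
}

# Print "PID NAME" for every process that appears in the psscan output ($2)
# but not in the pslist output ($1), sorted by PID. Empty output means the
# two views agree. The pslist rows are tagged L and emitted first, so awk has
# recorded every linked-list PID before it sees the first scanned (S) row.
hidden_pids() {
    {
        pid_name_rows "$1" | sed 's/^/L /'
        pid_name_rows "$2" | sed 's/^/S /'
    } | awk '
        $1 == "L" { seen[$2] = 1 }
        $1 == "S" && !($2 in seen) { print $2, $3 }
    ' | sort -n
}

# For each discrepancy, suggest the follow-up commands from the list above.
# psscan's "Time exited" column (empty for a live process) tells terminated
# processes apart from ones that were unlinked while still running.
report() {
    hidden_pids "$PSLIST_OUT" "$PSSCAN_OUT" | while read -r pid name; do
        echo "psscan-only process: $name (PID $pid)"
        echo "  check: ./vol.py -f <image> --profile=<profile> dlllist -p $pid"
        echo "  check: ./vol.py -f <image> --profile=<profile> handles -p $pid"
    done
}

report
```

On the constructed sample the script reports PID 1928 (svchost.exe) as seen by psscan only; on a real image, feed the two plugins' output into the variables as shown in the comments and treat any psscan-only PID with an empty "Time exited" column as a live, hidden process worth dumping.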