Praetorian503

Volatility Process Memory - Kernel Memory And Objects Usage

Description: In this video I will show you how to use the Volatility Process Memory and Kernel Memory and Objects plugins; I will cover how to dump a process EXE and kernel memory.
Plugins used:

• Process Memory
o memmap
o memdump
o procmemdump
o procexedump
o vadwalk
o vadtree
o vadinfo
o vaddump

• Kernel Memory and Objects
o modules
o modscan
o moddump
o ssdt
o driverscan
o filescan
o mutantscan
o symlinkscan
o thrdscan

memmap
For a brief inspection of the addressable memory pages in a process
memdump
To extract all data from the various memory segments in a process and dump them to a single file
procmemdump
To dump a process's executable (including the slack space), use the procmemdump command.
procexedump
To dump a process's executable
vadwalk
To briefly inspect a process's VAD nodes
vadtree
To display the VAD nodes in a visual tree form
vadinfo
The vadinfo command displays extended information about a process's VAD nodes
vaddump
To extract the data contained within each VAD segment

Kernel Memory and Objects

modules
To view the list of kernel drivers loaded on the system
modscan
To scan physical memory for kernel modules, use the modscan command
moddump
To extract a kernel driver to a file
ssdt
To list the functions in the Native and GUI SSDTs
driverscan
To scan for DRIVER_OBJECTs in physical memory
filescan
To scan physical memory for FILE_OBJECTs
mutantscan
To scan physical memory for KMUTANT objects
symlinkscan
This plugin scans for symbolic link objects and outputs their information.
thrdscan
To scan for ETHREAD objects in physical memory
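As an added example (not part of this post or of the Volatility project), the script below parses `modules` and `modscan` output and reports modules that the physical-memory scan finds but the loaded-module list does not, which is the check an analyst runs before deciding what to `moddump`. The sample output is constructed, and its column layout is assumed from the Volatility 2 command reference.

```python
import re
from typing import Dict, List

# Constructed sample output modelled on Volatility 2.x `modules` (walks the
# kernel's loaded-module list) and `modscan` (pool scan of physical memory).
# Column layout is assumed from the CommandReference; real output has more rows.
MODULES_OUTPUT = r"""
Offset(V)  Name                 Base               Size     File
---------- -------------------- ------------------ -------- ----
0x823fc3a0 ntoskrnl.exe         0x00000000804d7000 0x1f8580 \WINDOWS\system32\ntoskrnl.exe
0x823fc338 hal.dll              0x00000000806cf000 0x020300 \WINDOWS\system32\hal.dll
0x81e8b6b8 tcpip.sys            0x00000000f83f4000 0x058a80 \SystemRoot\system32\DRIVERS\tcpip.sys
"""

# Same image, but the scan also surfaces a module the list walk never reported.
# "suspect.sys" is a constructed placeholder name, not a real driver.
MODSCAN_OUTPUT = r"""
Offset(P)  Name                 Base               Size     File
---------- -------------------- ------------------ -------- ----
0x023fc3a0 ntoskrnl.exe         0x00000000804d7000 0x1f8580 \WINDOWS\system32\ntoskrnl.exe
0x023fc338 hal.dll              0x00000000806cf000 0x020300 \WINDOWS\system32\hal.dll
0x01e8b6b8 tcpip.sys            0x00000000f83f4000 0x058a80 \SystemRoot\system32\DRIVERS\tcpip.sys
0x01c0a5b0 suspect.sys          0x00000000f8c1a000 0x004000 \??\C:\WINDOWS\system32\suspect.sys
"""

# offset, name, base, size, optional file path
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s*(.*)$")


def parse_module_table(text: str) -> Dict[int, dict]:
    """Parse a modules/modscan table into {base_address: row}. Rows are keyed by
    base address rather than name, because a hidden driver can reuse a benign name."""
    rows: Dict[int, dict] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:  # header, separator and blank lines
            continue
        offset, name, base, size, path = m.groups()
        rows[int(base, 16)] = {"offset": int(offset, 16), "name": name,
                               "size": int(size, 16), "file": path}
    return rows


def find_unlinked_modules(modules_text: str, modscan_text: str) -> List[dict]:
    """Return modscan hits with no counterpart in the list walk. A driver found by
    the pool scan but missing from the loaded-module list is the classic sign of an
    unlinked (hidden) kernel module and is the first candidate for moddump."""
    linked = parse_module_table(modules_text)
    scanned = parse_module_table(modscan_text)
    return [row for base, row in scanned.items() if base not in linked]


if __name__ == "__main__":
    for row in find_unlinked_modules(MODULES_OUTPUT, MODSCAN_OUTPUT):
        print(f"unlinked module: {row['name']} base=0x{row['offset']:x} file={row['file']}")
```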

Source: CommandReference - volatility - Example usage cases and output for Volatility 2.0 commands - An advanced memory forensics framework - Google Project Hosting

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:

Source: Volatility Process Memory - Kernel Memory And Objects Usage