Praetorian503

Volatility - Malware And Rootkits Command Usage

Description: In this video I will show you the commands of the Volatility Framework for malware and rootkit analysis.
Commands list

./vol.py -f zeus.vmem pslist

To list the processes of a system, use the pslist command.

./vol.py -f zeus.vmem malfind

You can use it to find hidden or injected code/DLLs in user mode memory.

./vol.py -f zeus.vmem ldrmodules

To find hidden DLLs.

./vol.py -f zeus.vmem apihooks

To find API hooks in user mode or kernel mode.

./vol.py -f zeus.vmem idt

To print the IDT (Interrupt Descriptor Table).

./vol.py -f zeus.vmem gdt

To print the GDT (Global Descriptor Table).

./vol.py -f zeus.vmem threads -L

The command gives you extensive details on threads.

./vol.py -f zeus.vmem callbacks

To detect Windows kernel callbacks, which drivers use to monitor and/or react to events.

./vol.py -f zeus.vmem driverirp

To print a driver's IRP Major Function table.

./vol.py -f zeus.vmem devicetree

To print the device tree (Windows uses a layered driver architecture).

./vol.py -f zeus.vmem psxview

This plugin helps you detect hidden processes.
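As an added example (not part of the original post or of the Volatility project), a small Python script that applies psxview's cross-view idea to the plugin's text output: a process that one view misses but other views still see is worth a closer look. The sample output is constructed in the Volatility 2 psxview column layout; the offsets, names and PIDs are made up.

```python
"""Cross-view triage over psxview output (added example, not from the
original post). The sample below is constructed, not taken from zeus.vmem."""

# The seven process-listing sources psxview compares, in column order.
SOURCES = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# Constructed sample output in the Volatility 2 psxview layout.
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x01a2b3c4 svchost.exe             880 True   True   True     True   True  True    True
0x01b4c5d6 hidden.exe             1337 False  True   True     True   True  True    True
0x01c6d7e8 csrss.exe               584 True   True   True     True   False True    True
0x01d8e9f0 notepad.exe            2048 False  True   False    False  False False   False    2010-08-11 06:07:24 UTC+0000
"""


def parse_psxview(text):
    """Turn psxview's table into a list of dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 + len(SOURCES) or not fields[0].startswith("0x"):
            continue
        flags = {src: fields[3 + i] == "True" for i, src in enumerate(SOURCES)}
        rows.append({
            "offset": fields[0],
            "name": fields[1],
            "pid": int(fields[2]),
            "flags": flags,
            # Anything after the seven flag columns is the ExitTime.
            "exited": len(fields) > 3 + len(SOURCES),
        })
    return rows


def suspicious_processes(rows):
    """Return (name, pid, missing_views) for live processes that are absent from
    pslist (the doubly linked list a DKOM rootkit unlinks from) yet still found by
    at least one other view. Exited processes are skipped: they legitimately drop
    out of most views while psscan still finds their stale EPROCESS. csrss.exe
    not appearing in the csrss view is expected and is not flagged here."""
    flagged = []
    for row in rows:
        if row["exited"]:
            continue
        missing = [src for src in SOURCES if not row["flags"][src]]
        seen_elsewhere = any(row["flags"][src] for src in SOURCES if src != "pslist")
        if "pslist" in missing and seen_elsewhere:
            flagged.append((row["name"], row["pid"], missing))
    return flagged
```

Run it over real psxview output by passing the plugin's stdout to parse_psxview, then hand any flagged PID to malfind or ldrmodules for the next step.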

Source : - Wiki Pages - volatility - An advanced memory forensics framework - Google Project Hosting

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
