Volatility - CheatSheet

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.

⛓️ External Link

https://www.rootedcon.com/

If you want something fast and crazy that will launch several Volatility plugins on parallel you can use: https://github.com/carlospolop/autoVolatility

bash

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py # It will use the most important plugins (could use a lot of space depending on the size of the memory)

Installation

volatility3

bash

git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python3 setup.py install
python3 vol.py —h

volatility2

Volatility Commands

Access the official doc in Volatility command reference

A note on “list” vs. “scan” plugins

Volatility has two main approaches to plugins, which are sometimes reflected in their names. “list” plugins will try to navigate through Windows Kernel structures to retrieve information like processes (locate and walk the linked list of _EPROCESS structures in memory), OS handles (locating and listing the handle table, dereferencing any pointers found, etc). They more or less behave like the Windows API would if requested to, for example, list processes.

That makes “list” plugins pretty fast, but just as vulnerable as the Windows API to manipulation by malware. For instance, if malware uses DKOM to unlink a process from the _EPROCESS linked list, it won’t show up in the Task Manager and neither will it in the pslist.

“scan” plugins, on the other hand, will take an approach similar to carving the memory for things that might make sense when dereferenced as specific structures. psscan for instance will read the memory and try to make_EPROCESS objects out of it (it uses pool-tag scanning, which is searching for 4-byte strings that indicate the presence of a structure of interest). The advantage is that it can dig up processes that have exited, and even if malware tampers with the _EPROCESS linked list, the plugin will still find the structure lying around in memory (since it still needs to exist for the process to run). The downfall is that “scan” plugins are a bit slower than “list” plugins, and can sometimes yield false positives (a process that exited too long ago and had parts of its structure overwritten by other operations).

From: http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/

OS Profiles

Volatility3

As explained inside the readme you need to put the symbol table of the OS you want to support inside volatility3/volatility/symbols.
Symbol table packs for the various operating systems are available for download at:

Volatility2

External Profile

You can get the list of supported profiles doing:

bash

./volatility_2.6_lin64_standalone --info | grep "Profile"

If you want to use a new profile you have downloaded (for example a linux one) you need to create somewhere the following folder structure: plugins/overlays/linux and put inside this folder the zip file containing the profile. Then, get the number of the profiles using:

bash

./vol --plugins=/home/kali/Desktop/ctfs/final/plugins --info
Volatility Foundation Volatility Framework 2.6


Profiles
--------
LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 - A Profile for Linux CentOS7_3.10.0-123.el7.x86_64_profile x64
VistaSP0x64                                   - A Profile for Windows Vista SP0 x64
VistaSP0x86                                   - A Profile for Windows Vista SP0 x86

You can download Linux and Mac profiles from https://github.com/volatilityfoundation/profiles

In the previous chunk you can see that the profile is called LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64, and you can use it to execute something like:

bash

./vol -f file.dmp --plugins=. --profile=LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 linux_netscan

Discover Profile

volatility imageinfo -f file.dmp
volatility kdbgscan -f file.dmp

Differences between imageinfo and kdbgscan

From here: As opposed to imageinfo which simply provides profile suggestions, kdbgscan is designed to positively identify the correct profile and the correct KDBG address (if there happen to be multiple). This plugin scans for the KDBGHeader signatures linked to Volatility profiles and applies sanity checks to reduce false positives. The verbosity of the output and the number of sanity checks that can be performed depends on whether Volatility can find a DTB, so if you already know the correct profile (or if you have a profile suggestion from imageinfo), then make sure you use it from .

Always take a look at the number of processes that kdbgscan has found. Sometimes imageinfo and kdbgscan can find more than one suitable profile but only the valid one will have some process related (This is because to extract processes the correct KDBG address is needed)

bash

# GOOD
PsActiveProcessHead           : 0xfffff800011977f0 (37 processes)
PsLoadedModuleList            : 0xfffff8000119aae0 (116 modules)

bash

# BAD
PsActiveProcessHead           : 0xfffff800011947f0 (0 processes)
PsLoadedModuleList            : 0xfffff80001197ac0 (0 modules)

KDBG

The kernel debugger block, referred to as KDBG by Volatility, is crucial for forensic tasks performed by Volatility and various debuggers. Identified as KdDebuggerDataBlock and of the type _KDDEBUGGER_DATA64, it contains essential references like PsActiveProcessHead. This specific reference points to the head of the process list, enabling the listing of all processes, which is fundamental for thorough memory analysis.

OS Information

bash

#vol3 has a plugin to give OS information (note that imageinfo from vol2 will give you OS info)
./vol.py -f file.dmp windows.info.Info

The plugin banners.Banners can be used in vol3 to try to find linux banners in the dump.

Hashes/Passwords

Extract SAM hashes, domain cached credentials and lsa secrets.

Memory Dump

The memory dump of a process will extract everything of the current status of the process. The procdump module will only extract the code.

volatility -f file.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/

⛓️ External Link

https://www.rootedcon.com/

Processes

List processes

Try to find suspicious processes (by name) or unexpected child processes (for example a cmd.exe as a child of iexplorer.exe).
It could be interesting to compare the result of pslist with the one of psscan to identify hidden processes.

Dump proc

Command line

Anything suspicious was executed?

Commands executed in cmd.exe are managed by conhost.exe (or csrss.exe on systems before Windows 7). This means that if cmd.exe is terminated by an attacker before a memory dump is obtained, it's still possible to recover the session's command history from the memory of conhost.exe. To do this, if unusual activity is detected within the console's modules, the memory of the associated conhost.exe process should be dumped. Then, by searching for strings within this dump, command lines used in the session can potentially be extracted.

Environment

Get the env variables of each running process. There could be some interesting values.

Token privileges

Check for privileges tokens in unexpected services.
It could be interesting to list the processes using some privileged token.

SIDs

Check each SSID owned by a process.
It could be interesting to list the processes using a privileges SID (and the processes using some service SID).

Handles

Useful to know to which other files, keys, threads, processes... a process has a handle for (has opened)

DLLs

Strings per processes

Volatility allows us to check which process a string belongs to.

It also allows to search for strings inside a process using the yarascan module:

UserAssist

Windows keeps track of programs you run using a feature in the registry called UserAssist keys. These keys record how many times each program is executed and when it was last run.

⛓️ External Link

https://www.rootedcon.com/

Services

Network

Registry hive

Print available hives

Get a value

Dump

bash

#Dump a hive
volatility --profile=Win7SP1x86_23418 hivedump -o 0x9aad6148 -f file.dmp #Offset extracted by hivelist
#Dump all hives
volatility --profile=Win7SP1x86_23418 hivedump -f file.dmp

Filesystem

Mount

Scan/dump

Master File Table

The NTFS file system uses a critical component known as the master file table (MFT). This table includes at least one entry for every file on a volume, covering the MFT itself too. Vital details about each file, such as size, timestamps, permissions, and actual data, are encapsulated within the MFT entries or in areas external to the MFT but referenced by these entries. More details can be found in the official documentation.

SSL Keys/Certs

Malware

Scanning with yara

Use this script to download and merge all the yara malware rules from github: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9
Create the rules directory and execute it. This will create a file called malware_rules.yar which contains all the yara rules for malware.

MISC

External plugins

If you want to use external plugins make sure that the folders related to the plugins are the first parameter used.

Autoruns

Download it from https://github.com/tomchop/volatility-autoruns

 volatility --plugins=volatility-autoruns/ --profile=WinXPSP2x86 -f file.dmp autoruns

Mutexes

Symlinks

Bash

It's possible to read from memory the bash history. You could also dump the .bash_history file, but it was disabled you will be glad you can use this volatility module

TimeLine

Drivers

Get clipboard

bash

#Just vol2
volatility --profile=Win7SP1x86_23418 clipboard -f file.dmp

Get IE history

bash

#Just vol2
volatility --profile=Win7SP1x86_23418 iehistory -f file.dmp

Get notepad text

bash

#Just vol2
volatility --profile=Win7SP1x86_23418 notepad -f file.dmp

Screenshot

bash

#Just vol2
volatility --profile=Win7SP1x86_23418 screenshot -f file.dmp

Master Boot Record (MBR)

bash

volatility --profile=Win7SP1x86_23418 mbrparser -f file.dmp

The Master Boot Record (MBR) plays a crucial role in managing the logical partitions of a storage medium, which are structured with different file systems. It not only holds partition layout information but also contains executable code acting as a boot loader. This boot loader either directly initiates the OS's second-stage loading process (see second-stage boot loader) or works in harmony with the volume boot record (VBR) of each partition. For in-depth knowledge, refer to the MBR Wikipedia page.

References

⛓️ External Link

https://www.rootedcon.com/

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

External Recon Methodology

Pentesting Network

Pentesting Wifi

Phishing Methodology

Basic Forensic Methodology

Memory dump analysis

Partitions/File Systems/Carving

Pcap Inspection

Specific Software/File-Type Tricks

Windows Artifacts

Python Sandbox Escape & Pyscript

Bypass Python sandboxes

Shells (Linux, Windows, MSFVenom)

Linux Privilege Escalation

Docker Security

Docker Breakout / Privilege Escalation

Namespaces

Interesting Groups - Linux Privesc

Bypass Linux Restrictions

Bypass FS protections: read-only / no-exec / Distroless

Linux Post-Exploitation

macOS Security & Privilege Escalation

macOS Apps - Inspecting, debugging and Fuzzing

macOS Kernel & System Extensions

macOS Files, Folders, Binaries & Memory

macOS Process Abuse

macOS IPC - Inter Process Communication

macOS Library Injection

macOS Security Protections

macOS Sandbox

macOS TCC

macOS FS Tricks

macOS Red Teaming

macOS MDM

Windows Local Privilege Escalation

Dll Hijacking

Active Directory Methodology

Abusing Active Directory ACLs/ACEs

AD Certificates

Windows Security Controls

NTLM

Lateral Movement

Stealing Windows Credentials

Basic PowerShell for Pentesters

Android Applications Pentesting

Drozer Tutorial

Frida Tutorial

iOS Pentesting

Pentesting VoIP

Basic VoIP Protocols

21 - Pentesting FTP

25,465,587 - Pentesting SMTP/s

80,443 - Pentesting Web Methodology

Buckets

Drupal

Electron Desktop Apps

PHP Tricks

PHP - Useful Functions & disable_functions/open_basedir bypass

Tomcat

88tcp/udp - Pentesting Kerberos

139,445 - Pentesting SMB

161,162,10161,10162/udp - Pentesting SNMP

1433 - Pentesting MSSQL - Microsoft SQL Server

11211 - Pentesting Memcache

Reflecting Techniques - PoCs and Polygloths CheatSheet

Browser Extension Pentesting Methodology

Cache Poisoning and Cache Deception

Content Security Policy (CSP) Bypass

Cookies Hacking

Dangling Markup - HTML scriptless injection

Deserialization

NodeJS - __proto__ & prototype Pollution

File Inclusion/Path traversal

File Upload

HTTP Request Smuggling / HTTP Desync Attack

Login Bypass

PostMessage Vulnerabilities

SAML Attacks

SQL Injection

MySQL injection

NodeJS - proto & prototype Pollution

Volatility - CheatSheet

Installation

volatility3

volatility2

Volatility Commands

A note on “list” vs. “scan” plugins

OS Profiles

Volatility3

Volatility2

External Profile

Discover Profile

Differences between imageinfo and kdbgscan

KDBG

OS Information

Hashes/Passwords

Memory Dump

Processes

List processes

Dump proc