Volatility 2 plugins
Installed from the GitHub repo:
# Windows
amcache # Print AmCache information
apihooks # Detect API hooks in process and kernel memory
atoms # Print session and window station atom tables
atomscan # Pool scanner for atom tables
auditpol # Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools # Dump the big page pools using BigPagePoolScanner
bioskbd # Reads the keyboard buffer from Real Mode memory
cachedump # Dumps cached domain hashes from memory
callbacks # Print system-wide notification routines
clipboard # Extract the contents of the windows clipboard
cmdline # Display process command-line arguments
cmdscan # Extract command history by scanning for _COMMAND_HISTORY
connections # Print list of open connections [Windows XP and 2003 Only]
connscan # Pool scanner for tcp connections
consoles # Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo # Dump crash-dump information
deskscan # Poolscaner for tagDESKTOP (desktops)
devicetree # Show device tree
dlldump # Dump DLLs from a process address space
dlllist # Print list of loaded dlls for each process
driverirp # Driver IRP hook detection
drivermodule # Associate driver objects to kernel modules
driverscan # Pool scanner for driver objects
dumpcerts # Dump RSA private and public SSL keys
dumpfiles # Extract memory mapped and cached files
dumpregistry # Dumps registry files out to disk
editbox # Displays information about Edit controls. (Listbox experimental.)
envars # Display process environment variables
eventhooks # Print details on windows event hooks
evtlogs # Extract Windows Event Logs (XP/2003 only)
filescan # Pool scanner for file objects
gahti # Dump the USER handle type information
gditimers # Print installed GDI timers and callbacks
gdt # Display Global Descriptor Table
getservicesids # Get the names of services in the Registry and return Calculated SID
getsids # Print the SIDs owning each process
handles # Print list of open handles for each process
hashdump # Dumps passwords hashes (LM/NTLM) from memory
hibinfo # Dump hibernation file information
hivedump # Prints out a hive
hivelist # Print list of registry hives.
hivescan # Pool scanner for registry hives
hpakextract # Extract physical memory from an HPAK file
hpakinfo # Info on an HPAK file
idt # Display Interrupt Descriptor Table
iehistory # Reconstruct Internet Explorer cache / history
imagecopy # Copies a physical address space out as a raw DD image
imageinfo # Identify information for the image
impscan # Scan for calls to imported functions
joblinks # Print process job link information
kdbgscan # Search for and dump potential KDBG values
kpcrscan # Search for and dump potential KPCR values
ldrmodules # Detect unlinked DLLs
limeinfo # Dump Lime file format information
lsadump # Dump (decrypted) LSA secrets from the registry
machoinfo # Dump Mach-O file format information
malfind # Find hidden and injected code
mbrparser # Scans for and parses potential Master Boot Records (MBRs)
memdump # Dump the addressable memory for a process
memmap # Print the memory map
messagehooks # List desktop and thread window message hooks
mftparser # Scans for and parses potential MFT entries
moddump # Dump a kernel driver to an executable file sample
modscan # Pool scanner for kernel modules
modules # Print list of loaded modules
multiscan # Scan for various objects at once
mutantscan # Pool scanner for mutex objects
netscan # Scan a Vista (or later) image for connections and sockets
notepad # List currently displayed notepad text
objtypescan # Scan for Windows object type objects
patcher # Patches memory based on page scans
poolpeek # Configurable pool scanner plugin
pooltracker # Show a summary of pool tag usage
printkey # Print a registry key, and its subkeys and values
privs # Display process privileges
procdump # Dump a process to an executable file sample
pslist # Print all running processes by following the EPROCESS lists
psscan # Pool scanner for process objects
pstree # Print process list as a tree
psxview # Find hidden processes with various process listings
qemuinfo # Dump Qemu information
raw2dmp # Converts a physical memory sample to a windbg crash dump
screenshot # Save a pseudo-screenshot based on GDI windows
servicediff # List Windows services (ala Plugx)
sessions # List details on _MM_SESSION_SPACE (user logon sessions)
shellbags # Prints ShellBags info
shimcache # Parses the Application Compatibility Shim Cache registry key
shutdowntime # Print ShutdownTime of machine from registry
sockets # Print list of open sockets
sockscan # Pool scanner for tcp socket objects
ssdt # Display SSDT entries
strings # Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan # Scan for Windows services
symlinkscan # Pool scanner for symlink objects
thrdscan # Pool scanner for thread objects
threads # Investigate _ETHREAD and _KTHREADs
timeliner # Creates a timeline from various artifacts in memory
timers # Print kernel timers and associated module DPCs
truecryptmaster # Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase # TrueCrypt Cached Passphrase Finder
truecryptsummary # TrueCrypt Summary
unloadedmodules # Print list of unloaded modules
userassist # Print userassist registry keys and information
userhandles # Dump the USER handle tables
vaddump # Dumps out the vad sections to a file
vadinfo # Dump the VAD info
vadtree # Walk the VAD tree and display in tree format
vadwalk # Walk the VAD tree
vboxinfo # Dump virtualbox information
verinfo # Prints out the version information from PE images
vmwareinfo # Dump VMware VMSS/VMSN information
volshell # Shell in the memory image
win10cookie # Find the ObHeaderCookie value for Windows 10
windows # Print Desktop Windows (verbose details)
wintree # Print Z-Order Desktop Windows Tree
wndscan # Pool scanner for window stations
yarascan # Scan process or kernel memory with Yara signatures

# Linux
linux_apihooks # Checks for userland apihooks
linux_arp # Print the ARP table
linux_aslr_shift # Automatically detect the Linux ASLR shift
linux_banner # Prints the Linux banner information
linux_bash # Recover bash history from bash process memory
linux_bash_env # Recover a process' dynamic environment variables
linux_bash_hash # Recover bash hash table from bash process memory
linux_check_afinfo # Verifies the operation function pointers of network protocols
linux_check_creds # Checks if any processes are sharing credential structures
linux_check_evt_arm # Checks the Exception Vector Table to look for syscall table hooking
linux_check_fop # Check file operation structures for rootkit modifications
linux_check_idt # Checks if the IDT has been altered
linux_check_inline_kernel # Check for inline kernel hooks
linux_check_modules # Compares module list to sysfs info, if available
linux_check_syscall # Checks if the system call table has been altered
linux_check_syscall_arm # Checks if the system call table has been altered
linux_check_tty # Checks tty devices for hooks
linux_cpuinfo # Prints info about each active processor
linux_dentry_cache # Gather files from the dentry cache
linux_dmesg # Gather dmesg buffer
linux_dump_map # Writes selected memory mappings to disk
linux_dynamic_env # Recover a process' dynamic environment variables
linux_elfs # Find ELF binaries in process mappings
linux_enumerate_files # Lists files referenced by the filesystem cache
linux_find_file # Lists and recovers files from memory
linux_getcwd # Lists current working directory of each process
linux_hidden_modules # Carves memory to find hidden kernel modules
linux_ifconfig # Gathers active interfaces
linux_info_regs # It's like 'info registers' in GDB. It prints out all the
linux_iomem # Provides output similar to /proc/iomem
linux_kernel_opened_files # Lists files that are opened from within the kernel
linux_keyboard_notifiers # Parses the keyboard notifier call chain
linux_ldrmodules # Compares the output of proc maps with the list of libraries from libdl
linux_library_list # Lists libraries loaded into a process
linux_librarydump # Dumps shared libraries in process memory to disk
linux_list_raw # List applications with promiscuous sockets
linux_lsmod # Gather loaded kernel modules
linux_lsof # Lists file descriptors and their path
linux_malfind # Looks for suspicious process mappings
linux_memmap # Dumps the memory map for linux tasks
linux_moddump # Extract loaded kernel modules
linux_mount # Gather mounted fs/devices
linux_mount_cache # Gather mounted fs/devices from kmem_cache
linux_netfilter # Lists Netfilter hooks
linux_netscan # Carves for network connection structures
linux_netstat # Lists open sockets
linux_pidhashtable # Enumerates processes through the PID hash table
linux_pkt_queues # Writes per-process packet queues out to disk
linux_plthook # Scan ELF binaries' PLT for hooks to non-NEEDED images
linux_proc_maps # Gathers process memory maps
linux_proc_maps_rb # Gathers process maps for linux through the mappings red-black tree
linux_procdump # Dumps a process's executable image to disk
linux_process_hollow # Checks for signs of process hollowing
linux_psaux # Gathers processes along with full command line and start time
linux_psenv # Gathers processes along with their static environment variables
linux_pslist # Gather active tasks by walking the task_struct->task list
linux_pslist_cache # Gather tasks from the kmem_cache
linux_psscan # Scan physical memory for processes
linux_pstree # Shows the parent/child relationship between processes
linux_psxview # Find hidden processes with various process listings
linux_recover_filesystem # Recovers the entire cached file system from memory
linux_route_cache # Recovers the routing cache from memory
linux_sk_buff_cache # Recovers packets from the sk_buff kmem_cache
linux_slabinfo # Mimics /proc/slabinfo on a running machine
linux_strings # Match physical offsets to virtual addresses (may take a while, VERY verbose)
linux_threads # Prints threads of processes
linux_tmpfs # Recovers tmpfs filesystems from memory
linux_truecrypt_passphrase # Recovers cached Truecrypt passphrases
linux_vma_cache # Gather VMAs from the vm_area_struct cache
linux_volshell # Shell in the memory image
linux_yarascan # A shell in the Linux memory image

# MAC
mac_adium # Lists Adium messages
mac_apihooks # Checks for API hooks in processes
mac_apihooks_kernel # Checks to see if system call and kernel functions are hooked
mac_arp # Prints the arp table
mac_bash # Recover bash history from bash process memory
mac_bash_env # Recover bash's environment variables
mac_bash_hash # Recover bash hash table from bash process memory
mac_calendar # Gets calendar events from Calendar.app
mac_check_fop # Validate File Operation Pointers
mac_check_mig_table # Lists entires in the kernel's MIG table
mac_check_syscall_shadow # Looks for shadow system call tables
mac_check_syscalls # Checks to see if system call table entries are hooked
mac_check_sysctl # Checks for unknown sysctl handlers
mac_check_trap_table # Checks to see if mach trap table entries are hooked
mac_compressed_swap # Prints Mac OS X VM compressor stats and dumps all compressed pages
mac_contacts # Gets contact names from Contacts.app
mac_dead_procs # Prints terminated/de-allocated processes
mac_dead_sockets # Prints terminated/de-allocated network sockets
mac_dead_vnodes # Lists freed vnode structures
mac_devfs # Lists files in the file cache
mac_dmesg # Prints the kernel debug buffer
mac_dump_file # Dumps a specified file
mac_dump_maps # Dumps memory ranges of process(es)
mac_dyld_maps # Gets memory maps of processes from dyld data structures
mac_find_aslr_shift # Find the ASLR shift value for 10.8+ images
mac_get_profile # Automatically detect Mac profiles
mac_ifconfig # Lists network interface information for all devices
mac_interest_handlers # Lists IOKit Interest Handlers
mac_ip_filters # Reports any hooked IP filters
mac_kernel_classes # Lists loaded c++ classes in the kernel
mac_kevents # Show parent/child relationship of processes
mac_keychaindump # Recovers possbile keychain keys. Use chainbreaker to open related keychain files
mac_ldrmodules # Compares the output of proc maps with the list of libraries from libdl
mac_librarydump # Dumps the executable of a process
mac_list_files # Lists files in the file cache
mac_list_kauth_listeners # Lists Kauth Scope listeners
mac_list_kauth_scopes # Lists Kauth Scopes and their status
mac_list_raw # List applications with promiscuous sockets
mac_list_sessions # Enumerates sessions
mac_list_zones # Prints active zones
mac_lsmod # Lists loaded kernel modules
mac_lsmod_iokit # Lists loaded kernel modules through IOkit
mac_lsmod_kext_map # Lists loaded kernel modules
mac_lsof # Lists per-process opened files
mac_machine_info # Prints machine information about the sample
mac_malfind # Looks for suspicious process mappings
mac_memdump # Dump addressable memory pages to a file
mac_moddump # Writes the specified kernel extension to disk
mac_mount # Prints mounted device information
mac_netstat # Lists active per-process network connections
mac_network_conns # Lists network connections from kernel network structures
mac_notesapp # Finds contents of Notes messages
mac_notifiers # Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
mac_orphan_threads # Lists threads that don't map back to known modules/processes
mac_pgrp_hash_table # Walks the process group hash table
mac_pid_hash_table # Walks the pid hash table
mac_print_boot_cmdline # Prints kernel boot arguments
mac_proc_maps # Gets memory maps of processes
mac_procdump # Dumps the executable of a process
mac_psaux # Prints processes with arguments in user land (**argv)
mac_psenv # Prints processes with environment in user land (**envp)
mac_pslist # List Running Processes
mac_pstree # Show parent/child relationship of processes
mac_psxview # Find hidden processes with various process listings
mac_recover_filesystem # Recover the cached filesystem
mac_route # Prints the routing table
mac_socket_filters # Reports socket filters
mac_strings # Match physical offsets to virtual addresses (may take a while, VERY verbose)
mac_tasks # List Active Tasks
mac_threads # List Process Threads
mac_threads_simple # Lists threads along with their start time and priority
mac_timers # Reports timers set by kernel drivers
mac_trustedbsd # Lists malicious trustedbsd policies
mac_version # Prints the Mac version
mac_vfsevents # Lists processes filtering file system events
mac_volshell # Shell in the memory image
mac_yarascan # Scan memory for yara signatures
process memory linux_bash_env # Recover a process' dynamic environment variables linux_bash_hash # Recover bash hash table from bash process memory linux_check_afinfo # Verifies the operation function pointers of network protocols linux_check_creds # Checks if any processes are sharing credential structures linux_check_evt_arm # Checks the Exception Vector Table to look for syscall table hooking linux_check_fop # Check file operation structures for rootkit modifications linux_check_idt # Checks if the IDT has been altered linux_check_inline_kernel # Check for inline kernel hooks linux_check_modules # Compares module list to sysfs info, if available linux_check_syscall # Checks if the system call table has been altered linux_check_syscall_arm # Checks if the system call table has been altered linux_check_tty # Checks tty devices for hooks linux_cpuinfo # Prints info about each active processor linux_dentry_cache # Gather files from the dentry cache linux_dmesg # Gather dmesg buffer linux_dump_map # Writes selected memory mappings to disk linux_dynamic_env # Recover a process' dynamic environment variables linux_elfs # Find ELF binaries in process mappings linux_enumerate_files # Lists files referenced by the filesystem cache linux_find_file # Lists and recovers files from memory linux_getcwd # Lists current working directory of each process linux_hidden_modules # Carves memory to find hidden kernel modules linux_ifconfig # Gathers active interfaces linux_info_regs # It's like 'info registers' in GDB. 
It prints out all the linux_iomem # Provides output similar to /proc/iomem linux_kernel_opened_files # Lists files that are opened from within the kernel linux_keyboard_notifiers # Parses the keyboard notifier call chain linux_ldrmodules # Compares the output of proc maps with the list of libraries from libdl linux_library_list # Lists libraries loaded into a process linux_librarydump # Dumps shared libraries in process memory to disk linux_list_raw # List applications with promiscuous sockets linux_lsmod # Gather loaded kernel modules linux_lsof # Lists file descriptors and their path linux_malfind # Looks for suspicious process mappings linux_memmap # Dumps the memory map for linux tasks linux_moddump # Extract loaded kernel modules linux_mount # Gather mounted fs/devices linux_mount_cache # Gather mounted fs/devices from kmem_cache linux_netfilter # Lists Netfilter hooks linux_netscan # Carves for network connection structures linux_netstat # Lists open sockets linux_pidhashtable # Enumerates processes through the PID hash table linux_pkt_queues # Writes per-process packet queues out to disk linux_plthook # Scan ELF binaries' PLT for hooks to non-NEEDED images linux_proc_maps # Gathers process memory maps linux_proc_maps_rb # Gathers process maps for linux through the mappings red-black tree linux_procdump # Dumps a process's executable image to disk linux_process_hollow # Checks for signs of process hollowing linux_psaux # Gathers processes along with full command line and start time linux_psenv # Gathers processes along with their static environment variables linux_pslist # Gather active tasks by walking the task_struct->task list linux_pslist_cache # Gather tasks from the kmem_cache linux_psscan # Scan physical memory for processes linux_pstree # Shows the parent/child relationship between processes linux_psxview # Find hidden processes with various process listings linux_recover_filesystem # Recovers the entire cached file system from memory 
linux_route_cache # Recovers the routing cache from memory linux_sk_buff_cache # Recovers packets from the sk_buff kmem_cache linux_slabinfo # Mimics /proc/slabinfo on a running machine linux_strings # Match physical offsets to virtual addresses (may take a while, VERY verbose) linux_threads # Prints threads of processes linux_tmpfs # Recovers tmpfs filesystems from memory linux_truecrypt_passphrase # Recovers cached Truecrypt passphrases linux_vma_cache # Gather VMAs from the vm_area_struct cache linux_volshell # Shell in the memory image linux_yarascan # A shell in the Linux memory image # MAC mac_adium # Lists Adium messages mac_apihooks # Checks for API hooks in processes mac_apihooks_kernel # Checks to see if system call and kernel functions are hooked mac_arp # Prints the arp table mac_bash # Recover bash history from bash process memory mac_bash_env # Recover bash's environment variables mac_bash_hash # Recover bash hash table from bash process memory mac_calendar # Gets calendar events from Calendar.app mac_check_fop # Validate File Operation Pointers mac_check_mig_table # Lists entires in the kernel's MIG table mac_check_syscall_shadow # Looks for shadow system call tables mac_check_syscalls # Checks to see if system call table entries are hooked mac_check_sysctl # Checks for unknown sysctl handlers mac_check_trap_table # Checks to see if mach trap table entries are hooked mac_compressed_swap # Prints Mac OS X VM compressor stats and dumps all compressed pages mac_contacts # Gets contact names from Contacts.app mac_dead_procs # Prints terminated/de-allocated processes mac_dead_sockets # Prints terminated/de-allocated network sockets mac_dead_vnodes # Lists freed vnode structures mac_devfs # Lists files in the file cache mac_dmesg # Prints the kernel debug buffer mac_dump_file # Dumps a specified file mac_dump_maps # Dumps memory ranges of process(es) mac_dyld_maps # Gets memory maps of processes from dyld data structures mac_find_aslr_shift # Find the ASLR 
shift value for 10.8+ images mac_get_profile # Automatically detect Mac profiles mac_ifconfig # Lists network interface information for all devices mac_interest_handlers # Lists IOKit Interest Handlers mac_ip_filters # Reports any hooked IP filters mac_kernel_classes # Lists loaded c++ classes in the kernel mac_kevents # Show parent/child relationship of processes mac_keychaindump # Recovers possbile keychain keys. Use chainbreaker to open related keychain files mac_ldrmodules # Compares the output of proc maps with the list of libraries from libdl mac_librarydump # Dumps the executable of a process mac_list_files # Lists files in the file cache mac_list_kauth_listeners # Lists Kauth Scope listeners mac_list_kauth_scopes # Lists Kauth Scopes and their status mac_list_raw # List applications with promiscuous sockets mac_list_sessions # Enumerates sessions mac_list_zones # Prints active zones mac_lsmod # Lists loaded kernel modules mac_lsmod_iokit # Lists loaded kernel modules through IOkit mac_lsmod_kext_map # Lists loaded kernel modules mac_lsof # Lists per-process opened files mac_machine_info # Prints machine information about the sample mac_malfind # Looks for suspicious process mappings mac_memdump # Dump addressable memory pages to a file mac_moddump # Writes the specified kernel extension to disk mac_mount # Prints mounted device information mac_netstat # Lists active per-process network connections mac_network_conns # Lists network connections from kernel network structures mac_notesapp # Finds contents of Notes messages mac_notifiers # Detects rootkits that add hooks into I/O Kit (e.g. 
LogKext) mac_orphan_threads # Lists threads that don't map back to known modules/processes mac_pgrp_hash_table # Walks the process group hash table mac_pid_hash_table # Walks the pid hash table mac_print_boot_cmdline # Prints kernel boot arguments mac_proc_maps # Gets memory maps of processes mac_procdump # Dumps the executable of a process mac_psaux # Prints processes with arguments in user land (**argv) mac_psenv # Prints processes with environment in user land (**envp) mac_pslist # List Running Processes mac_pstree # Show parent/child relationship of processes mac_psxview # Find hidden processes with various process listings mac_recover_filesystem # Recover the cached filesystem mac_route # Prints the routing table mac_socket_filters # Reports socket filters mac_strings # Match physical offsets to virtual addresses (may take a while, VERY verbose) mac_tasks # List Active Tasks mac_threads # List Process Threads mac_threads_simple # Lists threads along with their start time and priority mac_timers # Reports timers set by kernel drivers mac_trustedbsd # Lists malicious trustedbsd policies mac_version # Prints the Mac version mac_vfsevents # Lists processes filtering file system events mac_volshell # Shell in the memory image mac_yarascan # Scan memory for yara signatures