Getting Started with Volatility

Sample Command Line
# vol.py -f image --profile=profile plugin

Getting Help
# vol.py -h (show options and supported plugins)
# vol.py plugin -h (show plugin usage)
# vol.py --info (show available OS profiles)

Identify System Profile
imageinfo - Display memory image metadata
# vol.py -f mem.img imageinfo

Using Environment Variables
Set name of memory image (takes place of -f)
# export VOLATILITY_LOCATION=file:///images/mem.img
Set profile type (takes place of --profile=)
# export VOLATILITY_PROFILE=WinXPSP3x86

Identify Rogue Processes

pslist - High level view of running processes
# vol.py pslist

psscan - Scan memory for EPROCESS blocks
# vol.py psscan

pstree - Display parent-process relationships
# vol.py pstree

Analyze Process DLLs and Handles

dlllist - List of loaded DLLs by process
  -p  Show information only for specific process identifiers (PIDs)
# vol.py dlllist -p 4,868

getsids - Print process security identifiers
  -p  Show information only for specific PIDs
# vol.py getsids -p 868

handles - List of open handles for each process
  -p  Show information only for specific PIDs
  -t  Display only handles of a certain type
      {Process, Thread, Key, Event, File, Mutant, Token, Port}
# vol.py handles -p 868 -t Process,Mutant

filescan - Scan memory for FILE_OBJECT handles
# vol.py filescan

svcscan - Scan for Windows Service information
# vol.py svcscan

Review Network Artifacts

connections - [XP] List of open TCP connections
# vol.py connections

connscan - [XP] ID TCP connections, including closed
# vol.py connscan

sockets - [XP] Print listening sockets (any protocol)
# vol.py sockets

sockscan - [XP] ID sockets, including closed/unlinked
# vol.py sockscan

netscan - [Win7] Scan for connections and sockets
# vol.py netscan

Look for Evidence of Code Injection

malfind - Find injected code and dump sections
  -p          Show information only for specific PIDs
  -o          Provide physical offset of single process to scan
  --dump-dir  Directory to save memory sections
# vol.py malfind --dump-dir ./output_dir

ldrmodules - Detect unlinked DLLs
  -p  Show information only for specific PIDs
  -v  Verbose: show full paths from three DLL lists
# vol.py ldrmodules -p 868 -v

Check for Signs of a Rootkit

psxview - Find hidden processes using cross-view
# vol.py psxview

modscan - Scan memory for loaded, unloaded, and unlinked drivers
# vol.py modscan

apihooks - Find API/DLL function hooks
  -p  Operate only on specific PIDs
  -Q  Only scan critical processes and DLLs
# vol.py apihooks

ssdt - Hooks in System Service Descriptor Table
# vol.py ssdt | egrep -v '(ntoskrnl|win32k)'

driverirp - Identify I/O Request Packet (IRP) hooks
  -r  Analyze drivers matching REGEX name pattern
# vol.py driverirp -r tcpip

idt - Display Interrupt Descriptor Table
# vol.py idt

Dump Suspicious Processes and Drivers

dlldump - Extract DLLs from specific processes
  -p          Dump DLLs only for specific PIDs
  -b          Dump DLLs from process at physical memory offset
  -r          Dump DLLs matching REGEX name
  --dump-dir  Directory to save extracted files
# vol.py dlldump --dump-dir ./output -r metsrv

moddump - Extract kernel drivers
  -o          Dump driver using offset address (from modscan)
  -r          Dump drivers matching REGEX name
  --dump-dir  Directory to save extracted files
# vol.py moddump --dump-dir ./output -r gaopdx

procmemdump - Dump process to executable sample
  -p          Dump only specific PIDs
  -o          Specify process by physical memory offset
  --dump-dir  Directory to save extracted files
# vol.py procmemdump --dump-dir ./output -p 868

memdump - Dump every memory section into a file
  -p          Dump memory sections from these PIDs
  --dump-dir  Directory to save extracted files
# vol.py memdump --dump-dir ./output -p 868
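As an added example (not part of the cheat sheet or of Volatility itself), the script below parses saved psxview output and flags the cross-view pattern that indicates a process unlinked from the EPROCESS list: absent from pslist yet still backed by a thread (thrdproc) or PspCid table entry. The output text and process names are constructed; column names follow psxview's seven process sources.

```python
"""Flag hidden processes in saved `vol.py psxview` output (cross-view check)."""
from dataclasses import dataclass

# Constructed sample output in psxview's layout; not taken from a real image.
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x0a2c4b90 System                    4 True   True   True     True   False False   False
0x0a0e9da0 smss.exe                544 True   True   True     True   False False   False
0x09f3ab48 svchost.exe             868 True   True   True     True   True  True    True
0x09e81b38 unlinked.exe           1572 False  True   True     True   True  True    True
0x09c55d10 notepad.exe            2104 False  True   False    False  False False   False
"""

SOURCES = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")


@dataclass
class PsxEntry:
    offset: str
    name: str
    pid: int
    seen: dict  # source name -> True if that source listed the process


def parse_psxview(text):
    """Parse psxview rows; tolerant of a trailing ExitTime column."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue  # header / separator lines
        first_flag = next(i for i, f in enumerate(fields) if f in ("True", "False"))
        flags = [f == "True" for f in fields[first_flag:first_flag + len(SOURCES)]]
        pid = int(fields[first_flag - 1])
        name = " ".join(fields[1:first_flag - 1])
        entries.append(PsxEntry(fields[0], name, pid, dict(zip(SOURCES, flags))))
    return entries


def hidden_processes(entries):
    """Return processes missing from the linked list but still alive in the
    kernel (thread or PspCid evidence). A row seen only by psscan is more
    likely a terminated process whose EPROCESS is still in memory, not DKOM."""
    return [e for e in entries
            if not e.seen["pslist"] and (e.seen["thrdproc"] or e.seen["pspcid"])]


if __name__ == "__main__":
    for e in hidden_processes(parse_psxview(SAMPLE_PSXVIEW)):
        print(f"HIDDEN? {e.name} pid={e.pid} offset={e.offset}")
```

System and smss.exe legitimately show False for csrss, session and deskthrd, which is why the check keys on pslist rather than on any False cell.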