{"id":13612401,"url":"https://github.com/TazWake/volatility-plugins","last_synced_at":"2025-04-13T11:32:03.563Z","repository":{"id":216714242,"uuid":"115936532","full_name":"TazWake/volatility-plugins","owner":"TazWake","description":"Learning volatility plugins.","archived":false,"fork":false,"pushed_at":"2021-02-16T18:29:06.000Z","size":96,"stargazers_count":19,"open_issues_count":2,"forks_count":4,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-11-07T20:42:03.865Z","etag":null,"topics":["memory-forensics","python","volatility-plugins"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TazWake.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-01-01T18:09:41.000Z","updated_at":"2024-07-31T00:40:13.000Z","dependencies_parsed_at":null,"dependency_job_id":"74958a9b-8b33-42db-96f2-261056839245","html_url":"https://github.com/TazWake/volatility-plugins","commit_stats":null,"previous_names":["tazwake/volatility-plugins"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TazWake%2Fvolatility-plugins","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TazWake%2Fvolatility-plugins/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TazWake%2Fvolatility-plugins/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TazWake%2Fvolatility-plugins/manifests","owner_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TazWake","download_url":"https://codeload.github.com/TazWake/volatility-plugins/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248705759,"owners_count":21148586,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["memory-forensics","python","volatility-plugins"],"created_at":"2024-08-01T20:00:29.344Z","updated_at":"2025-04-13T11:32:03.556Z","avatar_url":"https://github.com/TazWake.png","language":"Python","readme":"# Volatility-Plugins - Learning area\nI am in the process of learning how to create volatility plugins. This repo will be used as a storage platform for them.\n\nThe majority of ideas will come from [The Art of Memory Forensics](https://www.wiley.com/en-us/The+Art+of+Memory+Forensics%3A+Detecting+Malware+and+Threats+in+Windows%2C+Linux%2C+and+Mac+Memory-p-9781118825099), which is possibly the best single source of knowledge on this topic.\n\n## RAMSCAN\nThe first volatility plugin is `ramscan.py`. \nThis plugin lists running processes with PID and Parent PID, Command Line used to invoke the process and a check to see what the VAD settings are. If the VAD is set to Read, Write, Execute it is marked as suspicious.\n\n### How to use ramscan.py\n1. Download the plugin to a folder on your local machine.\n2. Invoke volatility calling the plugins folder before anything else. eg: `python vol.py --plugins={path/to/plugins} --profile={profile for memory image} -f {path to image} ramscan`\n3. 
A more usable method is to set an output format and output file, as the data presented by this plugin can quickly fill a console window.\n\n*recommended use*\n\n`python vol.py --plugins={path/to/plugins} --profile={profile for memory image} -f {path to image} ramscan --output=html --output-file=ramscan.html`\n\n### Example output\n\n```\nName           PID  Parent Command Line   VAD               \nconhost.exe    6248    748 \\??\\C:\\WINDOWS\\system32\\conhost.exe \"9131723291973856416-156581232056986786412445124951738786652-244451647283318875 Suspicious RWX VAD\nscPopup.exe    6284   4616 \"C:\\Program Files\\Xerox\\scPopup.exe\" /s /k /t /g Suspicious RWX VAD\nGROOVE.EXE     6384   4616 \"C:\\Program Files\\Microsoft Office 15\\root\\office15\\GROOVE.EXE\" /RunFolderSync /TrayOnly  Suspicious RWX VAD\nmobsync.exe    6672    936 C:\\WINDOWS\\System32\\mobsync.exe -Embedding Suspicious RWX VAD\nucmapi.exe     5748    936 \"C:\\Program Files\\Microsoft Office 15\\Root\\Office15\\UcMapi.exe\" -Embedding Suspicious RWX VAD\npowershell.exe 5772   6188 powershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoACgAbgBlAHcALQBvAGIA...ACcAaAB0AHQAcAA6AC8ALwAxADIANwAuADAALgAwAC4AMQA6ADUAMgA4ADAAOAAvACcAKQApAA== Suspicious RWX VAD\n```\n### IR Notes\n* Look for command execution from unusual locations\n* Look for suspicious command execution, e.g. encoded PowerShell\n* Look for memory sections which allow read-write-execute\n\n## CMDCHECK\n\nThis volatility plugin scans memory for `cmd.exe` execution and checks the standard handles.\n\nIf cmd.exe is being used for data exfiltration (or other unwanted activity) it is likely that the handles will change. This is a good way to check for backdoors / modification (Pages 230 - 232 of The Art of Memory Forensics).\n\n### Use\n\n1. Download the plugin to a local filesystem\n2. Run the plugin against a memory image: `python vol.py --plugins={path/to/plugin} --profile={image profile} -f {memory.img} cmdcheck`\n3. 
Any deviation from the norm will be annotated with **!*!**\n4. Note: *This does not work if the process has exited memory*\n\n### IR Notes\n\n* Modified handles in cmd.exe are an indicator of malice.\n\n## Fast VAD Scan\n\nThis is a volatility plugin, similar to malfind, which looks at the number of pages committed and the VAD settings. It **does not** extract files, so it may run faster.\n\nWhen executed, this plugin will return the process name and PID for any process which has more than 30 pages committed and RWX set.\n\n### How to use Fast VAD Scan\n\n1. Download the plugin to a local filesystem location\n2. Run volatility calling the plugin: `python vol.py --plugins={path/to/plugins} --profile={image profile} -f (unknown) fastvadscan`\n3. Review output and determine if any files warrant further investigation\n\n### IR Notes\n\n* This is a triage tool and works best if you have suspicious files\n* It can narrow down files for further analysis\n* If file extraction is required, run malfind\n\n## Path Check\n\nThis plugin scans the capture and identifies any executables which appear to have been loaded from a temp, download or user location. The choice of locations is arbitrary and can be adjusted to suit the investigation.\nThe location matching is case-insensitive, so it will match `temp`, `Temp` and `TEMP` in a path.\n\n### How to use Path Check\n\n1. Download the plugin to a local file store\n2. Invoke volatility (with the plugins folder before anything else) calling pathcheck. For example: `python vol.py --plugins={path/to/plugins} --profile={profile for memory image} -f {path to image} pathcheck`\n3. 
Review the output - processes executed from temp / download or user locations are more likely to be malware and should be subject to further investigation.\n\n### IR Use\n\nThis tool is best used as part of the triage process to get a quick feel for what suspicious activity is on the system.\n\nAlternatively, it can be used as part of a threat hunting review via a remote access agent (such as F-Response).\n\n## Triagecheck\n\nThis volatility plugin is designed to quickly parse the process list and identify some **obvious** signs of malicious activity. It is not designed to act as an in-depth assessment tool and works best for investigators looking to triage multiple platforms quickly.\n\nThe plugin highlights the following events:\n+ SMSS - there should only be one instance and it runs from system32\n+ CSRSS - should be running from system32\n+ SERVICES - this should be running from system32\n+ SVCHOST - check for impersonation (e.g. scvhost / svch0st etc)\n+ LSASS - there should only be one instance and it should be running from system32\n+ DLLHOST - check for impersonation (e.g. dl1host.exe)\n+ SHORT FILE NAMES - look for 1 or 2 character file names (e.g. a.exe)\n+ UNUSUAL EXTENSIONS - look for non-exe files running in memory (e.g. c99shell.php)\n\n### How to use triagecheck\n1. Download the file to a local plugin store.\n2. Invoke volatility calling the plugin, e.g. `python vol.py --plugins={path/to/plugins} --profile={profile for memory image} -f {path to image} triagecheck`\n3. Where the plugin generates a warning message, prioritise this for further investigation\n\n### IR Notes\nThis tool is a high-level triage for some obvious attacks. 
It is ideally used if you are trying to triage multiple systems or believe there is a risk that malware may be impersonating legitimate critical processes.\n","funding_links":[],"categories":["Volatility plugins"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTazWake%2Fvolatility-plugins","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FTazWake%2Fvolatility-plugins","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTazWake%2Fvolatility-plugins/lists"}