{"id":20827647,"url":"https://github.com/bonifield/volatilitygrapher","last_synced_at":"2025-11-04T03:03:53.854Z","repository":{"id":212220918,"uuid":"92613624","full_name":"bonifield/volatilityGrapher","owner":"bonifield","description":"Force-Directed Graph Generator for Volatility Ouputs","archived":false,"fork":false,"pushed_at":"2019-03-03T00:19:34.000Z","size":6930,"stargazers_count":26,"open_issues_count":2,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-05-07T21:04:56.838Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bonifield.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-05-27T17:27:07.000Z","updated_at":"2021-08-18T14:42:27.000Z","dependencies_parsed_at":"2023-12-13T06:23:39.778Z","dependency_job_id":"e807c842-bcdb-47d0-a7b6-2137028c1da0","html_url":"https://github.com/bonifield/volatilityGrapher","commit_stats":null,"previous_names":["bonifield/volatilitygrapher"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bonifield%2FvolatilityGrapher","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bonifield%2FvolatilityGrapher/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bonifield%2FvolatilityGrapher/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bonifield%2FvolatilityGrapher/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bonifield","dow
nload_url":"https://codeload.github.com/bonifield/volatilityGrapher/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252954432,"owners_count":21830903,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-17T23:12:36.308Z","updated_at":"2025-11-04T03:03:53.820Z","avatar_url":"https://github.com/bonifield.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# volatilityGrapher\nForce-directed graph generator for Volatility visualizations\n- Requires Python 3, GraphViz, and Volatility\n- v1.5.4 (01 Mar 2019)\n\t- added apihooks, connscan support (for pre-Vista network connections)\n\t- fixed an issue where red malfind nodes could be converted back to orange\n\t- re-enabled showing the first few malfind bytes\n- v1.5.3 (15 Oct 2018)\n\t- added cmdline support, fixed this description\n- v1.5.2 (09 Oct 2018)\n\t- totally re-written for Python 3\n\t- absolutely requires JSON input from Volatility\n\t- supports Volatility's netscan module\n\t- no longer requires pslist; everything will be blue if you don't include it though\n\t- ezVolGraph.sh is a quick-and-dirty way to automate the JSON and graph-making process (see below under Usage)\n\t- fixed a bug where PIDs wouldn't display properly on nodes\n\n## Supports visualizing JSON output from the following Volatility modules (note - this is NOT a Volatility plugin!)\npslist, psscan, envars, malfind, netscan (Vista+), connscan (XP/2k3), cmdline, apihooks\n- the module name MUST be somewhere in the input 
filename\n\n## Workflow Concept\n- collect memory --\u003e run Volatility modules specifying JSON output --\u003e send module output through volGraph.py\n\n## volGraph.py Overview\n- blue lines and cyan nodes mean the relationship was found in psscan, but not pslist (future:  psxview usage)\n- yellow nodes mean that process was found in apihooks as having one module that hooked another\n- orange nodes mean the process was in malfind, without MZ\n- red nodes mean the process was in malfind, with MZ (4d5a)\n- Colorization is purely based on what's found in psscan, apihooks, and malfind outputs\n\n## To get JSON output from Volatility:\nAdd these switches: ```--output=json [module] --output-file=[module]-[youroutputname].json```\n\n## Usage\n### The module name for each JSON file MUST be somewhere in the filename!\n- Basic with only pslist ```volGraph.py pslist.json```\n- With supported inputs:  ```volGraph.py pslist.json envars.json psscan.json ... ```\n- Glob input:  ```volGraph.py *.json```\n- Easy mode, use the provided Bash script with a memory capture and a Volatility profile to generate all of the necessary files:  ```ezVolGraph.sh somefile.dmp profile```\n### Note that cmdline might make the nodes very large (they will be linewrapped... eventually)\n\n\n## TODO:  \n- dedup code, better classes, subgrouping, modules\n- add psxview support\n\n## Example output:\n### Powershell Empire on Win7:\n![volGraph.py](https://github.com/bonifield/volatilityGrapher/blob/master/sampledata/volGraph-1551571181-dot.png)\n### Meterpreter on WinXP:\n![volGraph.py](https://github.com/bonifield/volatilityGrapher/blob/master/sampledata/volGraph-1551571385-dot.png)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbonifield%2Fvolatilitygrapher","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbonifield%2Fvolatilitygrapher","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbonifield%2Fvolatilitygrapher/lists"}
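The workflow the README describes (Volatility JSON in, force-directed graph out) in a compact, runnable form. This is an added example, not volatilityGrapher's own code and not a Volatility plugin. It assumes Volatility 2's `--output=json` layout, `{"columns": [...], "rows": [...]}`, and the column names those plugins print (`Name`/`PID`/`PPID` for pslist and psscan; `Process`/`Pid`/`Hexdump` for malfind); every sample row below is constructed. It reproduces the README's colour rules (cyan node and blue edge for psscan-only processes, orange for malfind regions, red when the region starts with `4d 5a`) and, like the v1.5.4 fix, only ever escalates a node's colour, so a later malfind region without MZ cannot turn a red node back to orange.

```python
# Added example; not code from volatilityGrapher.  Assumes Volatility 2's JSON
# renderer layout {"columns": [...], "rows": [...]} and the plugins' column names.
# Colours only escalate (blue < cyan < orange < red).  All sample data is constructed.
import json
import re

SEVERITY = {"blue": 0, "cyan": 1, "orange": 2, "red": 3}

# Constructed pslist output: three linked processes.
PSLIST_JSON = json.dumps({
    "columns": ["Offset(V)", "Name", "PID", "PPID", "Thds", "Hnds", "Sess", "Wow64", "Start", "Exit"],
    "rows": [
        ["0x86d1a020", "System", 4, 0, 64, 512, -1, 0, "2019-03-01 12:00:00 UTC+0000", ""],
        ["0x86f3b7a8", "explorer.exe", 1234, 1000, 23, 620, 1, 0, "2019-03-01 12:01:10 UTC+0000", ""],
        ["0x8701c030", "powershell.exe", 2048, 1234, 11, 340, 1, 0, "2019-03-01 12:05:42 UTC+0000", ""],
    ]})
# Constructed psscan output: the same three plus one process the linked list does not show.
PSSCAN_JSON = json.dumps({
    "columns": ["Offset(P)", "Name", "PID", "PPID", "PDB", "Time created", "Time exited"],
    "rows": [
        ["0x06d1a020", "System", 4, 0, "0x00185000", "2019-03-01 12:00:00 UTC+0000", ""],
        ["0x06f3b7a8", "explorer.exe", 1234, 1000, "0x1e2c0340", "2019-03-01 12:01:10 UTC+0000", ""],
        ["0x0701c030", "powershell.exe", 2048, 1234, "0x1e2c0380", "2019-03-01 12:05:42 UTC+0000", ""],
        ["0x0712e8f0", "svchost.exe", 3100, 4, "0x1e2c03c0", "2019-03-01 12:06:03 UTC+0000", ""],
    ]})
# Constructed malfind output; the non-MZ region for PID 2048 deliberately comes before the MZ one.
MALFIND_JSON = json.dumps({
    "columns": ["Process", "Pid", "Address", "VadTag", "Protection", "Flags", "Hexdump", "Disasm"],
    "rows": [
        ["powershell.exe", 2048, "0x00210000", "VadS", "PAGE_EXECUTE_READWRITE", "PrivateMemory: 1, Protection: 6",
         "0x00210000  90 90 90 90 e8 00 00 00 00 58 c3 00 00 00 00 00   .........X......\n", ""],
        ["powershell.exe", 2048, "0x00400000", "VadS", "PAGE_EXECUTE_READWRITE", "PrivateMemory: 1, Protection: 6",
         "0x00400000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............\n", ""],
        ["explorer.exe", 1234, "0x03f60000", "VadS", "PAGE_EXECUTE_READWRITE", "PrivateMemory: 1, Protection: 6",
         "0x03f60000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................\n", ""],
    ]})


def load_vol_json(text):
    """Volatility 2 JSON document -> list of {column: value} dicts."""
    doc = json.loads(text)
    return [dict(zip(doc["columns"], row)) for row in doc["rows"]]


def col(row, *names):
    """Case-insensitive column lookup (plugins differ: 'PID' vs 'Pid', 'Name' vs 'Process')."""
    lowered = {k.lower(): v for k, v in row.items()}
    for name in names:
        if name.lower() in lowered:
            return lowered[name.lower()]
    raise KeyError(names)


def first_bytes(hexdump, n=2):
    """First n bytes of a malfind hexdump line ('addr  4d 5a 90 ...   MZ..'); b'' if none."""
    lines = [ln for ln in hexdump.splitlines() if ln.strip()]
    out = []
    for tok in (lines[0].split() if lines else []):
        if re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            out.append(int(tok, 16))
            if len(out) == n:
                break
        elif out:  # hex bytes ended; the rest of the line is the ASCII column
            break
    return bytes(out)


def build_graph(pslist, psscan, malfind):
    """nodes[pid] = {'name', 'color'}; edges[(ppid, pid)] = edge colour."""
    nodes, edges = {}, {}

    def escalate(pid, name, color):  # a node's colour can only move up the severity scale
        cur = nodes.setdefault(pid, {"name": name, "color": color})
        if SEVERITY[color] > SEVERITY[cur["color"]]:
            cur["color"] = color

    for r in pslist:  # linked processes: blue nodes, black edges
        pid, ppid = int(col(r, "PID")), int(col(r, "PPID"))
        escalate(pid, col(r, "Name"), "blue")
        edges[(ppid, pid)] = "black"
    for r in psscan:  # found by the pool scan but not pslist: cyan node, blue edge
        pid, ppid = int(col(r, "PID")), int(col(r, "PPID"))
        if pid not in nodes:
            escalate(pid, col(r, "Name"), "cyan")
        edges.setdefault((ppid, pid), "blue")
    for r in malfind:  # suspicious region: orange, or red when it starts with MZ (4d 5a)
        color = "red" if first_bytes(col(r, "Hexdump")) == b"MZ" else "orange"
        escalate(int(col(r, "Pid", "PID")), col(r, "Process", "Name"), color)
    return nodes, edges


def to_dot(nodes, edges):
    """Render as GraphViz DOT (pipe into `dot -Tpng`)."""
    def esc(s):
        return str(s).replace("\\", "\\\\").replace('"', '\\"')
    out = ["digraph volgraph {", "  node [style=filled];"]
    for pid in sorted(nodes):
        out.append(f'  "{pid}" [label="{esc(nodes[pid]["name"])}\\n{pid}", fillcolor={nodes[pid]["color"]}];')
    for ppid in sorted({p for p, _ in edges} - set(nodes)):  # parents no plugin reported
        out.append(f'  "{ppid}" [label="{ppid}\\n(not found)", fillcolor=white];')
    for ppid, pid in sorted(edges):
        out.append(f'  "{ppid}" -> "{pid}" [color={edges[(ppid, pid)]}];')
    out.append("}")
    return "\n".join(out)


def analyse(pslist_text, psscan_text, malfind_text):
    return build_graph(*(load_vol_json(t) for t in (pslist_text, psscan_text, malfind_text)))


if __name__ == "__main__":
    print(to_dot(*analyse(PSLIST_JSON, PSSCAN_JSON, MALFIND_JSON)))
```

Run it and pipe the output into `dot -Tpng -o graph.png` to draw the picture. The severity table is the piece worth keeping if you adapt this: once a PID has been marked red by one malfind region, a later region for the same PID that lacks an MZ header must not downgrade it, which is exactly the bug the v1.5.4 entry above records.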