{"id":13511141,"url":"https://github.com/memoryforensics1/Vol3xp","last_synced_at":"2025-03-30T20:32:37.284Z","repository":{"id":216128776,"uuid":"293352390","full_name":"memoryforensics1/Vol3xp","owner":"memoryforensics1","description":"Volatility Explorer Suit","archived":false,"fork":false,"pushed_at":"2023-01-03T09:16:36.000Z","size":3558,"stargazers_count":63,"open_issues_count":1,"forks_count":12,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-20T08:12:36.673Z","etag":null,"topics":["analysis","forensics","memory","memory-dump","plugin","process-explorer","process-hacker","procexp","sysinternals","sysinternals-volatility","vol3xp","volatility","volatility-explorer","volatility-framework","volatility-master","volatility-plugin","volatility-plugins","volatility-sysinternals","volatilityexplorer","volexp"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/memoryforensics1.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-09-06T19:59:09.000Z","updated_at":"2025-02-19T16:31:41.000Z","dependencies_parsed_at":"2024-01-13T19:22:27.060Z","dependency_job_id":"f996cf56-2ba6-4c31-835c-c4c296dab1ad","html_url":"https://github.com/memoryforensics1/Vol3xp","commit_stats":null,"previous_names":["memoryforensics1/vol3xp"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/memoryforensics1%2FVol3xp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/memoryforensics1%2FVol3xp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/memoryforensics1%2FVol3xp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/memoryforensics1%2FVol3xp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/memoryforensics1","download_url":"https://codeload.github.com/memoryforensics1/Vol3xp/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246379366,"owners_count":20767694,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analysis","forensics","memory","memory-dump","plugin","process-explorer","process-hacker","procexp","sysinternals","sysinternals-volatility","vol3xp","volatility","volatility-explorer","volatility-framework","volatility-master","volatility-plugin","volatility-plugins","volatility-sysinternals","volatilityexplorer","volexp"],"created_at":"2024-08-01T03:00:35.498Z","updated_at":"2025-03-30T20:32:36.877Z","avatar_url":"https://github.com/memoryforensics1.png","language":"Python","readme":"# Vol3xp, Volatility 3 Explorer Plugins\n\n### WinObj -\u003e Windows Kernel Objects Explorer, an improved version of \u003chttps://github.com/kslgroup/WinObj\u003e for Volatility 3 (winobj.py)\nWinObj (very similar to WinObj [Sysinternals]) also supports the Struct Analyzer and [WinObjGui](#11) from VolExp.\n\n### RAMMap -\u003e Physical Address Mapping (pfn.py)\nRAMMap (very similar to RAMMap [Sysinternals]), but additionally it marks any suspicious pages (for more information, read the pdf).\nThis module contains 3 plugins:\n1. P2V - Converts a physical address to a virtual address using the PfnDatabase and finds the owning process of the page (if any).\n2. PFNInfo - Gives information about a physical page from the PfnDatabase: the use of the page, the file name, and much more.\n3. RAMMap - Uses both of the plugins above. Displays a RAMMap-like UI for all the physical pages and colors suspicious pages.\n[You can see far more detailed information about the plugins in the pdf]\n\n### And the main event -\u003e Volatility Explorer (volexp.py)\n\nThis program allows the user to load a memory dump and navigate through it with ease using a graphical interface.\nIt can also function as a plugin to the Volatility Framework (\u003chttps://github.com/volatilityfoundation/volatility3\u003e).\nThis program functions similarly to Process Explorer/Process Hacker, but allows the user to analyze a memory dump.\nThis program can run on Windows, Linux and macOS machines, but only accepts Windows memory images.\n\n## Note: Volatility Explorer for Volatility 2 -\u003e \u003chttps://github.com/memoryforensics1/VolExp\u003e\n\n### Quick Start\n1. Download the volexp.py file (download the ).\n\n2. Run as a standalone program or as a plugin to Volatility:\n- As a standalone program:\n```shell\npython3 volexp.py\n```\n- As a Volatility plugin:\n```shell\npython3 vol.py -f \u003cmemory file path\u003e windows.volexp.volexp\n```\n\n### Some Features:\n```shell\npython3 volexp.py\n```\n- Some of the information displayed will not update in real time (exceptions: the process info, which updates slowly, and the real-time functions such as the struct analyzer, PE properties, running a real-time plugin, etc.).\n![example vol3xp, the colors used to identify special processes (services, protected)](https://github.com/memoryforensics1/info/blob/master/Win10Example.GIF)\n\n- The program also allows viewing the loaded DLLs, open handles and network connections of each process (a DLL's properties can also be viewed).\n\n![Lower Pane](https://github.com/memoryforensics1/info/blob/master/Win10Handles.png)\n\n- To present more information on a process, double-click it (or left-click and select Properties) to bring up an information window.\n\n![Process properties](https://github.com/memoryforensics1/info/blob/master/ImageProperties.png)\n\n- Or present more information on any PE.\n\n![PE properties](https://github.com/memoryforensics1/info/blob/master/PeProeprties.png)\n\n- The program allows the user to view the files in the memory dump as well as their information. Additionally, it allows the user to extract those files (a HexDump/strings view is also available). \u003ca name=\"22\"\u003e\u003c/a\u003e\n\n![File Explorer](https://github.com/memoryforensics1/info/blob/master/FilesExplorer.png)\n\n- The program supports viewing the Windows objects and the files' metadata (MFT).\u003ca name=\"11\"\u003e\u003c/a\u003e\n\n![Other Explorers (Winobj and MFT explorer)](https://github.com/memoryforensics1/info/blob/master/Explorers.png)\n\n- The program also supports viewing a registry view (RegView) of the memory dump.\n\n![RegView](https://github.com/memoryforensics1/info/blob/master/RegView.png)\n\n- Additionally, the program supports struct analysis (writing to a struct in memory and running Volatility functions on a struct are both available).\nExample of getting all the loaded modules inside an _EPROCESS struct in another Struct Analyzer window:\n\n![Struct Analyzer](https://github.com/memoryforensics1/info/blob/master/StructAnalyzer.png)\n\n- The program is also capable of automatically marking suspicious processes found by another plugin.\nExample of running the threadmap plugin:\n\n![Cmd Plugin run threadmap](https://github.com/memoryforensics1/info/blob/master/threadmapExample.GIF)\n\n- View the memory use of a process.\n\n![Vad Information](https://github.com/memoryforensics1/info/blob/master/VadInformation.png)\n\n- Manually mark a certain process and add a side note to it.\n\n- The user's actions can be saved to a separate file for later use.\n\n### Get help: https://github.com/memoryforensics1/VolExp/wiki/VolExp-help:\n![volexp help](https://github.com/memoryforensics1/info/blob/master/help.gif)\n","funding_links":[],"categories":["Volatility 3"],"sub_categories":["GUI"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmemoryforensics1%2FVol3xp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmemoryforensics1%2FVol3xp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmemoryforensics1%2FVol3xp/lists"}