{"id":13511110,"url":"https://github.com/memoryforensics1/VolExp","last_synced_at":"2025-03-30T20:32:36.022Z","repository":{"id":216128775,"uuid":"243988356","full_name":"memoryforensics1/VolExp","owner":"memoryforensics1","description":"volatility explorer","archived":false,"fork":false,"pushed_at":"2020-11-16T23:23:27.000Z","size":1581,"stargazers_count":91,"open_issues_count":1,"forks_count":15,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-03-23T19:22:55.636Z","etag":null,"topics":["analysis","forensics","memory","plugin","plugins","process-explorer","process-hacker","procexp","python","python27","volatility","volatility-explorer","volatility-framework","volatility-framework-plugin","volatility-plugins","volatilityexplorer","volexp"],"latest_commit_sha":null,"homepage":"https://memoryforensics1.github.io/VolExp/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/memoryforensics1.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-02-29T14:59:33.000Z","updated_at":"2025-01-10T07:24:14.000Z","dependencies_parsed_at":"2024-01-13T19:22:24.716Z","dependency_job_id":"a82d2c0e-1156-4372-ad71-eab89fd685dd","html_url":"https://github.com/memoryforensics1/VolExp","commit_stats":null,"previous_names":["memoryforensics1/volexp"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/memoryforensics1%2FVolExp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/memoryforensics1%2FVolExp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/memoryforensics1%2FVolExp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/memoryforensics1%2FVolExp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/memoryforensics1","download_url":"https://codeload.github.com/memoryforensics1/VolExp/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246379366,"owners_count":20767694,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analysis","forensics","memory","plugin","plugins","process-explorer","process-hacker","procexp","python","python27","volatility","volatility-explorer","volatility-framework","volatility-framework-plugin","volatility-plugins","volatilityexplorer","volexp"],"created_at":"2024-08-01T03:00:34.662Z","updated_at":"2025-03-30T20:32:35.672Z","avatar_url":"https://github.com/memoryforensics1.png","language":"Python","readme":"# VolExp\n## Volatility Explorer\n \nThis program allows the user to access a Memory Dump. It can also function as a plugin to the Volatility Framework (\u003chttps://github.com/volatilityfoundation/volatility\u003e).\nThis program functions similarly to Process Explorer/Hacker, but additionally it allows the user access to a Memory Dump (or access to the real-time memory of the computer using Memtriage).\nThis program can run from Windows, Linux and MacOS machines, but can only use Windows memory images.\n\n## note: volatility explorer for volatility3 \u003chttps://github.com/memoryforensics1/Vol3xp\u003e\n\n### Quick Start\n1. Download the volexp.py file (download the memtriage.py file as well and replace your memtriage.py file with it if you want to use memtriage \u003chttps://github.com/gleeda/memtriage\u003e).\n\n2. Run as a standalone program or as a plugin to Volatility:\n- As a standalone program:\n```shell\n python2 volexp\n ```\n - As a Volatility plugin:\n```shell\n python2 vol.py -f \u003cmemory file path\u003e --profile=\u003cmemory profile\u003e volexp\n ```\n\n\n### Some Features:\n```shell\npython2 memtriage.py --plugins=volexp\n```\n- Some of the information displayed will not update in real time (exceptions are process info, which updates slowly, and real-time functions such as the struct analyzer, PE properties, running a real-time plugin, etc.).\n![example memtriage, the colors used to identify special processes (services, protected)](https://github.com/memoryforensics1/info/blob/master/Win10Example.GIF)\n\n\n\n- The program also allows the user to view the loaded DLLs, open handles and network connections of each process (access to a DLL's properties is \nalso optional).\n\n![Lower Pane](https://github.com/memoryforensics1/info/blob/master/Win10Handles.png)\n\n\n\n- To present more information on a process, Double-Click (or Left-Click and select Properties) to bring up an information window.\n\n![Process properties](https://github.com/memoryforensics1/info/blob/master/ImageProperties.png)\n\n\n- Or present more information on any PE.\n\n![PE properties](https://github.com/memoryforensics1/info/blob/master/PeProeprties.png)\n\n\n\n- The program allows the user to view the files in the Memory Dump as well as their information. Additionally, it allows the user to extract those files (a HexDump/strings view is also optional).\n\n![File Explorer](https://github.com/memoryforensics1/info/blob/master/FilesExplorer.png)\n\n\n\n- The program supports viewing of the Windows Objects and the files' metadata (MFT). \n\n![Other Explorers (Winobj and MFT explorer)](https://github.com/memoryforensics1/info/blob/master/Explorers.png)\n\n\n\n- The program also supports viewing a regview of the memory dump.\n\n![RegView](https://github.com/memoryforensics1/info/blob/master/RegView.png)\n\n\n\n- Additionally, the program supports struct analysis (writing to the memory struct and running Volatility functions on a struct are available).\n Example of getting all the loaded modules inside an _EPROCESS struct in another struct analyzer window:\n\n![Struct Analyzer](https://github.com/memoryforensics1/info/blob/master/StructAnalyzer.png)\n\n\n\n- The program is also capable of automatically marking suspicious processes found by another plugin.\nExample of running the threadmap plugin:\n\n![Cmd Plugin run threadmap](https://github.com/memoryforensics1/info/blob/master/threadmapExample.GIF)\n\n\n\n- View memory use of a process.\n\n![Vad Information](https://github.com/memoryforensics1/info/blob/master/VadInformation.png)\n\n\n- Manually mark a certain process and add a sidenote on it. \n\n- User's actions can be saved to a separate file for later use.\n\n### get help: https://github.com/memoryforensics1/VolExp/wiki/VolExp-help:\n![volexp help](https://github.com/memoryforensics1/info/blob/master/help.gif)\n","funding_links":[],"categories":["Volatility 2"],"sub_categories":["Plugins"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmemoryforensics1%2FVolExp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmemoryforensics1%2FVolExp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmemoryforensics1%2FVolExp/lists"}