https://github.com/citronneur/volatility-wnf
Browse and dump Windows Notification Facilities
Last synced: 10 months ago
- Host: GitHub
- URL: https://github.com/citronneur/volatility-wnf
- Owner: citronneur
- Created: 2019-01-15T14:16:04.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2019-01-15T14:33:51.000Z (over 7 years ago)
- Last Synced: 2025-04-13T03:12:20.384Z (about 1 year ago)
- Language: Python
- Size: 5.86 KB
- Stars: 15
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-forensics - 13 stars
- awesome-csirt - volatility-wnf
README
# volatility-wnf
Browse and dump Windows Notification Facilities
This plugin is based on the work of Alex Ionescu and Gabrielle Viala:
* https://blog.quarkslab.com/playing-with-the-windows-notification-facility-wnf.html
* https://www.blackhat.com/us-18/briefings/schedule/#the-windows-notification-facility-peeling-the-onion-of-the-most-undocumented-kernel-attack-surface-yet-11626
* https://www.youtube.com/watch?v=MybmgE95weo
The plugin walks all processes (or a single process selected by PID filter) and dumps every WNF subscriber it finds.
Additionally, it can dump the data associated with a given subscriber.
## Install
Copy *wnf.py* into your Volatility 2 plugins directory (the `--profile` syntax used below is Volatility 2, i.e. Python 2.7), or point Volatility at the directory containing it with `--plugins=/path/to/dir`.
## Use
To dump all subscribers of all processes (replace `your_dump` with the memory image and `your_profile` with the profile that matches the image, e.g. as reported by `imageinfo`):
```
python vol.py -f your_dump --profile=your_profile wnf
```
To dump all subscribers of a particular process:
```
python vol.py -f your_dump --profile=your_profile wnf --pid PID
```
To dump the data associated with a particular subscriber:
```
python vol.py -f your_dump --profile=your_profile wnfdata -s ADDRESS_OF_SUBSCRIBER
```
ADDRESS_OF_SUBSCRIBER is the first field of each line printed by the `wnf` command, so run `wnf` first and pass the address of the subscriber of interest to `wnfdata`.
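Each WNF subscription is identified by a 64-bit state name, and Windows stores that name XOR-obfuscated rather than as its plain field layout. The helper below is an added example, not code from volatility-wnf or from the referenced research; it is a stand-alone Python 3 script (the plugin itself runs under Volatility 2 / Python 2) that decodes a raw state name into its version, lifetime, scope, permanent-data flag and unique id, and re-encodes it for searching. It assumes that the subscriber lines printed by `wnf` include the raw 64-bit state name from the `_WNF_SUBSCRIPTION` object, and it uses the XOR key and bit layout documented in the Quarkslab post and Black Hat talk cited above. The sample values in the script are constructed, not taken from a real memory image.

```python
#!/usr/bin/env python3
"""Decode raw WNF state names (added helper, not part of volatility-wnf).

Assumption: each subscriber line printed by the `wnf` command carries the
raw 64-bit WNF state name from the _WNF_SUBSCRIPTION object.  The encoding
(XOR key plus bit layout) is the one described in the Ionescu/Viala
research that the plugin is based on.
"""
from dataclasses import dataclass

# Every WNF state name is the internal structure XORed with this constant.
WNF_STATE_NAME_XOR_KEY = 0x41C64E6DA3BC0074

# Internal layout, least-significant bit first:
#   Version:4 | NameLifetime:2 | DataScope:4 | PermanentData:1 | Unique:53
_VERSION_SHIFT, _VERSION_MASK = 0, 0xF
_LIFETIME_SHIFT, _LIFETIME_MASK = 4, 0x3
_SCOPE_SHIFT, _SCOPE_MASK = 6, 0xF
_PERMANENT_SHIFT, _PERMANENT_MASK = 10, 0x1
_UNIQUE_SHIFT, _UNIQUE_MASK = 11, (1 << 53) - 1

LIFETIMES = {0: "WellKnown", 1: "Permanent", 2: "Persistent", 3: "Temporary"}
SCOPES = {0: "System", 1: "Session", 2: "User", 3: "Process",
          4: "Machine", 5: "PhysicalMachine"}


@dataclass(frozen=True)
class WnfStateName:
    version: int
    lifetime: int
    scope: int
    permanent: bool
    unique: int

    @property
    def lifetime_name(self) -> str:
        return LIFETIMES.get(self.lifetime, "Unknown(%d)" % self.lifetime)

    @property
    def scope_name(self) -> str:
        return SCOPES.get(self.scope, "Unknown(%d)" % self.scope)

    def describe(self) -> str:
        return "v%d %s %s%s unique=0x%x" % (
            self.version, self.lifetime_name, self.scope_name,
            " permanent" if self.permanent else "", self.unique)


def decode_state_name(raw: int) -> WnfStateName:
    """Split a raw (obfuscated) 64-bit state name into its fields."""
    if not 0 <= raw < (1 << 64):
        raise ValueError("state name must be an unsigned 64-bit value")
    internal = raw ^ WNF_STATE_NAME_XOR_KEY
    return WnfStateName(
        version=(internal >> _VERSION_SHIFT) & _VERSION_MASK,
        lifetime=(internal >> _LIFETIME_SHIFT) & _LIFETIME_MASK,
        scope=(internal >> _SCOPE_SHIFT) & _SCOPE_MASK,
        permanent=bool((internal >> _PERMANENT_SHIFT) & _PERMANENT_MASK),
        unique=(internal >> _UNIQUE_SHIFT) & _UNIQUE_MASK,
    )


def encode_state_name(name: WnfStateName) -> int:
    """Inverse of decode_state_name; handy for building a name to grep for."""
    internal = ((name.version & _VERSION_MASK) << _VERSION_SHIFT
                | (name.lifetime & _LIFETIME_MASK) << _LIFETIME_SHIFT
                | (name.scope & _SCOPE_MASK) << _SCOPE_SHIFT
                | int(name.permanent) << _PERMANENT_SHIFT
                | (name.unique & _UNIQUE_MASK) << _UNIQUE_SHIFT)
    return internal ^ WNF_STATE_NAME_XOR_KEY


def parse_state_name(text: str) -> WnfStateName:
    """Accept the hex form as it would appear in plugin output (0x... or bare)."""
    return decode_state_name(int(text.strip(), 16))


if __name__ == "__main__":
    # Constructed sample values, not taken from a real memory image.
    for sample in ("0x41C64E6DA3BC0875", "41c64e6da3bc0c75"):
        print(sample, "->", parse_state_name(sample).describe())
```

A WellKnown name with version 1 and a small unique id is the typical shape of the hard-coded `WNF_*` constants Windows components subscribe to; a Temporary or Process-scoped name with a large unique id is one created at runtime, which is usually the more interesting kind when triaging a suspicious subscriber found in a memory image.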