Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/memoryforensics1/VolExp
volatility explorer
https://github.com/memoryforensics1/VolExp
analysis forensics memory plugin plugins process-explorer process-hacker procexp python python27 volatility volatility-explorer volatility-framework volatility-framework-plugin volatility-plugins volatilityexplorer volexp
Last synced: 2 days ago
JSON representation
volatility explorer
- Host: GitHub
- URL: https://github.com/memoryforensics1/VolExp
- Owner: memoryforensics1
- License: gpl-3.0
- Created: 2020-02-29T14:59:33.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2020-11-16T23:23:27.000Z (almost 4 years ago)
- Last Synced: 2024-10-13T09:21:15.940Z (22 days ago)
- Topics: analysis, forensics, memory, plugin, plugins, process-explorer, process-hacker, procexp, python, python27, volatility, volatility-explorer, volatility-framework, volatility-framework-plugin, volatility-plugins, volatilityexplorer, volexp
- Language: Python
- Homepage: https://memoryforensics1.github.io/VolExp/
- Size: 1.51 MB
- Stars: 90
- Watchers: 7
- Forks: 15
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-volatility - Volatility Explorer - This program functions similarly to Process Explorer/Hacker, but additionally it allows the user access to a Memory Dump (Volatility 2 / Plugins)
README
# VolExp
## Volatility Explorer
This program allows the user to access a Memory Dump. It can also function as a plugin to the Volatility Framework ().
This program functions similarly to Process Explorer/Hacker, but additionally it allows the user access to a Memory Dump (or access the real-time memory on the computer using Memtriage).
This program can run from Windows, Linux and MacOS machines, but can only use Windows memory images.
## note: volatility explorer for volatility3
### Quick Start
1. Download the volexp.py file (download the memtriage.py file as well and replace it with your memtriage.py file if you want to use memtriage ).
2. Run as a standalone program or as a plugin to Volatility:
- As a standalone program:
```shell
python2 volexp
```
- As a Volatility plugin:
```shell
python2 vol.py -f --profile= volexp
```
### Some Features:
```shell
python2 memtriage.py --plugins=volexp
```
- Some of the information display will not update in real time (except Processes info(update slowly), real time functions like struct analyzer, PE properties, run real time plugin, etc.).
- The program also allows to view Loaded dll's, open handles and network connections of each process (Access to a dll's properties is
also optional).
- To present more information of a process, Double-Click (or Left-Click and select Properties) to bring up an information window.
- Or present more information on any PE.
- The program allows the user to view the files in the Memory Dump as well as their information. Additionally it allows the user to extract those files (HexDump/strings view is also optional).
- The program supports viewing of the Windows Objects and files's matadata (MFT).
- The program also support viewing a regview of the memory dump
- Additionally, the program supports struct analysis. (writing on the memory's struct, running Volatility functions on a struct is available).
Example of getting all the load modules inside _EPROCESS struct in another struct analyzer window:
- The Program is also capable of automatically marking suspicious processes found by another plugin.
Example of a running threadmap plugin:
- View memory use of a process.
- Manually marking a certain process and adding a sidenote on it.
- User's actions can be saved on a seperate file for later usage.
### get help: https://github.com/memoryforensics1/VolExp/wiki/VolExp-help:
