volatility_plugins

A collection of plugins for the Volatility Memory Framework

Please see individual folders for details.

Vol3

ZoneID3

Scans memory for Zone.Identifier alternate data streams whose ZoneId is 3 (the Internet zone), the mark-of-the-web Windows attaches to files downloaded from the internet, and reports the HostUrl and ReferrerUrl recorded in each.

$ vol -r pretty -p ~/github/volatility_plugins -f Win10Dev-Snapshot1.vmem zoneid3
Volatility 3 Framework 2.5.0
Formatting...0.00               PDB scanning finished
  | ZoneID |                                                                             Host URL |                                            Referrer Url
* |      3 |                                   https://download.sysinternals.com/files/Sysmon.zip | https://learn.microsoft.com/
* |      3 | https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml | NotPresent
* |      3 |                  https://download.splunk.com/products/universalforwarder/release.msi | NotPresent
* |      3 |                                           https://mh-nexus.de/downloads/HxDSetup.zip | https://mh-nexus.de/en/downloads.php?product=HxD20
* |      3 |                                                                           NotPresent | C:\Users\User\Downloads\PE-bear_0.6.1_x64_win_vs13.zip
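How such a scan works on raw bytes, as an added example that is not the plugin's own code: it carves the INI-style text Windows writes into a file's Zone.Identifier stream out of a memory buffer (searching both ANSI and UTF-16LE forms), parses the ZoneId/HostUrl/ReferrerUrl keys and keeps only Internet-zone entries. The sample buffer is constructed for the example.

```python
"""Carve Zone.Identifier (mark-of-the-web) streams out of a raw memory buffer.

Added example, not the plugin's own code. It assumes the stream body is the
INI-style text Windows writes into <file>:Zone.Identifier and that the text
may sit in memory as ANSI or UTF-16LE. The sample buffer is constructed here.
"""
import re
from dataclasses import dataclass

MARKER = "[ZoneTransfer]"
# (marker bytes, codec) pairs: ANSI text and the UTF-16LE form seen in
# wide-string buffers. Each is searched independently.
ENCODINGS = (
    (MARKER.encode("latin-1"), "latin-1"),
    (MARKER.encode("utf-16-le"), "utf-16-le"),
)
KEY_RE = re.compile(r"^(ZoneId|HostUrl|ReferrerUrl)\s*=\s*(.*?)\s*$", re.M)
INTERNET_ZONE = 3  # URLZONE_INTERNET


@dataclass
class ZoneRecord:
    offset: int        # byte offset of the [ZoneTransfer] marker in the buffer
    zone_id: int
    host_url: str      # "NotPresent" when the key is absent, as the plugin prints it
    referrer_url: str


def _carve_text(buf, start, codec, max_len=1024):
    """Decode the stream text that starts at `start`, stopping at the first
    NUL or at the next [ZoneTransfer] marker, whichever comes first."""
    chunk = buf[start:start + max_len]
    if codec == "utf-16-le":
        chunk = chunk[:len(chunk) & ~1]          # decoder needs whole code units
    text = chunk.decode(codec, errors="replace")
    for stop in (text.find("\x00"), text.find(MARKER, 1)):
        if stop != -1:
            text = text[:stop]
    return text


def parse_zone_transfer(text, offset=0):
    """Parse one [ZoneTransfer] block; returns None if ZoneId is missing/bad."""
    fields = dict(KEY_RE.findall(text))
    if not fields.get("ZoneId", "").isdigit():
        return None
    return ZoneRecord(
        offset,
        int(fields["ZoneId"]),
        fields.get("HostUrl", "NotPresent"),
        fields.get("ReferrerUrl", "NotPresent"),
    )


def scan_zone_identifier(buf, zone_filter=INTERNET_ZONE):
    """Return every ZoneRecord in `buf`; zone_filter=None keeps all zones."""
    records = []
    for marker, codec in ENCODINGS:
        pos = buf.find(marker)
        while pos != -1:
            rec = parse_zone_transfer(_carve_text(buf, pos, codec), pos)
            if rec is not None and zone_filter in (None, rec.zone_id):
                records.append(rec)
            pos = buf.find(marker, pos + len(marker))
    return records


# Constructed memory sample: one ANSI internet-zone stream, one UTF-16LE
# stream without a referrer, and one intranet-zone stream that is filtered out.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"[ZoneTransfer]\r\nZoneId=3\r\n"
      b"HostUrl=https://example.test/files/tool.zip\r\n"
      b"ReferrerUrl=https://example.test/\r\n\x00"
    + b"unrelated heap data " * 2
    + "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/other.msi\r\n".encode("utf-16-le")
    + b"\x00\x00"
    + b"[ZoneTransfer]\r\nZoneId=2\r\nHostUrl=https://intranet.test/share/x.docx\r\n\x00"
)

if __name__ == "__main__":
    for r in scan_zone_identifier(SAMPLE_MEMORY):
        print(f"0x{r.offset:08x}  zone={r.zone_id}  host={r.host_url}  referrer={r.referrer_url}")
```

Streams in memory are often not NUL-terminated and may be followed by unrelated data, so the carver cuts at the next marker as well as at the first NUL; a missing HostUrl or ReferrerUrl is reported as NotPresent rather than dropped, matching what the plugin prints.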

Cobalt Strike

Scans the memory of every process for a Cobalt Strike Beacon configuration and prints its fields: port, sleep time, jitter, C2 server, POST path, x86/x64 spawn-to paths, named pipe and license (watermark) ID.

❯ vol  -r pretty -p ~/github/volatility_plugins -f Server16-CobaltStrike.raw cobaltstrike
Volatility 3 Framework 2.5.0
Formatting...0.00               PDB scanning finished                        
  |  PID |        Process | Port | Sleep | Jitter |            Server |   POST_PATH |               x86 Install_Path |                x64 Install_Path |                Pipe | License ID
* | 4396 | ShellExperienc | 4444 | 10000 |      0 |                   |             | %windir%\syswow64\rundll32.exe | %windir%\sysnative\rundll32.exe | \\.\pipe\msagent_89 | 1234567890
* | 4396 | ShellExperienc | 4444 | 10000 |      0 |                   |             | %windir%\syswow64\rundll32.exe | %windir%\sysnative\rundll32.exe | \\.\pipe\msagent_89 | 1234567890
* | 4604 |   rundll32.exe |  443 |  5000 |      0 | 54.170.175.43,/ca | /submit.php | %windir%\syswow64\rundll32.exe | %windir%\sysnative\rundll32.exe |                     | 1234567890
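The mechanics behind this kind of extraction, as an added example that is not the plugin's own code: public Beacon config parsers document the configuration as a single-byte XOR-encoded table of big-endian TLV entries (u16 index, u16 type, u16 length, data), opened by the BeaconType entry, whose encoded header serves as the scan signature. The XOR keys, setting indices and the sample table below are assumptions taken from that public description, not from the page.

```python
"""Locate and decode a Cobalt Strike Beacon configuration in a memory buffer.

Added example, not the plugin's own code. The layout it assumes is the one
documented by public Beacon config parsers: the table is XOR-encoded with a
single byte (0x2e for 4.x, 0x69 for 3.x) and holds big-endian TLV entries
(u16 index, u16 type, u16 length, data). The setting indices below and the
sample config are assumptions made for this example.
"""
import struct

XOR_KEYS = (0x2E, 0x69)
TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3
# Setting index -> column name used by the plugin's output (assumed mapping).
SETTINGS = {
    1: "BeaconType", 2: "Port", 3: "Sleep", 5: "Jitter", 8: "Server",
    10: "POST_PATH", 15: "Pipe", 29: "x86 Install_Path",
    30: "x64 Install_Path", 37: "License ID",
}
# Entry 1 (BeaconType, short, length 2) always opens the table, so its
# header 00 01 00 01 00 02, XOR-encoded, is the signature we scan for.
ANCHOR = b"\x00\x01\x00\x01\x00\x02"


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def find_config(buf):
    """Return (offset, key) of the first encoded table, or None."""
    for key in XOR_KEYS:
        pos = buf.find(xor_bytes(ANCHOR, key))
        if pos != -1:
            return pos, key
    return None


def parse_config(clear):
    """Walk decoded TLV entries until the zero index that ends the table."""
    cfg, off = {}, 0
    while off + 6 <= len(clear):
        idx, typ, length = struct.unpack_from(">HHH", clear, off)
        if idx == 0:
            break
        data = clear[off + 6:off + 6 + length]
        if typ == TYPE_SHORT and length == 2:
            val = struct.unpack(">H", data)[0]
        elif typ == TYPE_INT and length == 4:
            val = struct.unpack(">I", data)[0]
        elif typ == TYPE_BYTES and len(data) == length:
            val = data.split(b"\x00", 1)[0].decode("latin-1")  # NUL-padded string
        else:
            break  # malformed entry: stop instead of emitting garbage
        cfg[SETTINGS.get(idx, idx)] = val
        off += 6 + length
    return cfg


def extract_beacon_config(buf, max_len=4096):
    """Find, decode and parse the first Beacon config in `buf` (None if absent)."""
    hit = find_config(buf)
    if hit is None:
        return None
    pos, key = hit
    return parse_config(xor_bytes(buf[pos:pos + max_len], key))


def _tlv(idx, typ, payload):
    return struct.pack(">HHH", idx, typ, len(payload)) + payload


# Constructed sample: a small 4.x-style table (key 0x2e) inside filler bytes.
_CLEAR_TABLE = (
    _tlv(1, TYPE_SHORT, struct.pack(">H", 0))
    + _tlv(2, TYPE_SHORT, struct.pack(">H", 443))
    + _tlv(3, TYPE_INT, struct.pack(">I", 5000))
    + _tlv(5, TYPE_SHORT, struct.pack(">H", 0))
    + _tlv(8, TYPE_BYTES, b"203.0.113.10,/ca".ljust(256, b"\x00"))
    + _tlv(10, TYPE_BYTES, b"/submit.php".ljust(64, b"\x00"))
    + _tlv(29, TYPE_BYTES, b"%windir%\\syswow64\\rundll32.exe".ljust(64, b"\x00"))
    + _tlv(30, TYPE_BYTES, b"%windir%\\sysnative\\rundll32.exe".ljust(64, b"\x00"))
    + _tlv(37, TYPE_INT, struct.pack(">I", 1234567890))
    + b"\x00" * 8                       # zero index terminates the table
)
SAMPLE_MEMORY = b"\x90" * 100 + xor_bytes(_CLEAR_TABLE, 0x2E) + b"\x90" * 100

if __name__ == "__main__":
    for name, value in (extract_beacon_config(SAMPLE_MEMORY) or {}).items():
        print(f"{name:>18}: {value}")
```

The parser stops at the first malformed entry rather than guessing, which is the behaviour you want when the six-byte signature hits unrelated data; a real scan over process memory should also expect the same table to appear more than once in one process (the plugin output above shows PID 4396 twice), since the stager, the reflectively loaded Beacon and heap copies can all hold it.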

Password Managers

Extracts cached passwords from browser process memory. Supports:

$ vol -p ~/github/volatility_plugins -f Win7-Analysis-1d23dece.vmem passwordmanager 
Volatility 3 Framework 2.5.0
Progress:  100.00               PDB scanning finished                                                                                              
PID     Process Username        Password        Domain

3400    chrome.exe      Not found       mt5JwaPvLctWFzBj        https://www.demodomain.co.uk/
3400    chrome.exe      Not found       Not found       https://leakforums.net/
3400    chrome.exe      Not found       rmH61LVBqHSVJ9a2        https://leakforums.net/
3400    chrome.exe      Not found       Not found       https://leakforums.net/

Rich Header

Prints the Rich header XOR key and Rich header hash of the executable backing each process. The Rich header is the block Microsoft's linker writes into the DOS stub recording the toolchain components (product IDs and build numbers) used to build the binary; its hash is useful for clustering samples built with the same toolchain, and processes started from the same binary share the same key and hash (compare the two csrss.exe and the two svchost.exe entries below).

$ vol -p ~/github/volatility_plugins -f Server16-CobaltStrike.raw richheader
Volatility 3 Framework 2.5.0
Progress:  100.00               PDB scanning finished                        
PID     Process XOR Key Rich Header Hash

380     smss.exe        e8fbb614        b4da76d938693e03d2d455ef37561772
512     csrss.exe       fba319c1        e4971216867bfffb7beb058dca378a84
592     csrss.exe       fba319c1        e4971216867bfffb7beb058dca378a84
608     wininit.exe     75318913        f8116f1336d2c70bd16b01ad8be7bb6d
644     winlogon.exe    4bc258ac        c4f0d2eedff3968a8af33cf724e22790
716     services.exe    b05eb20c        75daeb432ccb73aa5349c09bd00c2945
728     lsass.exe       631ad1fb        5a2611fd92fa692a9663952ec838d57b
800     svchost.exe     fdedd411        bdf4caf91c4d0776c4021998c204944a
852     svchost.exe     fdedd411        bdf4caf91c4d0776c4021998c204944a
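How the key and hash are recovered from a mapped image, as an added example that is not the plugin's own code: it finds the clear-text "Rich" marker in the DOS stub, reads the XOR key stored after it, walks backwards decoding DWORDs until the "DanS" start marker appears, and hashes the decoded block. Taking MD5 over the decoded block (DanS, padding and entries) is an assumption; the plugin's exact hash input is not stated on the page. The sample image is constructed here and its product IDs are hypothetical.

```python
"""Recover the Rich header XOR key and hash from a PE image (or the DOS stub
of a process's mapped executable).

Added example, not the plugin's own code. It assumes the usual layout: the
block sits in the DOS stub before e_lfanew, starts with 'DanS' followed by
three padding DWORDs and (comp_id, count) pairs, is XOR-encoded DWORD by
DWORD with a key, and ends with 'Rich' followed by that key in clear. The
hash is taken here as MD5 over the decoded block; the sample image is
constructed, not a real binary.
"""
import hashlib
import struct

DANS = 0x536E6144  # b"DanS" as a little-endian DWORD


def parse_rich_header(image):
    """Return {'key', 'clear', 'entries', 'hash'} or None if no Rich header."""
    if len(image) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    # Only the DOS stub (everything before the PE signature) can hold it.
    stub = image[:e_lfanew] if 0x40 <= e_lfanew <= len(image) else image
    rich = stub.rfind(b"Rich")
    if rich == -1 or rich % 4 or rich + 8 > len(stub):
        return None
    key = struct.unpack_from("<I", stub, rich + 4)[0]
    # Walk back one DWORD at a time, XOR-ing with the key, until DanS shows up.
    dans = next(
        (off for off in range(rich - 4, -1, -4)
         if struct.unpack_from("<I", stub, off)[0] ^ key == DANS),
        None,
    )
    if dans is None:
        return None
    key_bytes = struct.pack("<I", key)
    clear = bytes(b ^ key_bytes[i % 4] for i, b in enumerate(stub[dans:rich]))
    # Skip 'DanS' + 3 padding DWORDs; each entry is (product_id<<16 | build, use count).
    entries = []
    for off in range(16, len(clear) - 7, 8):
        comp_id, count = struct.unpack_from("<II", clear, off)
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return {
        "key": key,
        "clear": clear,
        "entries": entries,
        "hash": hashlib.md5(clear).hexdigest(),
    }


def build_sample_image(key=0x12345678):
    """Construct a minimal MZ image whose DOS stub carries a Rich header."""
    clear = (
        b"DanS" + b"\x00" * 12
        + struct.pack("<II", (0x00DE << 16) | 0x5E6E, 5)     # hypothetical prodid/build
        + struct.pack("<II", (0x0105 << 16) | 0x5E6E, 12)
    )
    key_bytes = struct.pack("<I", key)
    encoded = bytes(b ^ key_bytes[i % 4] for i, b in enumerate(clear))
    rich_block = encoded + b"Rich" + key_bytes
    dos = bytearray(0x80)                      # DOS header + stub padding
    dos[0:2] = b"MZ"
    pe_offset = len(dos) + len(rich_block)
    pe_offset += (-pe_offset) % 8              # keep the PE header 8-byte aligned
    struct.pack_into("<I", dos, 0x3C, pe_offset)
    image = bytes(dos) + rich_block
    return image + b"\x00" * (pe_offset - len(image)) + b"PE\x00\x00"


if __name__ == "__main__":
    rh = parse_rich_header(build_sample_image())
    print(f"XOR key {rh['key']:08x}  hash {rh['hash']}")
    for prod_id, build, count in rh["entries"]:
        print(f"  prodid=0x{prod_id:04x} build={build} count={count}")
```

Because the hash is computed over the decoded block, two images with the same toolchain entries but different keys hash identically, which is what makes it a clustering feature; the key itself is a checksum the linker derives from the DOS header and entries, so recomputing it (not done here) is a cheap way to spot a Rich header that has been copied or patched.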

Vol2

These plugins are no longer actively maintained and have been, or will be, ported to Volatility 3.

USBSTOR

Parses USBSTOR and related registry keys from memory to identify USB devices that have been connected to the system.

LastPass

Reads browser process memory and attempts to recover any resident LastPass artefacts.