Cheatsheet-Volatility v3


Volatility 3.0 Windows Cheat Sheet

by BpDZone via cheatography.com/200201/cs/42321/

Installation

1) Install Visual Studio C++ build tools (both 64 and 32 bit).
2) Clone the latest Volatility version:
git clone https://github.com/volatilityfoundation/volatility3.git
3) As of 02.2024 the plugin yara-python is not yet updated, so make sure to delete it from requirements.txt before installing.
py -m pip install -r requirements.txt
4) Download the symbol tables and extract them inside "volatility3\symbols":
Windows
Mac
Linux
5) Start the installation by entering the following commands in this order.
py setup.py build
py setup.py install
Once the last command finishes, Volatility will be ready for use.

OS Information

#Show OS & kernel details of the memory sample being analyzed.
py vol.py -f "filename" windows.info

Hashes

#Dumps user hashes from memory
py vol.py -f "filename" windows.hashdump.Hashdump

Cache

#Dumps lsa secrets from memory
py vol.py -f "filename" windows.cachedump.Cachedump

Environment Variables

#Display process environment variables
py vol.py -f "filename" windows.envars.Envars

Symlinks

#Scans for links present in a particular windows memory image.
py vol.py -f "filename" windows.symlinkscan.SymlinkScan

Network

#Scans for network objects present in a particular windows memory image.
py vol.py -f "filename" windows.netscan
#Traverses network tracking structures present in a particular windows memory image.
py vol.py -f "filename" windows.netstat

Registry

#Lists the registry hives present in a particular memory image.
py vol.py -f "filename" windows.registry.hivelist
#Scans for registry hives present in a particular windows memory image.
py vol.py -f "filename" windows.registry.hivescan
#Lists the registry keys under a hive or specific key value.
py vol.py -f "filename" windows.registry.printkey.PrintKey --key <KEY>

Command line arguments

#Lists process command line arguments.
py vol.py -f "filename" windows.cmdline.CmdLine

Services

#Lists process token sids.
py vol.py -f "filename" windows.getservicesids.GetServiceSIDs

Drivers

#List IRPs for drivers in a particular windows memory image.
py vol.py -f "filename" windows.driverirp.DriverIrp
#Scans for drivers present in a particular windows memory image.
py vol.py -f "filename" windows.driverscan.DriverScan

Processes

#Get process list (EPROCESS)
py vol.py -f "filename" windows.pslist
#Get hidden process list (malware)
py vol.py -f "filename" windows.psscan
#Get process tree (not hidden)
py vol.py -f "filename" windows.pstree
#Dumps cached file contents from memory samples
py vol.py -f "filename" -o "output/dir" windows.dumpfiles --pid <PID>
#Prints the memory map
py vol.py -f "filename" -o "output/dir" windows.memmap --dump --pid <PID>
#Lists process open handles.
py vol.py -f "filename" windows.handles --pid <PID>
#Lists the loaded modules in a particular windows memory image.
py vol.py -f "filename" windows.dlllist --pid <PID>
#Lists process token privileges
py vol.py -f "filename" windows.privileges.Privs

By BpDZone, cheatography.com/bpdzone/. Not published yet. Last updated 7th February, 2024. Sponsored by CrosswordCheats.com.

Files

#Scans for file objects present in a particular windows memory image.
py vol.py -f "filename" windows.filescan
#Dumps cached file contents from Windows memory samples (the global -f and -o options go before the plugin name).
py vol.py -f "filename" -o "output/dir" windows.dumpfiles

Malware General

#Lists process memory ranges that potentially contain injected code.
py vol.py -f "filename" windows.malfind.Malfind
#Lists the system call table.
py vol.py -f "filename" windows.ssdt.SSDT
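The commands above are one-liners typed by hand; in a triage run you usually want to invoke several of them against the same image, keep the argument order straight (global options such as -f and -o before the plugin name, plugin options such as --pid after it) and then compare the results. The script below is an added example, not part of the cheat sheet or of the Volatility project. It builds the argv for a plugin run, drives vol.py with Volatility 3's JSON renderer (-r json) so the output can be parsed instead of screen-scraped, and implements the check the Processes section hints at: a process that windows.psscan finds but windows.pslist does not is either unlinked from the active process list or has merely exited, and the ExitTime column separates the two. The row layout (PID, ImageFileName, ExitTime, __children) matches what the JSON renderer emits; the sample rows are constructed for the example, and vol.py is assumed to be in the current directory as in the cheat sheet.

```python
"""Triage helpers around Volatility 3's JSON renderer (added example)."""
import json
import subprocess
import sys
from typing import Dict, Iterable, List, Optional


def plugin_command(image: str, plugin: str, outdir: Optional[str] = None,
                   pid: Optional[int] = None) -> List[str]:
    """Build argv for one plugin run.

    Global options (-f, -o, -r) must precede the plugin name; plugin options
    such as --pid must follow it, exactly as in the cheat sheet's one-liners.
    """
    cmd = [sys.executable, "vol.py", "-f", image]
    if outdir is not None:
        cmd += ["-o", outdir]
    cmd += ["-r", "json", plugin]          # JSON renderer instead of the pretty table
    if pid is not None:
        cmd += ["--pid", str(pid)]
    return cmd


def run_plugin(image: str, plugin: str, **kwargs) -> List[dict]:
    """Run the plugin and return its parsed rows (needs vol.py in the cwd)."""
    proc = subprocess.run(plugin_command(image, plugin, **kwargs),
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def flatten(rows: Iterable[dict]) -> List[dict]:
    """Flatten the '__children' nesting that tree-shaped plugins (pstree) emit."""
    flat: List[dict] = []
    for row in rows:
        flat.append(row)
        flat.extend(flatten(row.get("__children") or []))
    return flat


def _has_exited(row: dict) -> bool:
    # The renderer emits null (or a placeholder) when ExitTime is unset.
    return row.get("ExitTime") not in (None, "", "-", "N/A")


def hidden_processes(pslist_rows: Iterable[dict],
                     psscan_rows: Iterable[dict]) -> Dict[str, List[dict]]:
    """Compare the EPROCESS linked list (pslist) with pool-tag scanning (psscan).

    Rows only psscan knows about are split into 'unlinked' (still running but
    absent from the active list, the classic hiding technique) and 'exited'
    (terminated processes whose EPROCESS is still in memory). Matching is by
    PID, which is a simplification: PIDs are reused, so confirm a hit against
    Offset(V) and CreateTime before acting on it.
    """
    listed = {row["PID"] for row in flatten(pslist_rows)}
    result: Dict[str, List[dict]] = {"unlinked": [], "exited": []}
    for row in flatten(psscan_rows):
        if row["PID"] in listed:
            continue
        result["exited" if _has_exited(row) else "unlinked"].append(row)
    return result


# Constructed sample rows in the shape of `-r json` output (not from a real image).
SAMPLE_PSLIST = [
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": None, "__children": []},
    {"PID": 600, "PPID": 4, "ImageFileName": "smss.exe", "ExitTime": None, "__children": []},
    {"PID": 1234, "PPID": 600, "ImageFileName": "explorer.exe", "ExitTime": None, "__children": []},
]
SAMPLE_PSSCAN = SAMPLE_PSLIST + [
    {"PID": 2048, "PPID": 1234, "ImageFileName": "svchost.exe", "ExitTime": None, "__children": []},
    {"PID": 3001, "PPID": 1234, "ImageFileName": "notepad.exe",
     "ExitTime": "2024-02-07 10:15:00.000000", "__children": []},
]
SAMPLE_PSTREE = [
    {"PID": 4, "ImageFileName": "System", "__children": [
        {"PID": 600, "ImageFileName": "smss.exe", "__children": [
            {"PID": 1234, "ImageFileName": "explorer.exe", "__children": []}]}]},
]


if __name__ == "__main__":
    if len(sys.argv) > 1:                  # real run: python triage.py "filename"
        image = sys.argv[1]
        found = hidden_processes(run_plugin(image, "windows.pslist"),
                                 run_plugin(image, "windows.psscan"))
    else:                                  # offline demo on the constructed rows
        found = hidden_processes(SAMPLE_PSLIST, SAMPLE_PSSCAN)
    for kind, rows in found.items():
        for row in rows:
            print(f"{kind}: PID {row['PID']} {row['ImageFileName']}")
```

Run it with the image path as the only argument to compare the real plugin output, or without arguments to see the constructed case, where svchost.exe (PID 2048) is reported as unlinked and notepad.exe (PID 3001) merely as exited. The same plugin_command helper covers the Files section: plugin_command(image, "windows.dumpfiles", outdir="output/dir", pid=1234) puts -o before the plugin name and --pid after it.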

