-
Notifications
You must be signed in to change notification settings - Fork 0
/
volatility.cheat
76 lines (52 loc) · 4.86 KB
/
volatility.cheat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
% memory dump analysis volatility2
## heavely edited but creds go to (https://medium.com/@zemelusa/first-steps-to-volatile-memory-analysis-dcbd4d2d56a1)
$ dump-location: ls *.bin *.mem *.dmp 2>/dev/null | sort -u | tr ' ' '\n'
## base64 encoded data is:
## $ active-profile-options: python3 -c "import os; p = os.popen('volatility2 --info 2> /dev/null');a = p.read(); p.close(); print('\n'.join(a.split('--------')[1].replace(' \n', '\n').split('\n\n')[0].split('\n')[1:]))" | tr -s ' '
## i don't know why it is not working without baseing it. (i hope it's a temp fix. ;) )
## $ active-profile-options: echo L3Vzci9zYmluL3B5dGhvbjMgLWMgImltcG9ydCBvczsgcCA9IG9zLnBvcGVuKCd2b2xhdGlsaXR5MiAtLWluZm8gIDI+IC9kZXYvbnVsbCcpO2EgPSBwLnJlYWQoKTsgcC5jbG9zZSgpOyBwcmludCgnXG4nLmpvaW4oYS5zcGxpdCgnLS0tLS0tLS0nKVsxXS5yZXBsYWNlKCcgXG4nLCAnXG4nKS5zcGxpdCgnXG5cbicpWzBdLnNwbGl0KCdcbicpWzE6XSkpIiB8IHRyIC1zICcgJwo= | base64 -d | sh
## $ active-profile-options: "python3 -c $(printf '\x22')import os; p = os.popen('volatility2 --info 2> /dev/null');a = p.read(); p.close(); print('\n'.join(a.split('\x2D\x2D\x2D\x2D\x2D\x2D\x2D\x2D')[1].replace(' \n', '\n').split('\n\n')[0].split('\n')[1:]))$(printf '\x22') | tr -s ' '"
$ active-profile-options: echo cHl0aG9uMyAtYyAiaW1wb3J0IG9zOyBwID0gb3MucG9wZW4oJ3ZvbGF0aWxpdHkyIC0taW5mbyAgMj4gL2Rldi9udWxsJyk7YSA9IHAucmVhZCgpOyBwLmNsb3NlKCk7IHByaW50KCdcbicuam9pbihhLnNwbGl0KCctLS0tLS0tLScpWzFdLnJlcGxhY2UoJyBcbicsICdcbicpLnNwbGl0KCdcblxuJylbMF0uc3BsaXQoJ1xuJylbMTpdKSkiIHwgdHIgLXMgJyAnCg== | base64 -d | sh
# download and install/make volatality2
lwd="$(pwd)";TMPDIR=$(mktemp -d);cd $TMPDIR;wget https://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_lin64_standalone.zip;unzip vol*;rm *.zip;cd vol*;chmod +x vol*;sudo mv vol* /bin/volatility2 || echo "need sudo to move volatility2 to /bin/";cd $lwd
# make/create .active-profile.txt volatility2
echo "<active-profile-options>" | cut -d ' ' -f 1 > .active-profile.txt
# volatility2 What type of dump am I going to analyze
volatility2 -f <dump-location> imageinfo | tee -a imageinfo.out
# volatility2 Print all running processes by following the EPROCESS lists
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) pslist | tee -a pslist.out
# volatility2 Print process list as a tree
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) pstree | tee -a pstree.out
# volatility2 Find hidden processes with various process listings
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) psxview | tee -a psxview.out
# volatility2 List open TCP/UDP connections
# volatility2 Pool scanner for tcp connections
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) connscan | tee -a connscan.out
# volatility2 Print list of open sockets
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) sockets | tee -a sockets.out
# volatility2 Display process command-line arguments
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) cmdline | tee -a cmdline.out
# volatility2 Extract command history by scanning for _CONSOLE_INFORMATION
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) consoles | tee -a consoles.out
# volatility2 Extract command history by scanning for _COMMAND_HISTORY
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) cmdscan | tee -a cmdscan.out
# volatility2 Dump a process to an executable file sample
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) procdump -p <pid> --dump-dir .
# volatility2 Dump the addressable memory for a process (dump the memory of the proc)
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) memdump -p <pid> --dump-dir .
# volatility2 Print list of registry hives.
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) hivelist | tee -a hivelist.out
# volatility2 Print a registry key, and its subkeys and values
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) printkey -K "<regedit-path>" | tee -a <regedit-path>.out
# volatility2 dump Passwords from a memdump using Mimikatz
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) mimikatz | tee -a Mimikatz.out
# volatility2 Check clipboard for saved things
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) clipboard | tee -a Clipboard.out
# volatility2 Check Environment Variables content of a MemDump
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) envars | tee -a Envars.out
# volatility2 Check Browser history from a memdump
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) iehistory | tee -a iehistory.out
# volatility2 Do a file scan for interesting files in the memdump
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) filescan | tee -a filescan.out
# volatility2 get screenshot from a memdump
volatility2 -f <dump-location> --profile=$(cat .active-profile.txt) screenshot -D .