Plugins

A plugin is a software component that adds a specific feature to an existing computer program. When a program supports plugins, it enables customization. In volatility along with the profile, we give the plugins as the input to get the desired output. Here are some of the core plugins and how we can use them.

Core Plugins

imageinfo

This particular command is most often used to identify the operating system, service pack, and hardware architecture (32 or 64 bit).

The imageinfo output tells you the suggested profile that you should pass as the parameter to --profile=PROFILE when using other plugins. There may be more than the one suggested profile and we must be careful to select the correct one.

Usage

$ volatility -f memory.dump imageinfo

As you can see this command helps you to know the suggested profiles, the date and time dump image were created and no of processors.

pslist

This is a significantly used plugin which helps in listing the details of the processes which were running when the dump was taken. It shows the offset, process name, process ID(PID), the parent process ID(PPID), number of threads, number of handles, and date/time when the process started and exited.

Usage

$ volatility -f memory.dump --profile=Win7SP1x86 pslist

However, pslist fails to show hidden/terminated processes. The plugin which solves this problem is psscan. Try it out!!

pstree

To view the process listing in tree form, use the pstree command. This plugin uses the same approach as pslist hence it'll not display the hidden/terminated processes.

But the one advantage that this plugin gives is that we can easily identify the parent & child processes.

Usage

$ volatility -f memory.dump --profile=Win7SP1x86 pstree

cmdscan

The cmdscan plugin searches the memory for conhost.exe on Windows 7 Operating systems. This is one of the most powerful commands you can use to gain visibility into an attackers actions on a victim system, whether they opened cmd.exe

This plugin finds structures known as COMMAND_HISTORY by looking for a known constant value (MaxHistory) and then applying sanity checks.

To put it simply, you can see the content that the attacker typed in the command prompt.

Usage

$ volatility -f memory.dump --profile=Win7SP1x86 cmdscan

By default, the value in MAXHistory is set to 50. We can change that. Also, cmdscan can print up to 50 commands. We can increase that by adding  --max_history=NUMBER along with the plugin command.

consoles

To put it quite simply, consoles display the same content as cmdscan.

However, the advantage that consoles gives is that it also prints the output which was displayed for a specific instruction given in the command prompt.

Usage

$ volatility -f memory.dump --profile=Win7SP1x86 consoles

filescan

This will find open files even if a rootkit is hiding the files on disk and if the rootkit hooks some API functions to hide the open handles on a live system. The output shows the physical offset of the FILE_OBJECT, file name, number of pointers to the object, number of handles to the object, and the effective permissions granted to the object.

Usage

$ volatility -f memory.dump --profile=Win7SP1x86 filescan

dumpfiles

An important concept that everyone who has worked on the study of Operating Systems is the idea of caching. Files are cached in memory for system performance as they are accessed and used. This makes cache an important source for collecting valuable info.

The dumpfiles plugin has many options. Let us have a look at what they are:

-r REGEX, --regex=REGEX
                        Dump files matching REGEX
  -i, --ignore-case     Ignore case in pattern match
  -o OFFSET, --offset=OFFSET
                        Dump files for Process with physical address OFFSET
  -Q PHYSOFFSET, --physoffset=PHYSOFFSET
                        Dump File Object at physical address PHYSOFFSET
  -D DUMP_DIR, --dump-dir=DUMP_DIR
                        Directory in which to dump extracted files
  -S SUMMARY_FILE, --summary-file=SUMMARY_FILE
                        File where to store summary information
  -p PID, --pid=PID     Operate on these Process IDs (comma-separated)
  -n, --name            Include extracted filename in output file path
  -u, --unsafe          Relax safety constraints for more data
  -F FILTER, --filter=FILTER
                        Filters to apply (comma-separated)

Usage

$ volatility -f memory.dump --profile=Win7SP1x86 dumpfiles -Q <Offset> -D <dump folder>

envars

To display a process’s environment variables, use the envars plugin. Typically this will show the number of CPUs installed and the hardware architecture, the process’s current directory, temporary directory, session name, computer name, username, and various other interesting artifacts.

Usage

$ volatility -f memory.dump --profile=Win7SP1x86 envars

hashdump

So here's the fun and exciting part. You can literally get the hashes of the domain credentials stored in the registry using hashdump. What I mean to say is that you can actually get the passwords of the users. These are NTLM hashes. These hashes can be cracked using online NTLM crackers like crackstation.net

Usage

$ volatility -f memory.dump --profile=Win7SP1x86 hashdump

Listing out other plugins

Volatility is capable of doing a lot of things. Some of them include but not limited to:

• Detect active connections
• Detect potential malware in the memory dump
• List all the open files in the system
  • If they aren’t paged out, you can even extract the files.
• Dump registry hives
• Extract browser history
• List loaded drivers etc…

This is just a small list of what volatility can do. If you would like to know more details you can try executing this on your memory dump and volatility will list out all the plugins supported for the profile you mentioned.

$ volatility -f memory.dmp --profile=WinXPSP2x86 -h

Browser History plugins

For extracting the browser history, volatility doesn't come with those plugins for extracting history from Memory dumps. You need to clone/download these additional plugins from this github repo and provide the path where you download these additional plugins.

$ volatility --plugins=/Path/to/the/cloned/repo -f memory.dmp --profile=WinXPSP2x86 -h

On executing the above command by replacing the /Path/to/the/cloned/repo to your path, you can see the additional plugins listed in the list of plugins you see.

If you want to know more about different plugins, Volatility has a command reference based on the memory dump's OS.

• Windows - Command Reference
• Linux - Command Reference
• Mac OSX - Command Reference