Volatility3 windows插件详解
发现三个系统加起来太tm多了先搞windows剩下的有缘再见banners.Banners识别linux镜像的banner信息不识别windows的镜像isfinfo.IsfInfo确定当前可用的ISF文件具体什么是ISF文件,我也没查到如下layerwriter.LayerWriterRuns the automagics and writes out the primary layer pro
发现三个系统加起来太tm多了
先搞windows
剩下的有缘再见
banners.Banners
识别linux镜像的banner信息
不识别windows的镜像
isfinfo.IsfInfo
确定当前可用的ISF文件
具体什么是ISF文件,我也没查到
如下
layerwriter.LayerWriter
Runs the automagics and writes out the primary layer produced by the stacker.
运行 automagics 并写出堆栈器产生的主层
timeliner.Timeliner
Runs all relevant plugins that provide time related information and orders the results by time.
运行所有提供时间相关信息并按时间排序结果的相关插件,简称,全自动洗衣机
windows.bigpools.BigPools
List big page pools.
咱也看不懂,咱也不敢问
windows.cachedump.Cachedump
Dumps lsa secrets from memory
从内存中转储 lsa 密码
我这是转储失败了
windows.callbacks.Callbacks
Lists kernel callbacks and notification routines.
列出内核回调和通知例程
windows.cmdline.CmdLine
Lists process command line arguments.
列出进程命令行参数
windows.crashinfo.Crashinfo
windows.dlllist.DllList
Lists the loaded modules in a particular windows memory image.
列出加载的dll
windows.driverirp.DriverIrp
List IRPs for drivers in a particular windows memory image.
列出Windows 镜像中驱动程序的 IRP
windows.driverscan.DriverScan
Scans for drivers present in a particular windows memory image.
扫描存在于 Windows 镜像中的驱动程序
windows.dumpfiles.DumpFiles
Dumps cached file contents from Windows memory samples.
从 Windows 内存中转储缓存的文件内容,文件夹要爆了
windows.envars.Envars
Display process environment variables
显示进程环境变量
windows.filescan.FileScan
Scans for file objects present in a particular windows memory image.
扫描文件
windows.getservicesids.GetServiceSIDs
Lists process token sids.
windows.getsids.GetSIDs
Print the SIDs owning each process
列出每个进程的sid
windows.handles.Handles
Lists process open handles.
列出进程打开的句柄
windows.hashdump.Hashdump
Dumps user hashes from memory
获取哈希,都懂的
windows.info.Info
Show OS & kernel details of the memory sample being analyzed.
获取系统内核信息
windows.lsadump.Lsadump
Dumps lsa secrets from memory
从内存中转储 lsa 密码
和cachedump一样的解释,但是执行的结果却不一样
windows.malfind.Malfind
Lists process memory ranges that potentially contain injected code.
列出可能包含注入代码的进程内存范围
windows.memmap.Memmap
Prints the memory map
打印内存映射
windows.modscan.ModScan
Scans for modules present in a particular windows memory image.
扫描 Windows 内存映像中存在的模块
windows.modules.Modules
Lists the loaded kernel modules.
列出加载的内核模块
windows.mutantscan.MutantScan
Scans for mutexes present in a particular windows memory image.
扫描特定 Windows 内存映像中存在的互斥锁,游戏多开用的就是mutex
windows.netscan.NetScan
Scans for network objects present in a particular windows memory image.
扫描存在于 Windows 内存映像中的网络对象
windows.netstat.NetStat
Traverses network tracking structures present in a particular windows memory image.
遍历 Windows 内存映像中存在的网络状态
就像执行了netstat -ano 一样
windows.poolscanner.PoolScanner
A generic pool scanner plugin.
windows.privileges.Privs
Lists process token privileges
windows.pslist.PsList
Lists the processes present in a particular windows memory image.
windows.psscan.PsScan
Scans for processes present in a particular windows memory image.
就像在linux中执行了ps一样
windows.pstree.PsTree
Plugin for listing processes in a tree based on their parent process ID.
根据父进程 ID 在树中列出进程的插件
反正我是没有看出来树形结构体现在哪
windows.registry.certificates.Certificates
Lists the certificates in the registry’s Certificate Store.
列出注册表的证书存储中的证书
windows.registry.hivelist.HiveList
Lists the registry hives present in a particular memory image.
列出内存映像中存在的注册表配置
windows.registry.hivescan.HiveScan
Scans for registry hives present in a particular windows memory image.
扫描 windows 中存在的注册表配置单元
windows.registry.printkey.PrintKey
Lists the registry keys under a hive or specific key value.
列出配置单元或特定键值下的注册表项
windows.registry.userassist.UserAssist
Print userassist registry keys and information.
打印 userassist 注册表项和信息
windows.skeleton_key_check.Skeleton_Key_Check
Looks for signs of Skeleton Key malware
寻找 Skeleton Key 恶意软件的迹象
windows.ssdt.SSDT
Lists the system call table.
列出系统调用表
windows.statistics.Statistics
统计数据
windows.strings.Strings
Reads output from the strings command and indicates which process(es) each string belongs to.
读取 strings 命令的输出并指示每个字符串属于哪个进程
已尽力,卒。
windows.svcscan.SvcScan
Scans for windows services.
服务扫描
windows.symlinkscan.SymlinkScan
Scans for links present in a particular windows memory image.
扫描存在于 Windows 内存映像中的链接
windows.vadinfo.VadInfo
Lists process memory ranges.
列出进程内存范围
windows.verinfo.VerInfo
Lists version information from PE files.
列出 PE 文件的版本信息
windows.virtmap.VirtMap
Lists virtual mapped sections.
列出虚拟映射section
更多推荐
所有评论(0)