发现三个系统加起来太tm多了
先搞windows
剩下的有缘再见

banners.Banners

识别linux镜像的banner信息
不识别windows的镜像

isfinfo.IsfInfo

确定当前可用的ISF文件
具体什么是ISF文件，我也没查到
如下

layerwriter.LayerWriter

Runs the automagics and writes out the primary layer produced by the stacker.
运行 automagics 并写出堆栈器产生的主层

timeliner.Timeliner

Runs all relevant plugins that provide time related information and orders the results by time.
运行所有提供时间相关信息并按时间排序结果的相关插件，简称，全自动洗衣机

windows.bigpools.BigPools

List big page pools.
咱也看不懂，咱也不敢问

windows.cachedump.Cachedump

Dumps lsa secrets from memory
从内存中转储 lsa 密码
我这是转储失败了

windows.callbacks.Callbacks

Lists kernel callbacks and notification routines.
列出内核回调和通知例程

windows.cmdline.CmdLine

Lists process command line arguments.
列出进程命令行参数

windows.crashinfo.Crashinfo

windows.dlllist.DllList

Lists the loaded modules in a particular windows memory image.
列出加载的dll

windows.driverirp.DriverIrp

List IRPs for drivers in a particular windows memory image.
列出Windows 镜像中驱动程序的 IRP

windows.driverscan.DriverScan

Scans for drivers present in a particular windows memory image.
扫描存在于 Windows 镜像中的驱动程序

windows.dumpfiles.DumpFiles

Dumps cached file contents from Windows memory samples.
从 Windows 内存中转储缓存的文件内容，文件夹要爆了

windows.envars.Envars

Display process environment variables
显示进程环境变量

windows.filescan.FileScan

Scans for file objects present in a particular windows memory image.
扫描文件

windows.getservicesids.GetServiceSIDs

Lists process token sids.

windows.getsids.GetSIDs

Print the SIDs owning each process
列出每个进程的sid

windows.handles.Handles

Lists process open handles.
列出进程打开的句柄

windows.hashdump.Hashdump

Dumps user hashes from memory
获取哈希，都懂的

windows.info.Info

Show OS & kernel details of the memory sample being analyzed.
获取系统内核信息

windows.lsadump.Lsadump

Dumps lsa secrets from memory
从内存中转储 lsa 密码
和cachedump一样的解释，但是执行的结果却不一样

windows.malfind.Malfind

Lists process memory ranges that potentially contain injected code.
列出可能包含注入代码的进程内存范围

windows.memmap.Memmap

Prints the memory map
打印内存映射

windows.modscan.ModScan

Scans for modules present in a particular windows memory image.
扫描 Windows 内存映像中存在的模块

windows.modules.Modules

Lists the loaded kernel modules.
列出加载的内核模块

windows.mutantscan.MutantScan

Scans for mutexes present in a particular windows memory image.
扫描特定 Windows 内存映像中存在的互斥锁，游戏多开用的就是mutex

windows.netscan.NetScan

Scans for network objects present in a particular windows memory image.
扫描存在于 Windows 内存映像中的网络对象

windows.netstat.NetStat

Traverses network tracking structures present in a particular windows memory image.
遍历 Windows 内存映像中存在的网络状态
就像执行了netstat -ano 一样

windows.poolscanner.PoolScanner

A generic pool scanner plugin.

windows.privileges.Privs

Lists process token privileges

windows.pslist.PsList

Lists the processes present in a particular windows memory image.

windows.psscan.PsScan

Scans for processes present in a particular windows memory image.
就像在linux中执行了ps一样

windows.pstree.PsTree

Plugin for listing processes in a tree based on their parent process ID.
根据父进程 ID 在树中列出进程的插件
反正我是没有看出来树形结构体现在哪

windows.registry.certificates.Certificates

Lists the certificates in the registry’s Certificate Store.
列出注册表的证书存储中的证书

windows.registry.hivelist.HiveList

Lists the registry hives present in a particular memory image.
列出内存映像中存在的注册表配置

windows.registry.hivescan.HiveScan

Scans for registry hives present in a particular windows memory image.
扫描 windows 中存在的注册表配置单元

windows.registry.printkey.PrintKey

Lists the registry keys under a hive or specific key value.
列出配置单元或特定键值下的注册表项

windows.registry.userassist.UserAssist

Print userassist registry keys and information.
打印 userassist 注册表项和信息

windows.skeleton_key_check.Skeleton_Key_Check

Looks for signs of Skeleton Key malware
寻找 Skeleton Key 恶意软件的迹象

windows.ssdt.SSDT

Lists the system call table.
列出系统调用表

windows.statistics.Statistics

统计数据

windows.strings.Strings

Reads output from the strings command and indicates which process(es) each string belongs to.
读取 strings 命令的输出并指示每个字符串属于哪个进程
已尽力，卒。

windows.svcscan.SvcScan

Scans for windows services.
服务扫描

windows.symlinkscan.SymlinkScan

Scans for links present in a particular windows memory image.
扫描存在于 Windows 内存映像中的链接

windows.vadinfo.VadInfo

Lists process memory ranges.
列出进程内存范围

windows.verinfo.VerInfo

Lists version information from PE files.
列出 PE 文件的版本信息

windows.virtmap.VirtMap

Lists virtual mapped sections.
列出虚拟映射section