git clone https://github.com/volatilityfoundation/volatility3.git
Then download the symbol table packs for the operating systems you need to analyze:
https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip
https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip
https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip
The symbol table zip files must be placed, as named, into the volatility/symbols directory.
I’m using Windows, and this is the result
There is now no need to define a profile; the symbol tables are matched automatically.
PsList: python ./vol.py -f xxx.raw windows.pslist.PsList
Here is the list of modules in Beta 2.0:
banners.Banners
configwriter.ConfigWriter
frameworkinfo.FrameworkInfo
isfinfo.IsfInfo
layerwriter.LayerWriter
linux.bash.Bash
linux.check_afinfo.Check_afinfo
linux.check_creds.Check_creds
linux.check_idt.Check_idt
linux.check_modules.Check_modules
linux.check_syscall.Check_syscall
linux.elfs.Elfs
linux.keyboard_notifiers.Keyboard_notifiers
linux.lsmod.Lsmod
linux.lsof.Lsof
linux.malfind.Malfind
linux.proc.Maps
linux.pslist.PsList
linux.pstree.PsTree
linux.tty_check.tty_check
mac.bash.Bash
mac.check_syscall.Check_syscall
mac.check_sysctl.Check_sysctl
mac.check_trap_table.Check_trap_table
mac.ifconfig.Ifconfig
mac.kauth_listeners.Kauth_listeners
mac.kauth_scopes.Kauth_scopes
mac.kevents.Kevents
mac.list_files.List_Files
mac.lsmod.Lsmod
mac.lsof.Lsof
mac.malfind.Malfind
mac.mount.Mount
mac.netstat.Netstat
mac.proc_maps.Maps
mac.psaux.Psaux
mac.pslist.PsList
mac.pstree.PsTree
mac.socket_filters.Socket_filters
mac.timers.Timers
mac.trustedbsd.Trustedbsd
mac.vfsevents.VFSevents
timeliner.Timeliner
windows.bigpools.BigPools
windows.cmdline.CmdLine
windows.dlllist.DllList
windows.driverirp.DriverIrp
windows.driverscan.DriverScan
windows.envars.Envars
windows.filescan.FileScan
windows.getservicesids.GetServiceSIDs
windows.getsids.GetSIDs
windows.handles.Handles
windows.info.Info
windows.malfind.Malfind
windows.memmap.Memmap
windows.modscan.ModScan
windows.modules.Modules
windows.mutantscan.MutantScan
windows.netscan.NetScan
windows.poolscanner.PoolScanner
windows.privileges.Privs
windows.pslist.PsList
windows.psscan.PsScan
windows.pstree.PsTree
windows.registry.certificates.Certificates
windows.registry.hivelist.HiveList
windows.registry.hivescan.HiveScan
windows.registry.printkey.PrintKey
windows.registry.userassist.UserAssist
windows.ssdt.SSDT
windows.statistics.Statistics
windows.strings.Strings
windows.symlinkscan.SymlinkScan
windows.vadinfo.VadInfo
windows.verinfo.VerInfo
windows.virtmap.VirtMap
If you install yara-python (pip install yara-python; on Windows, building it requires Microsoft Visual C++ 14),
then you have these additional modules:
windows.callbacks.Callbacks
windows.svcscan.SvcScan
windows.vadyarascan.VadYaraScan
yarascan.YaraScan
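The setup and plugin invocation above, as an added batch-triage script (my own example, not part of the original post or of the Volatility project): it checks that the three symbol packs are present in volatility/symbols, then runs a handful of the Windows plugins listed above against one image and saves each plugin's output to its own file so one failing plugin does not stop the rest. The volatility3 checkout path, the image name, the plugin selection and the output directory are assumptions.

```python
"""Batch triage with Volatility 3: verify the symbol packs are in place,
then run a fixed list of plugins against one memory image."""
import subprocess
import sys
from pathlib import Path

# Plugins chosen from the module list above (assumed selection);
# windows.info first, because it shows whether image and symbols were recognised.
TRIAGE_PLUGINS = [
    "windows.info.Info",
    "windows.pslist.PsList",
    "windows.pstree.PsTree",
    "windows.psscan.PsScan",
    "windows.cmdline.CmdLine",
    "windows.netscan.NetScan",
    "windows.malfind.Malfind",
    "windows.ssdt.SSDT",
]

SYMBOL_PACKS = ("windows.zip", "mac.zip", "linux.zip")


def missing_symbol_packs(symbols_dir):
    """Return the symbol packs that are not present in volatility/symbols."""
    symbols_dir = Path(symbols_dir)
    return [p for p in SYMBOL_PACKS if not (symbols_dir / p).is_file()]


def build_command(vol_py, image, plugin, python=sys.executable):
    """argv for one run, mirroring 'python ./vol.py -f xxx.raw windows.pslist.PsList'."""
    return [python, str(vol_py), "-f", str(image), plugin]


def run_triage(vol_py, image, out_dir, plugins=TRIAGE_PLUGINS):
    """Run each plugin, save stdout to out_dir/<plugin>.txt (stderr to .err on
    failure) and return {plugin: returncode} so the caller can see what failed."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    results = {}
    for plugin in plugins:
        proc = subprocess.run(build_command(vol_py, image, plugin),
                              capture_output=True, text=True)
        (out_dir / f"{plugin}.txt").write_text(proc.stdout)
        if proc.returncode != 0:
            (out_dir / f"{plugin}.err").write_text(proc.stderr)
        results[plugin] = proc.returncode
    return results


if __name__ == "__main__":
    vol_root = Path(sys.argv[1])   # the cloned volatility3 directory (assumed argument)
    image = sys.argv[2]            # memory image, e.g. xxx.raw (assumed argument)
    missing = missing_symbol_packs(vol_root / "volatility" / "symbols")
    if missing:
        sys.exit("missing symbol packs: " + ", ".join(missing))
    for plugin, rc in run_triage(vol_root / "vol.py", image, "triage_out").items():
        print(f"{plugin}: {'ok' if rc == 0 else 'FAILED (rc=%d)' % rc}")
```

Usage: python triage.py /path/to/volatility3 xxx.raw; the per-plugin text files then land in triage_out/.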
Once Volatility3 is installed, how do you print the list of plugins? This would be helpful. Also, once all the symbols files have been copied, is there a way to print the list of OS versions supported by these symbol files?
A simple python vol.py -h will show you all the available commands; as for supported OS versions, I’m not sure.
Regards