git clone https://github.com/volatilityfoundation/volatility3.git Then download symbol table packs for the operating systems you need to analyze: https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip
Symbol tables zip files must be placed, as named, into the volatility/symbols directory.
I’m using Windows, and this is the result
Now, no longer to need to define a profile.
PSlist : python ./vol.py -f xxx.raw windows.pslist.PsList
Here is the list of modules in 2.19 (Jan 2025)
banners.Banners
configwriter.ConfigWriter
frameworkinfo.FrameworkInfo
isfinfo.IsfInfo
layerwriter.LayerWriter
linux.bash.Bash Recovers bash command history from memory.
linux.boottime.Boottime
Shows the time the system was started
linux.capabilities.Capabilities
Lists process capabilities
linux.check_afinfo.Check_afinfo
Verifies the operation function pointers of network protocols.
linux.check_creds.Check_creds
Checks if any processes are sharing credential structures
linux.check_idt.Check_idt
Checks if the IDT has been altered
linux.check_modules.Check_modules
Compares module list to sysfs info, if available
linux.check_syscall.Check_syscall
Check system call table for hooks.
linux.ebpf.EBPF Enumerate eBPF programs
linux.elfs.Elfs Lists all memory mapped ELF files for all processes.
linux.envars.Envars
Lists processes with their environment variables
linux.graphics.fbdev.Fbdev
Extract framebuffers from the fbdev graphics subsystem
linux.hidden_modules.Hidden_modules
Carves memory to find hidden kernel modules
linux.iomem.IOMem Generates an output similar to /proc/iomem on a running system.
linux.keyboard_notifiers.Keyboard_notifiers
Parses the keyboard notifier call chain
linux.kmsg.Kmsg Kernel log buffer reader
linux.kthreads.Kthreads
Enumerates kthread functions
linux.library_list.LibraryList
Enumerate libraries loaded into processes
linux.lsmod.Lsmod Lists loaded kernel modules.
linux.lsof.Lsof Lists open files for each processes.
linux.malfind.Malfind
Lists process memory ranges that potentially contain injected code.
linux.modxview.Modxview
Centralize lsmod, check_modules and hidden_modules results to efficiently spot modules presence and taints.
linux.mountinfo.MountInfo
Lists mount points on processes mount namespaces
linux.netfilter.Netfilter
Lists Netfilter hooks.
linux.pagecache.Files
Lists files from memory
linux.pagecache.InodePages
Lists and recovers cached inode pages
linux.pidhashtable.PIDHashTable
Enumerates processes through the PID hash table
linux.proc.Maps Lists all memory maps for all processes.
linux.psaux.PsAux Lists processes with their command line arguments
linux.pslist.PsList
Lists the processes present in a particular linux memory image.
linux.psscan.PsScan
Scans for processes present in a particular linux image.
linux.pstree.PsTree
Plugin for listing processes in a tree based on their parent process ID.
linux.ptrace.Ptrace
Enumerates ptrace's tracer and tracee tasks
linux.sockstat.Sockstat
Lists all network connections for all processes.
linux.tty_check.tty_check
Checks tty devices for hooks
linux.vmaregexscan.VmaRegExScan
Scans all virtual memory areas for tasks using RegEx.
linux.vmcoreinfo.VMCoreInfo
Enumerate VMCoreInfo tablesmac.bash.Bash Recovers bash command history from memory.
mac.check_syscall.Check_syscall
Check system call table for hooks.
mac.check_sysctl.Check_sysctl
Check sysctl handlers for hooks.
mac.check_trap_table.Check_trap_table
Check mach trap table for hooks.
mac.dmesg.Dmesg Prints the kernel log buffer.
mac.ifconfig.Ifconfig
Lists network interface information for all devices
mac.kauth_listeners.Kauth_listeners
Lists kauth listeners and their status
mac.kauth_scopes.Kauth_scopes
Lists kauth scopes and their status
mac.kevents.Kevents
Lists event handlers registered by processes
mac.list_files.List_Files
Lists all open file descriptors for all processes.
mac.lsmod.Lsmod Lists loaded kernel modules.
mac.lsof.Lsof Lists all open file descriptors for all processes.
mac.malfind.Malfind
Lists process memory ranges that potentially contain injected code.
mac.mount.Mount A module containing a collection of plugins that produce data typically found in Mac's mount command
mac.netstat.Netstat
Lists all network connections for all processes.
mac.proc_maps.Maps Lists process memory ranges that potentially contain injected code.
mac.psaux.Psaux Recovers program command line arguments.
mac.pslist.PsList Lists the processes present in a particular mac memory image.
mac.pstree.PsTree Plugin for listing processes in a tree based on their parent process ID.
mac.socket_filters.Socket_filters
Enumerates kernel socket filters.
mac.timers.Timers Check for malicious kernel timers.
mac.trustedbsd.Trustedbsd
Checks for malicious trustedbsd modules
mac.vfsevents.VFSevents
Lists processes that are filtering file system eventstimeliner.Timeliner
windows.amcache.Amcache
Extract information on executed applications from the AmCache.
windows.bigpools.BigPools
List big page pools.
windows.callbacks.Callbacks
Lists kernel callbacks and notification routines.
windows.cmdline.CmdLine
Lists process command line arguments.
windows.cmdscan.CmdScan
Looks for Windows Command History lists
windows.consoles.Consoles
Looks for Windows console buffers
windows.crashinfo.Crashinfo
Lists the information from a Windows crash dump.
windows.debugregisters.DebugRegisters
windows.devicetree.DeviceTree
Listing tree based on drivers and attached devices in a particular windows memory image.
windows.dlllist.DllList
Lists the loaded DLLs in a particular windows memory image.
windows.driverirp.DriverIrp
List IRPs for drivers in a particular windows memory image.
windows.drivermodule.DriverModule
Determines if any loaded drivers were hidden by a rootkit
windows.driverscan.DriverScan
Scans for drivers present in a particular windows memory image.
windows.dumpfiles.DumpFiles
Dumps cached file contents from Windows memory samples.
windows.envars.Envars
Display process environment variables
windows.filescan.FileScan
Scans for file objects present in a particular windows memory image.
windows.getservicesids.GetServiceSIDs
Lists process token sids.
windows.getsids.GetSIDs
Print the SIDs owning each process
windows.handles.Handles
Lists process open handles.
windows.hollowprocesses.HollowProcesses
Lists hollowed processes
windows.iat.IAT Extract Import Address Table to list API (functions) used by a program contained in external libraries
windows.info.Info Show OS & kernel details of the memory sample being analyzed.
windows.joblinks.JobLinks
Print process job link information
windows.kpcrs.KPCRs
Print KPCR structure for each processor
windows.ldrmodules.LdrModules
Lists the loaded modules in a particular windows memory image.
windows.malfind.Malfind
Lists process memory ranges that potentially contain injected code.
windows.mbrscan.MBRScan
Scans for and parses potential Master Boot Records (MBRs)
windows.memmap.Memmap
Prints the memory map
windows.modscan.ModScan
Scans for modules present in a particular windows memory image.
windows.modules.Modules
Lists the loaded kernel modules.
windows.mutantscan.MutantScan
Scans for mutexes present in a particular windows memory image.
windows.netscan.NetScan
Scans for network objects present in a particular windows memory image.
windows.netstat.NetStat
Traverses network tracking structures present in a particular windows memory image.
windows.orphan_kernel_threads.Threads
Lists process threads
windows.pe_symbols.PESymbols
Prints symbols in PE files in process and kernel memory
windows.pedump.PEDump
Allows extracting PE Files from a specific address in a specific address space
windows.poolscanner.PoolScanner
A generic pool scanner plugin.
windows.privileges.Privs
Lists process token privileges
windows.processghosting.ProcessGhosting
Lists processes whose DeletePending bit is set or whose FILE_OBJECT is set to 0
windows.pslist.PsList
Lists the processes present in a particular windows memory image.
windows.psscan.PsScan
Scans for processes present in a particular windows memory image.
windows.pstree.PsTree
Plugin for listing processes in a tree based on their parent process ID.
windows.psxview.PsXView
Lists all processes found via four of the methods described in "The Art of Memory Forensics" which may help identify processes that are trying to hide
themselves.
windows.registry.certificates.Certificates
Lists the certificates in the registry's Certificate Store.
windows.registry.getcellroutine.GetCellRoutine
Reports registry hives with a hooked GetCellRoutine handler
windows.registry.hivelist.HiveList
Lists the registry hives present in a particular memory image.
windows.registry.hivescan.HiveScan
Scans for registry hives present in a particular windows memory image.
windows.registry.printkey.PrintKey
Lists the registry keys under a hive or specific key value.
windows.registry.userassist.UserAssist
Print userassist registry keys and information.
windows.scheduled_tasks.ScheduledTasks
Decodes scheduled task information from the Windows registry, including information about triggers, actions, run times, and creation times.
windows.sessions.Sessions
lists Processes with Session information extracted from Environmental Variables
windows.shimcachemem.ShimcacheMem
Reads Shimcache entries from the ahcache.sys AVL tree
windows.skeleton_key_check.Skeleton_Key_Check
Looks for signs of Skeleton Key malware
windows.ssdt.SSDT Lists the system call table.
windows.statistics.Statistics
Lists statistics about the memory space.
windows.strings.Strings
Reads output from the strings command and indicates which process(es) each string belongs to.
windows.suspended_threads.SuspendedThreads
Enumerates suspended threads.
windows.suspicious_threads.SuspiciousThreads
Lists suspicious userland process threads
windows.svcdiff.SvcDiff
Compares services found through list walking versus scanning to find rootkits
windows.svclist.SvcList
Lists services contained with the services.exe doubly linked list of services
windows.svcscan.SvcScan
Scans for windows services.
windows.symlinkscan.SymlinkScan
Scans for links present in a particular windows memory image.
windows.thrdscan.ThrdScan
Scans for windows threads.
windows.threads.Threads
Lists process threads
windows.timers.Timers
Print kernel timers and associated module DPCs
windows.truecrypt.Passphrase
TrueCrypt Cached Passphrase Finder
windows.unhooked_system_calls.unhooked_system_calls
Looks for signs of Skeleton Key malware
windows.unloadedmodules.UnloadedModules
Lists the unloaded kernel modules.
windows.vadinfo.VadInfo
Lists process memory ranges.
windows.vadregexscan.VadRegExScan
Scans all virtual memory areas for tasks using RegEx.
windows.vadwalk.VadWalk
Walk the VAD tree.
windows.verinfo.VerInfo
Lists version information from PE files.
windows.virtmap.VirtMap
Lists virtual mapped sections.If you install the yara-python (pip install yara-python ) (if on C++ it requires Microsoft C++ 14 )
then you have the additional modules :
windows.callbacks.Callbacks
windows.svcscan.SvcScan
windows.vadyarascan.VadYaraScan
yarascan.YaraScan
Once Volatility3 is installed, how do you print the list of plugins? This would be helpful. Also, once all the symbols files have been copied, is there a way to print the list of OS versions supported by these symbol files?
A simple python vol.py -h will show you all the available commands, as for supported OS versions, I’m not sure.
Regards