xubuntu 20.04 - focal
virt-manager
host
<!-- libvirt <filesystem> entry exposing host /vms/share to the guest over 9p; the guest mounts it by the
     target tag "hostshare" (see the fstab line in the guest section below).
     NOTE(review): accessmode="mapped" is understood to store guest ownership in host xattrs instead of real
     host uids, with fmode/dmode as the host-side mode of files/dirs the guest creates; confirm against the
     libvirt docs for the host's version before relying on it for isolation. -->
<filesystem type="mount" accessmode="mapped" fmode="0660" dmode="0770">
<source dir="/vms/share"/>
<target dir="/hostshare"/>
<address type="pci" domain="0x0000" bus="0x07" slot="0x00" function="0x0"/>
</filesystem>
#sudo usermod -G libvirtd -a $USER
# Host side: give the desktop user and the qemu process write access to the shared directory.
# -a is required together with -G, otherwise the user's other supplementary groups would be replaced.
share_dir=/vms/share
sudo usermod -a -G libvirt-qemu "$USER"
sudo chown -R libvirt-qemu:libvirt-qemu "$share_dir"
# Current contents, then a default ACL so files created later inherit the same group access.
sudo setfacl -Rm g:libvirt-qemu:rwx "$share_dir"
sudo setfacl -d -Rm g:libvirt-qemu:rwx "$share_dir"
guest
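# Guest side: add the 9p modules to the initramfs and mount the host share ("hostshare" tag) at boot.
sudo sh -c 'echo "9p
9pnet
9pnet_virtio" >> /etc/initramfs-tools/modules'
sudo update-initramfs -u
# The fstab entry below mounts on /share; the mount point must exist or the mount fails at the next boot.
sudo mkdir -p /share
sudo sh -c 'echo "# qemu share
hostshare /share 9p trans=virtio,version=9p2000.L,rw,umask=002 0 0" >> /etc/fstab'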
global
install
update
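# Strip the default desktop apps, then bring the system up to date.
# The patterns are quoted: unquoted gimp* etc. are first expanded by the shell against the current
# directory, so a stray matching file name would be handed to apt instead of the pattern.
sudo apt remove -y 'gimp*' 'libreoffice-*' 'thunderbird*' transmission-gtk
sudo apt update
sudo apt list --upgradable
sudo apt -y dist-upgrade
sudo apt -y autoremove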
system
# Base CLI tooling (openssh-server is commented out in the original list and is not installed here).
sudo apt install -y \
    binutils-common bsdmainutils curl debconf-utils exfat git gnupg2 gparted \
    hfsprogs htop kpartx lnav most net-tools p7zip-full p7zip-rar pv rar \
    sysstat testdisk tmux tree unrar vim xsysinfo
# Desktop extras.
sudo apt install -y \
    dconf-editor firefox-locale-fr galculator gpicview meld plank qt5ct \
    qt5-gtk2-platformtheme thunar-media-tags-plugin tumbler-plugins-extra
conf
qt5-ct to fusion
global
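# Disable active swap now and lower swappiness for later boots.
sudo swapoff -av && sudo sh -c 'echo vm.swappiness=10 > /etc/sysctl.d/99-swappiness.conf' # limit swap
sudo rm /etc/localtime && sudo ln -sv /usr/share/zoneinfo/Etc/UTC /etc/localtime
software-properties-gtk # add canonical partners
export QT_QPA_PLATFORMTHEME=gtk2
# echo needs -e here (as on the JAVA line below): without it bash writes the literal text
# "\n# QT\nexport ..." as one line starting with "\n#", i.e. a comment, and the export never takes effect.
echo -e "\n# QT\nexport QT_QPA_PLATFORMTHEME=gtk2" >> ~/.profile
echo -e "\n#JAVA\nexport _JAVA_OPTIONS=\"-Dawt.useSystemAAFontSettings=on -Dswing.aatext=true -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel -Dswing.crossplatformlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel \${_JAVA_OPTIONS}\"" >> ~/.profile
menulibre # edit menu
# Autostart entry for plank (XFCE sessions only).
path=~/.config/autostart
mkdir -p "${path}"
echo '[Desktop Entry]
Encoding=UTF-8
Version=0.9.4
Type=Application
Name=plank
Comment=plank
Exec=plank
OnlyShowIn=XFCE;
RunHook=0
StartupNotify=false
Terminal=false
Hidden=false' > "${path}/plank.desktop"
plank --preferences &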
trans
# HOST
# Stage the dev tree on the host side of the 9p share (the guest sees it as /share/trans/dev).
trans_dir=/vms/share/trans
mkdir -p "${trans_dir}"
cp -r ~/dev/ "${trans_dir}/"
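# GUEST
# Pull dotfiles, icons, wallpapers and completions from the share into the guest.
mkdir -p ~/.local/share/icons ~/.local/share/applications
path=/share/trans/dev
path_conf=${path}/install-desktop/conf
cp ${path_conf}/foralyse/.bashrc ~/
cp ${path_conf}/foralyse/.bash_alias ~/
sudo cp ${path_conf}/foralyse/.bashrc /root/
sudo cp ${path_conf}/foralyse/.bash_alias /root/
cp ${path}/install/conf/foralyse/.vimrc ~/
sudo cp ${path}/install/conf/vim/* /usr/share/vim/vim*/colors/
sudo cp ${path_conf}/soft/meld-dark.xml /usr/share/meld/styles/
sudo cp ${path_conf}/wp/* /usr/share/xfce4/backdrops/
sudo cp ${path_conf}/bash-completion/* /usr/share/bash-completion/completions/
sudo cp ${path_conf}/icons/tmux.svg /usr/share/icons/default/
# Copied once, without sudo: the previous "sudo cp" of the same file left a root-owned copy in
# ~/.local/share/applications, which the following non-sudo cp could not overwrite.
cp ${path_conf}/foralyse/xfce4-terminal-tmux.desktop ~/.local/share/applications/
cp ${path_conf}/icons/* ~/.local/share/icons
sudo ln -sv /usr/share/bash-completion/completions/tmux.git /usr/share/bash-completion/completions/tmux
# Files copied with sudo from the share may carry restrictive modes; make them world-readable.
sudo chmod +r /usr/share/icons/default/tmux.svg
sudo chmod +r /usr/share/bash-completion/completions/tmux*
sudo chmod +r /usr/share/xfce4/backdrops/*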
sublime text
# Appends host entries to /etc/hosts, adds an OUTPUT DROP rule per address and saves the ruleset to /etc/iptables/rules.v4.
file="/etc/hosts"
sudo sh -c "echo '\n# sublime-text hack\n127.0.0.1\tsublimetext.com\n127.0.0.1\twww.sublimetext.com\n127.0.0.1\tlicense.sublimehq.com' >> ${file}"
ips="45.55.255.55"
for ip in ${ips}; do sudo iptables -A OUTPUT -d ${ip} -j DROP; done
path=/etc/iptables
[ -d "${path}" ] || sudo mkdir "${path}"
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
# NOTE(review): ${S_PATH_INSTALL_CONF} is not set anywhere on this page.
cat ${S_PATH_INSTALL_CONF}/soft/sublime-text.license
forensic
global
# network
sudo apt install -y whois
# pwd & evtx & process
sudo apt install -y \
    john libscca-utils pev radare2
# hive
sudo apt install -y \
    libhivex-bin chntpw reglookup
# gui
sudo apt install -y \
    bless geany ghex gpicview gtkhash wxhexeditor
conf
bless
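# Copy the stock bless layouts into the user profile. The target directory does not necessarily exist
# yet on a fresh profile, in which case cp fails; mkdir -p makes the copy work either way.
mkdir -p ~/.config/bless/layouts
cp /usr/share/bless/*.layout ~/.config/bless/layouts/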
kali
#sudo sh -c "echo '# kali\ndeb http://http.kali.org/kali kali-rolling main non-free contrib' > /etc/apt/sources.list.d/kali.list
#wget -q -O - archive.kali.org/archive-key.asc | sudo apt-key add -
#sudo apt update
#sed -i '/^deb/ s|^|#|' /etc/apt/sources.list.d/kali.list
#sudo apt update
python
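sudo apt-get install -y python3 python3-pip
. ~/.profile
sudo apt-get install -y python2 # python2-dev
# Bootstrap pip for python2 (no longer maintained upstream). curl -f fails on an HTTP error instead of
# saving the error page as get-pip.py, and the && chain stops there instead of running whatever was saved.
cd /tmp && curl -fsSL https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py && python2 get-pip.py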
pip2
# python2-only tooling (balbuzard), installed or upgraded through the interpreter's own pip.
python2 -m pip install --upgrade balbuzard
pip3
# python3 tooling, installed or upgraded through the interpreter's own pip.
python3 -m pip install --upgrade malcarve regrippy
binwalk
dependencies
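# Extractors binwalk shells out to. -y added so this runs unattended like every other apt call on this page.
sudo apt install -y mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract cramfsswap squashfs-tools lzop srecord
python3 -m pip install -U nose coverage pycryptodome pyqtgraph capstone matplotlib
. ~/.profile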
github
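# Install sasquatch to extract non-standard SquashFS images
sudo apt install -y zlib1g-dev liblzma-dev liblzo2-dev
# Each tool is cloned, entered and built in one && chain so a failed clone or cd never runs the
# install step from a stale checkout or from /tmp itself.
cd /tmp && git clone https://github.com/devttys0/sasquatch && cd sasquatch && ./build.sh
# Install jefferson to extract JFFS2 file systems
python3 -m pip install -U cstruct
cd /tmp && git clone https://github.com/sviehb/jefferson && cd jefferson && sudo python3 setup.py install
# Install ubi_reader to extract UBIFS file systems
sudo apt install -y liblzo2-dev
python3 -m pip install -U python-lzo
cd /tmp && git clone https://github.com/jrspruitt/ubi_reader && cd ubi_reader && sudo python3 setup.py install
# Install yaffshiv to extract YAFFS file systems
cd /tmp && git clone https://github.com/devttys0/yaffshiv && cd yaffshiv && sudo python3 setup.py install
# Install unstuff (closed source) to extract StuffIt archive files
# Prebuilt binary fetched over plain http with no signature or checksum recorded on this page, then put in
# /usr/local/bin. The archive is saved first and its digest printed so it can be compared with a value
# obtained out of band before the extracted binary is trusted.
cd /tmp \
  && curl -fsS http://downloads.tuxfamily.org/sdtraces/stuffit520.611linux-i386.tar.gz -o stuffit520.611linux-i386.tar.gz \
  && sha256sum stuffit520.611linux-i386.tar.gz \
  && tar -zxvf stuffit520.611linux-i386.tar.gz \
  && sudo cp bin/unstuff /usr/local/bin/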
pandoc
# sudo apt install pandoc texlive-latex-base texlive-latex-recommended texlive-latex-extra
# pandoc -s -o $fileout $filein
binwalk
# Build binwalk itself from the upstream checkout (system-wide install).
git clone https://github.com/ReFirmLabs/binwalk /tmp/binwalk
cd /tmp/binwalk && sudo python3 setup.py install
regripper
# RegRipper 3.0 on Ubuntu: the distro Parse::Win32Registry module files are replaced by symlinks to the
# copies in the RegRipper checkout (originals kept with a timestamp suffix), then rip.pl is patched.
sudo apt-get install -y libparse-win32registry-perl
# NOTE(review): find may print more than one match; the loop below assumes exactly one directory.
path=$(find /usr/share -name Win32Registry)
cd /usr/share && sudo git clone https://github.com/keydet89/RegRipper3.0.git
sudo mv RegRipper3.0 regripper
# Link by basename only: assumes File.pm, Key.pm and Base.pm sit at the root of the RegRipper checkout.
for file in WinNT/File.pm WinNT/Key.pm Base.pm; do sudo mv ${path}/${file} ${path}/${file}.$(date +%s); sudo ln -sv /usr/share/regripper/${file##*/} ${path}/${file}; done
cd regripper
sudo cp -a rip.pl rip.pl.$(date +%s)
# Insert the plugin directory right after the "my @alerts = ();" line.
sudo sed -i '/^my @alerts = ();/a my \$plugindir = "/usr/share/regripper/plugins/";' rip.pl
# Replace line 1 (the shebang) with the local perl and a "use lib" for /usr/lib/perl5/.
sudo sed -i "1c #! $(which perl)\nuse lib qw(/usr/lib/perl5/);" rip.pl
sudo chmod +x rip.pl
sudo ln -sv /usr/share/regripper/rip.pl /usr/bin/regripper
sudo ln -sv /usr/share/regripper/rip.pl /usr/bin/rip
volatility
volatility3
# Runtime dependencies first, then the framework itself.
python3 -m pip install --upgrade pefile yara-python capstone pycryptodome jsonschema leechcorepyc python-snappy
python3 -m pip install --upgrade volatility3
# "vol" is the pip entry point; expose it as vol3 next to it (presumably a user-level install lands in ~/.local/bin).
cd ~/.local/bin && ln -sv vol vol3
volatility2
https://github.com/volatilityfoundation/volatility/wiki/Installation
# Build/runtime dependencies for Volatility 2 (python2 only).
sudo apt install -y pcregrep libpcre++-dev python-dev
python2 -m pip install distorm3 ipython openpyxl pycrypto pytz ujson yara-python
libforensic1394
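sudo apt install -y cmake
# Clone, configure, build and install as one && chain: previously each cd stood alone, so a failed clone or
# cd would have run "sudo make install" / "setup.py install" from whatever directory the shell was left in.
cd /tmp \
  && git clone https://github.com/FreddieWitherden/libforensic1394 \
  && cd libforensic1394 \
  && mkdir build && cd build \
  && cmake -G"Unix Makefiles" ../ \
  && sudo make install \
  && cd ../python \
  && sudo python setup.py install  # NOTE(review): plain "python"; the python section above installs only python2/python3 - confirm which is meant
sudo ln -sv /usr/local/lib/libforensic1394.so.0.3.0 /usr/lib/libforensic1394.so.2
cd
sudo rm -fR /tmp/libforensic1394
# cmake was only needed for this build; -y matches the other apt calls on this page.
sudo apt remove -y cmake
sudo apt -y autoremove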
volatility
# Volatility 2 from git into /opt, git metadata dropped, then installed system-wide as vol2.
cd /opt
# NOTE(review): /opt is normally root-owned, yet the clone and the rm -fR below run without sudo - confirm /opt is writable for $USER.
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
rm -fR .git
# NOTE(review): plain "python"; the python section above installs only python2 and python3, and vol2 needs python2 - confirm.
sudo python setup.py install
cd /usr/local/bin
sudo ln -sv vol.py vol2
vol2 -h
wireshark
# Wireshark from the wireshark-dev stable PPA rather than the focal archive.
sudo add-apt-repository --yes ppa:wireshark-dev/stable
sudo apt update
sudo apt install -y \
    tshark wireshark
autopsy
global
# Where the Autopsy, Sleuth Kit and JDK artefacts are expected (the 9p share mounted in the guest).
path_share=/share
sudo apt-get update
# Imaging / carving helpers and the Java base package.
sudo apt install -y \
    afflib-tools testdisk ewf-tools xmount fdupes java-common
# Image handling used by Autopsy's viewers.
sudo apt-get install -y \
    imagemagick libde265-0 libheif1
java
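# Oracle JDK 8 tarball is expected on the share; pick it with a glob instead of parsing ls output.
java_file=(${path_share}/jdk-8*linux-x64.tar.gz); java_file=${java_file[0]}
file=/usr/local/bin/oracle-java-installer.sh
# Third-party installer fetched from its master branch (unpinned) and later run as root: review the
# downloaded script before the --install step. curl -f fails on HTTP errors instead of saving an error page.
sudo curl -fsS https://raw.githubusercontent.com/labcif/oracle-java-installer/master/oracle-java-installer.sh -o ${file}
#sudo sed -i s'/update-java-alternatives -a/update-alternatives --auto java/' /usr/local/bin/oracle-java-installer.sh
#sudo sed -i s'/update-java-alternatives -l/update-alternatives --list java/' /usr/local/bin/oracle-java-installer.sh
# Quiet extraction.
sudo sed -i 's|tar -xvzf|tar -xzf|' /usr/local/bin/oracle-java-installer.sh
sudo chmod +x ${file}
sudo ${file} --install ${java_file}
. /etc/profile.d/jdk.sh
${file} --status ${java_file}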
base64sha
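file=/usr/local/bin/b64sha
# curl -f fails on an HTTP error instead of saving the error page, and chmod +x only runs when the download succeeded.
sudo curl -fsS https://raw.githubusercontent.com/labcif/Base64SHA/master/b64sha -o ${file} \
  && sudo chmod +x ${file}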
sleuthkit
# The sleuthkit-java .deb is expected on the share.
sleuthkit_file=$(ls ${path_share}/sleuthkit-java_*_amd64.deb)
# Split "<version>-<revision>" out of the file name; neither variable is used elsewhere on this page.
read sleuthkit_version_major sleuthkit_version_minor <<<$(echo ${sleuthkit_file}|sed 's|^.*/sleuthkit-java_\([0-9_\.]\+\)-\([0-9]\)_amd64.deb|\1 \2|')
# A path argument (contains "/") makes apt install the local .deb and resolve its dependencies.
sudo apt install ${sleuthkit_file}
autopsy
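# Autopsy zip expected on the share; picked with a glob instead of parsing ls output.
file=(${path_share}/autopsy-*.zip); file=${file[0]}
# /opt/<zip name without .zip>
path=${file%.zip} && path=/opt/${path##*/}
sudo unzip -q -d /opt/ ${file}
sudo chown -R ${USER}:${USER} ${path}
cd /opt && sudo ln -sv ${path##*/} autopsy
cd ${path}
sh unix_setup.sh
# ~/.local/bin is not guaranteed to exist yet; without it the ln below fails.
mkdir -p ~/.local/bin
ln -sv ${path}/bin/autopsy ~/.local/bin/autopsy
autopsy --nosplash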
launcher
# Desktop launcher for Autopsy (same content as before, written with a quoted heredoc).
cat > ~/.local/share/applications/autopsy.desktop <<'EOF'
[Desktop Entry]
Version=1.0
Type=Application
Terminal=false
Icon=/opt/autopsy/icon.ico
Name=Autopsy
Exec=autopsy
EOF
addons
ReportModules / ForensicExpertWitnessReport
https://github.com/chriswipat/forensic_expert_witness_report_module
IngestModules / FileHistory
https://medium.com/@markmckinnon_80619/windows-file-history-plugin-a6208da4efa5
IngestModules / Volatility
https://markmckinnon-80619.medium.com/volatility-autopsy-plugin-module-8beecea6396
install
# Volatility 3 via pip (a second, shorter variant of the "volatility3" section above).
python3 -m pip install -U pip
python3 -m pip install -U volatility3
# NOTE(review): the earlier section links vol3 in ~/.local/bin, this one in /usr/local/bin; a non-root pip
# install does not put "vol" in /usr/local/bin - confirm which location is intended.
cd /usr/local/bin && sudo ln -sv vol vol3; cd
help
volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q]
[-r RENDERER] [-f FILE] [--write-config] [--clear-cache] [--cache-path CACHE_PATH] [--offline] [--single-location SINGLE_LOCATION]
[--stackers [STACKERS [STACKERS ...]]] [--single-swap-locations [SINGLE_SWAP_LOCATIONS [SINGLE_SWAP_LOCATIONS ...]]]
plugin ...
An open-source memory forensics framework
-c CONFIG, --config CONFIG # Load the configuration from a json file
--parallelism [{processes,threads,off}] # Enables parallelism (defaults to off if no argument given)
-e EXTEND, --extend EXTEND # Extend the configuration with a new (or changed) setting
-p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS # Semi-colon separated list of paths to find plugins
-s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS # Semi-colon separated list of paths to find symbols
-v, --verbosity # Increase output verbosity
-l LOG, --log LOG # Log output to a file as well as the console
-o OUTPUT_DIR, --output-dir OUTPUT_DIR # Directory in which to output any generated files
-q, --quiet # Remove progress feedback
-r RENDERER, --renderer RENDERER # Determines how to render the output (quick, csv, pretty, json, jsonl)
-f FILE, --file FILE # Shorthand for --single-location=file:// if single-location is not defined
--write-config # Write configuration JSON file out to config.json
--clear-cache # Clears out all short-term cached items
--cache-path CACHE_PATH # Change the default path (/home/tsurugi/.cache/volatility3) used to store the cache
--offline # Do not search online for additional JSON files
--single-location SINGLE_LOCATION # Specifies a base location on which to stack
--stackers [STACKERS [STACKERS ...]] # List of stackers
--single-swap-locations [SINGLE_SWAP_LOCATIONS [SINGLE_SWAP_LOCATIONS ...]] # Specifies a list of swap layer URIs for use with single-location
windows
windows.bigpools.BigPools # List big page pools
windows.cachedump.Cachedump # Dumps lsa secrets from memory
windows.callbacks.Callbacks # Lists kernel callbacks and notification routines
windows.cmdline.CmdLine # Lists process command line arguments
windows.crashinfo.Crashinfo
windows.dlllist.DllList # Lists the loaded modules in a particular windows memory image
windows.driverirp.DriverIrp # List IRPs for drivers in a particular windows memory image
windows.driverscan.DriverScan # Scans for drivers present in a particular windows memory image
windows.dumpfiles.DumpFiles # Dumps cached file contents from Windows memory samples
windows.envars.Envars # Display process environment variables
windows.filescan.FileScan # Scans for file objects present in a particular windows memory image
windows.getservicesids.GetServiceSIDs # Lists process token sids
windows.getsids.GetSIDs # Print the SIDs owning each process
windows.handles.Handles # Lists process open handles
windows.hashdump.Hashdump # Dumps user hashes from memory
windows.info.Info # Show OS & kernel details of the memory sample being analyzed
windows.lsadump.Lsadump # Dumps lsa secrets from memory
windows.malfind.Malfind # Lists process memory ranges that potentially contain injected code
windows.memmap.Memmap # Prints the memory map
windows.modscan.ModScan # Scans for modules present in a particular windows memory image.
windows.modules.Modules # Lists the loaded kernel modules
windows.mutantscan.MutantScan # Scans for mutexes present in a particular windows memory image
windows.netscan.NetScan # Scans for network objects present in a particular windows memory image
windows.netstat.NetStat # Traverses network tracking structures present in a particular windows memory image.
windows.poolscanner.PoolScanner # A generic pool scanner plugin
windows.privileges.Privs # Lists process token privileges
windows.pslist.PsList # Lists the processes present in a particular windows memory image
windows.psscan.PsScan # Scans for processes present in a particular windows memory image
windows.pstree.PsTree # Plugin for listing processes in a tree based on their parent process ID
windows.registry.certificates.Certificates # Lists the certificates in the registry's Certificate Store
windows.registry.hivelist.HiveList # Lists the registry hives present in a particular memory image
windows.registry.hivescan.HiveScan # Scans for registry hives present in a particular windows memory image.
windows.registry.printkey.PrintKey # Lists the registry keys under a hive or specific key value
windows.registry.userassist.UserAssist # Print userassist registry keys and information
windows.skeleton_key_check.Skeleton_Key_Check # Looks for signs of Skeleton Key malware
windows.ssdt.SSDT # Lists the system call table
windows.statistics.Statistics
windows.strings.Strings # Reads output from the strings command and indicates which process(es) each string belongs to
windows.svcscan.SvcScan # Scans for windows services
windows.symlinkscan.SymlinkScan # Scans for links present in a particular windows memory image
windows.vadinfo.VadInfo # Lists process memory ranges
windows.vadyarascan.VadYaraScan # Scans all the Virtual Address Descriptor memory maps using yara
windows.verinfo.VerInfo # Lists version information from PE files
windows.virtmap.VirtMap # Lists virtual mapped sections
linux
linux.bash.Bash # Recovers bash command history from memory
linux.check_afinfo.Check_afinfo # Verifies the operation function pointers of network protocols
linux.check_creds.Check_creds # Checks if any processes are sharing credential structures
linux.check_idt.Check_idt # Checks if the IDT has been altered
linux.check_modules.Check_modules # Compares module list to sysfs info, if available
linux.check_syscall.Check_syscall # Check system call table for hooks
linux.elfs.Elfs # Lists all memory mapped ELF files for all processes
linux.keyboard_notifiers.Keyboard_notifiers # Parses the keyboard notifier call chain
linux.kmsg.Kmsg # Kernel log buffer reader
linux.lsmod.Lsmod # Lists loaded kernel modules
linux.lsof.Lsof # Lists all memory maps for all processes
linux.malfind.Malfind # Lists process memory ranges that potentially contain injected code
linux.proc.Maps # Lists all memory maps for all processes
linux.pslist.PsList # Lists the processes present in a particular linux memory image
linux.pstree.PsTree # Plugin for listing processes in a tree based on their parent process ID
linux.tty_check.tty_check # Checks tty devices for hooks
mac
mac.bash.Bash # Recovers bash command history from memory
mac.check_syscall.Check_syscall # Check system call table for hooks
mac.check_sysctl.Check_sysctl # Check sysctl handlers for hooks
mac.check_trap_table.Check_trap_table # Check mach trap table for hooks
mac.ifconfig.Ifconfig # Lists loaded kernel modules
mac.kauth_listeners.Kauth_listeners # Lists kauth listeners and their status
mac.kauth_scopes.Kauth_scopes # Lists kauth scopes and their status
mac.kevents.Kevents # Lists event handlers registered by processes
mac.list_files.List_Files # Lists all open file descriptors for all processes
mac.lsmod.Lsmod # Lists loaded kernel modules
mac.lsof.Lsof # Lists all open file descriptors for all processes
mac.malfind.Malfind # Lists process memory ranges that potentially contain injected code
mac.mount.Mount # A module containing a collection of plugins that produce data typically found in Mac's mount command
mac.netstat.Netstat # Lists all network connections for all processes
mac.proc_maps.Maps # Lists process memory ranges that potentially contain injected code
mac.psaux.Psaux # Recovers program command line arguments
mac.pslist.PsList # Lists the processes present in a particular mac memory image
mac.pstree.PsTree # Plugin for listing processes in a tree based on their parent process ID
mac.socket_filters.Socket_filters # Enumerates kernel socket filters
mac.timers.Timers # Check for malicious kernel timers
mac.trustedbsd.Trustedbsd # Checks for malicious trustedbsd modules
mac.vfsevents.VFSevents # Lists processes that are filtering file system events
others
banners.Banners # Attempts to identify potential linux banners in an image
configwriter.ConfigWriter # Runs the automagics and both prints and outputs configuration in the output directory
frameworkinfo.FrameworkInfo # Plugin to list the various modular components of Volatility
isfinfo.IsfInfo # Determines information about the currently available ISF files, or a specific one
layerwriter.LayerWriter # Runs the automagics and writes out the primary layer produced by the stacker
timeliner.Timeliner # Runs all relevant plugins that provide time related information and orders the results by time
yarascan.YaraScan # Scans kernel memory using yara rules (string or file)
install
see foralyse in https://code.ambau.fr
info
variables
# Image and profile used by the vol2 commands on this page.
file=/share/memory/dump
profile=Win7SP0x86
vol2 -f "$file" --profile="$profile"
# Options
--output dot/greptext/html/json/sqlite/text/xlsx
vol2 --info # get all information from volatility
# Each --info section ends at the first blank line, which is what the sed ranges pick out.
vol2 --info | sed -n '/^Profiles/,/^$/p'   # available profiles
vol2 --info | sed -n '/^Address/,/^$/p'    # available address spaces
vol2 --info | sed -n '/^Scanner/,/^$/p'    # available scanners
vol2 --info | sed -n '/^Plugins/,/^$/p'    # available plugins
vol2 --info | sed -n '/^Plugins/,/^$/p' | grep -Ev '^(mac|linux)_'  # windows plugins
vol2 --info | sed -n '/^Plugins/,/^$/p' | grep -E '^linux_'          # linux plugins
vol2 --info | sed -n '/^Plugins/,/^$/p' | grep -E '^mac_'            # mac plugins
special
hash
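# The image variable defined on this page is "file" (see variables above), not "dump".
# -y / -s take the virtual offsets of the SYSTEM and SAM hives, as listed by hivelist.
vol2 hashdump -f ${file} --profile=${profile} -y ${offset_system} -s ${offset_sam}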
plugins
cmd
clipboard # Extract the contents of the windows clipboard
cmdline # Display process command-line arguments
cmdscan # Extract command history by scanning for _COMMAND_HISTORY
consoles # Extract command history by scanning for _CONSOLE_INFORMATION
device
devicetree # Show device tree
mbrparser # Scans for and parses potential Master Boot Records (MBRs)
dll
dlldump -D PATH # Dump DLLs from a process address space to PATH
-p PID # specify a process by its PID
-o OFFSET # specify a process by its Virtual OFFSET
dlllist # Print list of loaded dlls for each process
-p PID # specify a process by its PID
ldrmodules # Detect unlinked DLLs
dump
cachedump # Dumps cached domain hashes from memory
dumpcerts # Dump RSA private and public SSL keys
dlldump -D PATH # Dump DLLs from a process address space to PATH
-p PID # specify a process by its PID
-o OFFSET # specify a process by its Virtual OFFSET
dumpfiles # Extract memory mapped and cached files
hashdump # Dumps passwords hashes (LM/NTLM) from memory
hivedump # Prints out a hive
lsadump # Dump (decrypted) LSA secrets from the registry
procdump # Dump a process to an executable file sample
-o OFFSET, --offset=OFFSET # EPROCESS offset (in hex) in the physical address space
-p PID, --pid=PID # Operate on these Process IDs (comma-separated)
-n NAME, --name=NAME # Operate on these process names (regex)
-D DUMP_DIR, --dump-dir=DUMP_DIR # Directory in which to dump executable files
executable
impscan # Scan for calls to imported functions
-p PID, --pid=PID # Process ID (leave off to scan kernel memory)
-o OFFSET, --offset=OFFSET # EPROCESS offset (in hex) in the physical address space
-b BASE, --base=BASE # Base address in process memory if --pid is supplied, otherwise an address in kernel space
-s SIZE, --size=SIZE # Size of memory to scan
joblinks # Print process job link information
malfind # Find hidden and injected code
privs # Display process privileges
shimcache # Parses the Application Compatibility Shim Cache registry key
verinfo # Prints out the version information from PE images
file
dumpfiles # Extract memory mapped and cached files
filescan # Pool scanner for file objects
mftparser # Scans for and parses potential MFT entries
notepad # List currently displayed notepad text
hive
amcache # Print AmCache information
hivescan # Pool scanner for registry hives
hivedump # Prints out a hive
hivelist # Print list of registry hives
printkey # Print a registry key, and its subkeys and values
shimcache # Parses the Application Compatibility Shim Cache registry key
shutdowntime # Print ShutdownTime of machine from registry
userassist # Print userassist registry keys and information
hook
apihooks # Detect API hooks in process and kernel memory
driverirp # Driver IRP hook detection
eventhooks # Print details on windows event hooks
messagehooks # List desktop and thread window message hooks
image
imageinfo # get info from OS and profiles
kdbgscan # Search for and dump potential KDBG values
memory
bigpools # Dump the big page pools using BigPagePoolScanner
cachedump # Dumps cached domain hashes from memory
hpakextract # Extract physical memory from an HPAK file
hpakinfo # Info on an HPAK file
memdump # Dump the addressable memory for a process
memmap # Print the memory map
patcher # Patches memory based on page scans
raw2dmp # Converts a physical memory sample to a windbg crash dump
module
drivermodule # Associate driver objects to kernel modules
moddump # Dump a kernel driver to an executable file sample
modscan # Pool scanner for kernel modules
modules # Print list of loaded modules
timers # Print kernel timers and associated module DPCs
unloadedmodules # Print list of unloaded modules
network
connections # Print list of open connections [Windows XP and 2003 Only]
connscan # Pool scanner for tcp connections
netscan # list of connections
sockets # Print list of open sockets
sockscan # Pool scanner for tcp socket objects
password
dumpcerts # Dump RSA private and public SSL keys
hashdump # Dumps passwords hashes (LM/NTLM) from memory
truecryptmaster # Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase # TrueCrypt Cached Passphrase Finder
truecryptsummary # TrueCrypt Summary
process
envars # Display process environment variables
getsids # Print the SIDs owning each process
handles # Print list of open handles for each process
privs # Display process privileges
procdump # Dump a process to an executable file sample
pslist # Print all running processes by following the EPROCESS lists
-P # print for physical offset
psscan # Pool scanner for process objects
pstree # Print process list as a tree
psxview # Find hidden processes with various process listings
thrdscan # Pool scanner for thread objects
threads # Investigate _ETHREAD and _KTHREADs
service
getservicesids # Get the names of services in the Registry and return Calculated SID
servicediff # List Windows services (ala Plugx)
svcscan # Scan for Windows services
system
auditpol # Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bioskbd # Reads the keyboard buffer from Real Mode memory
callbacks # Print system-wide notification routines
crashinfo # Dump crash-dump information
driverirp # Driver IRP hook detection
driverscan # Pool scanner for driver objects
envars # Display process environment variables
evtlogs # Extract Windows Event Logs (XP/2003 only)
kpcrscan # Search for and dump potential KPCR values
machoinfo # Dump Mach-O file format information
mutantscan # Pool scanner for mutex objects
objtypescan # Scan for Windows object type objects
screenshot # Save a pseudo-screenshot based on GDI windows (require PIL)
shutdowntime # Print ShutdownTime of machine from registry
symlinkscan # Pool scanner for symlink objects
timeline
timeliner # Creates a timeline from various artifacts in memory
timers # Print kernel timers and associated module DPCs
user
atoms # Print session and window station atom tables
atomscan # Pool scanner for atom tables
clipboard # Extract the contents of the windows clipboard
deskscan # Poolscanner for tagDESKTOP (desktops)
gahti # Dump the USER handle type information
sessions # List details on _MM_SESSION_SPACE (user logon sessions)
userassist # Print userassist registry keys and information
userhandles # Dump the USER handle tables
vad
vaddump # Dumps out the vad sections to a file
vadinfo # Dump the VAD info
vadtree # Walk the VAD tree and display in tree format
vadwalk # Walk the VAD tree
virtual
qemuinfo # Dump Qemu information
vboxinfo # Dump virtualbox information
vmwareinfo # Dump VMware VMSS/VMSN information
volshell
Use addrspace() for Kernel/Virtual AS
Use addrspace().base for Physical AS
Use proc() to get the current process object
proc().get_process_address_space() for the current process AS
proc().get_load_modules() for the current process DLLs
addrspace() # Get the current kernel/virtual address space.
cc(offset=None, pid=None, name=None, physical=False) # Change current shell context.
db(address, length=128, space=None) # Print bytes as canonical hexdump.
dd(address, length=128, space=None) # Print dwords at address.
dis(address, length=128, space=None, mode=None) # Disassemble code at a given address.
dq(address, length=128, space=None) # Print qwords at address.
dt(objct, address=None, space=None, recursive=False, depth=0) # Describe an object or show type info.
find(needle, max=1, shift=0, skip=0, count=False, length=128)
getmods() # Generator for kernel modules (scripting).
getprocs() # Generator of process objects (scripting).
hh(cmd=None) # Get help on a command.
list_entry(head, objname, offset=-1, fieldname=None, forward=True, space=None) # Traverse a _LIST_ENTRY.
modules() # Print loaded modules in a table view.
proc() # Get the current process object.
ps() # Print active processes in a table view.
sc() # Show the current context.
For help on a specific command, type 'hh(<command>)'
windows
windows # Print Desktop Windows (verbose details)
wintree # Print Z-Order Desktop Windows Tree
wndscan # Pool scanner for window stations
others
editbox # Displays information about Edit controls. (Listbox experimental.)
gditimers # Print installed GDI timers and callbacks
gdt # Display Global Descriptor Table
idt # Display Interrupt Descriptor Table
hibinfo # Dump hibernation file information
imagecopy --profile $profile $file -O $file-converted
iehistory # Reconstruct Internet Explorer cache / history
poolpeek # Configurable pool scanner plugin
shellbags # Prints ShellBags info
strings # Match physical offsets to virtual addresses (may take a while, VERY verbose)
yarascan # Scan process or kernel memory with Yara signatures