Description: In this video I will show you commands of the Volatility Framework for malware and rootkit analysis.
Command list
./vol.py -f zeus.vmem pslist
To list the processes of a system, use the pslist command.
./vol.py -f zeus.vmem malfind
Use it to find hidden or injected code/DLLs in user-mode memory.
./vol.py -f zeus.vmem ldrmodules
To find hidden DLLs.
./vol.py -f zeus.vmem apihooks
To find API hooks in user mode or kernel mode.
./vol.py -f zeus.vmem idt
Dumps the IDT (Interrupt Descriptor Table).
./vol.py -f zeus.vmem gdt
Dumps the GDT (Global Descriptor Table).
./vol.py -f zeus.vmem threads -L
This command gives you extensive details on threads.
./vol.py -f zeus.vmem callbacks
Lists kernel callbacks. Windows uses these callbacks to monitor and/or react to system events.
./vol.py -f zeus.vmem driverirp
To print a driver's IRP Major Function table.
./vol.py -f zeus.vmem devicetree
Windows uses a layered driver architecture; this plugin shows the device tree.
./vol.py -f zeus.vmem psxview
This plugin helps you detect hidden processes.
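psxview works by comparing several views of the process list and flagging entries that one view has and another lacks. The script below is an added example, not part of the video or of the Volatility project: it reproduces the simplest form of that cross-view check on the text output of pslist (walks the kernel's linked list of active processes) and psscan (carves EPROCESS objects out of physical memory). The sample output embedded in it is constructed, not captured from zeus.vmem, and the parser assumes the Volatility 2 text layout in which the first three whitespace-separated columns are offset, name and PID.

```python
"""Cross-view process detection, the idea behind psxview.

A process that a rootkit unlinks from the kernel's active-process list
vanishes from pslist, which walks that list, but its EPROCESS object is
still in memory and psscan's pool scanning finds it. Diffing the two
views exposes the gap.  Added example; not Volatility project code.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample output in the column layout of Volatility 2's text
# renderer (offset, name, PID, ...). Offsets, PIDs and times are made up.
PSLIST_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------
0x8aaa0100 System                    4      0     55      250 ------      0
0x8aaa0200 smss.exe                368      4      3       19 ------      0 2000-01-01 00:00:01 UTC+0000
0x8aaa0300 csrss.exe               584    368     10      380      0      0 2000-01-01 00:00:02 UTC+0000
0x8aaa0400 explorer.exe           1488   1460     12      300      0      0 2000-01-01 00:00:05 UTC+0000
"""

PSSCAN_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                PID   PPID PDB        Time created
---------- ---------------- ------ ------ ---------- ----------------------------
0x02aa0100 System                4      0 0x00aaa000
0x02aa0200 smss.exe            368      4 0x00aaa020 2000-01-01 00:00:01 UTC+0000
0x02aa0300 csrss.exe           584    368 0x00aaa040 2000-01-01 00:00:02 UTC+0000
0x02aa0400 explorer.exe       1488   1460 0x00aaa060 2000-01-01 00:00:05 UTC+0000
0x02aa0500 svchost.exe        1032    660 0x00aaa080 2000-01-01 00:00:03 UTC+0000
"""


def parse_processes(output: str) -> dict[int, str]:
    """Map PID -> process name from a pslist/psscan text table.

    Assumes the Volatility 2 layout where the first three columns are
    offset, name and PID. Banner, header and separator lines are skipped
    because their first token is not a hex offset.
    """
    procs: dict[int, str] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].startswith("0x"):
            continue
        try:
            pid = int(parts[2])
        except ValueError:
            continue
        procs[pid] = parts[1]
    return procs


@dataclass(frozen=True)
class Finding:
    pid: int
    name: str
    in_pslist: bool
    in_psscan: bool


def cross_view(pslist_out: str, psscan_out: str) -> list[Finding]:
    """One Finding per PID seen in either view, flagged by where it appears."""
    linked = parse_processes(pslist_out)
    carved = parse_processes(psscan_out)
    return [
        Finding(pid, carved.get(pid) or linked[pid], pid in linked, pid in carved)
        for pid in sorted(set(linked) | set(carved))
    ]


def suspicious(findings: list[Finding]) -> list[Finding]:
    """Processes the scanner found that the linked list does not show.

    A psscan-only hit is a lead, not a verdict: psscan also carves
    terminated processes whose EPROCESS memory has not been reused, so
    check the exit time before calling it a hidden process.
    """
    return [f for f in findings if f.in_psscan and not f.in_pslist]


if __name__ == "__main__":
    rows = cross_view(PSLIST_OUTPUT, PSSCAN_OUTPUT)
    print(f"{'PID':>6} {'Name':<16} pslist psscan")
    for f in rows:
        print(f"{f.pid:>6} {f.name:<16} {str(f.in_pslist):<6} {str(f.in_psscan):<6}")
    for f in suspicious(rows):
        print(f"[!] PID {f.pid} ({f.name}) is absent from the active-process list")
```

To run it against a real image, replace the two constants with the saved text output of `./vol.py -f <image> pslist` and `./vol.py -f <image> psscan`. The real psxview plugin adds further views (thread scanning, the PspCid table, the csrss handle table, session and desktop thread lists), which is why a process hidden from one structure usually still shows up in another.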
Source: http://code.google.com/p/volatility/wiki
Tags: memory, forensics, hacking, hack, volatility
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.