csababarta/volatility_plugins

Language: Python

git: https://github.com/csababarta/volatility_plugins

Volatility plugins created by the author

en_README.md

Volatility plugins created by the author

The plugins published here can be used with Volatility v2.4.

BASELINE plugin suite

PROCESSBL A plugin that compares the running processes in 2 memory images
- can be used to detect newly started processes
- can be used to detect newly loaded DLLs

SERVICESBL A plugin that compares the services in 2 memory images
- can be used to detect modification of service configuration
- can be used to detect newly installed services

DRIVERBL A plugin that compares the kernel drivers in 2 memory images
- can be used to detect newly installed / loaded drivers
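
A minimal baseline comparison in the spirit of PROCESSBL, added here as an example (it is not code from this repository): it diffs two constructed process listings of the shape pslist/dlllist would yield, keyed by normalised image path rather than PID, and reports processes and DLLs absent from the baseline plus known process names running from an unexpected path. The listing format, the sample data and the helper names are assumptions.

```python
from collections import defaultdict
def _norm(path):
    # NTFS paths are case-insensitive, so compare them in one case
    return path.strip().lower()

def build_index(procs):
    """Group a listing by normalised image path, merging the DLL sets of all
    instances (e.g. several svchost.exe). Entries: {pid, path, dlls}."""
    index = defaultdict(lambda: {"pids": set(), "dlls": set()})
    for proc in procs:
        entry = index[_norm(proc["path"])]
        entry["pids"].add(proc["pid"])
        entry["dlls"].update(_norm(d) for d in proc["dlls"])
    return index

def compare_processes(baseline, image):
    """Report what `image` has that `baseline` lacks: new_processes, new_dlls
    (per known path) and name_collisions (known name, different path).
    PIDs are not compared: they change between boots."""
    base, cur = build_index(baseline), build_index(image)
    base_names = defaultdict(set)
    for path in base:
        base_names[path.rsplit("\\", 1)[-1]].add(path)
    findings = {"new_processes": [], "new_dlls": {}, "name_collisions": []}
    for path, entry in sorted(cur.items()):
        if path not in base:
            findings["new_processes"].append((path, sorted(entry["pids"])))
            name = path.rsplit("\\", 1)[-1]
            if name in base_names:
                findings["name_collisions"].append((path, sorted(base_names[name])))
            continue
        added = sorted(entry["dlls"] - base[path]["dlls"])
        if added:
            findings["new_dlls"][path] = added
    return findings

# Constructed sample listings (assumed format, not real Volatility output)
SYS32 = r"C:\Windows\System32"
BASELINE = [
    {"pid": 612, "path": SYS32 + r"\svchost.exe",
     "dlls": [SYS32 + r"\ntdll.dll", SYS32 + r"\kernel32.dll"]},
    {"pid": 1220, "path": r"C:\Windows\explorer.exe", "dlls": [SYS32 + r"\ntdll.dll"]},
]
IMAGE = [
    {"pid": 700, "path": SYS32 + r"\svchost.exe",  # same binary, new PID: not flagged
     "dlls": [SYS32 + r"\NTDLL.DLL", SYS32 + r"\kernel32.dll"]},
    {"pid": 2048, "path": r"C:\Users\Public\svchost.exe", "dlls": [SYS32 + r"\ntdll.dll"]},
    {"pid": 1300, "path": r"C:\Windows\explorer.exe", "dlls": [SYS32 + r"\ntdll.dll", r"C:\Users\Public\helper.dll"]},
]
```

Calling `compare_processes(BASELINE, IMAGE)` flags the svchost.exe copy under `C:\Users\Public` as both a new process and a name collision, and `helper.dll` as a new DLL in explorer.exe, while the re-spawned system32 svchost.exe (new PID, same DLLs in different case) is silent.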

MALPROCFIND

A plugin that searches for malicious processes based on predefined rules.

Output types: text

INDX

A plugin that carves for and parses INDX ($I30) entries

Output types: text, body

USNJRNL

A plugin that carves for and parses USNJRNL ($J) entries

Output types: text, body

LOGFILE

A plugin that carves for and parses $Logfile entries. It will process the
following entry types:

  • UPDATE FILENAME ALLOCATION (Partial FILENAME Attributes)
  • ADD INDEX ENTRY ALLOCATION (INDX Records)
  • DELETE INDEX ENTRY ALLOCATION (INDX Records)
  • INITIALIZE FILE RECORD SEGMENT (MFT FILE0 Records)
  • DEALLOCATE FILE RECORD SEGMENT (MFT FILE0 Records)

Output types: text, body