This page contains links to the latest versions of various plugins I've written for Volatility, a framework for memory analysis written in Python. These plugins have been announced at various times through my blog, Push the Red Button, but are collected here for centralization and ease of maintenance.
Unfortunately, many of these tools lack standalone documentation. However, I have attempted to provide basic usage instructions in the blog post that accompanies each plugin; if you need help, check out the blog post first. If you're still confused, drop by #volatility on irc.freenode.com or shoot me an e-mail.
| Plugin | Description | Download | Blog post |
|---|---|---|---|
| GDI Utilities | Extract information about graphical windows. | [tar/gz] [zip] | [Coming Soon] |
| GetSids | Extract the SIDs of the user accounts that own each process. | getsids.py | Linking Processes to Users |
| Lists | A library for walking LIST_ENTRY doubly-linked lists. Install to forensics/win32/. | lists.py | N/A |
| ModDump | Dump kernel modules (drivers) to disk; the kernel-mode counterpart of Volatility's procdump. | moddump.py | Plugin Post: Moddump |
| PsScan3 | Scan for process structures using robust signatures that are harder for rootkits to evade (based on research presented at CCS 2009). | psscan3.py | Plugin Post: Robust Process Scanner |
| SSDT | Examine the system call tables and show which loaded module each function pointer falls in; pointers outside the expected module indicate syscall hooks. | ssdt.py | Auditing the System Call Table |
| ThreadQueues | Analyze queued window messages for threads that have a GUI component. | threadqueues.py | Window Messages as a Forensic Resource |
| VolReg | A suite of tools for accessing registry data stored in memory dumps. Research presented at DFRWS 2008. | [tar/gz] [zip] [older versions] | Memory Registry Tools! |
| VolRip | A wrapper around VolReg that provides an interface identical to Parse::Win32Registry, plus a modified RegRipper that can run its reports against registry data recovered from memory. | [tar/gz] [zip] | RegRipper and Volatility Prototype |
| VolShell | A Python shell customized for working with memory images. Presented at OMFW 2008. Note: this is mainly geared towards enabling memory analysis research. | volshell.py | Introducing Volshell |
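The SSDT row above describes the check in one clause: resolve each system call table pointer to the kernel module that contains it, and treat anything that does not land where it should as a hook. The following is an added illustration of that attribution logic written for this page; it is not the code of ssdt.py or any other plugin listed here. The module list and table entries are constructed sample values rather than data read from an image, and the `expected_owner` parameter is a simplification: a real audit of the shadow table has to treat win32k.sys as the legitimate owner of its GUI entries.

```python
"""Attribute system-call table entries to loaded kernel modules and flag
likely hooks. Illustrative only: the addresses below are constructed, not
read from a memory image, and this is not the ssdt.py plugin's own code."""
import bisect
from collections import namedtuple

Module = namedtuple("Module", "name base size")

# Constructed sample of loaded kernel modules (name, base, size), as a
# module-list walk would report them. Addresses are made up for illustration.
SAMPLE_MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x0020D000),
    Module("hal.dll",      0x806E4000, 0x00020000),
    Module("win32k.sys",   0xBF800000, 0x001C3000),
]

# Constructed sample native SSDT: {index: function pointer}. Entries 0x00 and
# 0x01 are ordinary ntoskrnl addresses; 0x02 lands in a different loaded
# module; 0x7A points outside every loaded module, which is what a hook
# installed from an unlisted or unloaded driver's memory looks like.
SAMPLE_SSDT = {
    0x00: 0x8058A2C0,
    0x01: 0x805B1E70,
    0x02: 0xBF80E120,
    0x7A: 0xF7C12340,
}

def build_index(modules):
    """Sort modules by base so each lookup is a binary search."""
    mods = sorted(modules, key=lambda m: m.base)
    return mods, [m.base for m in mods]

def find_module(addr, indexed):
    """Return the Module whose [base, base+size) range contains addr, or None."""
    mods, bases = indexed
    i = bisect.bisect_right(bases, addr) - 1
    if i >= 0:
        m = mods[i]
        if m.base <= addr < m.base + m.size:
            return m
    return None

def audit_ssdt(ssdt, modules, expected_owner="ntoskrnl.exe"):
    """Return [(index, addr, module_name, status)] for every table entry.

    status is 'ok' when the pointer lies inside expected_owner,
    'hooked:other-module' when it lies inside some other loaded module, and
    'hooked:unknown' when no loaded module covers it at all."""
    indexed = build_index(modules)
    results = []
    for idx in sorted(ssdt):
        addr = ssdt[idx]
        mod = find_module(addr, indexed)
        if mod is None:
            results.append((idx, addr, None, "hooked:unknown"))
        elif mod.name.lower() != expected_owner.lower():
            results.append((idx, addr, mod.name, "hooked:other-module"))
        else:
            results.append((idx, addr, mod.name, "ok"))
    return results

def suspicious_entries(ssdt, modules, expected_owner="ntoskrnl.exe"):
    """Only the entries an analyst needs to look at."""
    return [r for r in audit_ssdt(ssdt, modules, expected_owner) if r[3] != "ok"]

if __name__ == "__main__":
    for idx, addr, name, status in audit_ssdt(SAMPLE_SSDT, SAMPLE_MODULES):
        print("0x%03x 0x%08x %-14s %s" % (idx, addr, name or "UNKNOWN", status))
```

The "hooked:unknown" case is the one worth acting on first: a pointer that no entry in the loaded-module list covers means either the module list itself has been tampered with (unlinked driver) or code was copied into a pool allocation, and in both cases the next step is to dump the memory around the target address.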