| Module | Description | Owner | Completion | Ported as | Notes |
|---|---|---|---|---|---|
| **Linux Support** | | | | | |
| linux_arp | Print the ARP table | | 100% | arp | |
| linux_banner | Prints the Linux banner information | | 100% | banner | |
| linux_bash | Recover bash history from bash process memory | | 50% | bash | Sometimes doesn't work? Need to check if this is a 32- vs 64-bit problem. Have problems in some test VMs where no strings are found (and I had planted them ;)) |
| linux_check_afinfo | Verifies the operation function pointers of network protocols | | 100% | check_afinfo | |
| linux_check_creds | Checks if any processes are sharing credential structures | | 100% | check_creds | |
| linux_check_fop | Check file operation structures for rootkit modifications | | 100% | check_proc_fops | Fixed to interact better with a kernel that may be swapped? (VMs) |
| linux_check_idt | Checks if the IDT has been altered | | 100% | check_idt | Fixed, improved a tad; depends on lsmod |
| linux_check_modules | Compares module list to sysfs info, if available | | 100% | check_modules | Depends on lsmod |
| linux_check_syscall | Checks if the system call table has been altered | | 100% | | |
| linux_check_tty | Checks tty devices for hooks | | 100% | check_ttys | |
| linux_cpuinfo | Prints info about each active processor | | 100% | cpuinfo | Didn't really work on current multicore systems. Fixed |
| linux_dentry_cache | Gather files from the dentry cache | | | | Depends on slub |
| linux_dmesg | Gather dmesg buffer | | 100% | dmesg | |
| linux_dump_map | Writes selected memory mappings to disk | | 100% | vaddump | |
| linux_find_file | Recovers tmpfs filesystems from memory | | 100% | mls & mcat | Replaced by 2 plugins that, instead, allow you to list and cat any files in memory. |
| linux_ifconfig | Gathers active interfaces | | 100% | ifconfig | |
| linux_iomem | Provides output similar to /proc/iomem | | 100% | iomem | |
| linux_keyboard_notifier | Parses the keyboard notifier call chain | | 100% | keyboard_notifier_check | |
| linux_lsmod | Gather loaded kernel modules | | 100% | lsmod | |
| linux_lsof | Lists open files | | 100% | lsof | |
| linux_memmap | Dumps the memory map for Linux tasks | | 100% | | |
| linux_moddump | Extract loaded kernel modules | | 100% | | |
| linux_mount | Gather mounted fs/devices | | 80% | mount | Ported for 2.6-3.13 kernels, pending support for 3.14. Will want to add fs-specific flags too |
| linux_mount_cache | Gather mounted fs/devices from kmem_cache | | 0% | | slub. Likely unnecessary |
| linux_netstat | Lists open sockets | | 100% | netstat | Actually, this was broken. Fixed it and changed the output a bit |
| linux_pidhashtable | Enumerates processes through the PID hash table | | 100% | pidhashtable (times) | Fixed date issue |
| linux_pkt_queues | Writes per-process packet queues out to disk | | 100% | pkt_queues | Needs a tad more testing |
| linux_proc_maps | Gathers process maps for Linux | | 100% | maps | |
| linux_psaux | Gathers processes along with full command line and start time | | 100% | psaux | |
| linux_pslist | Gather active tasks by walking the task_struct->task list | | 100% | pslist | Fixed date issue |
| linux_pslist_cache | Gather tasks from the kmem_cache | | 0% | | slub |
| linux_pstree | Shows the parent/child relationship between processes | | | pstree | |
| linux_psxview | Find hidden processes with various process listings | | 100% | | |
| linux_route_cache | Recovers the routing cache from memory | | 0% | | slub |
| linux_sk_buff_cache | Recovers packets from the sk_buff kmem_cache | | 0% | | slub |
| linux_slabinfo | Mimics /proc/slabinfo on a running machine | | 0% | | Most systems use slub now, so this needs to be reimplemented. slub |
| linux_tmpfs | Recovers tmpfs filesystems from memory | | 80% | | Replaced by mls |
| linux_vma_cache | Gather VMAs from the vm_area_struct cache | | 0% | | slub? |
| linux_volshell | Shell in the memory image | | | | Deprecated |
| linux_yarascan | Yara scan over memory | | 100% | | |
| mbrparser | Scans for and parses potential Master Boot Records (MBRs) | | 0% | | I don't think this plugin is great; it just gives way too many false positives (the Levenshtein option may be a bit more useful). After reading the article about it, it may be worth porting. I'll give it a shot and maybe improve it a bit |
| **Address spaces** | | | | | |
| addrspaces/amd64.py | Standard AMD 64-bit address space. | | 100% | | |
| addrspaces/crash.py | Windows crash dump format | | 100% | | |
| addrspaces/ewf.py | This address space allows us to open EWF files | | | | |
| VMWareSnapshotFile | This AS supports VMware snapshot files | | | | |
| addrspaces/hibernate.py | Windows hibernation files | | | | Deprecated - replace with conversion plugin |
| addrspaces/ieee1394.py | Firewire address spaces. | | | | Deprecated |
| addrspaces/intel.py | Standard Intel 32-bit address space. | | 100% | | |
| addrspaces/mmap_address_space.py | An AS which uses an mmap of a file. | | 100% | | |
| addrspaces/standard.py | Direct file AS | | 100% | | |
| **Support** | | | | | |
| Windows XP | | | | | |
| Windows 7 | | | | | |
| Windows 7 64 bit | | | | | |
| Windows 8 64 bit | | | | | Done: Win8 and 8.1, 64 and 32 bit. |
| Windows 2003 | | | | | |
| Linux 64 bit | | | | | |
| **Imaging functionality** | | | | | |
| winpmem.py | Imaging of Windows systems (32 and 64 bit) | | 100% | | |
| pmem.c | Imager of Linux systems | | 100% | | |
| LMAP | Imager of Linux systems | | 100% | | |
| OSX pmem | Imager of OSX systems | | 100% | | |
| **Overlays** | | | | | |
| overlays/linux/linux.py | A Linux profile which works with dwarfdump output files. | | 100% | | |
| overlays/windows/vista.py | Support Vista profiles | | | | |
| overlays/windows/win2003.py | Support Win2003 profiles | | | | (Not tested yet) |
| overlays/windows/win7.py | Support Win7 profiles | | 100% | | |
| overlays/windows/windows.py | Common Windows profiles | | 100% | | |
| overlays/windows/xp.py | Support XP profiles | | 100% | | |
| **Core** | | | | | |
| volatility/obj.py | Core object parsing framework | | 100% | | |
| volatility/addrspace.py | Base class for address spaces | | 100% | | |
| volatility/obj_test.py | Unit tests for object framework | | 100% | | |
| volatility/plugin.py | Base class for plugins | | 100% | | |
| volatility/registry.py | Class registry | | 100% | | |
| volatility/scan.py | Scanning framework (scanner groups, discontiguous scanners) | | 100% | | |
| volatility/session.py | Implementation of the user interactive session. | | 100% | | |
| **Documentation** | | | | | |
| API documentation | | | | | |
| Sample code | | | | | |
| User manual | | | | | |
| Screencasts | | | | | |
| **Darwin Support** | | | | | |
| mac_arp | Prints the ARP table | adamsh | | | |
| mac_check_syscalls | Checks to see if system call table entries are hooked | adamsh | | | |
| mac_check_sysctl | Checks for unknown sysctl handlers | adamsh | | | |
| mac_check_trap_table | Checks to see if Mach trap table entries are hooked | adamsh | | | |
| mac_dead_procs | Prints terminated/de-allocated processes | adamsh | | | |
| mac_dmesg | Prints the kernel debug buffer | adamsh | | | |
| mac_dump_maps | Dumps memory ranges of processes | adamsh | | | |
| mac_find_aslr_shift | Find the ASLR shift value for 10.8+ images | adamsh | | | Not generally useful, and it's easily printed from the shell. |
| mac_ifconfig | Lists network interface information for all devices | adamsh | | | |
| mac_ip_filters | Reports any hooked IP filters | adamsh | | | |
| mac_list_sessions | Enumerates sessions | adamsh | | | |
| mac_list_zones | Prints active zones | adamsh | | | |
| mac_lsmod | Lists loaded kernel modules | adamsh | | | |