Volatility Guide¶
Malware Analysis (using Volatility)¶
Sample Malware Analysis workflow¶
- Run pslist / pstree to identify suspicious processes
- Use netscan / connscan to check network connections and verify IPs (e.g., VirusTotal)
- Apply malfind to suspected processes to detect code injection
- Dump memory regions using vaddump / memdump / procdump and verify
- Check registry using printkey for persistence mechanisms
- Use filescan + dumpfiles to extract suspicious files
- Analyze handles to identify related objects/processes
- Investigate mutant (mutex) objects to understand malware behavior
Volatility Plugins¶
1. pslist / windows.pslist¶
Command:
- V2:
vol.py -f memory.img --profile=PROFILE pslist - V3:
vol.py -f memory.img windows.pslist
What it does & principle:
Lists active processes by traversing the EPROCESS linked list maintained by the Windows kernel.
Forensics use:
Identify processes running at capture time.
Example:
A process named svch0st.exe appears → likely masquerading malware.
2. pstree / windows.pstree¶
Command:
- V2:
pstree - V3:
windows.pstree
What it does & principle:
Builds process hierarchy using parent-child relationships (PPID).
Forensics use:
Trace execution chain of malware.
Example:
winword.exe → powershell.exe → malware.exe → macro-based attack.
3. psscan / windows.psscan¶
Command:
- V2:
psscan - V3:
windows.psscan
What it does & principle:
Scans raw memory for EPROCESS structures using signature-based pool scanning.
Forensics use:
Detect hidden or terminated processes.
Example:
Process not in pslist but present in psscan → hidden/rootkit activity.
4. psxview / windows.psxview¶
Command:
- V2:
psxview - V3:
windows.psxview
What it does & principle:
Cross-verifies process presence across multiple OS structures.
Forensics use:
Detect stealth techniques used by malware.
Example:
Process missing from one structure but present in others → strong rootkit indicator.
5. netscan / windows.netscan¶
Command:
- V2:
netscan - V3:
windows.netscan
What it does & principle:
Scans memory for network socket structures (TCP/UDP).
Forensics use:
Identify suspicious network connections.
Example:
Connection to unknown external IP on port 4444 → possible C2 server.
6. connscan (Volatility 2 only)¶
Command:
- V2:
connscan - V3: Not available
What it does & principle:
Performs pool scanning for TCP connection objects.
Forensics use:
Recover closed or past connections.
Example:
Previously connected malicious IP found even though connection is no longer active.
7. malfind / windows.malfind¶
Command:
- V2:
malfind - V3:
windows.malfind
What it does & principle:
Detects suspicious memory regions by identifying:
- RWX permissions
- Non-file-backed executable memory
- Suspicious VAD entries
Forensics use:
Detect injected code or process hollowing.
Example:
RWX memory inside explorer.exe → injected shellcode.
8. procdump (Volatility 2 only)¶
Command:
- V2:
procdump -p PID -D output/ - V3: Not directly available
What it does & principle:
Reconstructs the process executable (PE file) from memory.
Forensics use:
Extract malware binaries.
Example:
Dump suspicious process and scan .exe in VirusTotal.
9. vaddump / windows.vaddump¶
Command:
- V2:
vaddump -p PID -D output/ - V3:
windows.vaddump
What it does & principle:
Dumps memory regions defined by Virtual Address Descriptors (VADs).
Forensics use:
Extract injected memory segments.
Example:
Dump region flagged by malfind for detailed analysis.
10. memdump¶
Command:
- V2:
memdump -p PID -D output/ - V3: Not directly available
What it does & principle:
Dumps the entire process memory space.
Forensics use:
Deep inspection of process memory.
Example:
Recover credentials or embedded configs from malware.
11. printkey / windows.registry.printkey¶
Command:
- V2:
printkey -K "Registry\\Path" - V3:
windows.registry.printkey
What it does & principle:
Parses Windows registry hives from memory.
Forensics use:
Detect persistence mechanisms.
Example:
Run key contains path to suspicious executable → auto-start malware.
12. dlllist / windows.dlllist¶
Command:
- V2:
dlllist -p PID - V3:
windows.dlllist
What it does & principle:
Reads Process Environment Block (PEB) to list loaded DLLs.
Forensics use:
Detect DLL injection.
Example:
DLL loaded from temp directory → suspicious.
13. hashdump (Volatility 2 only)¶
Command:
- V2:
hashdump - V3:
windows.hashdump(limited/depends on plugins)
What it does & principle:
Extracts password hashes from SAM and SYSTEM hives.
Forensics use:
Credential recovery.
Example:
Extracted hashes cracked to reveal weak admin password.
14. filescan / windows.filescan¶
Command:
- V2:
filescan - V3:
windows.filescan
What it does & principle:
Scans memory for file object structures.
Forensics use:
Locate hidden or deleted files.
Example:
Find malware executable no longer present on disk.
15. dumpfiles / windows.dumpfiles¶
Command:
- V2:
dumpfiles -Q OFFSET -D output/ - V3:
windows.dumpfiles
What it does & principle:
Extracts file contents using memory-resident file objects.
Forensics use:
Recover malware artifacts.
Example:
Dump suspicious file and analyze contents.
16. handles / windows.handles¶
Command:
- V2:
handles -p PID - V3:
windows.handles
What it does & principle:
Lists handles opened by a process (files, registry, mutex, etc.).
Forensics use:
Understand process interactions.
Example:
Process accessing unusual registry keys and temp files → suspicious behavior.
17. mutantscan / windows.mutantscan¶
Command:
- V2:
mutantscan - V3:
windows.mutantscan
What it does & principle:
Scans memory for mutex (mutant) objects.
Forensics use:
Identify malware patterns and families.
Example:
Mutex Global\XYZ123 matches known malware signature.
Mutex in Malware¶
A mutex (mutual exclusion object) is used to ensure only one instance of a program runs.
How malware uses mutex:
- Prevents reinfection or duplicate execution
- Acts as a unique identifier for malware family
- Used to check if system is already infected
Forensic relevance:
- Mutex names can be matched with threat intelligence databases
- Helps attribute malware to known families
Example:
- Malware creates:
Global\DarkCometMutex - If found in memory → strong indicator of specific malware family
File Extensions .exe → Executables (procdump output)¶
.dmp→ Memory dumps (vaddump, memdump).dat→ Raw extracted files (dumpfiles).img / .raw→ Input memory image