Skip to content

Volatility Guide

Malware Analysis (using Volatility)

Sample Malware Analysis workflow

  1. Run pslist / pstree to identify suspicious processes
  2. Use netscan / connscan to check network connections and verify IPs (e.g., VirusTotal)
  3. Apply malfind to suspected processes to detect code injection
  4. Dump memory regions using vaddump / memdump / procdump and verify
  5. Check registry using printkey for persistence mechanisms
  6. Use filescan + dumpfiles to extract suspicious files
  7. Analyze handles to identify related objects/processes
  8. Investigate mutant (mutex) objects to understand malware behavior

Volatility Plugins

1. pslist / windows.pslist

Command:

  • V2: vol.py -f memory.img --profile=PROFILE pslist
  • V3: vol.py -f memory.img windows.pslist

What it does & principle:
Lists active processes by traversing the EPROCESS linked list maintained by the Windows kernel.

Forensics use:
Identify processes running at capture time.

Example:
A process named svch0st.exe appears → likely masquerading malware.

2. pstree / windows.pstree

Command:

  • V2: pstree
  • V3: windows.pstree

What it does & principle:
Builds process hierarchy using parent-child relationships (PPID).

Forensics use:
Trace execution chain of malware.

Example:
winword.exe → powershell.exe → malware.exe → macro-based attack.

3. psscan / windows.psscan

Command:

  • V2: psscan
  • V3: windows.psscan

What it does & principle:
Scans raw memory for EPROCESS structures using signature-based pool scanning.

Forensics use:
Detect hidden or terminated processes.

Example:
Process not in pslist but present in psscan → hidden/rootkit activity.

4. psxview / windows.psxview

Command:

  • V2: psxview
  • V3: windows.psxview

What it does & principle:
Cross-verifies process presence across multiple OS structures.

Forensics use:
Detect stealth techniques used by malware.

Example:
Process missing from one structure but present in others → strong rootkit indicator.

5. netscan / windows.netscan

Command:

  • V2: netscan
  • V3: windows.netscan

What it does & principle:
Scans memory for network socket structures (TCP/UDP).

Forensics use:
Identify suspicious network connections.

Example:
Connection to unknown external IP on port 4444 → possible C2 server.

6. connscan (Volatility 2 only)

Command:

  • V2: connscan
  • V3: Not available

What it does & principle:
Performs pool scanning for TCP connection objects.

Forensics use:
Recover closed or past connections.

Example:
Previously connected malicious IP found even though connection is no longer active.

7. malfind / windows.malfind

Command:

  • V2: malfind
  • V3: windows.malfind

What it does & principle:
Detects suspicious memory regions by identifying:

  • RWX permissions
  • Non-file-backed executable memory
  • Suspicious VAD entries

Forensics use:
Detect injected code or process hollowing.

Example:
RWX memory inside explorer.exe → injected shellcode.

8. procdump (Volatility 2 only)

Command:

  • V2: procdump -p PID -D output/
  • V3: Not directly available

What it does & principle:
Reconstructs the process executable (PE file) from memory.

Forensics use:
Extract malware binaries.

Example:
Dump suspicious process and scan .exe in VirusTotal.

9. vaddump / windows.vaddump

Command:

  • V2: vaddump -p PID -D output/
  • V3: windows.vaddump

What it does & principle:
Dumps memory regions defined by Virtual Address Descriptors (VADs).

Forensics use:
Extract injected memory segments.

Example:
Dump region flagged by malfind for detailed analysis.

10. memdump

Command:

  • V2: memdump -p PID -D output/
  • V3: Not directly available

What it does & principle:
Dumps the entire process memory space.

Forensics use:
Deep inspection of process memory.

Example:
Recover credentials or embedded configs from malware.

11. printkey / windows.registry.printkey

Command:

  • V2: printkey -K "Registry\\Path"
  • V3: windows.registry.printkey

What it does & principle:
Parses Windows registry hives from memory.

Forensics use:
Detect persistence mechanisms.

Example:
Run key contains path to suspicious executable → auto-start malware.

12. dlllist / windows.dlllist

Command:

  • V2: dlllist -p PID
  • V3: windows.dlllist

What it does & principle:
Reads Process Environment Block (PEB) to list loaded DLLs.

Forensics use:
Detect DLL injection.

Example:
DLL loaded from temp directory → suspicious.

13. hashdump (Volatility 2 only)

Command:

  • V2: hashdump
  • V3: windows.hashdump (limited/depends on plugins)

What it does & principle:
Extracts password hashes from SAM and SYSTEM hives.

Forensics use:
Credential recovery.

Example:
Extracted hashes cracked to reveal weak admin password.

14. filescan / windows.filescan

Command:

  • V2: filescan
  • V3: windows.filescan

What it does & principle:
Scans memory for file object structures.

Forensics use:
Locate hidden or deleted files.

Example:
Find malware executable no longer present on disk.

15. dumpfiles / windows.dumpfiles

Command:

  • V2: dumpfiles -Q OFFSET -D output/
  • V3: windows.dumpfiles

What it does & principle:
Extracts file contents using memory-resident file objects.

Forensics use:
Recover malware artifacts.

Example:
Dump suspicious file and analyze contents.

16. handles / windows.handles

Command:

  • V2: handles -p PID
  • V3: windows.handles

What it does & principle:
Lists handles opened by a process (files, registry, mutex, etc.).

Forensics use:
Understand process interactions.

Example:
Process accessing unusual registry keys and temp files → suspicious behavior.

17. mutantscan / windows.mutantscan

Command:

  • V2: mutantscan
  • V3: windows.mutantscan

What it does & principle:
Scans memory for mutex (mutant) objects.

Forensics use:
Identify malware patterns and families.

Example:
Mutex Global\XYZ123 matches known malware signature.

Mutex in Malware

A mutex (mutual exclusion object) is used to ensure only one instance of a program runs.

How malware uses mutex:

  • Prevents reinfection or duplicate execution
  • Acts as a unique identifier for malware family
  • Used to check if system is already infected

Forensic relevance:

  • Mutex names can be matched with threat intelligence databases
  • Helps attribute malware to known families

Example:

  • Malware creates: Global\DarkCometMutex
  • If found in memory → strong indicator of specific malware family
File Extensions .exe → Executables (procdump output)
  • .dmp → Memory dumps (vaddump, memdump)
  • .dat → Raw extracted files (dumpfiles)
  • .img / .raw → Input memory image