| ▼Ncontrib | |
| ►Nplugins | |
| ►Naspaces | |
| ►Newf | |
| CEWFAddressSpace | An EWF capable address space |
| Cewffile | A file like object to provide access to the ewf file |
| ►Nenumfunc | |
| CEnumFunc | Enumerate imported/exported functions |
| ►Nexample | |
| CDateTime | A simple example plugin that gets the date/time information from a Windows image |
| ►Nmalware | |
| ►Npoisonivy | |
| CPICONFIG | Class for Poison Ivy Configuration Block |
| CPIHOST | Class for Poison Ivy Host/Proxy |
| CPoisonIvyConfig | |
| CPoisonIvyScan | |
| CPoisonIvyTypesx86 | Modification for Poison Ivy |
| ►Npsempire | |
| CPSEmpire | A plugin detecting the presence of PowerShell Empire |
| ►Nzeusscan | |
| CCitadelScan1345 | Locate and Decrypt Citadel 1.3.4.5 Configs |
| CZeusScan1 | Locate and Decrypt Zeus > 1.20 and < 2.0 Configs |
| CZeusScan2 | Locate and Decrypt Zeus >= 2.0 Configs |
| CZeusVTypes | |
| ►Npagecheck | |
| CPageCheck | Reads the available pages and reports if any are inaccessible |
| ►Npsdispscan | |
| CCheckDTBAligned | Checks that _EPROCESS.Pcb.DirectoryTableBase is aligned to 0x20 |
| CCheckSynchronization | Checks that _EPROCESS.WorkingSetLock and _EPROCESS.AddressCreationLock look valid |
| CCheckThreadList | Checks that _EPROCESS thread list points to the kernel Address Space |
| CDispatchHeaderCheck | A very fast check for an _EPROCESS.Pcb.Header |
| CPSDispScan | Scan Physical memory for _EPROCESS objects based on their Dispatch Headers |
| CPSDispScanner | This scanner carves things that look like _EPROCESS structures |
| ►Nsaveconfig | |
| CSaveConfig | Generates Volatility configuration files |
| ►Nscanprof | |
| CScanProfInstance | |
| ▼Nconvert | |
| CDWARFParser | A parser for DWARF files |
| ▼Nvolatility | |
| ►Naddrspace | |
| CAbstractDiscreteAllocMemory | A class based on memory stored as discrete allocations |
| CAbstractRunBasedMemory | |
| CAbstractVirtualAddressSpace | Base Ancestor for all Virtual address spaces, as determined by astype |
| CASAssertionError | |
| CBaseAddressSpace | This is the base class of all Address Spaces |
| CBufferAddressSpace | This is a specialised AS for use internally - Its used to provide transparent support for a string buffer so types can be instantiated off the buffer |
| ►Ncache | |
| CBlockingNode | Node that fails on all cache attempts and no-ops on cache storage attempts |
| CCacheContainsGenerator | Exception raised when the cache contains a generator |
| CCacheDecorator | This decorator will memoise a function in the cache |
| CCacheNode | Base class for Cache nodes |
| CCacheStorage | The base class for implementation storing the cache |
| CCacheTree | An abstract structure which represents the cache tree |
| CInvalidator | The Invalidator encapsulates program state to control invalidation of the cache |
| CInvalidCache | Exception raised when the cache item is determined to be invalid |
| CTestable | This is a mixin that makes a class response to the unit tests |
| CTestDecorator | This decorator is just like a CacheDecorator, but will always cache fully |
| ►Ncommands | |
| CCommand | Base class for each plugin command |
| ►Nconf | |
| CConfObject | This is a singleton class to manage the configuration |
| CDummyConfig | |
| CPyFlagOptionParser | |
| ►Ndwarf | |
| CDWARFParser | A parser for DWARF files |
| ►Nexceptions | |
| CAddrSpaceError | Address Space Exception, so we can catch and deal with it in the main program |
| CCacheRelativeURLException | Exception for gracefully not saving Relative URLs in the cache |
| CVolatilityException | Generic Volatility Specific exception, to help differentiate from other exceptions |
| ►Nfmtspec | |
| CFormatSpec | |
| ►Nobj | |
| CArray | An array of objects of the same size |
| CBaseObject | |
| CBitField | A class splitting an integer into a bunch of bit |
| Cclassproperty | |
| CCType | A CType is an object which represents a c struct |
| CInvalidOffsetError | Simple placeholder to identify invalid offsets |
| CNativeType | |
| CNoneObject | A magical object which is like None but swallows bad dereferences, getattribute, iterators etc to return itself |
| CNumericProxyMixIn | This MixIn implements the numeric protocol |
| CPointer | |
| CPointer32 | |
| CProfile | This must live here, otherwise there are circular dependency issues |
| CProfileModification | Class for modifying profiles for additional functionality |
| CVoid | |
| CVolatilityMagic | Class to contain Volatility Magic value |
| ►Nplugins | |
| ►Naddrspaces | |
| ►Namd64 | |
| CAMD64PagedMemory | Standard AMD 64-bit address space |
| ►Narm | |
| CArmAddressSpace | Address space for ARM processors |
| ►Ncrash | |
| CWindowsCrashDumpSpace32 | This AS supports windows Crash Dump format |
| CWindowsCrashDumpSpace64 | This AS supports windows Crash Dump format |
| ►Ncrashbmp | |
| CBitmapDmpVTypes | |
| CWindowsCrashDumpSpace64BitMap | This AS supports Windows BitMap Crash Dump format |
| ►Nelfcoredump | |
| CDBGFCOREDESCRIPTOR | A class for VBox core dump descriptors |
| CQemuCoreDumpElf | This AS supports Qemu ELF32 and ELF64 coredump format |
| CVirtualBoxCoreDumpElf64 | This AS supports VirtualBox ELF64 coredump format |
| CVirtualBoxModification | |
| ►Nhibernate | |
| CStore | |
| CWindowsHiberFileSpace32 | This is a hibernate address space for windows hibernation files |
| ►Nhpak | |
| CHPAK_HEADER | A class for B.S |
| CHPAKAddressSpace | This AS supports the HPAK format |
| CHPAKVTypes | |
| ►Nieee1394 | |
| CFirewireAddressSpace | A physical layer address space that provides access via firewire |
| CFWForensic1394 | |
| CFWRaw1394 | |
| ►Nintel | |
| CIA32PagedMemory | Standard IA-32 paging address space |
| CIA32PagedMemoryPae | This class implements the IA-32 PAE paging address space |
| ►Nlime | |
| CLimeAddressSpace | Address space for Lime |
| CLimeTypes | |
| ►Nmacho | |
| CMachOAddressSpace | Address space for mach-o files to support atc-ny memory reader |
| ►Nosxpmemelf | |
| COSXPmemELF | This AS supports VirtualBox ELF64 coredump format |
| ►Npaged | |
| CAbstractPagedMemory | Class to handle all the details of a paged virtual address space |
| CAbstractWritablePagedMemory | Mixin class that can be used to add write functionality to any standard address space that supports write() and vtop() |
| ►Nstandard | |
| CFileAddressSpace | This is a direct file AS |
| ►Nvmem | |
| CVMWareMetaAddressSpace | This AS supports the VMEM format with VMSN/VMSS metadata |
| ►Nvmware | |
| C_VMWARE_GROUP | A class for VMware Groups |
| C_VMWARE_HEADER | A class for VMware VMSS/VMSN files |
| C_VMWARE_TAG | A class for VMware Tags |
| CVMWareAddressSpace | This AS supports VMware snapshot (VMSS) and saved state (VMSS) files |
| CVMwareVTypesModification | Apply the necessary VTypes for parsing VMware headers |
| ►Nbigpagepools | |
| CBigPagePoolScanner | Scanner for big page pools |
| CBigPageTable | Find the directory of big page pools |
| CBigPageTableMagic | Determine the distance to the big page pool trackers |
| CBigPools | Dump the big page pools using BigPagePoolScanner |
| CPoolTrackTypeOverlay | |
| ►Nbioskbd | |
| CBiosKbd | Reads the keyboard buffer from Real Mode memory |
| ►Ncmdline | |
| CCmdline | Display process command-line arguments |
| ►Ncommon | |
| CAbstractScanCommand | A command built to provide the common options that should be available to Volatility's various scanning plugins |
| CAbstractWindowsCommand | |
| ►Nconnections | |
| CConnections | Print list of open connections [Windows XP and 2003 Only]
|
| ►Nconnscan | |
| CConnScan | Pool scanner for tcp connections |
| CPoolScanConn | Pool scanner for tcp connections |
| ►Ncrashinfo | |
| C_DMP_HEADER | A class for crash dumps |
| CCrashInfo | Dump crash-dump information |
| CCrashInfoModification | Applies overlays for crash dump headers |
| ►Ndlldump | |
| CDLLDump | Dump DLLs from a process address space |
| ►Ndrivermodule | |
| Cdrivermodule | Associate driver objects to kernel modules |
| ►Ndumpcerts | |
| C_PKCS_PRIVATE_CERT | Class for PKCS private key certificates |
| C_X509_PUBLIC_CERT | Class for x509 public key certificates |
| CDumpCerts | Dump RSA private and public SSL keys |
| CSSLKeyModification | Applies to all windows profiles (maybe linux?) |
| ►Ndumpfiles | |
| C_CONTROL_AREA | |
| C_SHARED_CACHE_MAP | |
| CControlAreaModification | |
| CDumpFiles | Extract memory mapped and cached files |
| CDumpFilesVTypesx86 | This modification applies the vtypes for all versions of 32bit Windows |
| ►Nenvars | |
| CEnvars | |
| ►Nevtlogs | |
| CEvtLogs | Extract Windows Event Logs (XP/2003 only) |
| CEVTObjectTypes | |
| ►Nfilescan | |
| CDriverScan | Pool scanner for driver objects |
| CFileScan | Pool scanner for file objects |
| CMutantScan | Pool scanner for mutex objects |
| CPoolScanDriver | Pool scanner for driver objects |
| CPoolScanFile | Pool scanner for file objects |
| CPoolScanMutant | Pool scanner for mutex objects |
| CPoolScanProcess | Pool scanner for process objects |
| CPoolScanSymlink | Pool scanner for symlink objects |
| CPSScan | Pool scanner for process objects |
| CSymLinkScan | Pool scanner for symlink objects |
| ►Ngetservicesids | |
| CGetServiceSids | Get the names of services in the Registry and return Calculated SID |
| ►Ngetsids | |
| CGetSIDs | Print the SIDs owning each process |
| ►Ngui | |
| ►Natoms | |
| CAtoms | Print session and window station atom tables |
| CAtomScan | Pool scanner for atom tables |
| CPoolScanAtom | Pool scanner for atom tables |
| ►Nclipboard | |
| CClipboard | Extract the contents of the windows clipboard |
| ►Nconstants | |
| CFakeAtom | |
| ►Ndesktops | |
| CDeskScan | Poolscaner for tagDESKTOP (desktops) |
| ►Neditbox | |
| C_COMBOBOX_x64 | |
| C_COMBOBOX_x86 | |
| C_EDIT_x64 | |
| C_EDIT_x86 | |
| C_LISTBOX_x64 | |
| C_LISTBOX_x86 | |
| CEditBox | Dumps various data from ComCtl Edit controls (experimental: ListBox, ComboBox) |
| CEditBoxObjectClasses | Add the new class definitions |
| CEditBoxVTypes | This modification adds the gdi_types_x(86|64) |
| ►Neventhooks | |
| CEventHooks | Print details on windows event hooks |
| ►Ngahti | |
| CGahti | Dump the USER handle type information |
| ►Ngditimers | |
| CGDITimers | Print installed GDI timers and callbacks |
| ►Nmessagehooks | |
| CMessageHooks | List desktop and thread window message hooks |
| ►Nscreenshot | |
| CScreenshot | Save a pseudo-screenshot based on GDI windows |
| ►Nsessions | |
| CSessions | List details on _MM_SESSION_SPACE (user logon sessions) |
| CSessionsMixin | This is a mixin that plugins can inherit for access to the main sessions APIs |
| ►Nuserhandles | |
| CUserHandles | Dump the USER handle tables |
| ►Nvtypes | |
| ►Nvista | |
| CVista2008x64GuiVTypes | |
| CVista2008x86GuiVTypes | |
| ►Nwin2003 | |
| CWin2003x86GuiVTypes | Apply the overlays for Windows 2003 x86 (builds on Windows XP x86) |
| ►Nwin7 | |
| C_MM_SESSION_SPACE | A class for session spaces on Windows 7 |
| CtagSHAREDINFO | A class for shared info blocks on Windows 7 |
| CWin7GuiOverlay | Apply general overlays for Windows 7 |
| CWin7SP0x64GuiVTypes | Apply the base vtypes for Windows 7 SP0 x64 |
| CWin7SP0x86GuiVTypes | Apply the base vtypes for Windows 7 SP0 x86 |
| CWin7SP1x64GuiVTypes | Apply the base vtypes for Windows 7 SP1 x64 |
| CWin7SP1x86GuiVTypes | Apply the base vtypes for Windows 7 SP1 x86 |
| CWin7Vista2008x64Timers | Apply the tagTIMER for Windows 7, Vista, and 2008 x64 |
| CWin7Vista2008x86Timers | Apply the tagTIMER for Windows 7, Vista, and 2008 x86 |
| CWin7Win32KCoreClasses | Apply the core object classes for Windows 7 |
| ►Nwin8 | |
| C_RTL_ATOM_TABLE_ENTRY | A class for atom table entries |
| CWin8x64Gui | |
| CWin8x86Gui | |
| ►Nxp | |
| CXP2003x64BaseVTypes | Applies to Windows XP and 2003 x64 |
| CXP2003x86BaseVTypes | Applies to everything x86 before Windows 7 |
| ►Nwin32k_core | |
| C_HANDLEENTRY | A for USER handle entries |
| C_MM_SESSION_SPACE | A class for session spaces |
| C_RTL_ATOM_TABLE | A class for atom tables |
| C_RTL_ATOM_TABLE_ENTRY | A class for atom table entries |
| CAtomTablex64Overlay | Apply the atom table overlays for all x64 Windows |
| CAtomTablex86Overlay | Apply the atom table overlays for all x86 Windows |
| CtagCLIPDATA | A class for clipboard objects |
| CtagDESKTOP | A class for Desktop objects |
| CtagEVENTHOOK | A class for event hooks |
| CtagHOOK | A class for message hooks |
| CtagRECT | A class for window rects |
| CtagSHAREDINFO | A class for shared info blocks |
| CtagTHREADINFO | A class for thread information objects |
| CtagWINDOWSTATION | A class for Windowstation objects |
| CtagWND | A class for window structures |
| CWin32KCoreClasses | Apply the core object classes |
| CWin32KGahtiVType | Apply a vtype for win32k!gahti |
| CWin32Kx64VTypes | Applies to all x64 windows profiles |
| CWin32Kx86VTypes | Applies to all x86 windows profiles |
| CXP2003x64TimerVType | Apply the tagTIMER for XP and 2003 x64 |
| CXP2003x86TimerVType | Apply the tagTIMER for XP and 2003 x86 |
| CXPx86SessionOverlay | Apply the ResidentProcessCount overlay for x86 XP session spaces |
| ►Nwindows | |
| CWindows | Print Desktop Windows (verbose details) |
| CWinTree | Print Z-Order Desktop Windows Tree |
| ►Nwindowstations | |
| CPoolScanWind | PoolScanner for window station objects |
| CWndScan | Pool scanner for window stations |
| ►Nhandles | |
| CHandles | Print list of open handles for each process |
| ►Nheaps | |
| CHeapModification | |
| ►Nhibinfo | |
| CHibInfo | Dump hibernation file information |
| ►Nhpakinfo | |
| CHPAKExtract | Extract physical memory from an HPAK file |
| CHPAKInfo | Info on an HPAK file |
| ►Niehistory | |
| C_URL_RECORD | A class for URL and LEAK records |
| CIEHistory | Reconstruct Internet Explorer cache / history |
| CIEHistoryVTypes | Apply structures for IE history parsing |
| ►Nimagecopy | |
| CImageCopy | Copies a physical address space out as a raw DD image |
| ►Nimageinfo | |
| CImageInfo | Identify information for the image |
| ►Njoblinks | |
| CJobLinks | Print process job link information |
| ►Nkdbgscan | |
| CKDBGScan | Search for and dump potential KDBG values |
| CKDBGScanner | |
| CMultiPrefixFinderCheck | Checks for multiple strings per page, finishing at the offset |
| CMultiStringFinderCheck | Checks for multiple strings per page |
| ►Nkpcrscan | |
| CKPCRScan | Search for and dump potential KPCR values |
| CKPCRScanner | |
| CKPCRScannerCheck | Checks the self referential pointers to find KPCRs |
| ►Nlinux | |
| ►Napihooks | |
| Clinux_apihooks | Checks for userland apihooks |
| ►Narp | |
| Ca_ent | |
| Clinux_arp | Print the ARP table |
| ►Nbanner | |
| Clinux_banner | Prints the Linux banner information |
| ►Nbash | |
| C_hist_entry | A class for history entries |
| CBashTypes | |
| Clinux_bash | Recover bash history from bash process memory |
| ►Nbash_hash | |
| C_bash_hash_table | |
| CBashHashTypes | |
| Clinux_bash_hash | Recover bash hash table from bash process memory |
| ►Ncheck_afinfo | |
| Clinux_check_afinfo | Verifies the operation function pointers of network protocols |
| ►Ncheck_creds | |
| Clinux_check_creds | Checks if any processes are sharing credential structures |
| ►Ncheck_evt_arm | |
| Clinux_check_evt_arm | Checks the Exception Vector Table to look for syscall table hooking |
| ►Ncheck_fops | |
| Clinux_check_fop | Check file operation structures for rootkit modifications |
| ►Ncheck_idt | |
| Clinux_check_idt | Checks if the IDT has been altered |
| CLinuxIDTTypes | |
| ►Ncheck_inline_kernel | |
| Clinux_check_inline_kernel | Check for inline kernel hooks |
| ►Ncheck_modules | |
| Clinux_check_modules | Compares module list to sysfs info, if available |
| ►Ncheck_syscall | |
| Clinux_check_syscall | Checks if the system call table has been altered |
| ►Ncheck_syscall_arm | |
| Clinux_check_syscall_arm | Checks if the system call table has been altered |
| ►Ncommon | |
| CAbstractLinuxARMCommand | |
| CAbstractLinuxCommand | |
| CAbstractLinuxIntelCommand | |
| Cvol_timespec | |
| ►Ncpuinfo | |
| Clinux_cpuinfo | Prints info about each active processor |
| ►Ndentry_cache | |
| Clinux_dentry_cache | Gather files from the dentry cache |
| ►Ndmesg | |
| Clinux_dmesg | Gather dmesg buffer |
| ►Ndump_map | |
| Clinux_dump_map | Writes selected memory mappings to disk |
| ►Nelfs | |
| Clinux_elfs | Find ELF binaries in process mappings |
| ►Nenumerate_files | |
| Clinux_enumerate_files | Lists files referenced by the filesystem cache |
| ►Nfind_file | |
| Clinux_find_file | Lists and recovers files from memory |
| ►Ngetcwd | |
| Clinux_getcwd | Lists current working directory of each process |
| ►Nhidden_modules | |
| Clinux_hidden_modules | Carves memory to find hidden kernel modules |
| ►Nifconfig | |
| Clinux_ifconfig | Gathers active interfaces |
| ►Ninfo_regs | |
| Clinux_info_regs | It's like 'info registers' in GDB |
| ►Niomem | |
| Clinux_iomem | Provides output similar to /proc/iomem |
| ►Nkernel_opened_files | |
| Clinux_kernel_opened_files | Lists files that are opened from within the kernel |
| ►Nkeyboard_notifiers | |
| Clinux_keyboard_notifiers | Parses the keyboard notifier call chain |
| ►Nld_env | |
| Clinux_dynamic_env | Recover a process' dynamic environment variables |
| ►Nldrmodules | |
| Clinux_ldrmodules | Compares the output of proc maps with the list of libraries from libdl |
| ►Nlibc_env | |
| Clinux_bash_env | Recover a process' dynamic environment variables |
| ►Nlibrary_list | |
| Clinux_library_list | Lists libraries loaded into a process |
| ►Nlibrarydump | |
| Clinux_librarydump | Dumps shared libraries in process memory to disk |
| ►Nlime | |
| CLiMEInfo | Dump Lime file format information |
| ►Nlinux_strings | |
| Clinux_strings | Match physical offsets to virtual addresses (may take a while, VERY verbose) |
| ►Nlinux_truecrypt | |
| Clinux_truecrypt_passphrase | Recovers cached Truecrypt passphrases |
| CLinuxTruecryptModification | A modification for Linux Truecrypt passphrases |
| CPassphraseScanner | A scanner over all memory regions of a process |
| ►Nlinux_volshell | |
| Clinux_volshell | Shell in the memory image |
| ►Nlinux_yarascan | |
| Clinux_yarascan | A shell in the Linux memory image |
| CVmaYaraScanner | A scanner over all memory regions of a process |
| ►Nlist_raw | |
| Clinux_list_raw | List applications with promiscuous sockets |
| ►Nlsmod | |
| Clinux_lsmod | Gather loaded kernel modules |
| Clinux_moddump | Extract loaded kernel modules |
| ►Nlsof | |
| Clinux_lsof | Lists file descriptors and their path |
| ►Nmalfind | |
| Clinux_malfind | Looks for suspicious process mappings |
| ►Nmount | |
| Clinux_mount | Gather mounted fs/devices |
| ►Nmount_cache | |
| Clinux_mount_cache | Gather mounted fs/devices from kmem_cache |
| ►Nnetfilter | |
| Clinux_netfilter | Lists Netfilter hooks |
| ►Nnetscan | |
| Clinux_netscan | Carves for network connection structures |
| ►Nnetstat | |
| Clinux_netstat | Lists open sockets |
| ►Npidhashtable | |
| Clinux_pidhashtable | Enumerates processes through the PID hash table |
| ►Npkt_queues | |
| Clinux_pkt_queues | Writes per-process packet queues out to disk |
| ►Nplthook | |
| Clinux_plthook | Scan ELF binaries' PLT for hooks to non-NEEDED images |
| ►Nproc_maps | |
| Clinux_proc_maps | Gathers process memory maps |
| ►Nproc_maps_rb | |
| Clinux_proc_maps_rb | Gathers process maps for linux through the mappings red-black tree |
| ►Nprocdump | |
| Clinux_procdump | Dumps a process's executable image to disk |
| ►Nprocess_hollow | |
| Clinux_process_hollow | Checks for signs of process hollowing |
| ►Nprocess_info | |
| Clinux_process_info | Plugin to gather info for a task/process |
| Cprocess_info | A class to collect various information about a process/task |
| ►Nprocess_stack | |
| Clinux_process_stack | Plugin to do analysis on the stack of user space applications |
| Cstack_frame | A class to record info about a stack frame |
| ►Npsaux | |
| Clinux_psaux | Gathers processes along with full command line and start time |
| ►Npsenv | |
| Clinux_psenv | Gathers processes along with their static environment variables |
| ►Npslist | |
| Clinux_memmap | Dumps the memory map for linux tasks |
| Clinux_pslist | Gather active tasks by walking the task_struct->task list |
| ►Npslist_cache | |
| Clinux_pslist_cache | Gather tasks from the kmem_cache |
| ►Npstree | |
| Clinux_pstree | Shows the parent/child relationship between processes |
| ►Npsxview | |
| Clinux_psxview | |
| ►Nrecover_filesystem | |
| Clinux_recover_filesystem | Recovers the entire cached file system from memory |
| ►Nroute_cache | |
| Clinux_route_cache | Recovers the routing cache from memory |
| ►Nsk_buff_cache | |
| Clinux_sk_buff_cache | Recovers packets from the sk_buff kmem_cache |
| ►Nslab_info | |
| Ckmem_cache | |
| Ckmem_cache_slab | |
| Clinux_slabinfo | Mimics /proc/slabinfo on a running machine |
| CLinuxKmemCacheOverlay | |
| ►Nthreads | |
| Clinux_threads | Prints threads of processes |
| ►Ntmpfs | |
| Clinux_tmpfs | Recovers tmpfs filesystems from memory |
| ►Ntty_check | |
| Clinux_check_tty | Checks tty devices for hooks |
| ►Nvma_cache | |
| Clinux_vma_cache | Gather VMAs from the vm_area_struct cache |
| ►Nmac | |
| ►Nadiummsgs | |
| Cmac_adium | Lists Adium messages |
| ►Napihooks | |
| Cmac_apihooks | Checks for API hooks in processes |
| ►Napihooks_kernel | |
| Cmac_apihooks_kernel | Checks to see if system call and kernel functions are hooked |
| ►Narp | |
| Cmac_arp | Prints the arp table |
| ►Nbash | |
| C_mac_hist_entry | A class for history entries |
| Cbash32_hist_entry | |
| Cbash64_hist_entry | |
| Cmac_bash | Recover bash history from bash process memory |
| CMacBashTypes | |
| ►Nbash_env | |
| Cmac_bash_env | Recover bash's environment variables |
| ►Nbash_hash | |
| Cbash_funcs | |
| Cmac32_bash_hash_table | |
| Cmac32_bucket_contents | |
| Cmac32_pathdata | |
| Cmac64_bash_hash_table | |
| Cmac64_bucket_contents | |
| Cmac64_pathdata | |
| Cmac_bash_hash | Recover bash hash table from bash process memory |
| CMacBashHashTypes | |
| ►Ncalendar | |
| Cmac_calendar | Gets calendar events from Calendar.app |
| ►Ncheck_mig_table | |
| Cmac_check_mig_table | Lists entires in the kernel's MIG table |
| ►Ncheck_syscall_shadow | |
| Cmac_check_syscall_shadow | Looks for shadow system call tables |
| ►Ncheck_syscall_table | |
| Cmac_check_syscalls | Checks to see if system call table entries are hooked |
| ►Ncheck_sysctl | |
| Cmac_check_sysctl | Checks for unknown sysctl handlers |
| ►Ncheck_trap_table | |
| Cmac_check_trap_table | Checks to see if mach trap table entries are hooked |
| ►Ncommon | |
| CAbstractMacCommand | |
| ►Ncompressed_swap | |
| Cmac_compressed_swap | Prints Mac OS X VM compressor stats and dumps all compressed pages |
| ►Ncontacts | |
| Cmac_contacts | Gets contact names from Contacts.app |
| ►Ndead_procs | |
| Cmac_dead_procs | Prints terminated/de-allocated processes |
| ►Ndead_sockets | |
| Cmac_dead_sockets | Prints terminated/de-allocated network sockets |
| ►Ndead_vnodes | |
| Cmac_dead_vnodes | Lists freed vnode structures |
| ►Ndlyd_maps | |
| Cmac_dyld_maps | Gets memory maps of processes from dyld data structures |
| ►Ndmesg | |
| Cmac_dmesg | Prints the kernel debug buffer |
| ►Ndump_files | |
| Cmac_dump_file | Dumps a specified file |
| ►Ndump_map | |
| Cmac_dump_maps | Dumps memory ranges of process(es), optionally including pages in compressed swap |
| ►Nfind_aslr_shift | |
| Cmac_find_aslr_shift | Find the ASLR shift value for 10.8+ images |
| ►Nget_profile | |
| CcatfishScan | Scanner for Catfish string for Mountain Lion |
| Cmac_get_profile | Automatically detect Mac profiles |
| ►Ngkextmap | |
| Cmac_lsmod_kext_map | Lists loaded kernel modules |
| ►Nifconfig | |
| Cmac_ifconfig | Lists network interface information for all devices |
| ►Nip_filters | |
| Cmac_ip_filters | Reports any hooked IP filters |
| ►Nkeychaindump | |
| Cmac_keychaindump | Recovers possbile keychain keys |
| ►Nldrmodules | |
| Cmac_ldrmodules | Compares the output of proc maps with the list of libraries from libdl |
| ►Nlibrarydump | |
| Cmac_librarydump | Dumps the executable of a process |
| ►Nlist_files | |
| Cmac_list_files | Lists files in the file cache |
| ►Nlist_kauth_listeners | |
| Cmac_list_kauth_listeners | Lists Kauth Scope listeners |
| ►Nlist_kauth_scopes | |
| Cmac_list_kauth_scopes | Lists Kauth Scopes and their status |
| ►Nlist_raw | |
| Cmac_list_raw | List applications with promiscuous sockets |
| ►Nlist_zones | |
| Cmac_list_zones | Prints active zones |
| ►Nlsmod | |
| Cmac_lsmod | Lists loaded kernel modules |
| ►Nlsmod_iokit | |
| Cmac_lsmod_iokit | Lists loaded kernel modules through IOkit |
| ►Nlsof | |
| Cmac_lsof | Lists per-process opened files |
| ►Nmac_strings | |
| Cmac_strings | Match physical offsets to virtual addresses (may take a while, VERY verbose) |
| ►Nmac_volshell | |
| Cmac_volshell | Shell in the memory image |
| ►Nmac_yarascan | |
| Cmac_yarascan | Scan memory for yara signatures |
| CMapYaraScanner | A scanner over all memory regions of a process |
| ►Nmachine_info | |
| Cmac_machine_info | Prints machine information about the sample |
| ►Nmalfind | |
| Cmac_malfind | Looks for suspicious process mappings |
| ►Nmemdump | |
| Cmac_memdump | Dump addressable memory pages to a file |
| ►Nmoddump | |
| Cmac_moddump | Writes the specified kernel extension to disk |
| ►Nmount | |
| Cmac_mount | Prints mounted device information |
| ►Nnetconns | |
| Cmac_network_conns | Lists network connections from kernel network structures |
| ►Nnetstat | |
| Cmac_netstat | Lists active per-process network connections |
| ►Nnotesapp | |
| Cmac_notesapp | Finds contents of Notes messages |
| ►Nnotifiers | |
| Cmac_notifiers | Detects rootkits that add hooks into I/O Kit (e.g |
| ►Norphan_threads | |
| Cmac_orphan_threads | Lists threads that don't map back to known modules/processes |
| ►Npgrp_hash_table | |
| Cmac_pgrp_hash_table | Walks the process group hash table |
| ►Npid_hash_table | |
| Cmac_pid_hash_table | Walks the pid hash table |
| ►Nprint_boot_cmdline | |
| Cmac_print_boot_cmdline | Prints kernel boot arguments |
| ►Nproc_maps | |
| Cmac_proc_maps | Gets memory maps of processes |
| ►Nprocdump | |
| Cmac_procdump | Dumps the executable of a process |
| ►Npsaux | |
| Cmac_psaux | Prints processes with arguments in user land (**argv) |
| ►Npsenv | |
| Cmac_psenv | Prints processes with environment in user land (**envp) |
| ►Npslist | |
| Cmac_pslist | List Running Processes |
| ►Npstasks | |
| Cmac_tasks | List Active Tasks |
| ►Npstree | |
| Cmac_pstree | Show parent/child relationship of processes |
| ►Npsxview | |
| Cmac_psxview | |
| ►Nrecover_filesystem | |
| Cmac_recover_filesystem | Recover the cached filesystem |
| ►Nroute | |
| Cmac_route | Prints the routing table |
| ►Nsession_hash_table | |
| Cmac_list_sessions | Enumerates sessions |
| ►Nsocket_filters | |
| Cmac_socket_filters | Reports socket filters |
| ►Nthreads | |
| Cmac_threads | List Process Threads |
| CMacObjectClasses2 | |
| CMacObjectClasses4 | |
| Cqueue_entry | |
| ►Nthreads_simple | |
| Cmac_threads_simple | Lists threads along with their start time and priority |
| ►Ntrustedbsd | |
| Cmac_trustedbsd | Lists malicious trustedbsd policies |
| ►Nversion | |
| Cmac_version | Prints the Mac version |
| ►NWKdm | |
| CWKdm | |
| ►Nmachoinfo | |
| CMachOInfo | Dump Mach-O file format information |
| ►Nmalware | |
| ►Napihooks | |
| CApiHooks | Detect API hooks in process and kernel memory |
| CHook | A class for API hooks |
| CMalwareWSPVTypes | |
| CModuleGroup | A class to assist with module lookups |
| ►Ncallbacks | |
| C_SHUTDOWN_PACKET | Class for shutdown notification callbacks |
| CAbstractCallbackScanner | Return the offset of the callback, no object headers |
| CCallbackMods | |
| CCallbacks | Print system-wide notification routines |
| CPoolScanDbgPrintCallback | PoolScanner for DebugPrint Callbacks on Vista and 7 |
| CPoolScanFSCallback | PoolScanner for File System Callbacks |
| CPoolScanGenericCallback | PoolScanner for Generic Callbacks |
| CPoolScanPnp9 | PoolScanner for Pnp9 (EventCategoryHardwareProfileChange) |
| CPoolScanPnpC | PoolScanner for PnpC (EventCategoryTargetDeviceChange) |
| CPoolScanPnpD | PoolScanner for PnpD (EventCategoryDeviceInterfaceChange) |
| CPoolScanRegistryCallback | PoolScanner for DebugPrint Callbacks on Vista and 7 |
| CPoolScanShutdownCallback | PoolScanner for Shutdown Callbacks |
| ►Ncmdhistory | |
| C_COMMAND_HISTORY | Object class for command histories |
| C_CONSOLE_INFORMATION | Object class for console information structs |
| C_CONSOLE_PROCESS | Object class for console process |
| C_EXE_ALIAS_LIST | Object class for alias lists |
| C_SCREEN_INFORMATION | Object class for screen information |
| CCmdHistoryObjectClasses | This modification applies the object classes for all versions of 32bit Windows |
| CCmdHistoryVTypesWin7x64 | This modification applies the vtypes for 64bit Windows starting with Windows 7 |
| CCmdHistoryVTypesWin7x86 | This modification applies the vtypes for 32bit Windows starting with Windows 7 |
| CCmdHistoryVTypesx64 | This modification applies the vtypes for 64bit Windows up to Windows 7 |
| CCmdHistoryVTypesx86 | This modification applies the vtypes for 32bit Windows up to Windows 7 |
| CCmdScan | Extract command history by scanning for _COMMAND_HISTORY |
| CConsoles | Extract command history by scanning for _CONSOLE_INFORMATION |
| ►Ndevicetree | |
| C_DEVICE_OBJECT | |
| C_DRIVER_OBJECT | |
| CDeviceTree | |
| CDriverIrp | |
| CMalwareDrivers | |
| ►Nidt | |
| C_KGDTENTRY | A class for GDT entries |
| C_KIDTENTRY | Class for interrupt descriptors |
| CGDT | |
| CIDT | |
| CMalwareIDTGDTx86 | |
| ►Nimpscan | |
| CImpScan | Scan for calls to imported functions |
| ►Nmalfind | |
| CBaseYaraScanner | An address space scanner for Yara signatures |
| CDiscontigYaraScanner | A Scanner for Discontiguous scanning |
| CLdrModules | |
| CMalfind | |
| CVadYaraScanner | A scanner over all memory regions of a process |
| CYaraScan | |
| ►Npsxview | |
| C_PSP_CID_TABLE | Subclass the Windows handle table object for parsing PspCidTable |
| CMalwarePspCid | |
| CPsXview | |
| ►Nservicediff | |
| CServiceDiff | |
| ►Nsvcscan | |
| C_SERVICE_HEADER | |
| C_SERVICE_RECORD_LEGACY | |
| C_SERVICE_RECORD_RECENT | |
| CService8x64 | Service structures for Win8/8.1 and Server2012/R2 64-bit |
| CService8x86 | Service structures for Win8/8.1 32-bit |
| CServiceBase | The base applies to XP and 2003 SP0-SP1 |
| CServiceBasex64 | This overrides the base x86 vtypes with x64 vtypes |
| CServiceVista | Override the base with OC's for Vista, 2008, and 7 |
| CServiceVistax64 | Override the base with vtypes for x64 Vista, 2008, and 7 |
| CServiceVistax86 | Override the base with vtypes for x86 Vista, 2008, and 7 |
| CSvcScan | |
| ►Nthreads | |
| CAbstractThreadCheck | Base thread check class |
| CAttachedProcess | Detect threads attached to another process |
| CDkomExit | Detect inconsistencies wrt exit times and termination |
| CHideFromDebug | Detect threads hidden from debuggers |
| CHookedSSDT | Check if a thread is using a hooked SSDT |
| CHwBreakpoint | Detect threads with hardware breakpoints |
| CImpersonation | Detect impersonating threads |
| CMalwareKthread | |
| COrphanThread | Detect orphan threads |
| CScannerOnly | Detect threads no longer in a linked list |
| CSystemThread | Detect system threads |
| CThreads | |
| ►Ntimers | |
| C_KTIMER | |
| CTimers | Print kernel timers and associated module DPCs |
| CTimerVTypes | |
| ►Nmbrparser | |
| CMbrObjectTypes | |
| CMBRParser | Scans for and parses potential Master Boot Records (MBRs) |
| CMBRScanner | |
| CPARTITION_ENTRY | |
| ►Nmftparser | |
| CFILE_NAME | |
| CMFT_FILE_RECORD | |
| CMFTParser | Scans for and parses potential MFT entries |
| CMFTScanner | |
| CMFTTYPES | |
| COBJECT_ID | |
| CRESIDENT_ATTRIBUTE | |
| CSTANDARD_INFORMATION | |
| CUnicodeString | |
| ►Nmoddump | |
| CModDump | Dump a kernel driver to an executable file sample |
| ►Nmodscan | |
| CModScan | Pool scanner for kernel modules |
| CPoolScanModule | Pool scanner for kernel modules |
| CPoolScanThread | Pool scanner for thread objects |
| CThrdScan | Pool scanner for thread objects |
| ►Nmodules | |
| CModules | Print list of loaded modules |
| CUnloadedModules | Print list of unloaded modules |
| ►Nmultiscan | |
| CMultiScan | Scan for various objects at once |
| ►Nnetscan | |
| C_TCP_ENDPOINT | Class for objects found in TcpE pools |
| C_TCP_LISTENER | Class for objects found in TcpL pools |
| C_UDP_ENDPOINT | Class for objects found in UdpA pools |
| CNetscan | Scan a Vista (or later) image for connections and sockets |
| CNetscanObjectClasses | Network OCs for Vista, 2008, and 7 x86 and x64 |
| CPoolScanTcpEndpoint | PoolScanner for TCP Endpoints |
| CPoolScanTcpListener | PoolScanner for Tcp Listeners |
| CPoolScanUdpEndpoint | PoolScanner for Udp Endpoints |
| ►Nnotepad | |
| C_HEAP | A Heap on XP and 2003 |
| C_HEAP_ENTRY | A Heap Entry |
| C_HEAP_SEGMENT | A Heap Segment on XP and 2003 |
| CNotepad | List currently displayed notepad text |
| CXPHeapModification | |
| ►Nobjtypescan | |
| CObjectTypeKeyModification | |
| CObjectTypeScanner | Pool scanner for object type objects |
| CObjTypeScan | Scan for Windows object type objects |
| ►Noverlays | |
| ►Nbasic | |
| CBasicObjectClasses | |
| CEnumeration | Enumeration class for handling multiple possible meanings for a single value |
| CFlags | This object decodes each flag into a string |
| CIpAddress | Provides proper output for IpAddress objects |
| CIpv6Address | Provides proper output for Ipv6Address objects |
| CString | Class for dealing with Strings |
| CUnixTimeStamp | Class for handling Unix Time Stamps |
| CVOLATILITY_MAGIC | Class representing a VOLATILITY_MAGIC namespace |
| CVolatilityDTB | |
| CVolatilityMaxAddress | The maximum address of a profile's underlying AS |
| ►Nlinux | |
| ►Nelf | |
| Celf | |
| Celf32_dyn | |
| Celf32_link_map | |
| Celf32_note | |
| Celf32_phdr | |
| Celf32_rel | |
| Celf32_rela | |
| Celf32_shdr | |
| Celf32_sym | |
| CELF32Modification | |
| Celf64_dyn | |
| Celf64_link_map | |
| Celf64_note | |
| Celf64_phdr | |
| Celf64_rel | |
| Celf64_rela | |
| Celf64_shdr | |
| Celf64_sym | |
| CELF64Modification | |
| Celf_dyn | An elf dynamic section struct |
| Celf_hdr | An ELF header |
| Celf_link_map | An libdl link map structure |
| Celf_note | An ELF note header |
| Celf_phdr | An elf program header |
| Celf_rel | An elf relocation |
| Celf_rela | An elf relocation |
| Celf_shdr | An elf section header |
| Celf_sym | An elf symbol struct |
| CELFModification | |
| ►Nlinux | |
| Cdentry | |
| Cdesc_struct | |
| Cfiles_struct | |
| Cgate_struct64 | |
| Chlist_bl_node | A list_head makes a doubly linked list |
| Chlist_node | A hlist_node makes a doubly linked list |
| Cin_device | |
| Cinet_sock | Class for an internet socket object |
| Cinode | |
| Ckernel_param | |
| Ckparam_array | |
| Clinux_file | |
| Clinux_fs_struct | |
| CLinuxGate64Overlay | |
| CLinuxIntelOverlay | |
| CLinuxMountOverlay | |
| CLinuxObjectClasses | |
| CLinuxOverlay | |
| CLinuxPermissionFlags | A Flags object for printing vm_area_struct permissions in a format like rwx or r-x |
| Clist_head | A list_head makes a doubly linked list |
| Cmodule_sect_attr | |
| Cmodule_struct | |
| Cmount | |
| Cnet_device | |
| Cpage | |
| Csock | |
| Csuper_block | |
| Ctask_struct | |
| Ctimespec | |
| Ctty_ldisc | |
| Cvfsmount | |
| Cvm_area_struct | |
| CVolatilityDTB | A scanner for DTB values |
| CVolatilityLinuxARMValidAS | An object to check that an address space is a valid Arm Paged space |
| CVolatilityLinuxIntelValidAS | An object to check that an address space is a valid Arm Paged space |
| ►Nmac | |
| ►Nmac | |
| CBashEnvYaraScanner | A scanner over all memory regions of a process |
| CcatfishScan | Scanner for Catfish string for Mountain Lion |
| Cdyld32_image_info | |
| Cdyld64_image_info | |
| CDyldTypes | |
| Cfileglob | |
| Cifnet | |
| Cinpcb | |
| Cinpcbinfo | |
| Ckauth_scope | |
| CMacObjectClasses | |
| CMacOverlay | |
| CMigTypes | |
| COSString | |
| Cproc | |
| Cqueue_entry | |
| Crtentry | |
| Csockaddr | |
| Csockaddr_dl | |
| Csocket | |
| Csysctl_oid | |
| Cthread | |
| Cvm_map_entry | |
| Cvm_map_object | |
| Cvnode | |
| CVolatilityDTB | A scanner for DTB values |
| CVolatilityMacIntelValidAS | An object to check that an address space is a valid Mac Intel Paged space |
| Czone | |
| ►Nmacho | |
| Cmacho | |
| Cmacho32_dysymtab_command | |
| Cmacho32_header | |
| Cmacho32_load_command | |
| Cmacho32_nlist | |
| Cmacho32_section | |
| Cmacho32_segment_command | |
| Cmacho32_symtab_command | |
| Cmacho64_dysymtab_command | |
| Cmacho64_header | |
| Cmacho64_load_command | |
| Cmacho64_nlist | |
| Cmacho64_section | |
| Cmacho64_segment_command | |
| Cmacho64_symtab_command | |
| Cmacho_dysymtab_command | A macho symtab command |
| Cmacho_header | An macho header |
| Cmacho_load_command | A macho load command |
| Cmacho_nlist | A macho nlist |
| Cmacho_section | An macho section header |
| Cmacho_segment_command | A macho segment command |
| Cmacho_symtab_command | A macho symtab command |
| CMachoModification | |
| CMachoOverlay | |
| CMachoTypes | |
| ►Nwindows | |
| ►Nhibernate_vtypes | |
| CHiberVistaSP01x64 | |
| CHiberVistaSP01x86 | |
| CHiberVistaSP2x64 | |
| CHiberVistaSP2x86 | |
| CHiberWin2003x64 | |
| CHiberWin7SP01x64 | |
| CHiberWin7SP01x86 | |
| ►Nkdbg_vtypes | |
| C_KDDEBUGGER_DATA64 | A class for KDBG |
| CKDBGObjectClass | Add the KDBG object class to all Windows profiles |
| CUnloadedDriverVTypes | Add the unloaded driver structure definitions |
| ►Nkpcr_vtypes | |
| C_KPCROnx64 | KPCR for x64 windows |
| C_KPCROnx86 | KPCR for 32bit windows |
| CKPCRProfileModification | |
| ►Npe_vtypes | |
| C_IMAGE_DOS_HEADER | DOS header |
| C_IMAGE_EXPORT_DIRECTORY | Class for PE export directory |
| C_IMAGE_IMPORT_DESCRIPTOR | Handles IID entries for imported functions |
| C_IMAGE_NT_HEADERS | PE header |
| C_IMAGE_RESOURCE_DIR_STRING_U | Handles Unicode-esque strings in IMAGE_RESOURCE_DIRECTORY structures |
| C_IMAGE_RESOURCE_DIRECTORY | Handles Directory Entries |
| C_IMAGE_SECTION_HEADER | PE section |
| C_LDR_DATA_TABLE_ENTRY | Class for PE file / modules |
| C_VS_FIXEDFILEINFO | Fixed (language and codepage independent) information |
| C_VS_VERSION_INFO | Version Information |
| CVerStruct | Generic Version Structure |
| CWinPEObjectClasses | |
| CWinPEVTypes | |
| CWinPEx64VTypes | |
| ►Nssdt_vtypes | |
| CAbstractSyscalls | |
| CVistaSP0Syscalls | |
| CVistaSP0x64Syscalls | |
| CVistaSP12Syscalls | |
| CVistaSP12x64Syscalls | |
| CWin2003SP0Syscalls | |
| CWin2003SP12Syscalls | |
| CWin2003SP12x64Syscalls | |
| CWin2003SyscallVTypes | |
| CWin64SyscallVTypes | |
| CWin7SP01Syscalls | |
| CWin7SP01x64Syscalls | |
| CWin8SP0x64Syscalls | |
| CWin8SP0x86Syscalls | |
| CWin8SP1x64Syscalls | |
| CWin8SP1x86Syscalls | |
| CWinSyscallsAttribute | |
| CWinXPSyscalls | |
| ►Ntcpip_vtypes | |
| C_ADDRESS_OBJECT | |
| CVista2008Tcpip | |
| CVistaSP12x64Tcpip | |
| CWin2003SP12Tcpip | |
| CWin7Tcpip | |
| CWin7Vista2008x64Tcpip | |
| CWin7x64Tcpip | |
| CWin81Tcpip | |
| CWin81x64Tcpip | |
| CWin8Tcpip | |
| CWin8x64Tcpip | |
| CWinXP2003AddressObject | |
| CWinXP2003Tcpipx64 | |
| ►Nvad_vtypes | |
| C_MM_AVL_NODE | |
| C_MM_AVL_TABLE | |
| C_MM_AVL_TABLE_WIN8 | |
| C_MMSECTION_FLAGS | |
| C_MMVAD_2003 | |
| C_MMVAD_FLAGS | |
| C_MMVAD_FLAGS2 | |
| C_MMVAD_LONG_2003 | |
| C_MMVAD_LONG_VISTA | |
| C_MMVAD_LONG_XP | |
| C_MMVAD_SHORT_2003 | |
| C_MMVAD_SHORT_WIN8 | |
| C_MMVAD_SHORT_WIN81 | |
| C_MMVAD_SHORT_XP | |
| C_MMVAD_VISTA | |
| C_MMVAD_WIN8 | |
| C_MMVAD_WIN81 | |
| C_MMVAD_XP | |
| C_RTL_AVL_TREE | |
| C_RTL_BALANCED_NODE | |
| CVadFlags | |
| CVadFlagsModification | |
| CVadTagModification | |
| CVadTraverser | |
| CVistaVad | |
| CWin2003x86Vad | |
| CWin81Vad | |
| CWin8Vad | |
| CWinXPx86Vad | |
| ►Nvista | |
| C_ETHREAD | A class for Windows 7 ETHREAD objects |
| C_POOL_HEADER | A class for pool headers |
| C_TOKEN | |
| CVistaKDBG | |
| CVistaObjectClasses | |
| CVistaPolicyKey | |
| CVistaSP0x64 | A Profile for Windows Vista SP0 x64 |
| CVistaSP0x64Hiber | |
| CVistaSP0x86 | A Profile for Windows Vista SP0 x86 |
| CVistaSP0x86Hiber | |
| CVistaSP1KDBG | |
| CVistaSP1x64 | A Profile for Windows Vista SP1 x64 |
| CVistaSP1x64Hiber | |
| CVistaSP1x86 | A Profile for Windows Vista SP1 x86 |
| CVistaSP1x86Hiber | |
| CVistaSP2x64 | A Profile for Windows Vista SP2 x64 |
| CVistaSP2x64Hiber | |
| CVistaSP2x86 | A Profile for Windows Vista SP2 x86 |
| CVistaSP2x86Hiber | |
| CVistaWin7KPCR | |
| CVistax64DTB | |
| CVistax86DTB | |
| CWin2008SP1x64 | A Profile for Windows 2008 SP1 x64 |
| CWin2008SP1x86 | A Profile for Windows 2008 SP1 x86 |
| CWin2008SP2x64 | A Profile for Windows 2008 SP2 x64 |
| ►Nwin10 | |
| C_HMAP_ENTRY | |
| C_OBJECT_HEADER_10 | |
| CObHeaderCookieStore | A class for finding and storing the nt!ObHeaderCookie value |
| CVolatilityCookie | The Windows 10 Cookie Finder |
| CWin10Cookie | The Windows 10 Cookie Finder |
| CWin10ObjectHeader | |
| CWin10Registry | The Windows 10 registry HMAP |
| CWin10x64 | A Profile for Windows 10 x64 |
| CWin10x64DTB | The Windows 10 64-bit DTB signature |
| CWin10x86 | A Profile for Windows 10 x86 |
| CWin10x86DTB | The Windows 10 32-bit DTB signature |
| ►Nwin2003 | |
| CEThreadCreateTime | |
| CWin2003KDBG | |
| CWin2003SP0x86 | A Profile for Windows 2003 SP0 x86 |
| CWin2003SP0x86DTB | |
| CWin2003SP1x64 | A Profile for Windows 2003 SP1 x64 |
| CWin2003SP1x86 | A Profile for Windows 2003 SP1 x86 |
| CWin2003SP2x64 | A Profile for Windows 2003 SP2 x64 |
| CWin2003SP2x86 | A Profile for Windows 2003 SP2 x86 |
| CWin2003x64DTB | |
| CWin2003x64Hiber | |
| CWin2003x86DTB | |
| CWin2003x86Hiber | |
| CWinXPSP1x64 | A Profile for Windows XP SP1 x64 |
| ►Nwin7 | |
| C_OBJECT_HEADER | A Volatility object to handle Windows 7 object headers |
| CWin2008R2SP0x64 | A Profile for Windows 2008 R2 SP0 x64 |
| CWin7KDBG | |
| CWin7ObjectClasses | |
| CWin7Pointer64 | |
| CWin7SP0x64 | A Profile for Windows 7 SP0 x64 |
| CWin7SP0x86 | A Profile for Windows 7 SP0 x86 |
| CWin7SP1x64 | A Profile for Windows 7 SP1 x64 |
| CWin7SP1x86 | A Profile for Windows 7 SP1 x86 |
| CWin7x64DTB | |
| CWin7x64Hiber | |
| CWin7x86DTB | |
| CWin7x86Hiber | |
| ►Nwin8 | |
| C_HANDLE_TABLE32 | A class for 32-bit Windows 8 handle tables |
| C_HANDLE_TABLE64 | A class for 64-bit Windows 8 / 2012 handle tables |
| C_HANDLE_TABLE_81R264 | A class for 64-bit Windows 8.1 / 2012 R2 handle tables |
| C_LDR_DATA_TABLE_ENTRY | A class for DLL modules |
| C_OBJECT_HEADER | A class for object headers on Win 8 / Server 2012 |
| C_OBJECT_HEADER_81R2 | A class for object headers on Win 8.1 / Server 2012 R2 |
| C_PSP_CID_TABLE32 | PspCidTable for 32-bit Windows 8 |
| C_PSP_CID_TABLE64 | PspCidTable for 64-bit Windows 8 and Server 2012 |
| C_PSP_CID_TABLE_81R264 | PspCidTable for 64-bit Windows 8.1 and Server 2012 R2 |
| CWin2012R2x64 | A Profile for Windows Server 2012 R2 x64 |
| CWin2012x64 | A Profile for Windows Server 2012 x64 |
| CWin81U1x64 | A Profile for Windows 8.1 Update 1 x64 |
| CWin81U1x86 | A Profile for Windows 8.1 Update 1 x86 |
| CWin8KDBG | The Windows 8 / 2012 KDBG signatures |
| CWin8ObjectClasses | |
| CWin8SP0x64 | A Profile for Windows 8 x64 |
| CWin8SP0x86 | A Profile for Windows 8 x86 |
| CWin8SP1x64 | A Profile for Windows 8.1 x64 |
| CWin8SP1x86 | A Profile for Windows 8.1 x86 |
| CWin8x64DTB | The Windows 8 32-bit DTB signature |
| CWin8x64MaxCommit | The Windows 8 / Server 2012 MM_MAX_COMMIT value |
| CWin8x86DTB | The Windows 8 32-bit DTB signature |
| CWin8x86SyscallVTypes | Applying the SSDT structures for Win 8 32-bit |
| ►Nwin8_kdbg | |
| CVolatilityKDBG | A Scanner for KDBG data within an address space |
| CWin8x64VolatilityKDBG | Apply the KDBG finder for x64 |
| ►Nwindows | |
| C_CM_KEY_BODY | Registry key |
| C_CMHIVE | Registry hive |
| C_EPROCESS | An extensive _EPROCESS with bells and whistles |
| C_ETHREAD | A class for threads |
| C_EX_FAST_REF | |
| C_FILE_OBJECT | Class for file objects |
| C_HANDLE_TABLE | A class for _HANDLE_TABLE |
| C_KMUTANT | A mutex object |
| C_LIST_ENTRY | Adds iterators for _LIST_ENTRY types |
| C_OBJECT_HEADER | A Volatility object to handle Windows object headers |
| C_OBJECT_SYMBOLIC_LINK | A symbolic link object |
| C_OBJECT_TYPE | |
| C_POOL_HEADER | A class for pool headers |
| C_TOKEN | A class for Tokens |
| C_UNICODE_STRING | Class representing a _UNICODE_STRING |
| CAbstractKDBGMod | |
| CDosDate | |
| CExecutiveObjectMixin | A mixin for executive objects to allow easy derivation of the object's _OBJECT_HEADER struct |
| CHandleTableEntryPreWin8 | A modification for handle table entries before Windows 8 |
| CPoolTagModification | A modification for variable pool tags across Windows versions |
| CThreadCreateTimeStamp | Handles ThreadCreateTimeStamps which are bit shifted WinTimeStamps |
| CVolatilityAMD64ValidAS | |
| CVolatilityIA32ValidAS | An object to check that an address space is a valid IA32 Paged space |
| CVolatilityKDBG | A Scanner for KDBG data within an address space |
| CVolatilityKPCR | A scanner for KPCR data within an address space |
| CVolMagicPoolTag | The pool tag for a specific data structure on a given OS |
| CWindowsObjectClasses | |
| CWindowsOverlay | |
| CWindowsVTypes | |
| CWinTimeStamp | Class for handling Windows Time Stamps |
| ►Nwindows64 | |
| C_EX_FAST_REF | |
| CExFastRefx64 | |
| CPointer64Decorator | |
| CWindows64Overlay | |
| ►Nxp | |
| CWinXPSP2x86 | A Profile for Windows XP SP2 x86 |
| CWinXPSP3x86 | A Profile for Windows XP SP3 x86 |
| CXPOverlay | |
| ►Npatcher | |
| CMultiPageScanner | Scans a page at a time through the address space |
| CPatcher | Patches memory based on page scans |
| CPatcherObject | Simple object to hold patching data |
| ►Npooltracker | |
| CGenericPoolScan | Configurable pool scanner |
| CPoolPeek | Configurable pool scanner plugin |
| CPoolTracker | Show a summary of pool tag usage |
| CPoolTrackTagOverlay | Overlays for pool trackers |
| ►Nprivileges | |
| CPrivs | |
| CTokenXP2003 | |
| ►Nprocdump | |
| CProcDump | Dump a process to an executable file sample |
| ►Npstree | |
| CProcessAuditVTypes | |
| CPSTree | Print process list as a tree |
| ►Nraw2dmp | |
| CRaw2dmp | Converts a physical memory sample to a windbg crash dump |
| ►Nregistry | |
| ►Namcache | |
| CAmCache | |
| ►Nauditpol | |
| CAudipolWin7 | |
| CAuditpol | Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv |
| CAuditPolData7 | |
| CAuditPolDataVista | |
| CAuditPolDataXP | |
| CAuditpolTypesVista | |
| CAuditpolTypesXP | |
| ►Ndumpregistry | |
| CDumpRegistry | Dumps registry files out to disk |
| ►Nhivelist | |
| CHiveList | Print list of registry hives |
| ►Nhivescan | |
| CHiveScan | Pool scanner for registry hives |
| CPoolScanHive | Pool scanner for registry hives |
| ►Nlsadump | |
| CCacheDump | Dumps cached domain hashes from memory |
| CHashDump | Dumps passwords hashes (LM/NTLM) from memory |
| CLSADump | Dump (decrypted) LSA secrets from the registry |
| ►Nprintkey | |
| CHiveDump | Prints out a hive |
| CPrintKey | |
| ►Nregistryapi | |
| CRegistryApi | A wrapper several highly used Registry functions |
| ►Nshellbags | |
| C_GUID | Type overrides for output below ##### |
| C_VOLUSER_ASSIST_TYPES | |
| CCONTROL_PANEL | |
| CFILE_ENTRY | |
| CFOLDER_ENTRY | |
| CITEMPOS | |
| CNETWORK_SHARE | |
| CNETWORK_VOLUME_NAME | |
| CNullString | |
| CShellBags | Prints ShellBags info |
| CShellBagsTypesVista | |
| CShellBagsTypesWin7 | |
| CShellBagsTypesXP | |
| CUNKNOWN_00 | |
| CVOLUME_NAME | |
| ►Nshimcache | |
| CShimCache | Parses the Application Compatibility Shim Cache registry key |
| CShimCacheTypes2003x64 | |
| CShimCacheTypes2003x86 | |
| CShimCacheTypesVistax64 | |
| CShimCacheTypesVistax86 | |
| CShimCacheTypesWin7x64 | |
| CShimCacheTypesWin7x86 | |
| CShimCacheTypesXPx86 | |
| ►Nshutdown | |
| CShutdownTime | |
| ►Nuserassist | |
| CUserAssist | |
| CUserAssistVTypes | |
| CUserAssistWin7VTypes | |
| ►Nsockets | |
| CSockets | Print list of open sockets |
| ►Nsockscan | |
| CPoolScanSocket | Pool scanner for tcp socket objects |
| CSockScan | Pool scanner for tcp socket objects |
| ►Nssdt | |
| CSSDT | |
| ►Nstrings | |
| CStrings | Match physical offsets to virtual addresses (may take a while, VERY verbose) |
| ►Ntaskmods | |
| CDllList | Print list of loaded dlls for each process |
| CMemDump | Dump the addressable memory for a process |
| CMemMap | Print the memory map |
| CPSList | Print all running processes by following the EPROCESS lists |
| ►Ntcaudit | |
| CTrueCryptMaster | Recover TrueCrypt 7.1a Master Keys |
| CTrueCryptPassphrase | TrueCrypt Cached Passphrase Finder |
| CTrueCryptSummary | TrueCrypt Summary |
| ►Ntimeliner | |
| CTimeLiner | Creates a timeline from various artifacts in memory |
| CWin7LdrDataTableEntry | |
| CWin7SP1CMHIVE | |
| CWinAllTime | |
| CWinXPTrim | |
| ►Nvadinfo | |
| CVADDump | Dumps out the vad sections to a file |
| CVADInfo | Dump the VAD info |
| CVADTree | Walk the VAD tree and display in tree format |
| CVADWalk | Walk the VAD tree |
| ►Nvboxinfo | |
| CQemuInfo | Dump Qemu information |
| CVBoxInfo | Dump virtualbox information |
| ►Nverinfo | |
| CVerInfo | Prints out the version information from PE images |
| ►Nvmwareinfo | |
| CVMwareInfo | Dump VMware VMSS/VMSN information |
| ►Nvolshell | |
| Cvolshell | Shell in the memory image |
| ►Nwin10cookie | |
| CWin10Cookie | Find the ObHeaderCookie value for Windows 10 |
| ►Npoolscan | |
| CCheckPoolSize | Check pool block size |
| CCheckPoolType | Check the pool type |
| CMultiPoolScanner | An optimized scanner for pool tags |
| CMultiScanInterface | An interface into a scanner that can find multiple pool tags in a single pass through an address space |
| CPoolScanner | A generic pool scanner class |
| CPoolTagCheck | The following are checks for pool scanners |
| CSinglePoolScanner | |
| ►Nregistry | |
| CPluginImporter | This class searches through a comma-separated list of plugins and imports all classes found, based on their path and a fixed prefix |
| ►Nrenderers | |
| ►Nbasic | |
| CAddress | Integer class to allow renderers to differentiate between addresses and numbers |
| CAddress64 | Integer class to allow renderers to differentiate between addresses and numbers |
| CBytes | String class to allow us to encode binary data |
| CHex | Integer class to allow renderers to differentiate between addresses and numbers |
| CRenderer | |
| ►Ndot | |
| CDotRenderer | |
| ►Nhtml | |
| CHTMLRenderer | |
| CJSONRenderer | |
| ►Nsqlite | |
| CSqliteRenderer | |
| ►Ntext | |
| CCellRenderer | Class to handle rendering of a particular cell in a text grid |
| CFormatCellRenderer | Class to handle rendering each cell of a grid |
| CGrepTextRenderer | |
| CTextRenderer | |
| ►Nxlsx | |
| CXLSXRenderer | |
| CColumnSortKey | |
| CTreeGrid | Class providing the interface for a TreeGrid (which contains TreeNodes) |
| CTreeNode | Class representing a particular node in a tree grid |
| CTreePopulationError | Exception class for accessing functions on an partially populated tree |
| ►Nscan | |
| CBaseScanner | Following is the new implementation of the scanning framework |
| CDiscontigScanner | |
| CScannerCheck | A scanner check is a special class which is invoked on an AS to check for a specific condition |
| ►Ntimefmt | |
| COffsetTzInfo | Timezone implementation that allows offsets specified in seconds |
| CUTC | Concrete instance of the UTC timezone |
| ►Nvalidity | |
| CValidityRoutines | Created on 4 May 2013 |
| ►Nwin32 | |
| ►Nhive | |
| CHiveAddressSpace | |
| CHiveFileAddressSpace | |
| ▼Nvtype_diff | |
| CVtypeHolder | |
1.8.9.1