Live Interactive Shell Volatility3 Plugin #1904
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# live.py – Volatility 3 Live System Analysis Plugin `live.py` is a custom plugin for **Volatility 3** designed to extend its capabilities for **real-time forensic data collection and threat hunting** directly on a **live Windows system**, eliminating the need for a full memory dump. This tool provides an **interactive command-line shell** for dynamic investigation, leveraging system APIs through libraries like `psutil` and `pywin32` to quickly triage and analyze active endpoints. --- ## Key Capabilities ### **Live Analysis Mode** Performs immediate, low-overhead forensic data collection from an active operating system, bypassing traditional memory dump requirements. ### **Interactive Shell** Includes an integrated CLI environment offering a suite of commands for efficient, step-by-step investigation via the `LiveShellCommand` interface. ### **Advanced Threat Hunting** Provides built-in commands for targeted analysis: - **fileless** – Detects fileless malware and suspicious in-memory activity, focusing on processes such as `powershell.exe`. - **detect_sandbox** – Identifies virtualized or sandboxed environments by inspecting artifacts, process behavior, and MAC address prefixes. ### **Comprehensive Forensic Data Collection** Collects essential artifacts and system information for deep analysis: - **Process and Module Data:** `pslist`, `psscan`, `dlllist`, `handles`, `sids`, `cmdline` - **Network Activity:** `netscan` for active connections and sockets - **Persistence & Services:** Analysis of `services`, `drivers`, `registry`, and autorun entries - **Artifact Analysis:** Extraction of `shimcache`, `prefetch`, `userassist`, and `jumplists` - **Timeline Generation:** Unified event correlation using `timeliner` ---
# sandbox_detect.py – Virtualization and Sandbox Environment Detection (Volatility 3 Plugin) `sandbox_detect.py` is a specialized **Volatility 3 plugin** designed for **post-mortem forensic analysis** of **Windows memory dumps**. Its primary goal is to detect and score artifacts indicating that the analyzed system was operating within a **Virtual Machine (VM)**, **Sandbox**, or **Malware Analysis Environment**. This plugin is particularly valuable for investigators who need to determine whether a captured memory sample originated from a **controlled analysis setup** or a **real-world victim system**. --- ## Key Capabilities ### **Multi-Layered Artifact Scanning** Performs deep inspection across multiple memory and system layers to ensure comprehensive detection: - **Process Analysis:** Identifies running processes related to virtualization or analysis environments, such as `vmtoolsd.exe`, `vboxservice.exe`, `prl_cc.exe`, `wireshark.exe`, and `ollydbg.exe`. - **Driver and Module Checks:** Detects kernel modules and drivers named after virtualization platforms, including `vmmouse.sys`, `vboxguest.sys`, and `vmhgfs.sys`. - **Registry and System Keys:** Examines critical registry entries and system identifiers for virtualization traces, such as hardware IDs, BIOS strings, and known VM installation paths. --- ### **Heuristic Scoring System** Implements a scoring engine that assigns severity levels to each identified artifact. Instead of a binary result, the plugin produces a **confidence-based verdict**, such as: - **HIGH CONFIDENCE – Virtual Machine Detected** - **MODERATE CONFIDENCE – Sandbox Environment** - **LOW CONFIDENCE – Physical Host** This scoring model provides analysts with clearer, evidence-weighted conclusions. ---
# sandbox_detect.py – Virtualization and Sandbox Environment Detection (Volatility 3 Plugin) `sandbox_detect.py` is a specialized **Volatility 3 plugin** designed for **post-mortem forensic analysis** of **Windows memory dumps**. Its primary goal is to detect and score artifacts indicating that the analyzed system was operating within a **Virtual Machine (VM)**, **Sandbox**, or **Malware Analysis Environment**. This plugin is particularly valuable for investigators who need to determine whether a captured memory sample originated from a **controlled analysis setup** or a **real-world victim system**. --- ## Key Capabilities ### **Multi-Layered Artifact Scanning** Performs deep inspection across multiple memory and system layers to ensure comprehensive detection: - **Process Analysis:** Identifies running processes related to virtualization or analysis environments, such as `vmtoolsd.exe`, `vboxservice.exe`, `prl_cc.exe`, `wireshark.exe`, and `ollydbg.exe`. - **Driver and Module Checks:** Detects kernel modules and drivers named after virtualization platforms, including `vmmouse.sys`, `vboxguest.sys`, and `vmhgfs.sys`. - **Registry and System Keys:** Examines critical registry entries and system identifiers for virtualization traces, such as hardware IDs, BIOS strings, and known VM installation paths. --- ### **Heuristic Scoring System** Implements a scoring engine that assigns severity levels to each identified artifact. Instead of a binary result, the plugin produces a **confidence-based verdict**, such as: - **HIGH CONFIDENCE – Virtual Machine Detected** - **MODERATE CONFIDENCE – Sandbox Environment** - **LOW CONFIDENCE – Physical Host** This scoring model provides analysts with clearer, evidence-weighted conclusions. ---
# proccon.py – Process Connectivity & Visualization (Volatility 3 Plugin) `proccon.py` is a **Volatility 3 plugin** designed to provide **process visualization and relationship mapping** from a **Windows memory dump**. While it does not perform direct forensic analysis, it serves as a **critical utility** for post-processing and visualizing process hierarchy data. The plugin extracts **Parent-Child process relationships** and outputs them as a **Graphviz DOT file**, enabling investigators to generate graphical representations of the system’s process tree at the time of capture. --- ## Key Capabilities ### **Process Tree Extraction** Efficiently iterates through the complete process list obtained via Volatility’s `windows.pslist` plugin to map: - **PID** (Process ID) → **PPID** (Parent Process ID) This provides a foundational dataset for visual process relationship mapping. --- ### **Graphviz DOT Output** Automatically generates a **structured `.dot` file** compatible with Graphviz visualization tools such as: - `dot` - `neato` - Online renderers and graphing tools This output can be rendered into **network-style process trees**, allowing investigators to: - Visualize process spawning chains - Detect irregular or unexpected parent-child relationships - Identify suspicious execution flows in malware investigations --- ### **Visualization Focus** The plugin emphasizes **connectivity and hierarchy**, providing a clear visual representation of process structures that supports: - **Anomaly Detection:** Spot abnormal or hidden parent-child relationships - **Malware Analysis:** Map execution chains to trace malicious process origins - **System Understanding:** Reveal the operational process tree at the time of memory capture ---
# OrphanDLLs Plugin — Volatility 3 **OrphanDLLs** is an advanced custom plugin for the [Volatility 3 memory forensics framework](https://github.com/volatilityfoundation/volatility3). It is designed to detect **unlinked, hidden, or reflectively loaded DLLs** and other stealthy module manipulation techniques in Windows memory images. --- ## Overview This plugin identifies anomalies in process memory structures that often indicate advanced malware activity, including: - DLL unlinking (removal from PEB lists) - Reflective DLL injection - Process hollowing and PE injection - Memory-only or cloned DLLs - Hidden modules loaded via VAD - Suspicious or manipulated protection flags - Cross-list inconsistencies between `InLoadOrder`, `InMemoryOrder`, and `InInitOrder` lists These techniques are commonly used by attackers to hide malicious code or evade forensic tools. --- ## Detection Categories | Status | Description | Technique | |---------|--------------|------------| | **UNLINKED_DLL** | DLL missing from multiple PEB lists | PEB Unlinking | | **HIDDEN_MODULE** | Mapped in VAD but not listed in PEB | VAD Manipulation / Memory Injection | | **REFLECTIVE_DLL** | DLL loaded without a file backing | Reflective DLL Injection | | **HIDDEN_PE** | Memory region containing PE headers not linked to any module | Process Hollowing / PE Injection | | **CLONED_DLL** | Multiple instances of same DLL found | DLL Cloning | | **SUSPICIOUS_PROTECTION** | Memory region with writable + executable flags | Memory Protection Manipulation | | **INCONSISTENT_MODULE** | Conflicts between module lists | Module Tampering | --- ## Output Fields When `--verbose` is **off** (default): | Field | Description | |--------|--------------| | Process | Name of the process | | PID | Process ID | | Base Address | Memory base address of the module | | Status | Classification of anomaly | | Severity | Risk level (`LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | | Evidence | Supporting information for the detection | When `--verbose` is **on**: | Additional Fields | Description | |-------------------|-------------| | Size | Module size in bytes | | Technique | Detection technique used | | Path | Full path or memory label of the DLL | --- ## Optional Arguments | Argument | Type | Description | |-----------|------|-------------| | `--pid` | Integer | Analyze a specific process ID only | | `--verbose` | Boolean | Show detailed DLL information | | `--debug` | Boolean | Enable debug logs | | `--check-vad` | Boolean | Perform deep VAD analysis (default: True) | | `--check-pe` | Boolean | Verify PE headers in suspicious regions | | `--min-size` | Integer | Minimum region size to consider (bytes, default: 4096) | | `--check-clones` | Boolean | Detect multiple DLL instances | | `--check-protection` | Boolean | Analyze memory protection flags | | `--whitelist-system` | Boolean | Skip known system DLLs (default: True) | | `--whitelist-file` | String | Path to custom whitelist file | ---
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
live.py – Volatility 3 Live System Analysis Plugin
live.pyis a custom plugin for Volatility 3 designed to extend its capabilities for real-time forensic data collection and threat hunting directly on a live Windows system, eliminating the need for a full memory dump.This tool provides an interactive command-line shell for dynamic investigation, leveraging system APIs through libraries like
psutilandpywin32to quickly triage and analyze active endpoints.Key Capabilities
Live Analysis Mode
Performs immediate, low-overhead forensic data collection from an active operating system, bypassing traditional memory dump requirements.
Interactive Shell
Includes an integrated CLI environment offering a suite of commands for efficient, step-by-step investigation via the
LiveShellCommandinterface.Advanced Threat Hunting
Provides built-in commands for targeted analysis:
powershell.exe.Comprehensive Forensic Data Collection
Collects essential artifacts and system information for deep analysis:
pslist,psscan,dlllist,handles,sids,cmdlinenetscanfor active connections and socketsservices,drivers,registry, and autorun entriesshimcache,prefetch,userassist, andjumpliststimeliner