VOLSHELL

Presenter Notes

Volatility Python Shell

Allows you to use the full Volatility namespace to

  • Interactively explore a memory image
  • Write your own scripts
  • Display structure layouts
  • Fill in structures at a memory offset
  • Read memory
  • List processes
  • Switch process context
  • Walk linked lists
  • Disassemble code at a memory offset

Getting into Volshell

[root@windows]# volatility -f Win7.bin --profile=Win7SP0x86 volshell
Volatility Foundation Volatility Framework 2.4
Current context: System @ 0x84138bb0, pid=4, ppid=0 DTB=0x185000
Welcome to volshell! Current memory image is:
file:///root/amf/windows/Win7.bin
To get help, type 'hh()'
>>>
>>> print("HELLO WORLD FROM VOLSHELL")
HELLO WORLD FROM VOLSHELL

Notice that volshell automatically sets your initial context to the System process (pid 4)

>>> sc()
Current context: System @ 0x84138bb0, pid=4, ppid=0 DTB=0x185000

Help

>>> hh()

Use addrspace() for Kernel/Virtual AS
Use addrspace().base for Physical AS
Use proc() to get the current process object
  and proc().get_process_address_space() for the current process AS
  and proc().get_load_modules() for the current process DLLs

addrspace()                              : Get the current kernel/virtual address space.
cc(offset=None, pid=None, name=None, physical=False) : Change current shell context.
db(address, length=128, space=None)      : Print bytes as canonical hexdump.
dd(address, length=128, space=None)      : Print dwords at address.
dis(address, length=128, space=None, mode=None) : Disassemble code at a given address.
dq(address, length=128, space=None)      : Print qwords at address.
dt(objct, address=None, space=None, recursive=False, depth=0) : Describe an object or show type info.
getmods()                                : Generator for kernel modules (scripting).
getprocs()                               : Generator of process objects (scripting).
hh(cmd=None)                             : Get help on a command.
list_entry(head, objname, offset=-1, fieldname=None, forward=True) : Traverse a _LIST_ENTRY.
modules()                                : Print loaded modules in a table view.
proc()                                   : Get the current process object.
ps()                                     : Print active processes in a table view.
sc()                                     : Show the current context.

For help on a specific command, type 'hh(<command>)'

Exploring a Structure

dt(objct, address=None, space=None, recursive=False, depth=0) : Describe an object or show type info.

>>> dt("_LIST_ENTRY")
 '_LIST_ENTRY' (8 bytes)
0x0   : Flink                          ['pointer', ['_LIST_ENTRY']]
0x4   : Blink                          ['pointer', ['_LIST_ENTRY']]

You can also pass an address: volshell then overlays the structure on the memory at that offset and shows the actual field values

>>> proc()
[_EPROCESS _EPROCESS] @ 0x84138BB0
>>> dt("_EPROCESS", 0x84138BB0)
[_EPROCESS _EPROCESS] @ 0x84138BB0
0x0   : Pcb                            2215873456
0x98  : ProcessLock                    2215873608
0xa0  : CreateTime                     2013-10-15 18:45:51 UTC+0000
0xa8  : ExitTime                       1970-01-01 00:00:00 UTC+0000
0xb0  : RundownProtect                 2215873632
0xb4  : UniqueProcessId                4
0xb8  : ActiveProcessLinks             2215873640
0xc0  : ProcessQuotaUsage              -
0xc8  : ProcessQuotaPeak               -
0xd0  : CommitCharge                   12
0xd4  : QuotaBlock                     2190711296
0xd8  : CpuQuotaBlock                  0
0xdc  : PeakVirtualSize                7577600
0xe0  : VirtualSize                    1966080
0xe4  : SessionProcessLinks            2215873684
0xec  : DebugPort                      0
0xf0  : ExceptionPortData              0
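The dt() overlay above is what makes "walk linked lists" possible: ActiveProcessLinks at 0xb8 is a _LIST_ENTRY whose Flink points at the ActiveProcessLinks field of the *next* _EPROCESS, not at its start, so each object base is the link address minus 0xb8. That is exactly what volshell's list_entry(head, objname, offset) and getprocs() do internally. The following is an added example, not code from the page or from the Volatility project: it builds a constructed 16 KiB toy "memory image" with a list head and three fake processes (the kernel address, PIDs and image size are made up; the 0xb4/0xb8 offsets are the ones dt() printed above) and walks the list in both directions, stopping when it returns to the head, hits an unreadable pointer, or exceeds a node budget so a corrupt or deliberately looped Flink cannot hang the walk.

```python
import struct

# Constructed toy 32-bit memory image: one bytearray whose first byte sits at BASE.
BASE = 0x84138000          # arbitrary kernel address chosen for the toy image (assumption)
MEM = bytearray(0x4000)    # 16 KiB of zeroed memory

# Offsets from the Win7SP0x86 _EPROCESS layout shown by dt() on this page.
OFF_UNIQUE_PID = 0xb4      # UniqueProcessId
OFF_ACTIVE_LINKS = 0xb8    # ActiveProcessLinks (_LIST_ENTRY: Flink @ +0, Blink @ +4)

def write_dword(addr, value):
    off = addr - BASE
    MEM[off:off + 4] = struct.pack("<I", value)

def read_dword(addr):
    """Read a 32-bit little-endian value; None if the address is outside the image."""
    off = addr - BASE
    if off < 0 or off + 4 > len(MEM):
        return None
    return struct.unpack_from("<I", MEM, off)[0]

def build_toy_image():
    """Lay out a list head plus three fake _EPROCESS objects linked circularly
    through ActiveProcessLinks, the way PsActiveProcessHead links real ones.
    Returns the address of the list head."""
    head = BASE + 0x10                      # the head is NOT inside an _EPROCESS
    procs = [(BASE + 0x1000, 4), (BASE + 0x2000, 260), (BASE + 0x3000, 348)]
    # Ring of _LIST_ENTRY nodes: the head, then each process's embedded entry.
    nodes = [head] + [p + OFF_ACTIVE_LINKS for p, _ in procs]
    for i, node in enumerate(nodes):
        write_dword(node, nodes[(i + 1) % len(nodes)])       # Flink
        write_dword(node + 4, nodes[(i - 1) % len(nodes)])   # Blink
    for p, pid in procs:
        write_dword(p + OFF_UNIQUE_PID, pid)
    return head

def list_entry(head, offset, forward=True, max_nodes=1000):
    """Same idea as volshell's list_entry(): yield the base address of every object
    whose _LIST_ENTRY at `offset` is reachable from `head`. Stops when the walk
    returns to the head, reads a NULL/unmapped pointer, or exceeds max_nodes."""
    link = read_dword(head if forward else head + 4)
    seen = 0
    while link not in (None, 0, head) and seen < max_nodes:
        yield link - offset                     # object base = link address - field offset
        link = read_dword(link if forward else link + 4)
        seen += 1

def active_pids(head):
    """ps()-style listing: (object offset, pid) for each linked _EPROCESS."""
    return [(obj, read_dword(obj + OFF_UNIQUE_PID))
            for obj in list_entry(head, OFF_ACTIVE_LINKS)]

if __name__ == "__main__":
    head = build_toy_image()
    for offset, pid in active_pids(head):
        print(f"pid={pid:<5} _EPROCESS @ {offset:#010x}")
```

In a real volshell session the head is the kernel's PsActiveProcessHead and `getprocs()` already hides this arithmetic; the point of writing it out is that a process whose entry was unlinked from this list (the classic DKOM trick) simply never appears in the walk, which is why other plugins cross-check the list against scanning.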

PS()

Print active processes in a table view.

>>> ps()
Name             PID    PPID   Offset
System           4      0      0x84138bb0
smss.exe         260    4      0x852d95b0
csrss.exe        348    340    0x853f7490
wininit.exe      400    340    0x859c2d40
csrss.exe        412    392    0x859c2030
winlogon.exe     468    392    0x85a11030
services.exe     504    400    0x85a1e410
lsass.exe        520    400    0x85a2d308
lsm.exe          528    400    0x85a315a8
svchost.exe      632    504    0x85ad6530
svchost.exe      700    504    0x85e22530
svchost.exe      748    504    0x85e60530
svchost.exe      868    504    0x85f07648
svchost.exe      908    504    0x85ef03c8
svchost.exe      948    504    0x85eeb328
audiodg.exe      1000   748    0x85f03648
svchost.exe      1204   504    0x85f8c630
spoolsv.exe      1304   504    0x86019b48
svchost.exe      1340   504    0x860621a8
vmtoolsd.exe     1504   504    0x85e2cb38
TPAutoConnSvc.   1668   504    0x8617ab90
dllhost.exe      1804   504    0x8538b030
dllhost.exe      1868   504    0x85e008c8
msdtc.exe        1980   504    0x8613ad40
VSSVC.exe        580    504    0x862007d0
taskhost.exe     320    504    0x86144030
dwm.exe          1916   868    0x86256858
explorer.exe     352    1848   0x8625b420
vmtoolsd.exe     2060   352    0x8628e6d0
TPAutoConnect.   2176   1668   0x862ba8c8
conhost.exe      2184   412    0x862ba248
iexplore.exe     2364   352    0x85e56828
SearchIndexer.   2436   504    0x8633ad40
iexplore.exe     2468   2364   0x8634a380
mstsc.exe        2704   352    0x862f63a0
devenv.exe       2876   352    0x863f63b8
StikyNot.exe     2972   352    0x86452d40
calc.exe         3032   352    0x86480530
WFS.exe          3056   352    0x8533ad40
FXSSVC.exe       3092   504    0x86485030
mspaint.exe      3196   352    0x86499d40
svchost.exe      3232   504    0x864ada20
SnippingTool.e   3276   352    0x864b5d40
wisptis.exe      3364   868    0x86487d40
mobsync.exe      3444   632    0x85358d40
sidebar.exe      3544   352    0x86250770
msra.exe         3676   352    0x84a35030
svchost.exe      3712   504    0x8526ad00
svchost.exe      3744   504    0x861abd40
ProcessHacker.   1108   352    0x863cc540
dllhost.exe      884    632    0x84355d40
cmd.exe          3912   1504   0x842424b8
conhost.exe      3880   348    0x8426ad40
ipconfig.exe     968    3912   0x8426aa50

Switching contexts and using them

cc = change context

>>> cc(0x86480530)
Current context: calc.exe @ 0x86480530, pid=3032, ppid=352 DTB=0x3ecec540

You are now working in that process's virtual address space; reads and dt() overlays now resolve through its page tables (the DTB shown above)

>>> modules()
Offset     Base       Name
0x84131c98 0x82804000 \SystemRoot\system32\ntkrnlpa.exe
0x84131c20 0x82c17000 \SystemRoot\system32\halmacpi.dll
0x84131ba0 0x80bb8000 \SystemRoot\system32\kdcom.dll
0x84131b20 0x82e35000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x84131aa0 0x82eba000 \SystemRoot\system32\PSHED.dll
0x84131a20 0x82ecb000 \SystemRoot\system32\BOOTVID.dll
0x841319a8 0x82ed3000 \SystemRoot\system32\CLFS.SYS
0x84131930 0x82f15000 \SystemRoot\system32\CI.dll

More

Let's find the PE header!

>>> dt("_EPROCESS", 0x86480530)
[_EPROCESS _EPROCESS] @ 0x86480530
0x1a8 : Peb                            2147319808
>>> dt("_PEB",2147319808)
0x8   : ImageBaseAddress               1179648
>>> db(1179648)
0x00120000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00120010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x00120020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00120030  00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00   ................
0x00120040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68   ........!..L.!Th
0x00120050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f   is.program.canno
0x00120060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20   t.be.run.in.DOS.
0x00120070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00   mode....$.......
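Note that dt() printed ImageBaseAddress in decimal: 1179648 is 0x00120000, which is the address db() shows on the first line. The DOS header's e_lfanew field at offset 0x3c (bytes `d8 00 00 00` on the 0x00120030 line) gives the distance to the real PE header. As an added example that is not part of the original slides or of Volatility itself, the script below takes the db() output above as constructed sample input, rebuilds the bytes from the hex column, validates the MZ signature and computes where the PE header lives, which is the address you would hand to db() next to look for `PE\0\0`.

```python
import re
import struct

# The db() output from the page, reused here as constructed sample input.
DB_OUTPUT = """\
0x00120000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00120010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x00120020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00120030  00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00   ................
0x00120040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68   ........!..L.!Th
0x00120050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f   is.program.canno
0x00120060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20   t.be.run.in.DOS.
0x00120070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00   mode....$.......
"""

def parse_hexdump(text):
    """Turn db()-style lines back into (base_address, bytes).
    Columns are separated by two or more spaces, hex pairs by a single space;
    the ASCII column is ignored because '.' there is ambiguous."""
    base = None
    data = bytearray()
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 2 or not parts[0].startswith("0x"):
            continue                                # not a dump line
        addr = int(parts[0], 16)
        if base is None:
            base = addr
        elif addr != base + len(data):
            raise ValueError(f"non-contiguous dump at {addr:#x}")
        data += bytes.fromhex(parts[1].replace(" ", ""))
    return base, bytes(data)

def locate_pe_header(base, data):
    """Check the DOS header and return the virtual address of the PE header
    (base + e_lfanew, where e_lfanew is the dword at DOS offset 0x3c),
    or None if the bytes do not look like a mapped image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    return base + e_lfanew

def looks_like_pe(chunk):
    """True if a chunk read at the computed address starts with the PE signature."""
    return chunk[:4] == b"PE\x00\x00"

if __name__ == "__main__":
    base, data = parse_hexdump(DB_OUTPUT)
    pe = locate_pe_header(base, data)
    print(f"image base {base:#x}, {len(data)} bytes dumped, PE header at {pe:#x}")
```

The computed address is 0x1200d8, which lies past the 128 bytes db() dumped by default, so in volshell the follow-up is `db(0x1200d8)` (or `dt("_IMAGE_NT_HEADERS", 0x1200d8)`) and a check that the first four bytes are the PE signature; an MZ header whose e_lfanew points somewhere implausible is one of the things an unpacked or injected image in memory can give away.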

Disassemble

dis() disassembles the instructions at a given memory address in the current context

>>> dis(1179648 + 0x2506)
0x122506 2500000089                       AND EAX, 0x89000000
0x12250b 45                               INC EBP
0x12250c fc                               CLD
0x12250d 8bcb                             MOV ECX, EBX
0x12250f 85c0                             TEST EAX, EAX
0x122511 0f853b190100                     JNZ 0x133e52
0x122517 e8e1fcffff                       CALL 0x1221fd
0x12251c 8b45f8                           MOV EAX, [EBP-0x8]
0x12251f 8b08                             MOV ECX, [EAX]
0x122521 50                               PUSH EAX
0x122522 ff5108                           CALL DWORD [ECX+0x8]

Pointing it at arbitrary memory just yields gibberish, but it is useful on something discovered by malfind() (discussed later in the course)

TL;DR

Volshell lets you do a whole lot

I will be using it a lot to display structures and just did not want confusion!