creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-memory-dumps-with-volatility/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

3.0 KiB
Raw Blame History

API Reference: Volatility 3 Memory Forensics

Core Syntax

vol3 -f <memory_dump> <plugin> [options]
vol3 -f memory.dmp --help          # List all plugins
vol3 -f memory.dmp <plugin> --help # Plugin-specific help

Windows Plugins

Process Analysis

Plugin Purpose
windows.pslist List active processes
windows.pstree Process tree (parent-child)
windows.psscan Pool-tag scan (finds hidden processes)
windows.cmdline Process command-line arguments
windows.envars Process environment variables
windows.handles Process handle table

Code Injection Detection

Plugin Purpose
windows.malfind Detect injected code (RWX memory + PE headers)
windows.hollowfind Detect process hollowing
windows.dlllist List loaded DLLs per process
windows.ldrmodules Detect unlinked DLLs

Network

Plugin Purpose
windows.netscan List network connections and listeners
windows.netstat Network connections (older Windows)

Kernel / Rootkit

Plugin Purpose
windows.ssdt System Service Descriptor Table hooks
windows.callbacks Kernel callback registrations
windows.driverscan Scan for driver objects
windows.modules Loaded kernel modules
windows.idt Interrupt Descriptor Table

Credentials

Plugin Purpose
windows.hashdump Dump SAM password hashes
windows.cachedump Dump cached domain credentials
windows.lsadump Dump LSA secrets

Registry

Plugin Purpose
windows.registry.printkey Print registry key values
windows.registry.hivelist List registry hives
windows.registry.certificates Extract certificates

File System

Plugin Purpose
windows.filescan Scan for file objects
windows.dumpfiles Extract files from memory
windows.memmap Dump process memory

YARA Scanning

vol3 -f memory.dmp yarascan.YaraScan --yara-file rules.yar
vol3 -f memory.dmp yarascan.YaraScan --yara-file rules.yar --pid 2184
vol3 -f memory.dmp yarascan.YaraScan --yara-rules "rule Test { strings: $s = \"cmd.exe\" condition: $s }"

Timeline

vol3 -f memory.dmp timeliner.Timeliner --output-file timeline.csv

Output Options

vol3 -f memory.dmp windows.pslist --output csv > processes.csv
vol3 -f memory.dmp windows.pslist --output json > processes.json
vol3 -f memory.dmp windows.malfind --dump --pid 2184

Memory Acquisition Tools

Tool Platform Command
WinPmem Windows winpmem_mini_x64.exe memdump.raw
DumpIt Windows DumpIt.exe (interactive)
LiME Linux insmod lime.ko "path=/tmp/mem.lime format=lime"
AVML Linux avml /tmp/memory.lime

Symbols

# Download symbol packs
# https://downloads.volatilityfoundation.org/volatility3/symbols/
# Place in: volatility3/symbols/
Reference in New Issue View Git Blame Copy Permalink