{
"banners.Banners": "Attempts to identify potential linux banners in an image",
"configwriter.ConfigWriter": "Runs the automagics and both prints and outputs configuration in the output directory.",
"frameworkinfo.FrameworkInfo": "Plugin to list the various modular components of Volatility",
"isfinfo.IsfInfo": "Determines information about the currently available ISF files, or a specific one",
"layerwriter.LayerWriter": "Runs the automagics and writes out the primary layer produced by the stacker.",
"linux.bash.Bash": "Recovers bash command history from memory.",
"linux.boottime.Boottime": "Shows the time the system was started",
"linux.capabilities.Capabilities": "Lists process capabilities",
"linux.check_afinfo.Check_afinfo": "Verifies the operation function pointers of network protocols.",
"linux.check_creds.Check_creds": "Checks if any processes are sharing credential structures",
"linux.check_idt.Check_idt": "Checks if the IDT has been altered",
"linux.check_modules.Check_modules": "Compares module list to sysfs info, if available",
"linux.check_syscall.Check_syscall": "Check system call table for hooks.",
"linux.ebpf.EBPF": "Enumerate eBPF programs",
"linux.elfs.Elfs": "Lists all memory mapped ELF files for all processes.",
"linux.envars.Envars": "Lists processes with their environment variables",
"linux.hidden_modules.Hidden_modules": "Carves memory to find hidden kernel modules",
"linux.iomem.IOMem": "Generates an output similar to /proc/iomem on a running system.",
"linux.keyboard_notifiers.Keyboard_notifiers": "Parses the keyboard notifier call chain",
"linux.kmsg.Kmsg": "Kernel log buffer reader",
"linux.kthreads.Kthreads": "Enumerates kthread functions",
"linux.library_list.LibraryList": "Enumerate libraries loaded into processes",
"linux.lsmod.Lsmod": "Lists loaded kernel modules.",
"linux.lsof.Lsof": "Lists open files for each process.",
"linux.malfind.Malfind": "Lists process memory ranges that potentially contain injected code.",
"linux.mountinfo.MountInfo": "Lists mount points on processes mount namespaces",
"linux.netfilter.Netfilter": "Lists Netfilter hooks.",
"linux.pagecache.Files": "Lists files from memory",
"linux.pagecache.InodePages": "Lists and recovers cached inode pages",
"linux.pidhashtable.PIDHashTable": "Enumerates processes through the PID hash table",
"linux.proc.Maps": "Lists all memory maps for all processes.",
"linux.psaux.PsAux": "Lists processes with their command line arguments",
"linux.pslist.PsList": "Lists the processes present in a particular linux memory image.",
"linux.psscan.PsScan": "Scans for processes present in a particular linux image.",
"linux.pstree.PsTree": "Plugin for listing processes in a tree based on their parent process ID.",
"linux.ptrace.Ptrace": "Enumerates ptrace's tracer and tracee tasks",
"linux.sockstat.Sockstat": "Lists all network connections for all processes.",
"linux.tty_check.tty_check": "Checks tty devices for hooks",
"linux.vmayarascan.VmaYaraScan": "Scans all virtual memory areas for tasks using yara.",
"mac.bash.Bash": "Recovers bash command history from memory.",
"mac.check_syscall.Check_syscall": "Check system call table for hooks.",
"mac.check_sysctl.Check_sysctl": "Check sysctl handlers for hooks.",
"mac.check_trap_table.Check_trap_table": "Check mach trap table for hooks.",
"mac.dmesg.Dmesg": "Prints the kernel log buffer.",
"mac.ifconfig.Ifconfig": "Lists network interface information for all devices",
"mac.kauth_listeners.Kauth_listeners": "Lists kauth listeners and their status",
"mac.kauth_scopes.Kauth_scopes": "Lists kauth scopes and their status",
"mac.kevents.Kevents": "Lists event handlers registered by processes",
"mac.list_files.List_Files": "Lists all open file descriptors for all processes.",
"mac.lsmod.Lsmod": "Lists loaded kernel modules.",
"mac.lsof.Lsof": "Lists all open file descriptors for all processes.",
"mac.malfind.Malfind": "Lists process memory ranges that potentially contain injected code.",
"mac.mount.Mount": "A module containing a collection of plugins that produce data typically found in Mac's mount command",
"mac.netstat.Netstat": "Lists all network connections for all processes.",
"mac.proc_maps.Maps": "Lists process memory ranges that potentially contain injected code.",
"mac.psaux.Psaux": "Recovers program command line arguments.",
"mac.pslist.PsList": "Lists the processes present in a particular mac memory image.",
"mac.pstree.PsTree": "Plugin for listing processes in a tree based on their parent process ID.",
"mac.socket_filters.Socket_filters": "Enumerates kernel socket filters.",
"mac.timers.Timers": "Check for malicious kernel timers.",
"mac.trustedbsd.Trustedbsd": "Checks for malicious trustedbsd modules",
"mac.vfsevents.VFSevents": "Lists processes that are filtering file system events",
"timeliner.Timeliner": "Runs all relevant plugins that provide time related information and orders the results by time.",
"vmscan.Vmscan": "Scans for Intel VT-d structures and generates VM volatility configs for them",
"windows.amcache.Amcache": "Extract information on executed applications from the AmCache.",
"windows.bigpools.BigPools": "List big page pools.",
"windows.cachedump.Cachedump": "Dumps lsa secrets from memory",
"windows.callbacks.Callbacks": "Lists kernel callbacks and notification routines.",
"windows.cmdline.CmdLine": "Lists process command line arguments.",
"windows.cmdscan.CmdScan": "Looks for Windows Command History lists",
"windows.consoles.Consoles": "Looks for Windows console buffers",
"windows.crashinfo.Crashinfo": "Lists the information from a Windows crash dump.",
"windows.devicetree.DeviceTree": "Lists a tree of drivers and their attached devices in a particular windows memory image.",
"windows.dlllist.DllList": "Lists the loaded modules in a particular windows memory image.",
"windows.driverirp.DriverIrp": "List IRPs for drivers in a particular windows memory image.",
"windows.drivermodule.DriverModule": "Determines if any loaded drivers were hidden by a rootkit",
"windows.driverscan.DriverScan": "Scans for drivers present in a particular windows memory image.",
"windows.dumpfiles.DumpFiles": "Dumps cached file contents from Windows memory samples.",
"windows.envars.Envars": "Display process environment variables",
"windows.filescan.FileScan": "Scans for file objects present in a particular windows memory image.",
"windows.getservicesids.GetServiceSIDs": "Lists process token sids.",
"windows.getsids.GetSIDs": "Print the SIDs owning each process",
"windows.handles.Handles": "Lists process open handles.",
"windows.hashdump.Hashdump": "Dumps user hashes from memory",
"windows.hollowprocesses.HollowProcesses": "Lists hollowed processes",
"windows.iat.IAT": "Extracts the Import Address Table to list the API functions a program uses from external libraries",
"windows.info.Info": "Show OS & kernel details of the memory sample being analyzed.",
"windows.joblinks.JobLinks": "Print process job link information",
"windows.kpcrs.KPCRs": "Print KPCR structure for each processor",
"windows.ldrmodules.LdrModules": "Lists the loaded modules in a particular windows memory image.",
"windows.lsadump.Lsadump": "Dumps lsa secrets from memory",
"windows.malfind.Malfind": "Lists process memory ranges that potentially contain injected code.",
"windows.mbrscan.MBRScan": "Scans for and parses potential Master Boot Records (MBRs)",
"windows.memmap.Memmap": "Prints the memory map",
"windows.mftscan.ADS": "Scans for Alternate Data Streams",
"windows.mftscan.MFTScan": "Scans for MFT FILE objects present in a particular windows memory image.",
"windows.modscan.ModScan": "Scans for modules present in a particular windows memory image.",
"windows.modules.Modules": "Lists the loaded kernel modules.",
"windows.mutantscan.MutantScan": "Scans for mutexes present in a particular windows memory image.",
"windows.netscan.NetScan": "Scans for network objects present in a particular windows memory image.",
"windows.netstat.NetStat": "Traverses network tracking structures present in a particular windows memory image.",
"windows.orphan_kernel_threads.Threads": "Lists process threads",
"windows.pe_symbols.PESymbols": "Prints symbols in PE files in process and kernel memory",
"windows.pedump.PEDump": "Allows extracting PE Files from a specific address in a specific address space",
"windows.poolscanner.PoolScanner": "A generic pool scanner plugin.",
"windows.privileges.Privs": "Lists process token privileges",
"windows.processghosting.ProcessGhosting": "Lists processes whose DeletePending bit is set or whose FILE_OBJECT is set to 0",
"windows.pslist.PsList": "Lists the processes present in a particular windows memory image.",
"windows.psscan.PsScan": "Scans for processes present in a particular windows memory image.",
"windows.pstree.PsTree": "Plugin for listing processes in a tree based on their parent process ID.",
"windows.psxview.PsXView": "Lists all processes found via four of the methods described in \"The Art of Memory Forensics\" which may help identify processes that are trying to hide themselves. I recommend using -r pretty if you are looking at this plugin's output in a terminal.",
"windows.registry.certificates.Certificates": "Lists the certificates in the registry's Certificate Store.",
"windows.registry.getcellroutine.GetCellRoutine": "Reports registry hives with a hooked GetCellRoutine handler",
"windows.registry.hivelist.HiveList": "Lists the registry hives present in a particular memory image.",
"windows.registry.hivescan.HiveScan": "Scans for registry hives present in a particular windows memory image.",
"windows.registry.printkey.PrintKey": "Lists the registry keys under a hive or specific key value.",
"windows.registry.userassist.UserAssist": "Print userassist registry keys and information.",
"windows.scheduled_tasks.ScheduledTasks": "Decodes scheduled task information from the Windows registry, including information about triggers, actions, run times, and creation times.",
"windows.sessions.Sessions": "Lists processes with session information extracted from environment variables",
"windows.shimcachemem.ShimcacheMem": "Reads Shimcache entries from the ahcache.sys AVL tree",
"windows.skeleton_key_check.Skeleton_Key_Check": "Looks for signs of Skeleton Key malware",
"windows.ssdt.SSDT": "Lists the system call table.",
"windows.statistics.Statistics": "Lists statistics about the memory space.",
"windows.strings.Strings": "Reads output from the strings command and indicates which process(es) each string belongs to.",
"windows.suspicious_threads.SuspiciousThreads": "Lists suspicious userland process threads",
"windows.svcdiff.SvcDiff": "Compares services found through list walking versus scanning to find rootkits",
"windows.svclist.SvcList": "Lists services contained within the services.exe doubly linked list of services",
"windows.svcscan.SvcScan": "Scans for windows services.",
"windows.symlinkscan.SymlinkScan": "Scans for links present in a particular windows memory image.",
"windows.thrdscan.ThrdScan": "Scans for windows threads.",
"windows.threads.Threads": "Lists process threads",
"windows.timers.Timers": "Print kernel timers and associated module DPCs",
"windows.truecrypt.Passphrase": "TrueCrypt Cached Passphrase Finder",
"windows.unhooked_system_calls.unhooked_system_calls": "Looks for signs of Skeleton Key malware",
"windows.unloadedmodules.UnloadedModules": "Lists the unloaded kernel modules.",
"windows.vadinfo.VadInfo": "Lists process memory ranges.",
"windows.vadwalk.VadWalk": "Walk the VAD tree.",
"windows.vadyarascan.VadYaraScan": "Scans all the Virtual Address Descriptor memory maps using yara.",
"windows.verinfo.VerInfo": "Lists version information from PE files.",
"windows.virtmap.VirtMap": "Lists virtual mapped sections.",
"yarascan.YaraScan": "Scans kernel memory using yara rules (string or file).",
}