AVCHECK Volatility3 Plugin #1909
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# live.py – Volatility 3 Live System Analysis Plugin `live.py` is a custom plugin for **Volatility 3** designed to extend its capabilities for **real-time forensic data collection and threat hunting** directly on a **live Windows system**, eliminating the need for a full memory dump. This tool provides an **interactive command-line shell** for dynamic investigation, leveraging system APIs through libraries like `psutil` and `pywin32` to quickly triage and analyze active endpoints. --- ## Key Capabilities ### **Live Analysis Mode** Performs immediate, low-overhead forensic data collection from an active operating system, bypassing traditional memory dump requirements. ### **Interactive Shell** Includes an integrated CLI environment offering a suite of commands for efficient, step-by-step investigation via the `LiveShellCommand` interface. ### **Advanced Threat Hunting** Provides built-in commands for targeted analysis: - **fileless** – Detects fileless malware and suspicious in-memory activity, focusing on processes such as `powershell.exe`. - **detect_sandbox** – Identifies virtualized or sandboxed environments by inspecting artifacts, process behavior, and MAC address prefixes. ### **Comprehensive Forensic Data Collection** Collects essential artifacts and system information for deep analysis: - **Process and Module Data:** `pslist`, `psscan`, `dlllist`, `handles`, `sids`, `cmdline` - **Network Activity:** `netscan` for active connections and sockets - **Persistence & Services:** Analysis of `services`, `drivers`, `registry`, and autorun entries - **Artifact Analysis:** Extraction of `shimcache`, `prefetch`, `userassist`, and `jumplists` - **Timeline Generation:** Unified event correlation using `timeliner` ---
# sandbox_detect.py – Virtualization and Sandbox Environment Detection (Volatility 3 Plugin) `sandbox_detect.py` is a specialized **Volatility 3 plugin** designed for **post-mortem forensic analysis** of **Windows memory dumps**. Its primary goal is to detect and score artifacts indicating that the analyzed system was operating within a **Virtual Machine (VM)**, **Sandbox**, or **Malware Analysis Environment**. This plugin is particularly valuable for investigators who need to determine whether a captured memory sample originated from a **controlled analysis setup** or a **real-world victim system**. --- ## Key Capabilities ### **Multi-Layered Artifact Scanning** Performs deep inspection across multiple memory and system layers to ensure comprehensive detection: - **Process Analysis:** Identifies running processes related to virtualization or analysis environments, such as `vmtoolsd.exe`, `vboxservice.exe`, `prl_cc.exe`, `wireshark.exe`, and `ollydbg.exe`. - **Driver and Module Checks:** Detects kernel modules and drivers named after virtualization platforms, including `vmmouse.sys`, `vboxguest.sys`, and `vmhgfs.sys`. - **Registry and System Keys:** Examines critical registry entries and system identifiers for virtualization traces, such as hardware IDs, BIOS strings, and known VM installation paths. --- ### **Heuristic Scoring System** Implements a scoring engine that assigns severity levels to each identified artifact. Instead of a binary result, the plugin produces a **confidence-based verdict**, such as: - **HIGH CONFIDENCE – Virtual Machine Detected** - **MODERATE CONFIDENCE – Sandbox Environment** - **LOW CONFIDENCE – Physical Host** This scoring model provides analysts with clearer, evidence-weighted conclusions. ---
# sandbox_detect.py – Virtualization and Sandbox Environment Detection (Volatility 3 Plugin) `sandbox_detect.py` is a specialized **Volatility 3 plugin** designed for **post-mortem forensic analysis** of **Windows memory dumps**. Its primary goal is to detect and score artifacts indicating that the analyzed system was operating within a **Virtual Machine (VM)**, **Sandbox**, or **Malware Analysis Environment**. This plugin is particularly valuable for investigators who need to determine whether a captured memory sample originated from a **controlled analysis setup** or a **real-world victim system**. --- ## Key Capabilities ### **Multi-Layered Artifact Scanning** Performs deep inspection across multiple memory and system layers to ensure comprehensive detection: - **Process Analysis:** Identifies running processes related to virtualization or analysis environments, such as `vmtoolsd.exe`, `vboxservice.exe`, `prl_cc.exe`, `wireshark.exe`, and `ollydbg.exe`. - **Driver and Module Checks:** Detects kernel modules and drivers named after virtualization platforms, including `vmmouse.sys`, `vboxguest.sys`, and `vmhgfs.sys`. - **Registry and System Keys:** Examines critical registry entries and system identifiers for virtualization traces, such as hardware IDs, BIOS strings, and known VM installation paths. --- ### **Heuristic Scoring System** Implements a scoring engine that assigns severity levels to each identified artifact. Instead of a binary result, the plugin produces a **confidence-based verdict**, such as: - **HIGH CONFIDENCE – Virtual Machine Detected** - **MODERATE CONFIDENCE – Sandbox Environment** - **LOW CONFIDENCE – Physical Host** This scoring model provides analysts with clearer, evidence-weighted conclusions. ---
# proccon.py – Process Connectivity & Visualization (Volatility 3 Plugin) `proccon.py` is a **Volatility 3 plugin** designed to provide **process visualization and relationship mapping** from a **Windows memory dump**. While it does not perform direct forensic analysis, it serves as a **critical utility** for post-processing and visualizing process hierarchy data. The plugin extracts **Parent-Child process relationships** and outputs them as a **Graphviz DOT file**, enabling investigators to generate graphical representations of the system’s process tree at the time of capture. --- ## Key Capabilities ### **Process Tree Extraction** Efficiently iterates through the complete process list obtained via Volatility’s `windows.pslist` plugin to map: - **PID** (Process ID) → **PPID** (Parent Process ID) This provides a foundational dataset for visual process relationship mapping. --- ### **Graphviz DOT Output** Automatically generates a **structured `.dot` file** compatible with Graphviz visualization tools such as: - `dot` - `neato` - Online renderers and graphing tools This output can be rendered into **network-style process trees**, allowing investigators to: - Visualize process spawning chains - Detect irregular or unexpected parent-child relationships - Identify suspicious execution flows in malware investigations --- ### **Visualization Focus** The plugin emphasizes **connectivity and hierarchy**, providing a clear visual representation of process structures that supports: - **Anomaly Detection:** Spot abnormal or hidden parent-child relationships - **Malware Analysis:** Map execution chains to trace malicious process origins - **System Understanding:** Reveal the operational process tree at the time of memory capture ---
# avcheck.py – Antivirus and Endpoint Detection and Response (EDR) Artifact Scanner (Volatility 3 Plugin) `avcheck.py` is a specialized **Volatility 3 plugin** designed to detect and enumerate artifacts related to **Antivirus (AV)** and **Endpoint Detection and Response (EDR)** solutions within a **Windows memory dump**. It enables investigators and threat hunters to identify which security products were active or installed on a system at the time of capture—critical for understanding a compromised system’s defensive posture. --- ## Key Capabilities ### **Security Software Identification** Performs broad detection of security tools across **over 80 known AV and EDR products**, including: - Windows Defender (`MsMpEng.exe`) - Kaspersky (`avp.exe`) - Symantec - AVG - CrowdStrike (`CsAgent.exe`) - SentinelOne - FireEye - And many others This identification provides immediate situational awareness of protective technologies present on the analyzed host. --- ### **Multi-Artifact Detection** Leverages multiple Volatility 3 subsystems to identify security software artifacts across different system components: - **Processes:** Scans active process lists (`pslist`) for executables associated with AV/EDR agents and monitoring daemons. - **Services:** Enumerates running services (`svcscan`) to locate entries related to installed security software. - **DLLs:** Inspects loaded libraries (`dlllist`) to detect known AV/EDR DLLs used for userland hooks or kernel-level integrations. - **Files:** Uses file scanning (`filescan`) to locate security software directories, databases, log files, and quarantine folders. Each layer of detection provides corroborating evidence of installed and active endpoint protection components. --- ### **Detection History Triage** Includes a specialized analysis routine that looks for: - Quarantine directories and detection logs - Temporary or deleted AV alert files - Residual detection history (e.g., Defender history, Kaspersky reports) These findings offer valuable context on **prior malware detections** or **automated remediation activity** performed by security software. --- ### **Detailed Summary Reporting** Generates a structured **TreeGrid report** summarizing all detected artifacts, categorized by source type: - **Processes Detected** - **Services Detected** - **DLLs Detected** - **Files Detected** At the end of the report, a **summary count** highlights the number of findings per category, providing a concise overview of the security landscape of the system. Example output: | Category | Name / Artifact | Path / Details | Source Plugin | |-----------|----------------|----------------|----------------| | Process | MsMpEng.exe | Windows Defender | pslist | | Service | WinDefend | Microsoft Defender Antivirus Service | svcscan | | DLL | mpengine.dll | AV core scanning module | dlllist | | File | DetectionHistory.db | Defender detection logs | filescan | ---
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
avcheck.py – Antivirus and Endpoint Detection and Response (EDR) Artifact Scanner (Volatility 3 Plugin)
avcheck.pyis a specialized Volatility 3 plugin designed to detect and enumerate artifacts related to Antivirus (AV) and Endpoint Detection and Response (EDR) solutions within a Windows memory dump.It enables investigators and threat hunters to identify which security products were active or installed on a system at the time of capture—critical for understanding a compromised system’s defensive posture.
Key Capabilities
Security Software Identification
Performs broad detection of security tools across over 80 known AV and EDR products, including:
MsMpEng.exe)avp.exe)CsAgent.exe)This identification provides immediate situational awareness of protective technologies present on the analyzed host.
Multi-Artifact Detection
Leverages multiple Volatility 3 subsystems to identify security software artifacts across different system components:
Processes:
Scans active process lists (
pslist) for executables associated with AV/EDR agents and monitoring daemons.Services:
Enumerates running services (
svcscan) to locate entries related to installed security software.DLLs:
Inspects loaded libraries (
dlllist) to detect known AV/EDR DLLs used for userland hooks or kernel-level integrations.Files:
Uses file scanning (
filescan) to locate security software directories, databases, log files, and quarantine folders.Each layer of detection provides corroborating evidence of installed and active endpoint protection components.
Detection History Triage
Includes a specialized analysis routine that looks for:
These findings offer valuable context on prior malware detections or automated remediation activity performed by security software.
Detailed Summary Reporting
Generates a structured TreeGrid report summarizing all detected artifacts, categorized by source type:
At the end of the report, a summary count highlights the number of findings per category, providing a concise overview of the security landscape of the system.
Example output: