OS Information

• Check OS Information:

  vol.py -f "/path/to/file" windows.info
  

  • Retrieves basic information about the operating system, such as version and build.

Process Information

• List Processes:

  vol.py -f "/path/to/file" windows.pslist
  

  • Displays a list of running processes.

• Scan for Hidden Processes:

  vol.py -f "/path/to/file" windows.psscan
  

  • Scans for processes that may be hidden or unlinked from active process lists.

• Process Tree:

  vol.py -f "/path/to/file" windows.pstree
  

  • Shows parent-child relationships between processes.

Dumping Memory

• Dump Process Executable:

  vol.py -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --pid <PID>
  

  • Dumps the executable file of a process to analyze it outside of the memory image.

• Memory Dump for a Process:

  vol.py -f "/path/to/file" -o "/path/to/dir" windows.memmap --dump --pid <PID>
  

  • Extracts the memory space allocated to a specific process.

• Dump Loaded Modules:

vol.py -f "/path/to/file" windows.moddump --dump-dir /path/to/dump

Dumps loaded modules (DLLs) from memory to the specified directory

--pid: Specifies the process ID to dump.
--dump-dir: Defines the directory where the dumped file will be saved.

Handles

• List Open Handles:

  vol.py -f "/path/to/file" windows.handles --pid <PID>
  

  • Displays open handles (files, registry keys, etc.) for a process.

• List Loaded Modules (DLLs):

  
  vol.py -f "/path/to/file" windows.ldrmodules --pid <PID>
  

  • Displays the loaded modules (DLLs) in a process's memory, including details about potentially malicious or anomalous modules.

DLLs

• List DLLs:

  vol.py -f "/path/to/file" windows.dlllist --pid <PID>
  

  • Lists DLLs loaded by a particular process.

Command Line

• Process Command Line:

  vol.py -f "/path/to/file" windows.cmdline
  

  • Shows the command line arguments used to start a process.