Volatility_Plugins

Malware Detection


Malfind2 - Michael Hale Ligh - http://code.google.com/p/mhl-malware-scripts/

Automates the process of finding and extracting (usually malicious) code injected into another process.



usermode_hooks2 - Michael Hale Ligh - http://code.google.com/p/mhl-malware-scripts/

Detects IAT, EAT, and inline rootkit hooks in usermode processes.



kernel_hooks - Michael Hale Ligh - http://code.google.com/p/mhl-malware-scripts/

Detects IAT, EAT, and in-line hooks in kernel drivers instead of usermode modules.



orphan_threads - Michael Hale Ligh - http://code.google.com/p/mhl-malware-scripts/

Detects hidden system/kernel threads.



suspicious - Jesse Kornblum - http://jessekornblum.com

Identifies suspicious processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.

E5h Forensic Solutions
1 Princess Drive, Sawston, Cambridgeshire, CB22 3DL. Phone: 08709741131. Email: memory@e5hforensics.com