Created
December 9, 2014 17:42
Experimentation with Volatility's Windows 10 TP x64 Branch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Get the Win10 branch of Volatility | |
| git clone -b win10tp https://github.com/volatilityfoundation/volatility.git | |
| # Get the memory dump | |
| https://www.sendspace.com/pro/dl/0cte2h | |
| # Run some commands | |
| $ python vol.py --profile=Win10TPx64 -f Win10TPx64.vmem --kdbg=0xf80369db8284 pslist | |
| Volatility Foundation Volatility Framework 2.4 | |
| Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit | |
| ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------ | |
| 0xffffe001416608c0 System 4 0 100 0 ------ 0 2014-10-17 19:36:54 UTC+0000 | |
| 0xffffe0014cc5a8c0 smss.exe 504 4 2 0 ------ 0 2014-10-17 19:36:54 UTC+0000 | |
| 0xffffe0014cece080 csrss.exe 600 588 9 0 0 0 2014-10-17 19:36:56 UTC+0000 | |
| 0xffffe001416fb080 csrss.exe 660 652 9 0 1 0 2014-10-17 19:36:56 UTC+0000 | |
| 0xffffe001416fa8c0 wininit.exe 668 588 1 0 0 0 2014-10-17 19:36:56 UTC+0000 | |
| 0xffffe0014ceb98c0 winlogon.exe 700 652 2 0 1 0 2014-10-17 19:36:56 UTC+0000 | |
| 0xffffe0014d0101c0 services.exe 764 668 4 0 0 0 2014-10-17 19:36:56 UTC+0000 | |
| 0xffffe0014d057680 lsass.exe 772 668 5 0 0 0 2014-10-17 19:36:57 UTC+0000 | |
| 0xffffe0014d18e080 svchost.exe 840 764 12 0 0 0 2014-10-17 19:37:00 UTC+0000 | |
| 0xffffe0014d19b8c0 svchost.exe 872 764 9 0 0 0 2014-10-17 19:37:01 UTC+0000 | |
| 0xffffe0014d1ef680 dwm.exe 972 700 8 0 1 0 2014-10-17 19:37:02 UTC+0000 | |
| 0xffffe0014d2308c0 svchost.exe 1008 764 50 0 0 0 2014-10-17 19:37:02 UTC+0000 | |
| 0xffffe0014d2738c0 svchost.exe 664 764 24 0 0 0 2014-10-17 19:37:02 UTC+0000 | |
| 0xffffe0014d2808c0 svchost.exe 548 764 23 0 0 0 2014-10-17 19:37:02 UTC+0000 | |
| 0xffffe0014d289200 svchost.exe 532 764 23 0 0 0 2014-10-17 19:37:02 UTC+0000 | |
| 0xffffe0014d2ff080 svchost.exe 1216 764 17 0 0 0 2014-10-17 19:37:05 UTC+0000 | |
| 0xffffe0014d385080 spoolsv.exe 1324 764 10 0 0 0 2014-10-17 19:37:06 UTC+0000 | |
| 0xffffe0014d2778c0 svchost.exe 1360 764 23 0 0 0 2014-10-17 19:37:06 UTC+0000 | |
| 0xffffe0014d64a8c0 vmtoolsd.exe 1592 764 10 0 0 0 2014-10-17 19:37:08 UTC+0000 | |
| 0xffffe0014d81f8c0 MsMpEng.exe 1108 764 17 0 0 0 2014-10-17 19:37:11 UTC+0000 | |
| 0xffffe0014d9068c0 TPAutoConnSvc. 2160 764 8 0 0 0 2014-10-17 19:37:12 UTC+0000 | |
| 0xffffe0014d83d8c0 dllhost.exe 2256 764 12 0 0 0 2014-10-17 19:37:13 UTC+0000 | |
| 0xffffe0014d8928c0 svchost.exe 2276 764 19 0 0 0 2014-10-17 19:37:13 UTC+0000 | |
| 0xffffe0014d9268c0 dasHost.exe 2336 532 6 0 0 0 2014-10-17 19:37:13 UTC+0000 | |
| 0xffffe0014d9f98c0 msdtc.exe 2468 764 9 0 0 0 2014-10-17 19:37:14 UTC+0000 | |
| 0xffffe0014da67080 svchost.exe 2672 764 9 0 0 0 2014-10-17 19:37:16 UTC+0000 | |
| 0xffffe0014db5e8c0 TPAutoConnect. 3016 2160 3 0 1 0 2014-10-17 19:37:21 UTC+0000 | |
| 0xffffe0014db2e080 conhost.exe 3056 3016 1 0 1 0 2014-10-17 19:37:21 UTC+0000 | |
| 0xffffe0014db33080 taskhostex.exe 3068 1008 9 0 1 0 2014-10-17 19:37:21 UTC+0000 | |
| 0xffffe0014c89e8c0 explorer.exe 2132 3040 84 0 1 0 2014-10-17 19:37:21 UTC+0000 | |
| 0xffffe001458b4080 SearchIndexer. 3544 764 17 0 0 0 2014-10-17 19:37:26 UTC+0000 | |
| 0xffffe001458dd0c0 TabTip.exe 3596 532 16 0 1 0 2014-10-17 19:37:26 UTC+0000 | |
| 0xffffe00145935400 TabTip32.exe 3644 3596 1 0 1 1 2014-10-17 19:37:26 UTC+0000 | |
| 0xffffe0014588a8c0 dllhost.exe 4080 840 5 0 0 0 2014-10-17 19:37:33 UTC+0000 | |
| 0xffffe001417eb8c0 vmtoolsd.exe 2820 2132 7 0 1 0 2014-10-17 19:37:35 UTC+0000 | |
| 0xffffe00145e28080 wmpnetwk.exe 3300 764 8 0 0 0 2014-10-17 19:39:13 UTC+0000 | |
| 0xffffe0014d986400 taskhost.exe 1248 1008 9 0 0 0 2014-10-18 04:36:15 UTC+0000 | |
| 0xffffe00142795080 consent.exe 3924 1008 0 -------- 1 0 2014-10-18 04:57:23 UTC+0000 2014-10-18 04:57:24 UTC+0000 | |
| 0xffffe0014da83080 SearchProtocol 4072 3544 4 0 0 0 2014-10-18 05:16:47 UTC+0000 | |
| 0xffffe00141886080 SearchFilterHo 4008 3544 3 0 0 0 2014-10-18 05:16:47 UTC+0000 | |
| 0xffffe0014d238080 consent.exe 2408 1008 0 -------- 1 0 2014-10-18 05:18:14 UTC+0000 2014-10-18 05:18:16 UTC+0000 | |
| 0xffffe001424fc080 audiodg.exe 1880 664 6 0 0 0 2014-10-18 05:18:14 UTC+0000 | |
| 0xffffe001422788c0 TabTip.exe 2180 532 0 -------- 1 0 2014-10-18 05:18:16 UTC+0000 2014-10-18 05:18:19 UTC+0000 | |
| 0xffffe001426ec8c0 cmd.exe 236 1592 0 -------- 0 0 2014-10-18 05:20:13 UTC+0000 2014-10-18 05:20:13 UTC+0000 | |
| 0xffffe0014da6c8c0 conhost.exe 3304 236 0 0 0 0 2014-10-18 05:20:13 UTC+0000 2014-10-18 05:20:13 UTC+0000 | |
| $ python vol.py --profile=Win10TPx64 -f Win10TPx64.vmem netscan | |
| Volatility Foundation Volatility Framework 2.4 | |
| Offset(P) Proto Local Address Foreign Address State Pid Owner Created | |
| 0xec4a00 UDPv4 0.0.0.0:0 *:* 3300 wmpnetwk.exe 2014-10-17 19:39:13 UTC+0000 | |
| 0xec4a00 UDPv6 :::0 *:* 3300 wmpnetwk.exe 2014-10-17 19:39:13 UTC+0000 | |
| 0xec4d70 UDPv4 0.0.0.0:0 *:* 3300 wmpnetwk.exe 2014-10-17 19:39:13 UTC+0000 | |
| 0xec4d70 UDPv6 :::0 *:* 3300 wmpnetwk.exe 2014-10-17 19:39:13 UTC+0000 | |
| 0xa97660 TCPv4 172.16.55.196:49407 65.55.10.11:80 CLOSED -------- -------------- | |
| 0x17a0710 UDPv4 0.0.0.0:0 *:* 2672 svchost.exe 2014-10-17 19:37:17 UTC+0000 | |
| 0x17a0710 UDPv6 :::0 *:* 2672 svchost.exe 2014-10-17 19:37:17 UTC+0000 | |
| 0x1824550 UDPv4 0.0.0.0:0 *:* 3300 wmpnetwk.exe 2014-10-17 19:39:13 UTC+0000 | |
| 0x1824940 UDPv4 0.0.0.0:0 *:* 3300 wmpnetwk.exe 2014-10-17 19:39:13 UTC+0000 | |
| 0x42825a0 TCPv4 0.0.0.0:49157 0.0.0.0:0 LISTENING 764 services.exe | |
| 0x5780010 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 872 svchost.exe | |
| 0x5780010 TCPv6 :::135 :::0 LISTENING 872 svchost.exe | |
| 0x6136910 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 668 wininit.exe | |
| 0x6136910 TCPv6 :::49152 :::0 LISTENING 668 wininit.exe | |
| 0x88ec990 UDPv4 0.0.0.0:0 *:* 548 svchost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x8b9a1d0 TCPv4 0.0.0.0:49157 0.0.0.0:0 LISTENING 764 services.exe | |
| 0x8b9a1d0 TCPv6 :::49157 :::0 LISTENING 764 services.exe | |
| 0x90be790 UDPv4 0.0.0.0:0 *:* 548 svchost.exe 2014-10-18 04:36:28 UTC+0000 | |
| 0x90be790 UDPv6 :::0 *:* 548 svchost.exe 2014-10-18 04:36:28 UTC+0000 | |
| 0x9f88d90 UDPv4 0.0.0.0:0 *:* 1216 svchost.exe 2014-10-18 05:15:55 UTC+0000 | |
| 0x9f88d90 UDPv6 :::0 *:* 1216 svchost.exe 2014-10-18 05:15:55 UTC+0000 | |
| 0xa6c3480 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 664 svchost.exe | |
| 0xaa3d5f0 UDPv4 172.16.55.196:20674 *:* 2276 svchost.exe 2014-10-18 04:36:17 UTC+0000 | |
| 0xb119420 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 664 svchost.exe | |
| 0xb119420 TCPv6 :::49153 :::0 LISTENING 664 svchost.exe | |
| 0x100d04f0 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 1324 spoolsv.exe | |
| 0x100d04f0 TCPv6 :::49155 :::0 LISTENING 1324 spoolsv.exe | |
| 0x103f7810 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 1324 spoolsv.exe | |
| 0x108a94d0 UDPv4 0.0.0.0:0 *:* 1216 svchost.exe 2014-10-18 05:20:13 UTC+0000 | |
| 0x108a94d0 UDPv6 :::0 *:* 1216 svchost.exe 2014-10-18 05:20:13 UTC+0000 | |
| 0x108b89e0 UDPv4 0.0.0.0:0 *:* 2336 dasHost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x1061c200 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 668 wininit.exe | |
| 0x124fd350 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 1008 svchost.exe | |
| 0x124fd350 TCPv6 :::49154 :::0 LISTENING 1008 svchost.exe | |
| 0x124fdac0 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 1008 svchost.exe | |
| 0x12be13d0 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 872 svchost.exe | |
| 0x148db980 TCPv4 0.0.0.0:3587 0.0.0.0:0 LISTENING 2672 svchost.exe | |
| 0x148db980 TCPv6 :::3587 :::0 LISTENING 2672 svchost.exe | |
| 0x161b3270 UDPv4 0.0.0.0:0 *:* 2336 dasHost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x15f616d0 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System | |
| 0x15f616d0 TCPv6 :::445 :::0 LISTENING 4 System | |
| 0x1689c2d0 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 772 lsass.exe | |
| 0x17139970 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 772 lsass.exe | |
| 0x17139970 TCPv6 :::49156 :::0 LISTENING 772 lsass.exe | |
| 0x197b33e0 UDPv4 0.0.0.0:0 *:* 2276 svchost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x198feec0 UDPv4 0.0.0.0:0 *:* 2672 svchost.exe 2014-10-17 19:37:17 UTC+0000 | |
| 0x198feec0 UDPv6 :::0 *:* 2672 svchost.exe 2014-10-17 19:37:17 UTC+0000 | |
| 0x1954b010 TCPv4 0.0.0.0:554 0.0.0.0:0 LISTENING 3300 wmpnetwk.exe | |
| 0x1954b010 TCPv6 :::554 :::0 LISTENING 3300 wmpnetwk.exe | |
| 0x1a2c9150 TCPv4 0.0.0.0:10243 0.0.0.0:0 LISTENING 4 System | |
| 0x1a2c9150 TCPv6 :::10243 :::0 LISTENING 4 System | |
| 0x1a2c93e0 TCPv4 0.0.0.0:554 0.0.0.0:0 LISTENING 3300 wmpnetwk.exe | |
| 0x1b431c50 TCPv4 0.0.0.0:5357 0.0.0.0:0 LISTENING 4 System | |
| 0x1b431c50 TCPv6 :::5357 :::0 LISTENING 4 System | |
| 0x1c304010 UDPv4 0.0.0.0:0 *:* 2276 svchost.exe 2014-10-17 19:37:15 UTC+0000 | |
| 0x1cf967d0 UDPv4 0.0.0.0:0 *:* 2276 svchost.exe 2014-10-17 19:37:15 UTC+0000 | |
| 0x1cf967d0 UDPv6 :::0 *:* 2276 svchost.exe 2014-10-17 19:37:15 UTC+0000 | |
| 0x1dcbfd50 UDPv4 127.0.0.1:16576 *:* 2276 svchost.exe 2014-10-18 04:36:17 UTC+0000 | |
| 0x21479660 UDPv4 0.0.0.0:0 *:* 2672 svchost.exe 2014-10-17 19:37:23 UTC+0000 | |
| 0x21479660 UDPv6 :::0 *:* 2672 svchost.exe 2014-10-17 19:37:23 UTC+0000 | |
| 0x21479ba0 UDPv4 0.0.0.0:0 *:* 1008 svchost.exe 2014-10-17 19:37:23 UTC+0000 | |
| 0x21a38ad0 UDPv4 0.0.0.0:0 *:* 2672 svchost.exe 2014-10-17 19:37:23 UTC+0000 | |
| 0x21a38ad0 UDPv6 :::0 *:* 2672 svchost.exe 2014-10-17 19:37:23 UTC+0000 | |
| 0x26b2a420 UDPv6 fe80::d15d:56ce:eff7:f239:33 *:* 2276 svchost.exe 2014-10-18 04:36:17 UTC+0000 | |
| 0x26b8c5c0 UDPv4 0.0.0.0:0 *:* 548 svchost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x26bc2260 UDPv6 fe80::d15d:56ce:eff7:f239:33 *:* 2276 svchost.exe 2014-10-18 04:36:17 UTC+0000 | |
| 0x2b614810 TCPv4 172.16.55.196:49370 23.205.120.123:80 CLOSED -------- -------------- | |
| 0x371e9b80 TCPv4 172.16.55.196:49398 65.55.108.23:443 CLOSED -------- -------------- | |
| 0x3f32dec0 UDPv6 ::1:16416 *:* 2276 svchost.exe 2014-10-18 04:36:17 UTC+0000 | |
| 0x401ab860 UDPv4 172.16.55.196:20674 *:* 2276 svchost.exe 2014-10-18 04:36:17 UTC+0000 | |
| 0x42c1cec0 UDPv4 0.0.0.0:0 *:* 548 svchost.exe 2014-10-18 04:36:28 UTC+0000 | |
| 0x4335cb50 UDPv4 0.0.0.0:0 *:* 2336 dasHost.exe 2014-10-18 04:36:19 UTC+0000 | |
| 0x4335cb50 UDPv6 :::0 *:* 2336 dasHost.exe 2014-10-18 04:36:19 UTC+0000 | |
| 0x433ea8a0 UDPv4 0.0.0.0:0 *:* 2336 dasHost.exe 2014-10-18 04:36:19 UTC+0000 | |
| 0x48ce8730 UDPv4 0.0.0.0:0 *:* 2276 svchost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x48ce8730 UDPv6 :::0 *:* 2276 svchost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x5149d820 UDPv6 fe80::d15d:56ce:eff7:f239:33 *:* 664 svchost.exe 2014-10-18 05:19:03 UTC+0000 | |
| 0x51989390 TCPv4 172.16.55.196:49383 157.55.133.204:443 CLOSED -------- -------------- | |
| 0x51f9d3a0 TCPv4 172.16.55.196:49399 172.233.105.237:80 CLOSED -------- -------------- | |
| 0x54e76260 UDPv4 0.0.0.0:0 *:* 2276 svchost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x54e76260 UDPv6 :::0 *:* 2276 svchost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x554b4ed0 TCPv4 0.0.0.0:2869 0.0.0.0:0 LISTENING 4 System | |
| 0x554b4ed0 TCPv6 :::2869 :::0 LISTENING 4 System | |
| 0x56af7c70 UDPv4 0.0.0.0:0 *:* 1216 svchost.exe 2014-10-18 05:15:55 UTC+0000 | |
| 0x58d0f940 TCPv4 172.16.55.196:139 0.0.0.0:0 LISTENING 4 System | |
| 0x60735010 UDPv4 172.16.55.196:20674 *:* 664 svchost.exe 2014-10-18 05:20:13 UTC+0000 | |
| 0x735bfb20 UDPv4 0.0.0.0:0 *:* 548 svchost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x735bfb20 UDPv6 :::0 *:* 548 svchost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x742c26c0 UDPv4 0.0.0.0:0 *:* 2336 dasHost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x742c26c0 UDPv6 :::0 *:* 2336 dasHost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x7563a2f0 UDPv4 0.0.0.0:0 *:* 1216 svchost.exe 2014-10-18 05:20:13 UTC+0000 | |
| 0x7563a2f0 UDPv6 :::0 *:* 1216 svchost.exe 2014-10-18 05:20:13 UTC+0000 | |
| 0x7639abf0 UDPv4 0.0.0.0:0 *:* 2336 dasHost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x7639abf0 UDPv6 :::0 *:* 2336 dasHost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x77174520 UDPv4 0.0.0.0:0 *:* 548 svchost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x77174520 UDPv6 :::0 *:* 548 svchost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x77c7f4e0 UDPv4 0.0.0.0:0 *:* 1216 svchost.exe 2014-10-18 05:20:13 UTC+0000 | |
| 0x77c7f4e0 UDPv6 :::0 *:* 1216 svchost.exe 2014-10-18 05:20:13 UTC+0000 | |
| 0x77c7f780 UDPv4 0.0.0.0:0 *:* 1216 svchost.exe 2014-10-18 05:20:13 UTC+0000 | |
| 0x78855ad0 UDPv4 0.0.0.0:0 *:* 2276 svchost.exe 2014-10-18 05:15:54 UTC+0000 | |
| 0x7a3d3280 UDPv4 127.0.0.1:16576 *:* 2276 svchost.exe 2014-10-18 04:36:17 UTC+0000 | |
| 0x7c63c9a0 UDPv6 ::1:16416 *:* 2276 svchost.exe 2014-10-18 04:36:17 UTC+0000 | |
| 0x7e19fad0 TCPv4 172.16.55.196:139 0.0.0.0:0 LISTENING 4 System |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment