@nuvious
Last active September 8, 2024 06:41
Volatility 3 Brute Force Script
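#!/bin/bash
# Brute-force a memory dump through every Volatility 3 plugin whose name
# contains a filter string, saving each plugin's output to analysis/<plugin>.out.
#
# Usage: brute_volatility.sh [MEMDUMP FILE] [PLUGIN FILTER]
#   ex:  brute_volatility.sh mydump.mem windows
#
# Side effects, all relative to the current directory:
#   .venv/        Python virtualenv that receives volatility3 and capstone
#   volatility3/  upstream git checkout (created if absent; nothing below
#                 runs from it — `vol` comes from the pip-installed package)
#   analysis/     one .out file per plugin that was run
#   filedump/     files carved by windows.dumpfiles.DumpFiles
#
# Deliberately no `set -e`: on any given dump many plugins fail (wrong OS,
# no matching symbol table) and the point is to keep going and collect the
# ones that work. Unset variables are still an error.
set -u

usage() {
  printf '%s\n' "Usage: brute_volatility.sh [MEMDUMP FILE] [PLUGIN FILTER]" >&2
  printf '%s\n' " ex: brute_volatility.sh mydump.mem windows" >&2
  # Exit here: the original fell through and ran with empty $1/$2.
  exit 2
}

if [[ "$#" -ne 2 ]]; then
  usage
fi
memdump=$1
filter=$2

if [[ ! -f "$memdump" ]]; then
  printf 'brute_volatility.sh: memory dump not found: %s\n' "$memdump" >&2
  exit 1
fi

python3 -m venv .venv || exit 1
# shellcheck source=/dev/null
source .venv/bin/activate
mkdir -p analysis

if [[ ! -d volatility3 ]]; then
  git clone https://github.com/volatilityfoundation/volatility3.git
fi

# Unpinned installs from PyPI: pin versions (or install from a hash-checked
# requirements file) when the run has to be reproducible or is done offline.
pip3 install volatility3 || exit 1
pip3 install capstone || exit 1

# Plugin names as accepted on the `vol` command line. Keep the spelling exactly
# as the framework registers it — e.g. SupsiciousThreads below is the class
# name as it appears upstream; check `vol -h` before "correcting" an entry.
PLUGINS=(
  banners.Banners
  configwriter.ConfigWriter
  frameworkinfo.FrameworkInfo
  isfinfo.IsfInfo
  layerwriter.LayerWriter
  linux.bash.Bash
  linux.capabilities.Capabilities
  linux.check_afinfo.Check_afinfo
  linux.check_creds.Check_creds
  linux.check_idt.Check_idt
  linux.check_modules.Check_modules
  linux.check_syscall.Check_syscall
  linux.ebpf.EBPF
  linux.elfs.Elfs
  linux.envars.Envars
  linux.iomem.IOMem
  linux.keyboard_notifiers.Keyboard_notifiers
  linux.kmsg.Kmsg
  linux.library_list.LibraryList
  linux.lsmod.Lsmod
  linux.lsof.Lsof
  linux.malfind.Malfind
  linux.mountinfo.MountInfo
  linux.netfilter.Netfilter
  linux.pagecache.Files
  linux.pagecache.InodePages
  linux.pidhashtable.PIDHashTable
  linux.proc.Maps
  linux.psaux.PsAux
  linux.pslist.PsList
  linux.psscan.PsScan
  linux.pstree.PsTree
  linux.sockstat.Sockstat
  linux.tty_check.tty_check
  mac.bash.Bash
  mac.check_syscall.Check_syscall
  mac.check_sysctl.Check_sysctl
  mac.check_trap_table.Check_trap_table
  mac.dmesg.Dmesg
  mac.ifconfig.Ifconfig
  mac.kauth_listeners.Kauth_listeners
  mac.kauth_scopes.Kauth_scopes
  mac.kevents.Kevents
  mac.list_files.List_Files
  mac.lsmod.Lsmod
  mac.lsof.Lsof
  mac.malfind.Malfind
  mac.mount.Mount
  mac.netstat.Netstat
  mac.proc_maps.Maps
  mac.psaux.Psaux
  mac.pslist.PsList
  mac.pstree.PsTree
  mac.socket_filters.Socket_filters
  mac.timers.Timers
  mac.trustedbsd.Trustedbsd
  mac.vfsevents.VFSevents
  timeliner.Timeliner
  vmscan.Vmscan
  windows.bigpools.BigPools
  windows.callbacks.Callbacks
  windows.cmdline.CmdLine
  windows.crashinfo.Crashinfo
  windows.devicetree.DeviceTree
  windows.dlllist.DllList
  windows.driverirp.DriverIrp
  windows.drivermodule.DriverModule
  windows.driverscan.DriverScan
  windows.dumpfiles.DumpFiles
  windows.envars.Envars
  windows.filescan.FileScan
  windows.getservicesids.GetServiceSIDs
  windows.getsids.GetSIDs
  windows.handles.Handles
  windows.hollowprocesses.HollowProcesses
  windows.iat.IAT
  windows.info.Info
  windows.joblinks.JobLinks
  windows.kpcrs.KPCRs
  windows.ldrmodules.LdrModules
  windows.malfind.Malfind
  windows.mbrscan.MBRScan
  windows.memmap.Memmap
  windows.modscan.ModScan
  windows.modules.Modules
  windows.mutantscan.MutantScan
  windows.netscan.NetScan
  windows.netstat.NetStat
  windows.orphan_kernel_threads.Threads
  windows.pedump.PEDump
  windows.poolscanner.PoolScanner
  windows.privileges.Privs
  windows.processghosting.ProcessGhosting
  windows.pslist.PsList
  windows.psscan.PsScan
  windows.pstree.PsTree
  windows.psxview.PsXView
  windows.registry.certificates.Certificates
  windows.registry.getcellroutine.GetCellRoutine
  windows.registry.hivelist.HiveList
  windows.registry.hivescan.HiveScan
  windows.registry.printkey.PrintKey
  windows.registry.userassist.UserAssist
  windows.sessions.Sessions
  windows.shimcachemem.ShimcacheMem
  windows.skeleton_key_check.Skeleton_Key_Check
  windows.ssdt.SSDT
  windows.statistics.Statistics
  windows.strings.Strings
  windows.suspicious_threads.SupsiciousThreads
  windows.symlinkscan.SymlinkScan
  windows.thrdscan.ThrdScan
  windows.threads.Threads
  windows.timers.Timers
  windows.truecrypt.Passphrase
  windows.unloadedmodules.UnloadedModules
  windows.vadinfo.VadInfo
  windows.vadwalk.VadWalk
  windows.verinfo.VerInfo
  windows.virtmap.VirtMap
)

for plugin in "${PLUGINS[@]}"; do
  # Plain substring match on the filter, e.g. "windows", "linux.", "pslist".
  [[ "$plugin" == *"$filter"* ]] || continue
  printf '%s\n' "$plugin"
  if [[ "$plugin" == *"dumpfiles"* ]]; then
    # DumpFiles writes carved files instead of a table, so it gets an output
    # directory and its console output is left on stdout. What it carves comes
    # straight out of a suspect image: treat filedump/ as evidence to hash and
    # inspect with tooling, not as files to open or run.
    mkdir -p filedump
    vol -f "$memdump" -o filedump/ "$plugin"
  else
    vol -f "$memdump" "$plugin" >"analysis/$plugin.out"
  fi
done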