valkheim · February 28, 2021 11:26
diff --git a/vol_dump.bash b/vol_dump.bash
 #!/bin/sh

 out="vol_dump"
 image=$1 # .raw .vmem .sav .bin .mem etc


 function vol_op {
  echo "[+] $1: $2 ${@:3}"
  volatility -f $1 --profile=$2 ${@:3} > $out/$2/$3.txt
 }

 profiles=$(volatility -f $image imageinfo | grep "Suggested Profile" | cut -d ":" -f2 | cut -d '(' -f1 | tr ' ' '\0')
 IFS=',' ; for profile in $profiles; do
  echo "[+] Testing $profile"
  mkdir -p $out/$profile
  vol_op $image $profile pslist
  vol_op $image $profile psxview # False columns -> process intentionally hidden
  vol_op $image $profile ldrmodules # False columns likely means injection
  vol_op $image $profile apihooks # detect unexpected patches in system dlls (<unknow> hooking module is b4d)
  malfind_out=$out/$profile/malfind
  mkdir -p $malfind_out
  vol_op $image $profile malfind -D $malfind_out
  vol_op $image $profile dlllist
  #vol_op $image $profile netscan
 done
	#!/bin/sh

	out="vol_dump"
	image=$1 # .raw .vmem .sav .bin .mem etc


	function vol_op {
	echo "[+] $1: $2 ${@:3}"
	volatility -f $1 --profile=$2 ${@:3} > $out/$2/$3.txt
	}

	profiles=$(volatility -f $image imageinfo \| grep "Suggested Profile" \| cut -d ":" -f2 \| cut -d '(' -f1 \| tr ' ' '\0')
	IFS=',' ; for profile in $profiles; do
	echo "[+] Testing $profile"
	mkdir -p $out/$profile
	vol_op $image $profile pslist
	vol_op $image $profile psxview # False columns -> process intentionally hidden
	vol_op $image $profile ldrmodules # False columns likely means injection
	vol_op $image $profile apihooks # detect unexpected patches in system dlls (<unknow> hooking module is b4d)
	malfind_out=$out/$profile/malfind
	mkdir -p $malfind_out
	vol_op $image $profile malfind -D $malfind_out
	vol_op $image $profile dlllist
	#vol_op $image $profile netscan
	done