@adricnet
Last active November 21, 2015 20:19
This answered some questions:

remnux@remnux:~/volatility-2.5$ for plugin in pslist psxview pstree connscann connections hivescan svcscan; do echo -n $plugin"|"; output=`python vol.py $plugin -h 2>&1 | grep 'Module Output Options:' | sed -e 's,Vola,,'| tail -1 `; echo $output; done
pslist|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
psxview|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
pstree|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
connscann|
connections|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
hivescan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
svcscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx

This ugliness should work for other vol.py versions, not just the one on hand.

usage=outusage3;
# --help lists every plugin; send both stdout and stderr to the file (the order matters: '> $usage 2>&1', not '2>&1 > $usage', which leaves stderr on the terminal)
python vol.py --help > $usage 2>&1;
# number of lines in the usage file ('wc -l < file' prints the bare count; an assignment piped into cut runs in a subshell and leaves $length unset)
length=`wc -l < $usage`;
# line number of the heading that starts the plugin list
subhead_loc=`grep -n 'Supported Plugin Commands:' $usage | cut -d':' -f1`;
echo  $usage ':' $length $subhead_loc
# everything after the heading; plugin entries are tab-indented with the name first
plugins_length=$(($length-$subhead_loc))
plugin_list=`tail -n $plugins_length $usage | awk '/\t/ {print $1}'`
for plugin in $plugin_list;
do echo -n $plugin"|";
# each plugin's own -h lists the renderers it supports; tail -1 keeps only the last match
output=`python vol.py $plugin -h 2>&1 | grep 'Module Output Options:' | sed -e 's,Vola,,'| tail -1 `;
echo $output;
done

I get this for the 2.5 distribution running on REMnux6. This is awesome: essentially all of the core plugins support json and sqlite, must try out ...

amcache|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
apihooks|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
atoms|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
atomscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
auditpol|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
bigpools|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
bioskbd|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
cachedump|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
callbacks|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
clipboard|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
cmdline|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
cmdscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
connections|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
connscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
consoles|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
crashinfo|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
deskscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
devicetree|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
dlldump|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
dlllist|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
driverirp|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
drivermodule|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
driverscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
dumpcerts|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
dumpfiles|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
dumpregistry|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
envars|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
eventhooks|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
evtlogs|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
filescan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
gahti|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
gditimers|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
gdt|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
getservicesids|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
getsids|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
handles|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
hashdump|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
hibinfo|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
hivedump|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
hivelist|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
hivescan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
hpakextract|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
hpakinfo|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
idt|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
iehistory|Module Output Options: csv, dot, greptext, html, json, sqlite, text, xlsx
imagecopy|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
imageinfo|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
impscan|Module Output Options: dot, greptext, html, idc, json, sqlite, text, xlsx
joblinks|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
kdbgscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
kpcrscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
ldrmodules|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
lsadump|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
machoinfo|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
malfind|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
mbrparser|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
memdump|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
memmap|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
messagehooks|Module Output Options: block, dot, greptext, html, json, sqlite, text, xlsx
mftparser|Module Output Options: body, dot, greptext, html, json, sqlite, text, xlsx
moddump|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
modscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
modules|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
multiscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
mutantscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
notepad|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
objtypescan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
patcher|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
poolpeek|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
printkey|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
privs|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
procdump|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
pslist|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
psscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
pstree|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
psxview|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
qemuinfo|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
raw2dmp|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
screenshot|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
servicediff|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
sessions|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
shellbags|Module Output Options: body, dot, greptext, html, json, sqlite, text, xlsx
shimcache|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
shutdowntime|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
sockets|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
sockscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
ssdt|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
strings|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
svcscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
symlinkscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
thrdscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
threads|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
timeliner|Module Output Options: body, dot, greptext, html, json, sqlite, text, xlsx
timers|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
truecryptmaster|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
truecryptpassphrase|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
truecryptsummary|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
unloadedmodules|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
userassist|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
userhandles|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
vaddump|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
vadinfo|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
vadtree|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
vadwalk|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
vboxinfo|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
verinfo|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
vmwareinfo|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
volshell|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
windows|Module Output Options: block, dot, greptext, html, json, sqlite, text, xlsx
wintree|Module Output Options: block, dot, greptext, html, json, sqlite, text, xlsx
wndscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
yarascan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
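The scripts in this gist compute the plugin list from line counts and then grep each plugin's help; the table above is their output. As an added example (not the gist's own code), the script below does the same enumeration with sed/awk ranges, reports NONE when a plugin prints no "Module Output Options:" line (older plugins, or a mistyped name as with connscann above), and then answers the question raised above by listing the plugins in such a table that cannot emit a given renderer. VOL_CMD is an assumed environment variable naming the Volatility command; the sample help texts and sample table are constructed for offline use and are not real vol.py output.

```shell
#!/bin/sh
# Added example, not part of the gist. Enumerate Volatility 2.x plugin
# renderers by parsing --help / plugin -h text, then summarise the
# "plugin|Module Output Options: ..." table. VOL_CMD (assumed) names the
# Volatility command, e.g. VOL_CMD="python vol.py".

# Print one plugin name per line from `vol.py --help` text read on stdin.
# In 2.x the plugin list follows a "Supported Plugin Commands:" heading as
# tab-indented "name<tab>description" lines, so take field 1 of each.
extract_plugin_names() {
    awk '/Supported Plugin Commands:/ { found = 1; next }
         found && /^\t/ { print $1 }'
}

# Print the renderer list from a plugin's `-h` text read on stdin, or NONE
# when no "Module Output Options:" line is present (pre-2.5 plugin, or a
# mistyped plugin name that made vol.py print an error instead of help).
extract_output_options() {
    opts=$(sed -n 's/^.*Module Output Options: *//p' | tail -n 1)
    if [ -n "$opts" ]; then
        printf '%s\n' "$opts"
    else
        printf 'NONE\n'
    fi
}

# Exit 0 if renderer $1 appears in the comma-separated list $2.
supports_renderer() {
    printf '%s\n' "$2" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -qx -- "$1"
}

# Build the table the gist prints by asking $VOL_CMD for every plugin's help.
# $VOL_CMD is left unquoted on purpose so "python vol.py" splits into words.
build_table() {
    $VOL_CMD --help 2>&1 | extract_plugin_names | while read -r plugin; do
        opts=$($VOL_CMD "$plugin" -h 2>&1 | extract_output_options)
        printf '%s|Module Output Options: %s\n' "$plugin" "$opts"
    done
}

# Read a table on stdin; print the plugins whose renderer list lacks $1.
# An empty right-hand side (e.g. "connscann|") counts as lacking it.
missing_renderer() {
    want=$1
    while IFS='|' read -r plugin rest; do
        opts=${rest#Module Output Options: }
        supports_renderer "$want" "$opts" || printf '%s\n' "$plugin"
    done
}

# Constructed sample of trimmed `vol.py --help` output (not real output).
SAMPLE_HELP=$(printf 'Volatility Foundation Volatility Framework 2.5
Usage: Volatility - A memory forensics analysis platform.

\tSupported Plugin Commands:

\t\tpslist         \tPrint all running processes
\t\tpsxview        \tFind hidden processes with various process listings
\t\tyarascan       \tScan process or kernel memory with Yara signatures
')

# Constructed sample of trimmed `vol.py pslist -h` output (not real output).
SAMPLE_PLUGIN_HELP=$(printf 'Volatility Foundation Volatility Framework 2.5
Usage: Volatility - A memory forensics analysis platform.

Print all running processes by following the EPROCESS lists

Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
')

# Constructed sample table in the gist's own "plugin|..." format.
SAMPLE_TABLE=$(printf '%s\n' \
    'pslist|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx' \
    'iehistory|Module Output Options: csv, text' \
    'connscann|' \
    'psxview|Module Output Options: text, xlsx')

if [ -n "${VOL_CMD:-}" ]; then
    build_table
else
    printf 'Plugins in the constructed sample table that cannot emit json:\n'
    printf '%s\n' "$SAMPLE_TABLE" | missing_renderer json
fi
```

Run it with `VOL_CMD="python vol.py" sh enumerate.sh > table.txt` to regenerate the table for any 2.x install, then `missing_renderer sqlite < table.txt` (after sourcing the file) to see which plugins you still have to drive through the text renderer.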

Rewritten a bit to run against the vol 2.4 installed via MacPorts.

usage="outusage"; 
volcmd="/opt/local/bin/python2.7 /opt/local/Library/Frameworks/Python.framework/Versions/2.7/bin/vol.py"
# stdout and stderr both go to the file; the redirect order '> $usage 2>&1' matters
$volcmd --help > $usage 2>&1;
length=`wc -l $usage | awk -F' ' '{print $1}'`
subhead_loc=`grep -n 'Supported Plugin Commands:' $usage | cut -d':' -f1` ; 
echo  $usage ':' $length $subhead_loc
plugins_length=$(($length-$subhead_loc))
plugin_list=`tail -n $plugins_length $usage | awk '/\t/ {print $1}'`
for plugin in $plugin_list; 
do echo -n $plugin"|"; 
output=`$volcmd $plugin -h 2>&1 | grep 'Module Output Options:' | sed -e 's,Vola,,'| tail -1 `; 
echo $output; 
done

Vol2.4 results are significantly simpler, showing how much work went into output format for 2.5. Thanks @volatilityfoundation!

apihooks|Module Output Options: text
atoms|Module Output Options: text
atomscan|Module Output Options: text
auditpol|Module Output Options: text
bigpools|Module Output Options: text
bioskbd|Module Output Options: text
cachedump|Module Output Options: text
callbacks|Module Output Options: text
clipboard|Module Output Options: text
cmdline|Module Output Options: text
cmdscan|Module Output Options: text
connections|Module Output Options: text
connscan|Module Output Options: text
consoles|Module Output Options: text
crashinfo|Module Output Options: text
deskscan|Module Output Options: text
devicetree|Module Output Options: text
dlldump|Module Output Options: text
dlllist|Module Output Options: text
driverirp|Module Output Options: text
driverscan|Module Output Options: text
dumpcerts|Module Output Options: text
dumpfiles|Module Output Options: text
envars|Module Output Options: text
eventhooks|Module Output Options: text
evtlogs|Module Output Options: text
filescan|Module Output Options: text
gahti|Module Output Options: text
gditimers|Module Output Options: text
gdt|Module Output Options: text
getservicesids|Module Output Options: text
getsids|Module Output Options: text
handles|Module Output Options: text
hashdump|Module Output Options: text
hibinfo|Module Output Options: text
hivedump|Module Output Options: text
hivelist|Module Output Options: text
hivescan|Module Output Options: text
hpakextract|Module Output Options: text
hpakinfo|Module Output Options: text
idt|Module Output Options: text
iehistory|Module Output Options: csv, text
imagecopy|Module Output Options: text
imageinfo|Module Output Options: text
impscan|Module Output Options: idc, text
joblinks|Module Output Options: text
kdbgscan|Module Output Options: text
kpcrscan|Module Output Options: text
ldrmodules|Module Output Options: text
lsadump|Module Output Options: text
machoinfo|Module Output Options: text
malfind|Module Output Options: text
mbrparser|Module Output Options: text
memdump|Module Output Options: text
memmap|Module Output Options: text
messagehooks|Module Output Options: block, text
mftparser|Module Output Options: body, text
moddump|Module Output Options: text
modscan|Module Output Options: text
modules|Module Output Options: text
multiscan|Module Output Options: text
mutantscan|Module Output Options: text
notepad|Module Output Options: text
objtypescan|Module Output Options: text
patcher|Module Output Options: text
poolpeek|Module Output Options: text
printkey|Module Output Options: text
privs|Module Output Options: text
procdump|Module Output Options: text
pslist|Module Output Options: text
psscan|Module Output Options: dot, text
pstree|Module Output Options: text
psxview|Module Output Options: text, xlsx
raw2dmp|Module Output Options: text
screenshot|Module Output Options: text
sessions|Module Output Options: text
shellbags|Module Output Options: body, text
shimcache|Module Output Options: text
sockets|Module Output Options: text
sockscan|Module Output Options: text
ssdt|Module Output Options: text
strings|Module Output Options: text
svcscan|Module Output Options: dot, text
symlinkscan|Module Output Options: text
thrdscan|Module Output Options: text
threads|Module Output Options: text
timeliner|Module Output Options: body, text, xlsx
timers|Module Output Options: text
truecryptmaster|Module Output Options: text
truecryptpassphrase|Module Output Options: text
truecryptsummary|Module Output Options: text
unloadedmodules|Module Output Options: text
userassist|Module Output Options: text
userhandles|Module Output Options: text
vaddump|Module Output Options: text
vadinfo|Module Output Options: text
vadtree|Module Output Options: dot, text
vadwalk|Module Output Options: text
vboxinfo|Module Output Options: text
verinfo|Module Output Options: text
vmwareinfo|Module Output Options: text
volshell|Module Output Options: text
windows|Module Output Options: block, text
wintree|Module Output Options: block, text
wndscan|Module Output Options: text
yarascan|Module Output Options: text