Giter Site home page Giter Site logo

reverseame / residentmem Goto Github PK

View Code? Open in Web Editor NEW
2.0 3.0 0.0 34 KB

Volatility plugin to obtain the number of the resident memory pages per module (exe or dll) and per driver from a Windows memory dump.

License: GNU General Public License v3.0

Python 100.00%
python volatility volatility-plugins memory-forensics

residentmem's Introduction

Residentmem - Volatility Plugin

residentmem for Volatility 2.6 obtains the number of the memory pages resident in memory per module (exe or dll) and per driver from a Windows memory dump.

License: GPL v3

Usage

residentmem: counts how many memory pages resident in a Windows memory dump per module (exe or dll) and system driver.

    Options:
        -p: Process PID(s)
            (-p 252 | -p 252,452,2852)

        -D DIR, --dump-dir=DIR: Temporary folder to dump output files
        
        --logfile LOGNAME: Logfile to dump full info
            Creates a logfile containing the full output of the tool (for instance, it allows you to obtain the full module names, not truncated as in the Volatility's output

Usage example

$ python2 vol.py --plugins /path/to/sum -f /path/to/memory.dump residentmem -D dump-dir
Volatility Foundation Volatility Framework 2.6.1
Pid  Process      Module Name          File Version   Module Base Resident Total    Path                                           Dump file                                     
---- ------------ -------------------- -------------- ----------- -------- -------- ---------------------------------------------- --------------------------------------
 216 smss.exe     smss.exe                             0x476e0000       17       19 \SystemRoot\System32\smss.exe                  dump-dir/smss.exe-216-smss.exe.csv     
 216 smss.exe     ntdll.dll                            0x76da0000      112      316 C:\Windows\SYSTEM32\ntdll.dll                  dump-dir/smss.exe-216-ntdll.dll.csv    
 288 csrss.exe    csrss.exe            6.1.7600.16385  0x4a510000        4        5 C:\Windows\system32\csrss.exe                  dump-dir/csrss.exe-288-csrss.exe.csv    
 288 csrss.exe    basesrv.DLL                          0x74f40000       10       14 C:\Windows\system32\basesrv.DLL                dump-dir/csrss.exe-288-basesrv.DLL.csv  
 288 csrss.exe    winsrv.DLL           6.1.7601.17514  0x74f10000       11       44 C:\Windows\system32\winsrv.DLL                 dump-dir/csrss.exe-288-winsrv.DLL.csv   
 288 csrss.exe    USER32.dll           6.1.7601.17514  0x758d0000       66      201 C:\Windows\system32\USER32.dll                 dump-dir/csrss.exe-288-USER32.dll.csv   
[... redacted ...] 
--   --           USBD.SYS             6.1.7600.16385  0x9279b000        2        2 \SystemRoot\system32\DRIVERS\USBD.SYS          dump-dir/drv_USBD.SYS.csv
--   --           termdd.sys                           0x8cb7c000       14       17 \SystemRoot\system32\DRIVERS\termdd.sys        dump-dir/drv_termdd.sys.csv
--   --           pacer.sys                            0x8cc00000       19       31 \SystemRoot\system32\DRIVERS\pacer.sys         dump-dir/drv_pacer.sys.csv
--   --           HIDCLASS.SYS         6.1.7601.17514  0x92781000       19       19 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS      dump-dir/drv_HIDCLASS.SYS.csv
--   --           dump_pciidex.sys     6.1.7600.16385  0x92750000       11       11 \SystemRoot\System32\Drivers\dump_dumpata.sys  dump-dir/drv_dump_dumpata.sys.csv
--   --           VIDEOPRT.SYS         6.1.7600.16385  0x8cf14000       33       33 \SystemRoot\System32\drivers\VIDEOPRT.SYS      dump-dir/drv_VIDEOPRT.SYS.csv
[... redacted ...]

License

Licensed under the GNU GPLv3 license.

residentmem's People

Contributors

miguelmartinperez avatar ricardojrdez avatar

Stargazers

avatar avatar

Watchers

avatar avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.