User Tools

Site Tools


scripting:bash:volatility-check

Script which uses volatility 2.x + yara rules to extract tons of useful info

#!/bin/bash
 
# check if we have at least one file
if [ $# -eq 0 ]
  then
    echo "No memory dump supplied"
    exit 0
fi
DUMP=$1
 
 
# check if it exists
if test -f "$DUMP"; then
    echo "Starting volatility analysis of $DUMP"
else
    echo "$DUMP doesn't exist"
    exit 0    
fi
# Displays the step and add nice separations in the report
function title(){
	#echo -e "\n"
	#printf "[INFO] Extracting $1"
	echo "[INFO] Extracting $1"
	printf "%0.s#" {1..125}>>$DUMP.volatility.report
	echo -e "\n\t$1" >>$DUMP.volatility.report
	printf "%0.s#" {1..125}>>$DUMP.volatility.report
	echo -e "\n">>$DUMP.volatility.report
}
 
 
# Cleaning up the mess
function clean_up(){
	echo -e "\n"
	echo -e "\n">>$DUMP.volatility.report
	sed -i '/Volatility Foundation/d' $DUMP.volatility.report
	rm $DUMP.output
}
 
 
# Removes the old reports if exist
if test -f $DUMP.volatility.report; then
	rm $DUMP.volatility.report
fi
 
if test -f $DUMP.yara.report; then
	rm $DUMP.yara.report
fi
 
echo "[INFO] Yara malware scan search in parallel" 
vol.py -f $DUMP yarascan --yara-file="/opt/yara/rules/malware_index.yar" &> $DUMP.yara.report &
P1=$!
# Detect Profile
echo "[INFO] Searching profile for $DUMP"  
OUTPUT=`vol.py -f $DUMP imageinfo &>$DUMP.output` 
PROFILE=`cat $DUMP.output| grep -oP "Profile\(s\) :\s+\K\w+"` 
 
 
title "Analysis of $DUMP\n\tProfile: $PROFILE"
 
# output basic info into main.report - process
title "All processes"
PSSCAN=`vol.py -f $DUMP --profile=$PROFILE psscan &>> $DUMP.volatility.report`
title "Running processes"
PSTREE=`vol.py -f $DUMP --profile=$PROFILE pstree &>> $DUMP.volatility.report`
title "CMD lines" 
PSDOT=`vol.py -f $DUMP --profile=$PROFILE cmdline &>> $DUMP.volatility.report`
title "Interesting processes"
PSTOTAL=`vol.py -f $DUMP --profile=$PROFILE pstotal -S &>> $DUMP.volatility.report`
title "Hidden process"
PSTOTAL=`vol.py -f $DUMP --profile=$PROFILE psxview &>> $DUMP.volatility.report`
 
#Network Analysis
title "Open Connections-XP/2003"
PSTOTAL=`vol.py -f $DUMP --profile=$PROFILE connections &>> $DUMP.volatility.report`
title "TCP Connections"
PSTOTAL=`vol.py -f $DUMP --profile=$PROFILE connscan &>> $DUMP.volatility.report`
 
#Creates the folder if it doesn't exist
DUMPDIR="$DUMP-PROCs"
title "All process (dump in $DUMPDIR)"
if [ ! -d ./$DUMPDIR ];then
	mkdir "./$DUMPDIR"
fi
PSTOTAL=`vol.py -f $DUMP --profile=$PROFILE procdump --dump-dir ./$DUMPDIR &>> $DUMP.volatility.report`
title "Process dot"
PSDOT=`vol.py -f $DUMP --profile=$PROFILE psscan --output=dot --output-file=./$DUMPDIR/psscan.dot &>> $DUMP.volatility.report`
title "SSL Certs" 
PSDOT=`vol.py -f $DUMP --profile=$PROFILE dumpcerts -D ./$DUMPDIR --ssl &>> $DUMP.volatility.report`
# Run yarascan
 
wait $P1
title "Yara malware" 
cat $DUMP.yara.report >> $DUMP.volatility.report
 
#title "Yara all"
#PSTOTAL=`vol.py -f $DUMP --profile=$PROFILE yarascan --yara-file="/opt/yara/rules/malware_index.yar" &>> $DUMP.volatility.report`
 
# Hash generation
#remove old hash
if test -f ./$DUMPDIR/hashlist;then
	rm ./$DUMPDIR/hashlist
fi
title "Hash generation"
for file in `ls ./$DUMPDIR/executable*.exe`; do shasum $file&>>./$DUMPDIR/hashlist; done;
# add links to virustotal
sed -i 's/^/https:\/\/www.virustotal.com\/gui\/file\//' ./$DUMPDIR/hashlist
cat ./$DUMPDIR/hashlist &>> $DUMP.volatility.report
clean_up

the script : volatility-check.sh.zip Available on github: https://github.com/D4thToMS/cybersecurity/blob/main/volatility-check.sh

scripting/bash/volatility-check.txt · Last modified: 2021/12/29 21:13 by warnaud