# Volatility configuration
# Basic settings
[basic]
# Volatility profile of the guest. Set it explicitly so the profile does not
# have to be auto-detected for every dump.
# Note: mem_profile in the machinery configuration will override this
guest_profile = WinXPSP2x86
# Also run strings extraction over the dump (yes/no).
dostrings = yes
# Presumably restricts extraction to NUL-terminated strings when yes; confirm
# against the processing module before relying on it.
strings_nullterminated_only = no
# Minimum length, in characters, for an extracted string to be kept.
strings_minchars = 5
# Delete memory dump after volatility processing.
# A dump is the full guest RAM: it is likely to contain the sample's decrypted
# code as well as any credentials present in the VM, so if dumps are kept,
# budget disk for them and restrict access to the analysis storage.
delete_memdump = no
# Delete memory dump in the event of a volatility exception.
# Keeping it (no) allows the dump to be re-processed by hand after a failed run.
delete_memdump_on_exception = no
# List of available Volatility plugins. Each section below takes two keys:
# enabled (yes/no): run this plugin as part of memory processing
# filter (on/off): drop entries that match the [mask] section at the end of this file
# Filtering only has something to act on while [mask] is enabled (it is
# "enabled = no" by default), and anything masked is hidden from the analyst
# for every plugin with filter = on, so keep the mask minimal and build it
# from a clean snapshot of the same VM image.
# The wiki links below refer to the Volatility 2.3 command reference on Google
# Code and may no longer resolve; look the plugin name up in the current
# Volatility documentation.
# Scans process memory for hidden/injected code and DLLs (e.g. executable
# regions not backed by a file on disk). A primary injection indicator; keep enabled.
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#malfind
[malfind]
enabled = yes
# Entries matching [mask] are dropped from the report when on.
filter = on
# Lists hooked API functions in user mode and kernel space.
# Expect it to be very slow when enabled.
# Disabled by default for speed; note that API hooks installed by the sample
# then go undetected in this run. Enable it for targeted re-analysis.
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#apihooks
[apihooks]
enabled = no
filter = on
# Lists processes from the kernel's linked process list. Does not detect
# hidden (unlinked) processes; psxview below is the plugin that covers those.
# http://code.google.com/p/volatility/wiki/CommandReference23#pslist
[pslist]
enabled = yes
filter = off
# Lists hidden processes by cross-referencing several independent process
# listing techniques; a process missing from some of them is suspicious.
# Kept unfiltered so that a hidden process is never masked out of the report.
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#psxview
[psxview]
enabled = yes
filter = off
# Show kernel callbacks (registered notification routines). Callbacks pointing
# into unknown or unloaded modules are a common kernel-mode rootkit indicator.
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#callbacks
[callbacks]
enabled = yes
filter = off
# Show the Interrupt Descriptor Table. Entries that do not point into the
# kernel image suggest interrupt hooking.
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#idt
[idt]
enabled = yes
filter = off
# Show kernel timers and the routines they fire; timers owned by unknown
# modules are another kernel-mode persistence indicator.
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#timers
[timers]
enabled = yes
filter = off
# Show Windows message hooks (user-mode hooks on the windowing subsystem,
# as used by some keyloggers and injectors).
# Expect it to be very slow when enabled; disabled by default, so such hooks
# are not reported unless this is turned on.
# http://code.google.com/p/volatility/wiki/CommandReferenceGui23#messagehooks
[messagehooks]
enabled = no
filter = off
# Show the SIDs held by each process token. Useful for spotting a process
# running as SYSTEM or Administrator that should not be.
# http://code.google.com/p/volatility/wiki/CommandReference23#getsids
[getsids]
enabled = yes
filter = off
# Show the privileges of each process token. A privilege such as
# SeDebugPrivilege enabled in an unexpected process is a typical
# privilege-escalation / injection indicator.
# http://code.google.com/p/volatility/wiki/CommandReference23#privs
[privs]
enabled = yes
filter = off
# Display each process's loaded DLLs. Does not display hidden DLLs
# (ones unlinked from the loader lists); see ldrmodules below for those.
# http://code.google.com/p/volatility/wiki/CommandReference23#dlllist
[dlllist]
enabled = yes
# Baseline system DLLs from [mask] are dropped when on.
filter = on
# List the open handles of each process (files, registry keys, mutexes,
# events, ...). Very verbose, hence filtered against [mask] by default.
# http://code.google.com/p/volatility/wiki/CommandReference23#handles
[handles]
enabled = yes
filter = on
# Displays each process's loaded DLLs, including hidden ones (unlinked from
# the PEB loader lists). Complements dlllist above; a module present here but
# absent from dlllist is a strong hiding indicator.
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#ldrmodules
[ldrmodules]
enabled = yes
filter = on
# Scan for mutexes across the whole system. Malware mutex names are common
# infection markers and make good indicators of compromise.
# http://code.google.com/p/volatility/wiki/CommandReference23#mutantscan
[mutantscan]
enabled = yes
filter = on
# List devices and drivers, including which drivers are attached to which
# device stacks (an unexpected attached driver suggests kernel tampering).
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#devicetree
[devicetree]
enabled = yes
filter = on
# Scan for Windows services (name, state, binary path). Services are a
# common persistence mechanism, so new or renamed entries are worth review.
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#svcscan
[svcscan]
enabled = yes
filter = on
# Scan for kernel drivers, including hidden and already-unloaded ones
# (pool scanning rather than walking the loaded-module list).
# http://code.google.com/p/volatility/wiki/CommandReference23#modscan
[modscan]
enabled = yes
filter = on
# Scan process and kernel memory with YARA rules.
# Which rule set is applied is not configured in this file; confirm where the
# processing module loads its rules before relying on the results.
[yarascan]
enabled = yes
filter = on
# Show the System Service Descriptor Table. Entries that point outside the
# kernel and win32k images typically indicate system-call hooking.
[ssdt]
enabled = yes
filter = on
# Show the Global Descriptor Table. Mainly used to spot installed call gates,
# a classic ring-0 entry technique of older rootkits.
[gdt]
enabled = yes
filter = on
# Scan for network sockets. This will only run on XP profiles, so with the
# default guest_profile (WinXPSP2x86) this is the plugin that yields network data.
[sockscan]
enabled = yes
filter = off
# Scan for network connections and listeners. This will only run on Vista/7
# profiles, so it produces nothing under the default guest_profile
# (WinXPSP2x86) unless mem_profile in the machinery configuration overrides it.
[netscan]
enabled = yes
filter = off
# Masks: data that should not be logged.
# Build this list from a clean snapshot of the analysis VM (before running any
# sample), so that only known-good baseline data is hidden.
# Masked entries are removed from the output of every plugin above that has
# filter = on, so they are invisible to the analyst even if the sample later
# tampers with them (e.g. injects into a masked process). Keep the list to
# the minimum needed for a readable report.
[mask]
# Enable masking (yes/no). With no, the filter keys above have no effect.
enabled = no
# Process IDs to mask. The expected separator for several values is not
# documented here; confirm against the processing module before adding entries.
pid_generic =