Skip to content

List of volatility plugins


  • Articles that need to be expanded tags:
  • Research
  • Websites

The Volatility Framework was designed to be expanded by plugins. Here is a list of the published plugins for the Volatility 1.3 framework. Note that these plugins are not hosted on the wiki, but all on external sites. The latest release of the Volatility Framework is 2.2. These plugins are not compatible with the latest version of the framework and information about compatible plugins can be found on the wiki on the project Googlecode site.

Command Shell

  • volshell (By Moyix)- Creates a python shell can be used with the framework.

Malware Detection

  • IDT (By Michael Hale Ligh) - Prints the Interrupt Descriptor Table (IDT) addresses for one processor
  • DriverIRP (By Michael Hale Ligh) - Prints driver IRP function addresses
  • kernel_hooks (By Michael Hale Ligh) - Detects IAT, EAT, and in-line hooks in kernel drivers instead of usermode modules
  • malfind2 (By Michael Hale Ligh) - Automates the process of finding and extracting (usually malicious) code injected into another process
  • orphan_threads (By Michael Hale Ligh) - Detects hidden system/kernel threads
  • usermode_hooks2 (By Michael Hale Ligh) - Detect IAT/EAT/Inline rootkit hooks in usermode processes
  • kernel_hooks (By Michael Hale Ligh) - Detect IAT/EAT/Inline hooks in kernel drivers
  • Volatility Analyst Pack 0.1 (By Michael Hale Ligh) - A pack which contains updates to many of the listed modules

Data Recovery

  • cryptoscan, by Jesse Kornblum - Finds TrueCrypt passphrases
  • moddump (By Moyix) - Dump out a kernel module (aka driver)
  • Registry tools (By Moyix) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
  • Modified Regripper & Glue Code (By Moyix) - Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux.
  • getsids (By Moyix) - Get information about what user (SID) started a process.
  • ssdt (By Moyix) - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
  • threadqueues - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs. By Moyix)
  • objtypescan, by Andreas Schuster - Enumerates Windows kernel object types. (Note: If running the SVN version of Volatility, just install the plugin file from this archive)
  • keyboardbuffer, by Andreas Schuster - Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
  • mutantscan, by Andreas Schuster - Extracts mutexes from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
  • symlinkobjscan, by Andreas Schuster - Extracts symbolic link objects from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
  • driverscan, by Andreas Schuster - Scan for kernel _DRIVER_OBJECTs. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
  • fileobjscan, by Andreas Schuster - File object -> process linkage, including hidden files. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)

Process Enumeration

  • suspicious, by Jesse Kornblum - Identify "suspicious" processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.

Output Formatting

Other Helper Tools

Though these are not actual plugins they are helpful tools for obtaining output from the Volatility Framework.