Basic operations
View the help text
volatility_2.6_win64_standalone.exe -h

Memory image information (imageinfo)
volatility_2.6_win64_standalone.exe -f "C:\Users\xx\Desktop\victor_PC_memdump.dmp" imageinfo

View accounts (hashdump)
volatility_2.6_win64_standalone.exe -f "C:\Users\xx\Desktop\victor_PC_memdump.dmp" --profile=Win7SP1x64 hashdump

List process information (pslist, pstree)
volatility_2.6_win64_standalone.exe -f "C:\Users\xx\Desktop\victor_PC_memdump.dmp" --profile=Win7SP1x64 pslist

Dynamic-link libraries (dlllist)
volatility_2.6_win64_standalone.exe -f "C:\Users\xx\Desktop\victor_PC_memdump.dmp" --profile=Win7SP1x64 dlllist -p <PID>

Command history (cmdscan, cmdline, consoles)
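
The --profile value used above comes from the imageinfo output. The script below is an added example, not part of the original notes: it reads the "Suggested Profile(s)" line and builds the command lines for the plugins listed on this page. The sample output is constructed, the function names are hypothetical, and taking the first suggested profile is an assumption.

```python
import re
import subprocess

VOL = "volatility_2.6_win64_standalone.exe"  # binary name used on this page

# Constructed, abridged sample of imageinfo output (not from a real image).
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
"""

def suggested_profiles(imageinfo_text):
    """Return the profiles named on the 'Suggested Profile(s)' line, in order."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_text)
    if not m:
        raise ValueError("no 'Suggested Profile(s)' line in imageinfo output")
    # Drop the trailing "(Instantiated with ...)" note that some images produce.
    line = re.sub(r"\(Instantiated with [^)]*\)", "", m.group(1))
    profiles = [p.strip() for p in line.split(",") if p.strip()]
    if not profiles or profiles[0].startswith("No suggestion"):
        raise ValueError("imageinfo could not suggest a profile")
    return profiles

def triage_commands(image, profile, pid=None):
    """Build one argv list per plugin listed on this page."""
    base = [VOL, "-f", image, "--profile=" + profile]
    plugins = ["hashdump", "pslist", "pstree", "cmdscan", "cmdline", "consoles"]
    cmds = [base + [p] for p in plugins]
    if pid is not None:
        # int() rejects anything that is not a numeric PID
        cmds.append(base + ["dlllist", "-p", str(int(pid))])
    return cmds

def run(cmd):
    """Run one command without a shell, so the image path is passed as a single argument."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    profile = suggested_profiles(SAMPLE_IMAGEINFO)[0]
    image = r"C:\Users\xx\Desktop\victor_PC_memdump.dmp"
    for cmd in triage_commands(image, profile, pid=4):  # pid=4 is a constructed value
        print(subprocess.list2cmdline(cmd))
```

To use it on a real dump, pass the output of run([VOL, "-f", image, "imageinfo"]) to suggested_profiles() in place of the sample text.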