Updates and a New Home for Plugins

As I've now released a number of plugins for Volatility, and some have gone through a couple revisions, I thought I'd put them all up on a single page, which can point to the latest versions and act as a sort of one-stop shop.

I've also updated the registry tools yet again, to fix some bugs and add new functionality, and also made some enhancements to volshell. You can read about the changes below:

Changes to VolReg:
  • New command hivedump: dump keys and timestamps (and optionally value data) from all hives to a CSV file.
  • Many improvements to robustness and error handling when reading key and value data.
  • When checking the registry hive names, catch exceptions and try to continue anyway (reported by chris).
Changes to volshell:
  • A new command, dis, is available. If distorm is installed, it will disassemble bytes from a given memory address as x86 code.
  • db no longer rounds length to a multiple of 4.
  • Use a single profile object throughout all commands (speed improvement)
  • dt can now overlay an arbitrary structure at an address, for example: dt('_EPROCESS', 0x81234567)


Keydet89 said...

Awesome, thanks!

Mike said...

Why I'm I getting this error!

root@bt:~/Desktop/Volatility-1.3_Beta# python volatility hivelist -f /mnt/diskte
o memory.dd
Error: Invalid module [hivelist].

