regscan

Scan the registry from the memory dump to find malware.

Running the Plugin

Copy the plugin to volatility/plugins directory

$ python vol.py -f infected.vmem --profile=Win7SP1x86 regscan

Other Options

Scan for specific registry keys

$ python vol.py -f infected.vmem --profile=Win7SP1x86 regscan -k %REGKEY%

Registry for system startup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

reference

volatility registry api : https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Registry-Api
plugin 제작 : http://www.dailysecu.com/news/articleView.html?idxno=5128
메모리 레지스트리 분석 : http://moyix.blogspot.kr/2008/02/enumerating-registry-hives.html
plugin man page : https://fossies.org/dox/volatility-2.6/zeusscan_8py_source.html

reference plugin

hivelist.py
printkey.py
dumpregistry.py

Name		Name	Last commit message	Last commit date
Latest commit History 8 Commits
.idea		.idea
README.md		README.md
regscan.py		regscan.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

.idea

.idea

README.md

README.md

regscan.py

regscan.py

Repository files navigation

regscan

Running the Plugin

Other Options

Registry for system startup

reference

reference plugin

About

Releases

Packages

Languages

amohanta/regscan

Folders and files

Latest commit

History

Repository files navigation

regscan

Running the Plugin

Other Options

Registry for system startup

reference

reference plugin

About

Resources

Stars

Watchers

Forks

Languages