[Vol-users] New and Updated Volatility Plug-ins

AAron Walters awalters at 4tphi.net
Wed Jul 22 00:31:03 CDT 2009


Volatility contributor Michael Hale Ligh has recently released a number of 
new and updated plugins.

     * idt.py: printing the Interrupt Descriptor Table (IDT) addresses
     * driverirp.py: printing driver IRP function addresses
     * usermode_hooks2.py: updated usermode hook detection plug-in
     * kernel_hooks.py: detects IAT, EAT, and in-line hooks in kernel
     * orphan_threads.py: detects hidden system/kernel threads
     * malfind2.py: updated plugin for detecting hidden/injected code in usermode processes

His blog post also demonstrates how each plugin can be useful for 
detecting different types of malware. Please take some time to test these 
plugins and send Michael any feedback you may have. Shouts to MHL for his 
contributions to the Volatility community!
