小林不是俊
Published on 2025-01-06 / 4 Visits

Memory Forensics Lab

# 1. Installing Volatility

## 1.1. Volatility2

https://github.com/volatilityfoundation/volatility/releases/download/2.6.1/volatility_2.6_win64_standalone.zip


## 1.2. Volatility3

```bash
pip install volatility3
```

# 2. Common Parameters

## 2.1. View system information: `imageinfo`

```bash
volatility_2.6.exe -f mem.vmem imageinfo
```

## 2.2. Enter a memory session: `volshell`

```bash
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 volshell
```

Common session commands:

```bash
hh()  # show help
ps()  # list processes
sc()  # show the current context
```

## 2.3. View processes: `pslist`, `pstree`

```bash
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 pslist
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 pstree
```

![alt text](内存取证/image.png)

![alt text](内存取证/image-5.png)

## 2.4. List the registry hives cached in memory: `hivelist`

```bash
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 hivelist
```

![alt text](内存取证/image-1.png)

## 2.5. Get the users in the SAM hive: `printkey`

```bash
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 printkey -K "SAM\Domains\Account\Users\Names"
```

![alt text](内存取证/image-2.png)

## 2.6. Get the account that last logged on: `printkey`

```bash
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
```

![alt text](内存取证/image-3.png)

Program execution records:

```bash
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 userassist
```
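As an added example (not from the original post), a small Python helper that ties sections 2.1, 2.4 and 2.5 together: it pulls the suggested profile out of `imageinfo` output, maps hive names to their virtual offsets from `hivelist` output, and assembles the `printkey` command pinned to one hive with Volatility 2's `-o` option. Both sample outputs are constructed; the SYSTEM hive offset reuses the value from this page's commented-out hostname example.

```python
import re

# Constructed sample of `imageinfo` output (not captured from a real image).
IMAGEINFO_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
"""

# Constructed sample of `hivelist` output; only the SYSTEM offset is taken from this page.
HIVELIST_SAMPLE = """\
Virtual    Physical   Name
---------- ---------- ----
0xe1035b60 0x02ab5b60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system
0xe1ebb008 0x0b6d1008 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SAM
0xe1018388 0x02a1d388 [no name]
"""


def suggested_profile(imageinfo_out: str) -> str:
    """Return the first profile listed under 'Suggested Profile(s)'."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*([^,\s(]+)", imageinfo_out)
    if not m:
        raise ValueError("no profile suggested; image may be unsupported or truncated")
    return m.group(1)


def hive_offsets(hivelist_out: str) -> dict:
    """Map each named hive's file name (lower-case) to its virtual offset; skips '[no name]'."""
    offsets = {}
    for line in hivelist_out.splitlines():
        m = re.match(r"(0x[0-9a-fA-F]+)\s+0x[0-9a-fA-F]+\s+(.+)$", line)
        if m and m.group(2) != "[no name]":
            name = m.group(2).rsplit("\\", 1)[-1].lower()
            offsets[name] = int(m.group(1), 16)
    return offsets


def printkey_cmd(image, profile, hive_offset, key, exe="volatility_2.6.exe"):
    """Build a printkey command restricted to one hive via -o (same argument order as section 2.5)."""
    argv = [exe, "-f", image, "--profile", profile, "-o", hex(hive_offset), "printkey", "-K", key]
    # Quote arguments that contain spaces or backslashes, as the page's own command lines do.
    return " ".join(f'"{a}"' if (" " in a or "\\" in a) else a for a in argv)
```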

## 2.7. Dump a process: `memdump`

Save the data of one process from the memory image in dmp format:

```bash
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 memdump -p 1712 -D vmtoolsd
```

![alt text](内存取证/image-4.png)

## 2.8. Get IE browser history: `iehistory`

```bash
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 iehistory
```

## 2.9. Get network connections: `netscan`

```bash
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 netscan
```

Note that in Volatility 2 `netscan` only supports Vista and later profiles; for XP/2003 profiles such as `WinXPSP2x86`, use `connections`, `connscan`, `sockets` and `sockscan` instead.

## 2.10. Scan Windows services: `svcscan`

```bash
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 svcscan
```

<!-- ## Get the hostname

```bash
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 hivelist
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 -o 0xe1035b60 printkey
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 -o 0xe1035b60 printkey -K "ControlSet001"
volatility_2.6.exe -f mem.vmem --profile WinXPSP2x86 -o 0xe1035b60 printkey -K "ControlSet001\Control"
``` -->

https://mp.weixin.qq.com/s/tK3iyB1Ug-c7KstFcJLgkQ
