Volatility Explorer Suite
This program allows the user to load a memory dump and navigate through it with ease using a graphical interface. It can also function as a plugin to the Volatility Framework (https://github.com/volatilityfoundation/volatility3). The program functions similarly to Process Explorer/Hacker, but allows the user to analyze a memory dump instead of a live system. It runs on Windows, Linux and macOS machines, but only accepts Windows memory images.
This module contains 3 plugins:
WinObj (very similar to WinObj [Sysinternals]). Also supports Struct Analyzer and WinObjGui from VolExp.
RAMMap (very similar to RAMMap [Sysinternals]), but additionally it marks any suspicious pages (for more information read the pdf).
Download the volexp.py file (download the ).
Run as a standalone program:
python3 volexp.py
Or run as a plugin to Volatility 3:
python3 vol.py -f <memory file path> windows.volexp.volexp
Some of the information displayed will not update in real time (the exceptions are process information, which updates slowly, and real-time functions such as Struct Analyzer, PE properties, running a real-time plugin, etc.).
The program also allows viewing the loaded DLLs, open handles and network connections of each process (access to a DLL's properties is also available).
A process can be manually marked and annotated with a side note.
The user's actions can be saved to a separate file for later use.