
volatility-wnf

Browse and dump Windows Notification Facilities

This plugin is based on the work of Alex Ionescu and Gabrielle Viala:

  • https://blog.quarkslab.com/playing-with-the-windows-notification-facility-wnf.html
  • https://www.blackhat.com/us-18/briefings/schedule/#the-windows-notification-facility-peeling-the-onion-of-the-most-undocumented-kernel-attack-surface-yet-11626
  • https://www.youtube.com/watch?v=MybmgE95weo

The plugin walks through all processes (or a single process selected by PID filter) and dumps all WNF subscribers. Additionally, it can dump the data associated with a given subscriber.

Install

Please put wnf.py in your volatility plugin folder.

Use

To dump all subscribers of all processes:

python vol.py -f your_dump --profile=your_profile wnf

To dump all subscribers of a particular process:

python vol.py -f your_dump --profile=your_profile wnf --pid PID

To dump the data associated with a particular subscriber:

python vol.py -f your_dump --profile=your_profile wnfdata -s ADDRESS_OF_SUBSCRIBER

ADDRESS_OF_SUBSCRIBER is the first field printed for each subscriber by the wnf command.