OrphanDLLs Plugin Volatility 3
OrphanDLLs is an advanced custom plugin for the Volatility 3 memory forensics framework.
It is designed to detect unlinked, hidden, or reflectively loaded DLLs and other stealthy module manipulation techniques in Windows memory images.
Overview
This plugin identifies anomalies in process memory structures that often indicate advanced malware activity, including:
- DLL unlinking (removal from PEB lists)
- Reflective DLL injection
- Process hollowing and PE injection
- Memory-only or cloned DLLs
- Hidden modules loaded via VAD
- Suspicious or manipulated protection flags
- Cross-list inconsistencies between the InLoadOrder, InMemoryOrder, and InInitOrder lists
These techniques are commonly used by attackers to hide malicious code or evade forensic tools.
Detection Categories
| Status | Description | Technique |
|---|---|---|
| UNLINKED_DLL | DLL missing from multiple PEB lists | PEB Unlinking |
| HIDDEN_MODULE | Mapped in VAD but not listed in PEB | VAD Manipulation / Memory Injection |
| REFLECTIVE_DLL | DLL loaded without a file backing | Reflective DLL Injection |
| HIDDEN_PE | Memory region containing PE headers not linked to any module | Process Hollowing / PE Injection |
| CLONED_DLL | Multiple instances of same DLL found | DLL Cloning |
| SUSPICIOUS_PROTECTION | Memory region with writable + executable flags | Memory Protection Manipulation |
| INCONSISTENT_MODULE | Conflicts between module lists | Module Tampering |
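As an added illustration, not the plugin's own code (which reads these structures through the Volatility 3 API), the stand-alone Python below mirrors the cross-list, VAD and protection checks behind the statuses above on constructed input. The mapping of each condition to a status, the severities, and the VadRegion stand-in are assumptions of this example; CLONED_DLL is left out for brevity.

```python
from collections import namedtuple
# Simplified stand-in for one VAD node (assumption of this example): file_path is
# None for private memory, has_pe_header is True when the region starts with "MZ".
VadRegion = namedtuple("VadRegion", "base size protection file_path has_pe_header")
SEVERITY = {"UNLINKED_DLL": "HIGH", "INCONSISTENT_MODULE": "MEDIUM", "HIDDEN_MODULE": "HIGH",
            "REFLECTIVE_DLL": "CRITICAL", "HIDDEN_PE": "CRITICAL", "SUSPICIOUS_PROTECTION": "MEDIUM"}
def classify(load_order, mem_order, init_order, vads, min_size=4096):
    """Return (base, status, severity, evidence) tuples for one process; the three
    dicts map module base -> DLL name as read from the corresponding PEB list."""
    lists = {"InLoadOrder": load_order, "InMemoryOrder": mem_order, "InInitOrder": init_order}
    known = {b: n for e in lists.values() for b, n in e.items()}
    vad_by_base = {v.base: v for v in vads}
    found = []
    # 1. Cross-list check: a normally loaded DLL appears in all three lists.
    for base, dll in sorted(known.items()):
        missing = [n for n, e in lists.items() if base not in e]
        if missing == ["InInitOrder"] and dll.lower().endswith(".exe"):
            continue  # the main image is legitimately absent from InInitOrder
        if len(missing) >= 2:
            found.append((base, "UNLINKED_DLL", f"{dll} missing from {', '.join(missing)}"))
        elif missing:
            found.append((base, "INCONSISTENT_MODULE", f"{dll} missing from {missing[0]}"))
        vad = vad_by_base.get(base)
        if vad and vad.file_path is None:
            found.append((base, "REFLECTIVE_DLL", f"{dll} linked but has no file backing"))
    # 2. VAD check: images or PE payloads the PEB does not list, and W+X private memory.
    # Image mappings are normally PAGE_EXECUTE_WRITECOPY, so only READWRITE counts as W+X.
    for vad in vads:
        if vad.size < min_size:
            continue  # honours --min-size: tiny regions are ignored
        if vad.base not in known and vad.file_path:
            found.append((vad.base, "HIDDEN_MODULE", f"{vad.file_path} mapped but not in PEB"))
        elif vad.base not in known and vad.has_pe_header:
            found.append((vad.base, "HIDDEN_PE", "PE header in unlinked private memory"))
        if vad.protection == "PAGE_EXECUTE_READWRITE":
            found.append((vad.base, "SUSPICIOUS_PROTECTION", f"region is {vad.protection}"))
    return [(b, s, SEVERITY[s], e) for b, s, e in found]
def sample_findings():
    """Constructed process: evil.dll linked only in InLoadOrder with no file backing,
    a private PE image the PEB never saw, a W+X region and a sub-min-size region."""
    load = {0x400000: "app.exe", 0x7ff80000: "ntdll.dll", 0x6a0000: "evil.dll"}
    mem = {0x400000: "app.exe", 0x7ff80000: "ntdll.dll"}
    init = {0x7ff80000: "ntdll.dll"}
    vads = [VadRegion(0x400000, 0x20000, "PAGE_EXECUTE_WRITECOPY", r"C:\app.exe", True),
            VadRegion(0x6a0000, 0x30000, "PAGE_EXECUTE_READ", None, True),
            VadRegion(0x1f0000, 0x10000, "PAGE_EXECUTE_READ", None, True),
            VadRegion(0x2a0000, 0x2000, "PAGE_EXECUTE_READWRITE", None, False),
            VadRegion(0x3b0000, 0x800, "PAGE_EXECUTE_READWRITE", None, False)]
    return classify(load, mem, init, vads)
```

Running sample_findings() reports evil.dll as UNLINKED_DLL and REFLECTIVE_DLL, the orphan PE region as HIDDEN_PE and the W+X region as SUSPICIOUS_PROTECTION, while the 0x800-byte region is dropped by the min-size filter.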
Output Fields
When --verbose is off (default):
| Field | Description |
|---|---|
| Process | Name of the process |
| PID | Process ID |
| Base Address | Memory base address of the module |
| Status | Classification of anomaly |
| Severity | Risk level (LOW, MEDIUM, HIGH, CRITICAL) |
| Evidence | Supporting information for the detection |
When --verbose is on:
| Additional Fields | Description |
|---|---|
| Size | Module size in bytes |
| Technique | Detection technique used |
| Path | Full path or memory label of the DLL |
Optional Arguments
| Argument | Type | Description |
|---|---|---|
| --pid | Integer | Analyze a specific process ID only |
| --verbose | Boolean | Show detailed DLL information |
| --debug | Boolean | Enable debug logs |
| --check-vad | Boolean | Perform deep VAD analysis (default: True) |
| --check-pe | Boolean | Verify PE headers in suspicious regions |
| --min-size | Integer | Minimum region size to consider (bytes, default: 4096) |
| --check-clones | Boolean | Detect multiple DLL instances |
| --check-protection | Boolean | Analyze memory protection flags |
| --whitelist-system | Boolean | Skip known system DLLs (default: True) |
| --whitelist-file | String | Path to custom whitelist file |