The following list explains the plugins used in the recipe.
- Imageinfo: This plugin collects basic information about the memory image you are analyzing, such as the operating system, service pack, and hardware architecture, as well as other useful information such as the DTB address, KDBG address, and the timestamp of the image creation.
- Pslist: This plugin shows the processes of the system, including the offset, process name, process ID, parent process ID, number of threads, number of handles, date/time when the process started and exited, Session ID, and whether the process is a WoW64 process.
- Pstree: This plugin does the same as pslist, but shows the process list in tree form. It uses indentation and periods to indicate child processes.
- Dlllist: This plugin displays the DLLs loaded by the process of interest, or by all processes if the -p or --pid switch isn't used.
- Malfind: This plugin allows the examiner to detect and extract hidden or injected code/DLLs in user-mode memory for further antivirus scans and analysis.
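
The indentation-and-periods layout that Pstree uses can be read back into parent/child data for triage. The following is an added example, not part of the original recipe or of Volatility itself; it assumes Volatility 2's text output layout, the listing is a constructed sample, and the names `parse_pstree` and `triage` are hypothetical.

```python
import re

# Constructed sample in the layout of Volatility 2 pstree text output (not from a real image).
SAMPLE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x823c89c8:System                                      4      0     53    240 1970-01-01 00:00:00 UTC+0000
. 0x822f1020:smss.exe                                 368      4      3     19 2012-07-22 02:42:31 UTC+0000
.. 0x82298700:winlogon.exe                            632    368     23    519 2012-07-22 02:42:32 UTC+0000
... 0x81e2ab28:services.exe                           676    632     16    243 2012-07-22 02:42:32 UTC+0000
.... 0x821dfda0:svchost.exe                           856    676     17    200 2012-07-22 02:42:33 UTC+0000
 0x821dea70:explorer.exe                             1484   1464     17    415 2012-07-22 02:42:36 UTC+0000
. 0x81e7bda0:reader_sl.exe                           1640   1484      5     39 2012-07-22 02:42:36 UTC+0000
"""

# Leading periods give the depth; then offset:name and the numeric columns.
ROW = re.compile(r"^(?P<dots>\.*)\s+(?P<offset>0x[0-9a-fA-F]+):(?P<name>.+?)\s+"
                 r"(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<thds>\d+)\s+(?P<hnds>\S+)")

def parse_pstree(text):
    """Return one dict per process, with depth taken from the leading periods."""
    procs, stack = [], []  # stack[d] holds the PID of the last process seen at depth d
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        depth = len(m["dots"])
        proc = {"name": m["name"], "pid": int(m["pid"]), "ppid": int(m["ppid"]),
                "depth": depth, "offset": m["offset"]}
        del stack[depth:]  # leave only the ancestors of this row
        proc["tree_parent"] = stack[-1] if stack else None
        stack.append(proc["pid"])
        procs.append(proc)
    return procs

def triage(procs):
    """Roots whose parent PID is not listed, and rows whose indentation and PPID disagree."""
    pids = {p["pid"] for p in procs}
    orphans = [p for p in procs
               if p["depth"] == 0 and p["ppid"] != 0 and p["ppid"] not in pids]
    mismatched = [p for p in procs if p["depth"] > 0 and p["tree_parent"] != p["ppid"]]
    return orphans, mismatched

if __name__ == "__main__":
    orphans, mismatched = triage(parse_pstree(SAMPLE))
    for p in orphans:
        print(f"parent {p['ppid']} not listed: {p['name']} (pid {p['pid']})")
```

A root whose parent is not listed is often benign, because the parent may simply have exited (as with explorer.exe here), so the result is a list of processes to review rather than a verdict.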