impfuzzy/impfuzzy_for_Volatility at master · JPCERTCC/impfuzzy · GitHub
impfuzzy for Volatility

Volatility plugin for comparing impfuzzy and imphash values.
This plugin can be used to scan a memory image for malware.
For background on imphash, see the FireEye blog.

More details are described in the following documents:
https://www.jpcert.or.jp/magazine/acreport-impfuzzy_volatility.html (Japanese)
http://blog.jpcert.or.jp/2016/12/a-new-tool-to-d-d6bc.html (English)

Requirements

This plugin requires the following modules:

Usage

Use -h to see the help message.

  • impfuzzy - compare or print the impfuzzy hash
  • imphashlist - print the imphash
  • imphashsearch - search for the imphash

Example Usage

Printing The Impfuzzy Hash of Process and DLL Module

$ python vol.py -f [image] --profile=[profile] impfuzzy -p [PID] -a

Searching The Impfuzzy Hash from PE Files

$ python vol.py -f [image] --profile=[profile] impfuzzy -e [PE File or Folder]

Searching The Impfuzzy Hash from Hash List

$ python vol.py -f [image] --profile=[profile] impfuzzy -i [Hash List File]

Printing The Imphash

$ python vol.py -f [image] --profile=[profile] imphashlist -p [PID]

Searching The Imphash

$ python vol.py -f [image] --profile=[profile] imphashsearch -i [Hash List]
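
Why the plugin offers both an exact and a fuzzy comparison, as an added example (not code from the JPCERTCC plugin): imphash is an MD5 over the normalised, ordered import list as pefile computes it, so one extra import yields an unrelated hash, while impfuzzy applies ssdeep fuzzy hashing to the import list so near-identical import tables still score as similar. The import tables below are constructed, and `import_overlap` is a hypothetical Jaccard stand-in for similarity, not the ssdeep comparison that impfuzzy performs.

```python
import hashlib

# Extensions stripped from the library name before hashing (as pefile does).
_STRIP_EXTS = {"dll", "ocx", "sys"}


def import_strings(imports):
    """Normalise (library, function) pairs into 'lib.func' strings.

    `imports` is an ordered list of (dll_name, function_name) tuples, in
    the order they appear in the module's import table.
    """
    out = []
    for lib, func in imports:
        lib = lib.lower()
        stem, _, ext = lib.rpartition(".")
        if stem and ext in _STRIP_EXTS:
            lib = stem
        out.append("%s.%s" % (lib, func.lower()))
    return out


def imphash(imports):
    """MD5 over the comma-joined, order-preserving import list."""
    return hashlib.md5(",".join(import_strings(imports)).encode()).hexdigest()


def import_overlap(a, b):
    """Jaccard overlap of two import sets: a stand-in similarity score,
    NOT the ssdeep-based impfuzzy comparison."""
    sa, sb = set(import_strings(a)), set(import_strings(b))
    return len(sa & sb) / len(sa | sb) if sa | sb else 1.0


# Constructed sample import tables (not taken from any real sample).
BASE = [("KERNEL32.dll", "CreateFileA"), ("KERNEL32.dll", "WriteFile"),
        ("KERNEL32.dll", "VirtualAlloc"), ("ADVAPI32.dll", "RegSetValueExA"),
        ("WS2_32.dll", "connect")]
SAME_DIFFERENT_CASE = [(lib.upper(), func) for lib, func in BASE]
VARIANT = BASE + [("WS2_32.dll", "send")]  # one extra import

if __name__ == "__main__":
    # Case differences hash identically; the variant's imphash is unrelated.
    print(imphash(BASE), imphash(SAME_DIFFERENT_CASE), imphash(VARIANT))
    print("overlap: %.2f" % import_overlap(BASE, VARIANT))
```

An exact imphash hit from imphashsearch is strong evidence of the same build, while a miss says nothing about related variants; that is the case the impfuzzy comparison covers.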