Volatility3 plugin for computing and comparing the impfuzzy, imphash and ssdeep hashes of PE images found in a memory image.
It can be used to scan processes and loaded modules in a memory image for known malware by hash.
For background on imphash, see the FireEye blog.
More details are described in the following documents:
- https://blogs.jpcert.or.jp/ja/2016/11/impfuzzy_volatility.html (Japanese)
- https://blogs.jpcert.or.jp/en/2016/12/a-new-tool-to-d-d6bc.html (English)
- pehash.ImpFuzzy - print the impfuzzy of each PE in memory, or compare it against a PE file or a hash list
- pehash.ImpHash - print the imphash of each PE in memory, or search for entries of a hash list
- pehash.Ssdeep - print the ssdeep of each PE in memory, or compare it against a PE file or a hash list
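To make clear what the three plugins are comparing, here is an added example (not code from the impfuzzy project) that reproduces the imphash computation step by step on a constructed import table and checks the result against a hash list. The normalization it applies (lowercase DLL name with the .dll/.ocx/.sys suffix removed, lowercase symbol name, ordinals written as ordN, entries joined by commas, MD5 over the result) is the well-known imphash definition used by pefile; the ws2_32/oleaut32 ordinal-to-name lookup that pefile adds is deliberately omitted. The import table, the hash-list format (one hex hash per line, `#` comments) and the function names are assumptions for illustration only; the real plugins read the import directory from the process image instead. The last function shows why a fuzzy variant is useful: one extra import gives a completely different imphash, whereas impfuzzy applies ssdeep to the same import string so that near-identical tables still score as similar.

```python
import hashlib

# Constructed sample import table (not from any real binary): (dll, symbol)
# pairs in import-directory order. An int symbol means an import by ordinal.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteFile"),
    ("KERNEL32.dll", "CloseHandle"),
    ("WS2_32.dll", 1),
    ("ADVAPI32.dll", "RegSetValueExA"),
]


def import_string(imports):
    """Build the normalized 'dll.func,dll.func,...' string that imphash (and
    impfuzzy) are computed over. DLL names are lowercased and stripped of a
    .dll/.ocx/.sys suffix; ordinals are written as ordN. (pefile additionally
    maps ws2_32/oleaut32 ordinals to names; that lookup is omitted here.)"""
    parts = []
    for dll, sym in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        name = f"ord{sym}" if isinstance(sym, int) else sym.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    """imphash = MD5 of the normalized import string (32 hex chars)."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


def load_hash_list(text):
    """Parse a hash-list file: one hex hash per line, '#' starts a comment.
    (Assumed format for this example, not the plugin's documented one.)"""
    hashes = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            hashes.add(line)
    return hashes


def match_hash_list(imports, hash_list):
    """True if the imphash of this import table is in the hash list."""
    return imphash(imports) in hash_list


def exact_match_is_brittle(imports):
    """Append a single import and report whether the imphash still matches.
    It never does: MD5 is an exact hash, which is the limitation impfuzzy
    addresses by running ssdeep over the same import string instead."""
    variant = imports + [("USER32.dll", "MessageBoxA")]
    return imphash(variant) == imphash(imports)


if __name__ == "__main__":
    print(import_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
    # Constructed hash list containing our own sample's hash.
    known = load_hash_list("# constructed sample list\n" + imphash(SAMPLE_IMPORTS).upper() + "\n")
    print("match:", match_hash_list(SAMPLE_IMPORTS, known))
    print("still matches after one extra import:", exact_match_is_brittle(SAMPLE_IMPORTS))
```

Run it directly to see the normalized import string, its imphash, the hash-list lookup succeeding, and the exact match failing once one import is added.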
This plugin requires the following modules:
- pefile https://github.com/erocarrera/pefile
- pyimpfuzzy https://github.com/JPCERTCC/impfuzzy/tree/master/pyimpfuzzy
- python-ssdeep https://github.com/DinoTools/python-ssdeep
$ git clone https://github.com/volatilityfoundation/volatility3.git
$ git clone https://github.com/JPCERTCC/impfuzzy.git
$ pip3 install pefile yara-python capstone pyimpfuzzy ssdeep
$ cd volatility3
$ python3 vol.py -f [memorydata] --plugin-dirs ../impfuzzy/impfuzzy_for_Volatility3 [ pehash.ImpHash | pehash.ImpFuzzy | pehash.Ssdeep ]
Use -h to see help message.
$ python3 vol.py -f [memorydata] --plugin-dirs ../impfuzzy/impfuzzy_for_Volatility3 pehash.ImpFuzzy --pid [PID]
$ python3 vol.py -f [memorydata] --plugin-dirs ../impfuzzy/impfuzzy_for_Volatility3 pehash.ImpFuzzy --exefile [PE file]
$ python3 vol.py -f [memorydata] --plugin-dirs ../impfuzzy/impfuzzy_for_Volatility3 pehash.ImpFuzzy --impfuzzylist [Hash List File]
$ python3 vol.py -f [memorydata] --plugin-dirs ../impfuzzy/impfuzzy_for_Volatility3 pehash.ImpHash --pid [PID]
$ python3 vol.py -f [memorydata] --plugin-dirs ../impfuzzy/impfuzzy_for_Volatility3 pehash.ImpHash --imphashlist [Hash List File]
$ python3 vol.py -f [memorydata] --plugin-dirs ../impfuzzy/impfuzzy_for_Volatility3 pehash.Ssdeep --pid [PID]