GitHub - H2Cyber/VolDiff: VolDiff: Malware Memory Footprint Analysis based on Volatility
Skip to content
This repository has been archived by the owner on Feb 15, 2021. It is now read-only.
/ VolDiff Public archive

VolDiff: Malware Memory Footprint Analysis based on Volatility

License

Notifications You must be signed in to change notification settings

H2Cyber/VolDiff

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 

Repository files navigation

VolDiff: Malware Memory Footprint Analysis

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images.

VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis.

VolDiff can also be used against a single Windows memory image to automate Volatility plugin execution, and hunt for malicious patterns.

Installation and use directions

Please refer to the VolDiff home wiki for details. VolDiff has also been included in the REMnux Linux malware analysis toolkit.

Sample report

See this wiki page for a sample VolDiff analysis of a system infected with the DarkComet RAT, or this blog post for example VolDiff use againt a malware Trojan.

Inspiration

This work was initially inspired by Andrew Case (@attrc) talk on analyzing the sophisticated Careto malware sample with memory forensics. Kudos to @attrc and all the Volatility development team for creating and maintaining the greatest memory forensic framework out there!