Home · H2Cyber/VolDiff Wiki · GitHub
Skip to content
This repository has been archived by the owner on Feb 15, 2021. It is now read-only.
aim4r edited this page Feb 17, 2016 · 11 revisions

What is VolDiff

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images.

VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis.

VolDiff can also be used against a single Windows memory image to automate Volatility plugin execution, and hunt for malicious patterns.

How to install VolDiff prerequisites

VolDiff is written in Python (2.7) and was mainly tested / executed on Ubuntu 14.04. It should work on Linux-based systems where the Volatility 2.5 framework is installed.

The installation steps for Volatility 2.5 are documented here. The following instructions can be followed to install Volatility 2.5 on Ubuntu 14.04:

  1. Download the Volatility 2.5 ZIP source code.

  2. Extract the Volatility source code from the ZIP file, and use the included setup.py script to install the framework:

python setup.py build

sudo python setup.py install

  1. Install the Volatility dependencies using the following commands:

sudo apt-get update

sudo apt-get install python-pip

sudo pip install distorm3 yara pycrypto openpyxl simplejson

  1. Test Volatility using the following command:

vol.py --help

Once the VolDiff script is downloaded and the Volatility framework is installed, use the following command to test VolDiff:

python VolDiff.py --help

How to use VolDiff

Analysis of a single memory image

If a single memory image of a potentially infected system is available, use the following command to analyse it using VolDiff:

python VolDiff.py path/to/image.vmem profile --malware-checks

The --malware-checks option instructs VolDiff to perform a number of checks such as process parent/child relationships, unusual loaded DLLs, suspicious imports, malicious drivers and much more. VolDiff will save the output of a selection of Volatility plugins for the memory images, then it will create a report to highlight any identified indicators of compromise.

See this wiki page for a sample VolDiff analysis of a system infected with the DarkComet RAT.

Analysis of a baseline clean image vs an infected one

If a malware sample is available (such as a malicious executable, a PDF or MS Office file), then VolDiff can be used to highlight the system changes introduced by the sample:

  1. Capture a memory dump of a clean Windows system and save it as "baseline.vmem". This image will serve as a baseline for the analysis.

  2. Execute the malware sample on the same system (usual precautions apply), then capture a second memory dump and save it as "infected.vmem".

  3. Run VolDiff.py using the following options:

python VolDiff.py path/to/baseline.vmem path/to/infected.vmem profile --malware-checks

profile should be Win7SP0x86 or Win7SP1x64 etc.

VolDiff will create a report to highlight notable changes (new processes, network connections, injected code, drivers etc), as well as any identified indicators of compromise.

Does VolDiff upload files to VirusTotal

No. VolDiff only queries VirusTotal for the MD5 hash of suspicious processes using a public API key.

What operating systems does VolDiff support

VolDiff was tested and tuned to process Windows 7 memory images.

How to speed up VolDiff execution time

VolDiff automates the execution of 40+ Volatility plugins on each supplied memory image. The tool is expected to take some time (usually no less than 10 minutes) to complete.

The max_concurrent_subprocesses variable in VolDiff.py defines the maximum number of processes launched by VolDiff at the same time. That variable is set to 3 by default, but it can be easily changed to speed up (or slow down) VolDiff.

How to fix the "No such file or directory" error

The default Volatility path used in VolDiff is vol.py. If volatility is installed somewhere else then the following error may be observed:

OSError: [Errno 2] No such file or directory

The Volatility path used in VolDiff can be easily changed by modifying the path_to_volatility variable within VolDiff.py.

Alternatively the path to vol.py can be exported (on non-Windows systems) using the following command:

export PATH=$PATH:/home/golden/volatility

Credits

VolDiff was initially inspired by Andrew Case (@attrc) talk on [analyzing the sophisticated Careto malware sample with memory forensics] (http://2014.video.sector.ca/video/110388398 "analyzing the sophisticated Careto malware sample with memory forensics").

A word of thanks to the Volatility development team for creating and maintaining the greatest memory forensic framework out there:

How to cantact VolDiff's developer

Please submit feedback, report bugs, or send feature requests to @aim4r, voldiff[@]gmail.com or on Github.