Skip to content
This repository has been archived by the owner on Feb 15, 2021. It is now read-only.

Latest commit

 

History

History
22 lines (14 loc) · 1.84 KB

README.md

File metadata and controls

22 lines (14 loc) · 1.84 KB

VolDiff: Malware Memory Footprint Analysis

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images.

VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis.

VolDiff can also be used against a single Windows memory image to automate Volatility plugin execution, and hunt for malicious patterns.

Installation and use directions

Please refer to the VolDiff home wiki for details. VolDiff has also been included in the REMnux Linux malware analysis toolkit.

Sample report

See this wiki page for a sample VolDiff analysis of a system infected with the DarkComet RAT, or this blog post for example VolDiff use againt a malware Trojan.

Inspiration

This work was initially inspired by Andrew Case (@attrc) talk on analyzing the sophisticated Careto malware sample with memory forensics. Kudos to @attrc and all the Volatility development team for creating and maintaining the greatest memory forensic framework out there!