VolDiff – Malware Memory Footprint Analysis based on Volatility

VolDiff is a Python script that leverages the Volatility framework to identify malware threats in Windows 7 memory images. It runs a collection of Volatility plugins against memory images captured before and after malware execution and produces a report that highlights the resulting system changes, based on memory (RAM) analysis alone. VolDiff can also analyze a single Windows memory image, automating Volatility plugin execution and hunting for malicious patterns.

When running its malware checks, the tool performs a number of verifications against the memory image: process parent/child relationships, unusually loaded DLLs, suspicious imports, malicious drivers and much more. It saves the output of a selection of Volatility plugins for each memory image, then creates a report that highlights any identified indicators of compromise.

If a malware sample is available (such as a malicious executable, a PDF or MS Office file), then VolDiff can be used to highlight the system changes introduced by the sample:

  • Capture a memory dump of a clean Windows system and save it as “baseline.vmem”. This image will serve as a baseline for the analysis.
  • Execute the malware sample on the same system (usual precautions apply), then capture a second memory dump and save it as “infected.vmem”.
  • Run VolDiff.py

VolDiff then creates a report that highlights notable changes (new processes, network connections, injected code, drivers, etc.), as well as any identified indicators of compromise.
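The before/after comparison comes down to two steps: diff the saved plugin output of the baseline and infected images, then sanity-check what is new. The script below is an added example written for this page, not VolDiff's or Volatility's own code; it assumes the plugin outputs have already been saved as text and constructs small samples inline in the column layout of Volatility 2's `pslist` and `netscan` plugins (process names, PIDs, addresses and timestamps are all made up). It reports rows that appear only in the infected image and flags new processes whose parent is not the expected Windows 7 parent.

```python
"""Baseline/infected diff of Volatility plugin output (added example, not VolDiff code).

Assumes plugin output was saved to text for both images; the samples below are
constructed in the layout of Volatility 2's `pslist` and `netscan` output.
"""
import re

# Constructed sample output in the column layout of the `pslist` plugin.
BASELINE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa80018e7b30 System                    4      0     86      490 ------      0 2015-04-01 10:00:00 UTC+0000
0xfffffa8002a2e060 wininit.exe             388    348      3       77      0      0 2015-04-01 10:00:02 UTC+0000
0xfffffa8002a4a040 services.exe            484    388      9      218      0      0 2015-04-01 10:00:03 UTC+0000
0xfffffa8002a5b060 lsass.exe               492    388      7      590      0      0 2015-04-01 10:00:03 UTC+0000
0xfffffa8002b11b30 svchost.exe             612    484     11      364      0      0 2015-04-01 10:00:05 UTC+0000
0xfffffa8002c3d060 explorer.exe           1396   1372     27      809      1      0 2015-04-01 10:00:20 UTC+0000
"""

# Same system after the sample ran: a new process under explorer.exe and a
# second "svchost.exe" whose parent is that new process rather than services.exe.
INFECTED_PSLIST = BASELINE_PSLIST + """\
0xfffffa8002f10060 invoice.exe            2212   1396      4       95      1      0 2015-04-01 10:05:41 UTC+0000
0xfffffa8002f5a7a0 svchost.exe            2300   2212      2       60      1      0 2015-04-01 10:05:43 UTC+0000
"""

# Constructed `netscan` output; only the infected image has the outbound connection.
BASELINE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d9a5c40         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        692      svchost.exe
"""
INFECTED_NETSCAN = BASELINE_NETSCAN + """\
0x7e1b3010         TCPv4    192.168.56.101:49215           203.0.113.7:443      ESTABLISHED      2300     svchost.exe
"""

# Well-known parents of a few core Windows 7 system processes.
EXPECTED_PARENT = {
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}

PSLIST_ROW = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s")


def parse_pslist(text):
    """Map PID -> (name, PPID) from pslist text; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def new_lines(baseline_text, infected_text):
    """Plugin-agnostic diff: rows present only in the infected output.

    Header lines are identical in both captures, so they drop out of the difference.
    """
    base = set(baseline_text.splitlines())
    return [l for l in infected_text.splitlines() if l.strip() and l not in base]


def suspicious_parents(procs):
    """Flag processes whose parent differs from the expected Windows 7 parent.

    A parent PID missing from the listing (exited process, PID reuse) is flagged too.
    """
    findings = []
    for pid, (name, ppid) in procs.items():
        expected = EXPECTED_PARENT.get(name.lower())
        if expected is None:
            continue
        parent = procs.get(ppid, ("<not in pslist>", None))[0]
        if parent.lower() != expected:
            findings.append((pid, name, ppid, parent, expected))
    return findings


def build_report(plugin_outputs):
    """plugin_outputs: {plugin_name: (baseline_text, infected_text)} -> report sections."""
    report = {name: new_lines(b, i) for name, (b, i) in plugin_outputs.items()}
    if "pslist" in plugin_outputs:
        report["parent_check"] = suspicious_parents(parse_pslist(plugin_outputs["pslist"][1]))
    return report


if __name__ == "__main__":
    rep = build_report({"pslist": (BASELINE_PSLIST, INFECTED_PSLIST),
                        "netscan": (BASELINE_NETSCAN, INFECTED_NETSCAN)})
    for section, rows in rep.items():
        print(f"== {section} ==")
        for row in rows:
            print("  ", row)
```

The line-set diff is deliberately dumb: it works for any plugin whose rows are stable between captures (pslist, netscan, modules, svcscan), and anything volatile, such as per-row timestamps that change on every boot, shows up as noise you then filter out per plugin. The parent check is where a diff alone falls short: the second `svchost.exe` is only interesting because its parent is `invoice.exe`, which the diff cannot express by itself.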

You can read more and download the tool over here: https://github.com/aim4r/