

impfuzzy for Volatility

Volatility plugin for comparing impfuzzy and imphash values.
This plugin can be used to scan for malware in a memory image.
For imphash, see the FireEye Blog.

More details are described in the following documents:
https://www.jpcert.or.jp/magazine/acreport-impfuzzy_volatility.html (Japanese)
http://blog.jpcert.or.jp/2016/12/a-new-tool-to-d-d6bc.html (English)
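
As an added illustration (not code from this repository): imphash is the MD5 of the normalised, comma-joined import list, so a single extra import produces an unrelated hash, which is why a similarity-based value such as impfuzzy is useful alongside it. The sample import tables are constructed, ordinal-only imports are not handled, and `import_overlap` is a simple set-overlap stand-in, not the impfuzzy algorithm.

```python
import hashlib

STRIPPED_EXTS = ("dll", "ocx", "sys")  # extensions dropped from module names

def normalise(imports):
    """Turn ordered (module, function) pairs into 'module.function' strings."""
    out = []
    for module, function in imports:
        name = module.lower()
        stem, _, ext = name.rpartition(".")
        if stem and ext in STRIPPED_EXTS:
            name = stem
        out.append("%s.%s" % (name, function.lower()))
    return out

def imphash(imports):
    """MD5 over the comma-joined list; import order is significant."""
    joined = ",".join(normalise(imports))
    return hashlib.md5(joined.encode("ascii")).hexdigest()

def import_overlap(a, b):
    """Jaccard similarity of two import sets (stand-in score, NOT impfuzzy)."""
    sa, sb = set(normalise(a)), set(normalise(b))
    return len(sa & sb) / float(len(sa | sb)) if (sa or sb) else 1.0

# Constructed sample import tables (not taken from any real binary).
SAMPLE_A = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("KERNEL32.dll", "CloseHandle"),
    ("ADVAPI32.dll", "RegOpenKeyExW"),
    ("WS2_32.dll", "connect"),
]
# Same table with one additional import appended.
SAMPLE_B = SAMPLE_A + [("WININET.dll", "InternetOpenW")]

if __name__ == "__main__":
    print("imphash A:", imphash(SAMPLE_A))
    print("imphash B:", imphash(SAMPLE_B))
    print("exact match:", imphash(SAMPLE_A) == imphash(SAMPLE_B))
    print("import overlap: %.2f" % import_overlap(SAMPLE_A, SAMPLE_B))
```

An exact imphash lookup misses `SAMPLE_B` even though five of its six imports are shared with `SAMPLE_A`.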


This plugin requires the following modules:


Use -h to see the help message.

  • impfuzzy - compare or print the impfuzzy
  • imphashlist - print the imphash
  • imphashsearch - search the imphash

Example Usage

Printing The Impfuzzy Hash of a Process and Its DLL Modules

$ python vol.py -f [image] --profile=[profile] impfuzzy -p [PID] -a

Searching The Impfuzzy Hash from PE Files

$ python vol.py -f [image] --profile=[profile] impfuzzy -e [PE File or Folder]

Searching The Impfuzzy Hash from Hash List

$ python vol.py -f [image] --profile=[profile] impfuzzy -i [Hash List File]

Printing The Imphash

$ python vol.py -f [image] --profile=[profile] imphashlist -p [PID]

Searching The Imphash

$ python vol.py -f [image] --profile=[profile] imphashsearch -i [Hash List]