VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows memory images.

This tool can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis. VolDiff can also be used against a single Windows memory image to automate Volatility plugin execution, and hunt for malicious patterns.
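The before/after comparison described above can be illustrated with a small stand-alone script. This is an added example, not VolDiff's own code: it parses the output of one Volatility plugin (pslist) captured from a baseline image and from an image taken after the suspect sample ran, diffs the two, and prints the kind of change summary a before/after report is built from. The two pslist listings are constructed for illustration and are not real case data; the row layout follows the Volatility 2 pslist text format.

```python
"""Added example (not VolDiff's own code): diff the pslist output of two
memory images and report which processes appeared or disappeared.
Sample data below is constructed; it does not come from a real case."""

import re

# Constructed sample: Volatility 2 `pslist` output from the baseline image.
BASELINE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x83c1d020 System                    4      0     83      450 ------      0 2024-01-01 09:00:00 UTC+0000
0x84f0a8c0 smss.exe                272      4      2       29 ------      0 2024-01-01 09:00:01 UTC+0000
0x85b2e030 csrss.exe               348    340      9      412      0      0 2024-01-01 09:00:02 UTC+0000
0x85c11d40 explorer.exe           1412   1380     25      887      1      0 2024-01-01 09:00:10 UTC+0000
"""

# Constructed sample: the same plugin run against the post-execution image.
INFECTED_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x83c1d020 System                    4      0     83      450 ------      0 2024-01-01 09:00:00 UTC+0000
0x84f0a8c0 smss.exe                272      4      2       29 ------      0 2024-01-01 09:00:01 UTC+0000
0x85b2e030 csrss.exe               348    340      9      412      0      0 2024-01-01 09:00:02 UTC+0000
0x85c11d40 explorer.exe           1412   1380     25      887      1      0 2024-01-01 09:00:10 UTC+0000
0x86a7b2f0 sample.exe             2204   1412      3       61      1      0 2024-01-01 09:05:00 UTC+0000
0x86b0c910 svchost.exe            2288   2204      6      140      1      0 2024-01-01 09:05:02 UTC+0000
"""

# A data row starts with a virtual offset; header and separator lines do not.
PSLIST_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s+")


def parse_pslist(text):
    """Return the set of (name, pid, ppid) tuples found in pslist output."""
    procs = set()
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            procs.add((m.group(1), int(m.group(2)), int(m.group(3))))
    return procs


def diff_plugin_output(baseline_text, infected_text):
    """Rows present only in the infected image are 'added'; rows present only
    in the baseline are 'removed'. Sorting keeps the report deterministic."""
    base = parse_pslist(baseline_text)
    infected = parse_pslist(infected_text)
    return {"added": sorted(infected - base), "removed": sorted(base - infected)}


def report(diff, plugin="pslist"):
    """Render a short text summary of the changes for one plugin. A new process
    whose parent is itself new is marked, since that chain was created entirely
    after the baseline was taken and deserves a closer look."""
    new_pids = {pid for _, pid, _ in diff["added"]}
    lines = [f"[{plugin}] {len(diff['added'])} new, {len(diff['removed'])} gone"]
    for name, pid, ppid in diff["added"]:
        note = " (parent also new)" if ppid in new_pids else ""
        lines.append(f"  + {name} (PID {pid}, parent {ppid}){note}")
    for name, pid, ppid in diff["removed"]:
        lines.append(f"  - {name} (PID {pid}, parent {ppid})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(diff_plugin_output(BASELINE_PSLIST, INFECTED_PSLIST)))
```

Running the script prints the two processes that exist only in the post-execution image, with the second one flagged because its parent is also new. Extending the same pattern to other plugins is a matter of adding a parser per output format and feeding the parsed sets through the same diff.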


##Examine Memory Snapshots



  • --help display this help and exit
  • --version display version information and exit
  • --dependencies display information about script dependencies and exit
  • --malware-checks hunt and report suspicious anomalies (slow, recommended)
  • --no-report do not create a report

The default VirusTotal API key is limited to 4 requests per minute. If you have a VirusTotal private API key, modify vt_api_key to use it instead.

##Example

Run VolDiff with the following arguments:

    base_win7.vmem infected_win7.vmem Win7SP1x86 --malware-checks


##Author and Source

On REMnux, VolDiff is part of the remnux-script package and is located in the /opt/remnux-scripts directory.