
VolDiff

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows memory images.

This tool can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis. VolDiff can also be run against a single Windows memory image to automate Volatility plugin execution and hunt for malicious patterns.

Category

Examine Memory Snapshots

Usage

VolDiff.py [BASELINE_IMAGE] INFECTED_IMAGE PROFILE [OPTIONS]

Options:

  • --help display this help and exit
  • --version display version information and exit
  • --dependencies display information about script dependencies and exit
  • --malware-checks hunt and report suspicious anomalies (slow, recommended)
  • --no-report do not create a report

The default VirusTotal API key is limited to 4 requests per minute. If you have a private API key, change the vt_api_key value in the script.

Example

VolDiff.py base_win7.vmem infected_win7.vmem Win7SP1x86 --malware-checks
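The core of the workflow described above is simple: run the same Volatility plugins against the baseline and the infected image, then report output lines that exist only in one of them. The following is an added example written for this page, not VolDiff's own code. It assumes Volatility 2's vol.py is on PATH (only needed by diff_images; the diff logic itself runs offline), uses a hypothetical three-plugin list, and embeds two constructed pslist outputs where the "infected" capture contains one extra process.

```python
"""Before/after memory-image plugin diff, in the style VolDiff automates.

Added example; not part of the VolDiff project. Assumes Volatility 2
(`vol.py`) on PATH for the live runner; the diff itself works on text.
"""
import re
import subprocess
from typing import Dict, List

# Hypothetical plugin set (VolDiff's real list lives in VolDiff.py).
PLUGINS = ["pslist", "netscan", "malfind"]


def run_plugin(image: str, profile: str, plugin: str) -> str:
    """Invoke vol.py for one plugin and return its stdout (assumed CLI shape)."""
    cmd = ["vol.py", "-f", image, "--profile=" + profile, plugin]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return proc.stdout


def normalize(line: str) -> str:
    """Collapse runs of whitespace so column padding never shows up as a change."""
    return re.sub(r"\s+", " ", line).strip()


def _body(text: str) -> List[str]:
    """Drop blank lines, banner lines and dashed separators; keep data rows."""
    rows = []
    for raw in text.splitlines():
        line = normalize(raw)
        if not line or line.startswith("Volatility Foundation"):
            continue
        if set(line) <= {"-", " "}:  # table separator row
            continue
        rows.append(line)
    return rows


def diff_outputs(baseline: str, infected: str) -> Dict[str, List[str]]:
    """Return rows only in the infected output ('added') or only in the
    baseline ('removed'). Identical header rows cancel out on both sides."""
    base_rows, inf_rows = _body(baseline), _body(infected)
    base_set, inf_set = set(base_rows), set(inf_rows)
    return {
        "added": [r for r in inf_rows if r not in base_set],
        "removed": [r for r in base_rows if r not in inf_set],
    }


def diff_images(baseline_img: str, infected_img: str, profile: str,
                plugins: List[str] = PLUGINS) -> Dict[str, Dict[str, List[str]]]:
    """Run each plugin on both images and diff the results (needs vol.py)."""
    return {
        p: diff_outputs(run_plugin(baseline_img, profile, p),
                        run_plugin(infected_img, profile, p))
        for p in plugins
    }


def format_report(results: Dict[str, Dict[str, List[str]]]) -> str:
    """Render per-plugin added/removed rows as a plain-text report."""
    out = []
    for plugin, delta in results.items():
        out.append("== %s ==" % plugin)
        for row in delta["added"]:
            out.append("+ " + row)
        for row in delta["removed"]:
            out.append("- " + row)
        if not delta["added"] and not delta["removed"]:
            out.append("(no change)")
    return "\n".join(out)


# Constructed sample output (not real captures); the infected image has
# one extra process, "sample.exe", spawned under explorer.exe.
BASELINE_PSLIST = """Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------
0x8402e020 System                    4      0     80      500 ------      0 2015-01-01
0x85f2c8f0 explorer.exe           1240   1188     30      800      1      0 2015-01-01
"""
INFECTED_PSLIST = BASELINE_PSLIST + (
    "0x85d1a030 sample.exe             2044   1240      3       60      1      0 2015-01-01\n"
)


if __name__ == "__main__":
    print(format_report({"pslist": diff_outputs(BASELINE_PSLIST, INFECTED_PSLIST)}))
```

Running the file prints the one added pslist row prefixed with "+"; diff_images does the same across all plugins against real images once vol.py is available.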

References

Author and Source

Location on REMnux

VolDiff.py is part of the remnux-script package and is located in the /opt/remnux-scripts directory.