VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows memory images.
This tool can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis. VolDiff can also be used against a single Windows memory image to automate Volatility plugin execution, and hunt for malicious patterns.
Examine Memory Snapshots
VolDiff.py [BASELINE_IMAGE] INFECTED_IMAGE PROFILE [OPTIONS]
  --help              display this help and exit
  --version           display version information and exit
  --dependencies      display information about script dependencies and exit
  --malware-checks    hunt and report suspicious anomalies (slow, recommended)
  --no-report         do not create a report
The default VirusTotal API key is limited to 4 requests per minute. If you have a Private API key, set it in vt_api_key.
VolDiff.py base_win7.vmem infected_win7.vmem Win7SP1x86 --malware-checks
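The differential idea behind VolDiff (run the same Volatility plugin on the baseline and the infected image, then report what changed) can be shown on a single plugin. The script below is an added example, not VolDiff's own code: it parses two constructed pslist outputs in the column layout Volatility 2 prints, lists processes that appeared or disappeared, and runs one assumed parent-process sanity check in the spirit of the --malware-checks option. The sample rows, the EXPECTED_PARENT table and the helper names are all constructed for this illustration.

```python
"""Differential analysis of two Volatility 2 pslist outputs (constructed sample data)."""
from dataclasses import dataclass

# Constructed sample output mimicking Volatility 2's pslist column layout
# (Offset(V), Name, PID, PPID, Thds, Hnds, Sess, Wow64, Start). Not real captures.
BASELINE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x84f5b8d8 System                    4      0     80      468 ------      0 2015-05-01 10:00:00 UTC+0000
0x85a1c030 smss.exe                256      4      2       29 ------      0 2015-05-01 10:00:01 UTC+0000
0x86011a60 csrss.exe               340    328      9      460      0      0 2015-05-01 10:00:02 UTC+0000
0x86072d40 wininit.exe             380    328      3       75      0      0 2015-05-01 10:00:02 UTC+0000
0x860a2030 services.exe            476    380      8      209      0      0 2015-05-01 10:00:03 UTC+0000
0x860b2d40 lsass.exe               484    380      6      574      0      0 2015-05-01 10:00:03 UTC+0000
0x8612e8e0 explorer.exe           1372   1340     21      657      1      0 2015-05-01 10:00:10 UTC+0000
"""

# Same machine after running a sample: two new processes, one of them a
# "svchost.exe" whose parent is the sample rather than services.exe.
INFECTED_PSLIST = BASELINE_PSLIST + """\
0x861f0a20 sample.exe             2044   1372      3       88      1      0 2015-05-01 10:12:41 UTC+0000
0x86201d40 svchost.exe            2108   2044      5      120      1      0 2015-05-01 10:12:42 UTC+0000
"""

# Assumed table of the parent each Windows system process is expected to have.
EXPECTED_PARENT = {
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int


def parse_pslist(text):
    """Return {(name, pid): Proc} from pslist text; header and separator rows are skipped."""
    procs = {}
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # only data rows begin with a virtual offset
        parts = line.split()
        name, pid, ppid = parts[1], int(parts[2]), int(parts[3])
        procs[(name, pid)] = Proc(name, pid, ppid)
    return procs


def diff_pslist(baseline_text, infected_text):
    """Return (new_processes, vanished_processes), each sorted by PID.

    Keying on (name, pid) means a reused PID with a different image name shows
    up once as vanished and once as new, which is the reading an analyst wants.
    """
    base = parse_pslist(baseline_text)
    infected = parse_pslist(infected_text)
    new = [infected[k] for k in sorted(set(infected) - set(base), key=lambda k: k[1])]
    gone = [base[k] for k in sorted(set(base) - set(infected), key=lambda k: k[1])]
    return new, gone


def check_parents(procs):
    """Flag system processes whose actual parent is not the expected one.

    Returns a list of (name, pid, actual_parent_name); a parent PID that is
    absent from the listing is reported as '<not in list>'.
    """
    by_pid = {p.pid: p.name for p in procs.values()}
    anomalies = []
    for p in sorted(procs.values(), key=lambda p: p.pid):
        expected = EXPECTED_PARENT.get(p.name)
        if expected is None:
            continue
        actual = by_pid.get(p.ppid, "<not in list>")
        if actual != expected:
            anomalies.append((p.name, p.pid, actual))
    return anomalies


if __name__ == "__main__":
    new, gone = diff_pslist(BASELINE_PSLIST, INFECTED_PSLIST)
    print("New processes:    ", [(p.name, p.pid) for p in new])
    print("Vanished processes:", [(p.name, p.pid) for p in gone])
    print("Parent anomalies: ", check_parents(parse_pslist(INFECTED_PSLIST)))
```

The same parse-then-set-difference pattern applies to any plugin whose rows have a stable key (driver name, service name, network endpoint); the parent check is deliberately a whitelist of expected relationships so that it reports a deviation rather than trying to recognise a particular malware family.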
- Memory Analysis of DarkComet using VolDiff by aim4r
- REMnux v6 for Malware Analysis (Part 1): VolDiff by Anuj Soni
- VolDiff for Memory Image Differential Analysis by Russ McRee
Author and Source
Location on REMnux
VolDiff.py is a part of the remnux-script package and is located in the /opt/remnux-scripts directory.