Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

VolDiff: Malware Memory Footprint Analysis

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images.

VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis.

VolDiff can also be used against a single Windows memory image to automate Volatility plugin execution, and hunt for malicious patterns.

Installation and use directions

Please refer to the VolDiff home wiki for details. VolDiff has also been included in the REMnux Linux malware analysis toolkit.

Sample report

See this wiki page for a sample VolDiff analysis of a system infected with the DarkComet RAT, or this blog post for example VolDiff use againt a malware Trojan.


This work was initially inspired by Andrew Case (@attrc) talk on analyzing the sophisticated Careto malware sample with memory forensics. Kudos to @attrc and all the Volatility development team for creating and maintaining the greatest memory forensic framework out there!

You can’t perform that action at this time.