VolDiff: Malware Memory Footprint Analysis based on Volatility
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
LICENSE Update LICENSE Feb 17, 2016
README.md Update README.md Sep 12, 2017
VolDiff.py Update VolDiff.py Feb 17, 2016


VolDiff: Malware Memory Footprint Analysis

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images.

VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis.

VolDiff can also be used against a single Windows memory image to automate Volatility plugin execution, and hunt for malicious patterns.

Installation and use directions

Please refer to the VolDiff home wiki for details. VolDiff has also been included in the REMnux Linux malware analysis toolkit.

Sample report

See this wiki page for a sample VolDiff analysis of a system infected with the DarkComet RAT, or this blog post for example VolDiff use againt a malware Trojan.


This work was initially inspired by Andrew Case (@attrc) talk on analyzing the sophisticated Careto malware sample with memory forensics. Kudos to @attrc and all the Volatility development team for creating and maintaining the greatest memory forensic framework out there!