This repository has been archived by the owner on Feb 15, 2021. It is now read-only.
aim4r edited this page Feb 17, 2016 · 11 revisions

What is VolDiff

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images.

VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis.

VolDiff can also be used against a single Windows memory image to automate Volatility plugin execution, and hunt for malicious patterns.

How to install VolDiff prerequisites

VolDiff is written in Python (2.7) and was mainly tested / executed on Ubuntu 14.04. It should work on Linux-based systems where the Volatility 2.5 framework is installed.

The installation steps for Volatility 2.5 are documented here. The following instructions can be followed to install Volatility 2.5 on Ubuntu 14.04:

  1. Download the Volatility 2.5 ZIP source code.

  2. Extract the Volatility source code from the ZIP file, and use the included setup.py script to install the framework:

python setup.py build

sudo python setup.py install

  3. Install the Volatility dependencies using the following commands:

sudo apt-get update

sudo apt-get install python-pip

sudo pip install distorm3 yara pycrypto openpyxl simplejson

  4. Test Volatility using the following command:

vol.py --help

Once the VolDiff script is downloaded and the Volatility framework is installed, use the following command to test VolDiff:

python VolDiff.py --help

How to use VolDiff

Analysis of a single memory image

If a single memory image of a potentially infected system is available, use the following command to analyse it using VolDiff:

python VolDiff.py path/to/image.vmem profile --malware-checks

The --malware-checks option instructs VolDiff to perform a number of checks such as process parent/child relationships, unusual loaded DLLs, suspicious imports, malicious drivers and much more. VolDiff will save the output of a selection of Volatility plugins for the memory images, then it will create a report to highlight any identified indicators of compromise.

See this wiki page for a sample VolDiff analysis of a system infected with the DarkComet RAT.

Analysis of a baseline clean image vs an infected one

If a malware sample is available (such as a malicious executable, a PDF or MS Office file), then VolDiff can be used to highlight the system changes introduced by the sample:

  1. Capture a memory dump of a clean Windows system and save it as "baseline.vmem". This image will serve as a baseline for the analysis.

  2. Execute the malware sample on the same system (usual precautions apply), then capture a second memory dump and save it as "infected.vmem".

  3. Run VolDiff.py using the following options:

python VolDiff.py path/to/baseline.vmem path/to/infected.vmem profile --malware-checks

profile is the Volatility profile of the memory images, for example Win7SP0x86 or Win7SP1x64.

VolDiff will create a report to highlight notable changes (new processes, network connections, injected code, drivers etc), as well as any identified indicators of compromise.
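The baseline-versus-infected comparison described above, reduced to a single plugin, as an added example that is not VolDiff's own code: it diffs two Volatility 2 pslist text listings and reports processes that appear only in the infected image, together with the name of each one's parent. The listings are constructed samples, and the function names and the assumed column layout are illustrative.

```python
import re

# Volatility 2 pslist text row: offset, name, PID, PPID, threads, handles,
# session, Wow64 flag, start time (column layout is an assumption of this example).
ROW = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+\d+\s+\S+\s+\S+\s+\d\s+(?P<start>\S+ \S+)")

def parse_pslist(text):
    """Map (pid, name, start) -> ppid for every process row in the listing."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and separator rows do not match and are skipped
            key = (int(m.group("pid")), m.group("name"), m.group("start"))
            procs[key] = int(m.group("ppid"))
    return procs

def new_processes(baseline_text, infected_text):
    """Return processes present only in the infected image, with parent names."""
    base, infected = parse_pslist(baseline_text), parse_pslist(infected_text)
    names = {pid: name for (pid, name, _start) in infected}
    found = []
    for (pid, name, start), ppid in sorted(infected.items()):
        # PID alone is not a safe key because PIDs are reused; include name and start.
        if (pid, name, start) not in base:
            # A parent missing from the listing has exited or is hidden from pslist.
            found.append((name, pid, names.get(ppid, "<not listed>"), start))
    return found

HEADER = ("Offset(V)  Name  PID  PPID  Thds  Hnds  Sess  Wow64 Start  Exit\n"
          "---------- ----- ---- ----- ----- ----- ----- ----- ------ -----\n")
# Constructed sample listings, not output from a real memory image.
BASELINE = HEADER + """\
0x84f4a958 System            4    0   88  475 ------ 0 2016-02-10 09:00:01 UTC+0000
0x85f2d030 explorer.exe   1432 1400   30  812      1 0 2016-02-10 09:01:12 UTC+0000
0x8610c7a8 svchost.exe     864  508   19  451      0 0 2016-02-10 09:00:20 UTC+0000
"""
INFECTED = BASELINE + """\
0x861f3d40 sample.exe     2920 1432    4   98      1 0 2016-02-10 09:14:37 UTC+0000
0x86233030 svchost.exe    3044 2920    6  120      1 0 2016-02-10 09:14:41 UTC+0000
"""

if __name__ == "__main__":
    for name, pid, parent, start in new_processes(BASELINE, INFECTED):
        print("NEW %-14s pid=%-5d parent=%-14s started=%s" % (name, pid, parent, start))
```

In the constructed data the second svchost.exe is new and its parent is the sample rather than a system process, which is the kind of parent/child anomaly a reviewer would follow up on.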

Does VolDiff upload files to VirusTotal

No. VolDiff only queries VirusTotal for the MD5 hash of suspicious processes using a public API key.

What operating systems does VolDiff support

VolDiff was tested and tuned to process Windows 7 memory images.

How to speed up VolDiff execution time

VolDiff automates the execution of 40+ Volatility plugins on each supplied memory image. The tool is expected to take some time (usually no less than 10 minutes) to complete.

The max_concurrent_subprocesses variable in VolDiff.py defines the maximum number of processes launched by VolDiff at the same time. That variable is set to 3 by default, but it can be easily changed to speed up (or slow down) VolDiff.

How to fix the "No such file or directory" error

The default Volatility path used in VolDiff is vol.py. If Volatility is installed somewhere else, the following error may be observed:

OSError: [Errno 2] No such file or directory

The Volatility path used in VolDiff can be easily changed by modifying the path_to_volatility variable within VolDiff.py.

Alternatively the path to vol.py can be exported (on non-Windows systems) using the following command:

export PATH=$PATH:/home/golden/volatility

Credits

VolDiff was initially inspired by Andrew Case's (@attrc) talk on [analyzing the sophisticated Careto malware sample with memory forensics](http://2014.video.sector.ca/video/110388398 "analyzing the sophisticated Careto malware sample with memory forensics").

A word of thanks to the Volatility development team for creating and maintaining the greatest memory forensic framework out there:

How to contact VolDiff's developer

Please submit feedback, report bugs, or send feature requests to @aim4r, voldiff[@]gmail.com or on GitHub.