This repository has been archived by the owner on Feb 15, 2021. It is now read-only.
aim4r edited this page Jun 17, 2015 · 11 revisions

What is VolDiff

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images.

VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis.

VolDiff can also be used against a single Windows memory image to automate Volatility plugin execution, and hunt for malicious patterns.

How to install VolDiff prerequisites

VolDiff is written in Python (2.7) and was mainly tested / executed on Ubuntu 14.04. It should work on Linux-based systems where the Volatility 2.4 framework is installed.

The installation steps for Volatility 2.4 are documented here. The following instructions can be followed to install Volatility 2.4 on Ubuntu 14.04:

  1. Download the Volatility 2.4 source code tarball.

  2. Extract the Volatility source code from the tarball archive, and use the included setup.py script to install the framework:

     python setup.py build
     sudo python setup.py install

  3. Install the Volatility dependencies using the following commands:

     sudo apt-get update
     sudo apt-get install python-pip
     sudo pip install distorm3 yara pycrypto openpyxl

  4. Test Volatility using the following command:

     vol.py --help

Once the VolDiff script is downloaded and the Volatility framework is installed, use the following command to test VolDiff:

python VolDiff.py --help

The default Volatility path used in VolDiff is vol.py. This path can be easily changed by modifying the path_to_volatility variable within VolDiff.py.

How to use VolDiff

If a single memory image of a potentially infected system is available, use the following command to analyse it using VolDiff:

python VolDiff.py path/to/image.vmem profile --malware-checks

The --malware-checks option instructs VolDiff to perform a number of checks such as process parent/child relationships, unusual loaded DLLs, suspicious imports, malicious drivers and much more. VolDiff will save the output of a selection of Volatility plugins for the memory images, then it will create a report to highlight any identified indicators of compromise.

If a malware sample is available (such as a malicious executable, a PDF or MS Office file), then VolDiff can be used to highlight the system changes introduced by the sample:

  1. Capture a memory dump of a clean Windows system and save it as "baseline.vmem". This image will serve as a baseline for the analysis.

  2. Execute the malware sample on the same system (usual precautions apply), then capture a second memory dump and save it as "infected.vmem".

  3. Run VolDiff.py using the following options:

python VolDiff.py path/to/baseline.vmem path/to/infected.vmem profile --malware-checks

Replace profile with the Volatility profile that matches the image, such as Win7SP0x86 or Win7SP1x64.

VolDiff will create a report to highlight notable changes (new processes, network connections, injected code, drivers etc), as well as any identified indicators of compromise.
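As an added example (not VolDiff's own code), the following Python 3 script shows the core of the baseline-vs-infected workflow above: run a plugin set against both images under a subprocess limit like max_concurrent_subprocesses, then report the plugin output lines that exist only in the infected image. The pslist output at the bottom is constructed sample data; against real images you would call collect() on baseline.vmem and infected.vmem and feed both results to diff_images().

```python
"""Added example, not VolDiff's own code: the core of a baseline-vs-infected
Volatility diff. It builds vol.py commands the way VolDiff does, runs plugins
against each image with a bounded number of concurrent workers, and reports
output lines present only in the infected image. Python 3; constructed data."""
import subprocess
from concurrent.futures import ThreadPoolExecutor
PATH_TO_VOLATILITY = "vol.py"     # mirrors VolDiff's path_to_volatility
MAX_CONCURRENT_SUBPROCESSES = 3   # mirrors VolDiff's default

def build_command(image, profile, plugin):
    """Assemble the Volatility invocation for one image/plugin pair."""
    return [PATH_TO_VOLATILITY, "-f", image, "--profile=" + profile, plugin]

def run_plugin(image, profile, plugin):
    """Run one plugin and return its stdout as text ('' if vol.py fails)."""
    try:
        out = subprocess.check_output(build_command(image, profile, plugin),
                                      stderr=subprocess.DEVNULL)
    except (OSError, subprocess.CalledProcessError):
        return ""
    return out.decode("utf-8", "replace")

def collect(image, profile, plugins):
    """Run every plugin against one image, at most N subprocesses at a time."""
    with ThreadPoolExecutor(max_workers=MAX_CONCURRENT_SUBPROCESSES) as pool:
        outputs = list(pool.map(lambda p: run_plugin(image, profile, p), plugins))
    return dict(zip(plugins, outputs))

def diff_plugin_output(baseline_out, infected_out):
    """Lines in the infected output that the baseline lacks, in original order.
    Column headers and separators are identical in both, so they drop out."""
    seen = set(l.rstrip() for l in baseline_out.splitlines())
    return [l.rstrip() for l in infected_out.splitlines()
            if l.strip() and l.rstrip() not in seen]

def diff_images(baseline_results, infected_results):
    """Per-plugin report of new lines; plugins without changes are omitted."""
    report = {}
    for plugin, infected_out in infected_results.items():
        new = diff_plugin_output(baseline_results.get(plugin, ""), infected_out)
        if new:
            report[plugin] = new
    return report

# Constructed pslist output standing in for real vol.py results.
BASELINE_PSLIST = "Offset(V)  Name          PID  PPID\n" \
                  "0x8400000  System           4     0\n" \
                  "0x8500000  explorer.exe  1234  1100\n"
NEW_PROCESS = "0x8600000  sample.exe    2048  1234"
INFECTED_PSLIST = BASELINE_PSLIST + NEW_PROCESS + "\n"
```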

What operating systems does VolDiff support

VolDiff was tested and tuned to process Windows 7 memory images.

How to speed up VolDiff execution time

VolDiff automates the execution of 40+ Volatility plugins on each supplied memory image. The tool is expected to take some time (usually no less than 10 minutes) to complete.

The max_concurrent_subprocesses variable in VolDiff.py defines the maximum number of processes launched by VolDiff at the same time. That variable is set to 3 by default, but it can be easily changed to speed up (or slow down) VolDiff.

Credits

VolDiff was initially inspired by Andrew Case's (@attrc) talk on [analyzing the sophisticated Careto malware sample with memory forensics](http://2014.video.sector.ca/video/110388398 "analyzing the sophisticated Careto malware sample with memory forensics").

A word of thanks to the Volatility development team for creating and maintaining the greatest memory forensic framework out there.

How to contact VolDiff's developer

Please submit feedback, report bugs, or send feature requests to @aim4r, houcem.hachicha[@]gmail.com or GitHub.
