VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images.
VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis.
VolDiff can also be used against a single Windows memory image to automate Volatility plugin execution, and hunt for malicious patterns.
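The before/after comparison described above can be illustrated with a small parser and diff over Volatility pslist output. The code below is an added example, not VolDiff's own code: it parses two constructed samples of `pslist` output (a baseline capture and a capture taken after a sample ran), keys each process by (PID, name), and reports what appeared or disappeared together with the parent of each new process. The `run_pslist` helper shows how the same text would be obtained from a real image with `vol.py -f <image> --profile=<profile> pslist`; the image and profile names in it are placeholders.

```python
"""Added example (not VolDiff's own code): diff Volatility pslist output from
a baseline memory image against a post-execution image.
The plugin output embedded below is constructed for this example."""
import re
import subprocess

# Constructed sample of "vol.py -f baseline.raw --profile=Win7SP1x64 pslist".
BASELINE_PSLIST = """\
Volatility Foundation Volatility Framework 2.5
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa80018cd040 System                    4      0     85      512 ------      0 2016-01-01 10:00:00 UTC+0000
0xfffffa8001a3c060 csrss.exe               352    344      9      423      0      0 2016-01-01 10:00:03 UTC+0000
0xfffffa8001c1e060 explorer.exe           1824   1800     27      903      1      0 2016-01-01 10:00:20 UTC+0000
"""

# Constructed sample captured after the sample ran: explorer.exe spawned a
# 32-bit child (Wow64=1), which in turn started a svchost.exe.
INFECTED_PSLIST = """\
Volatility Foundation Volatility Framework 2.5
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa80018cd040 System                    4      0     85      512 ------      0 2016-01-01 10:00:00 UTC+0000
0xfffffa8001a3c060 csrss.exe               352    344      9      423      0      0 2016-01-01 10:00:03 UTC+0000
0xfffffa8001c1e060 explorer.exe           1824   1800     27      903      1      0 2016-01-01 10:00:20 UTC+0000
0xfffffa8001d40b30 sample.exe             2716   1824      3       61      1      1 2016-01-01 10:05:42 UTC+0000
0xfffffa8001d9a060 svchost.exe            2788   2716      5      140      1      0 2016-01-01 10:05:44 UTC+0000
"""

# One pslist data row: offset, name, PID, PPID, Thds, Hnds, Sess, Wow64, Start[, Exit].
# Sess (and occasionally other counters) is printed as dashes for System.
PSLIST_ROW = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+|-+)\s+(\d+|-+)\s+(\d+|-+)\s+(\d+)\s+(.*)$"
)


def parse_pslist(text):
    """Return {(pid, name): {offset, ppid, wow64, start}} for each process row.
    Banner, header and separator lines do not match PSLIST_ROW and are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_ROW.match(line.strip())
        if not m:
            continue
        offset, name, pid, ppid, _thds, _hnds, _sess, wow64, start = m.groups()
        procs[(int(pid), name)] = {
            "offset": offset,
            "ppid": int(ppid),
            "wow64": wow64 == "1",
            "start": start.strip(),
        }
    return procs


def parent_name(procs, ppid):
    """Name of the process with PID == ppid, or '<unknown>' if it is not listed."""
    for (pid, name) in procs:
        if pid == ppid:
            return name
    return "<unknown>"


def diff_pslist(before, after):
    """Processes present only after execution ('new') and only before ('gone')."""
    return {
        "new": sorted(k for k in after if k not in before),
        "gone": sorted(k for k in before if k not in after),
    }


def report(before_text, after_text):
    """Build human-readable report lines in the spirit of a VolDiff section."""
    before, after = parse_pslist(before_text), parse_pslist(after_text)
    delta = diff_pslist(before, after)
    lines = ["pslist: %d new, %d gone" % (len(delta["new"]), len(delta["gone"]))]
    for pid, name in delta["new"]:
        info = after[(pid, name)]
        lines.append("  NEW  %-16s pid=%-5d parent=%s(%d) wow64=%s start=%s" % (
            name, pid, parent_name(after, info["ppid"]), info["ppid"],
            info["wow64"], info["start"]))
    for pid, name in delta["gone"]:
        lines.append("  GONE %-16s pid=%d" % (name, pid))
    return lines


def run_pslist(image, profile, vol="vol.py"):
    """Obtain pslist text from a real image (placeholder paths; not run here)."""
    return subprocess.check_output(
        [vol, "-f", image, "--profile=" + profile, "pslist"]).decode("utf-8", "replace")


if __name__ == "__main__":
    for line in report(BASELINE_PSLIST, INFECTED_PSLIST):
        print(line)
```

Running the script prints the two processes that exist only in the post-execution capture, each with its parent, which is the kind of change a before/after report makes visible without manually reading both plugin outputs side by side.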
Download from GitHub:
git clone https://github.com/aim4r/VolDiff
VolDiff is written in Python (2.7) and was mainly tested on Ubuntu 14.04. It should work on any Linux-based system where the Volatility 2.5 framework is installed.
The installation steps for Volatility 2.5 are documented here. The following instructions can be followed to install Volatility 2.5 on Ubuntu 14.04:
1) Download the Volatility 2.5 ZIP source code.
2) Extract the Volatility source code from the ZIP file, and use the included setup.py script to install the framework:
python setup.py build
sudo python setup.py install
3) Install the Volatility dependencies using the following commands:
sudo apt-get update
sudo apt-get install python-pip
sudo pip install distorm3 yara pycrypto openpyxl simplejson
4) Test Volatility using the following command:
Once the VolDiff script is downloaded and the Volatility framework is installed, use the following command to test VolDiff:
python VolDiff.py --help