Malware Analysis

Malware Memory Footprint Analysis

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images.

VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis.

VolDiff can also be used against a single Windows memory image to automate Volatility plugin execution, and hunt for malicious patterns.

Download/Source code
Download from Github.

git clone

VolDiff is written in Python (2.7) and was mainly tested on Ubuntu 14.04. It should work on any Linux system where the Volatility 2.5 framework is installed.

The installation steps for Volatility 2.5 are documented here. The following instructions can be followed to install Volatility 2.5 on Ubuntu 14.04:

1) Download the Volatility 2.5 ZIP source code.

2) Extract the Volatility source code from the ZIP file, change into the extracted directory, and use the included setup.py script to build and install the framework:

python setup.py build
sudo python setup.py install

3) Install the Volatility dependencies using the following commands:

sudo apt-get update
sudo apt-get install python-pip
sudo pip install distorm3 yara pycrypto openpyxl simplejson

4) Test Volatility using the following command (vol.py is placed on the PATH by the install step):

vol.py --help

Once the VolDiff script is downloaded and the Volatility framework is installed, use the following command to test VolDiff:

python VolDiff.py --help
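The following is an added example, written for this page and not VolDiff's or Volatility's own code, showing the before/after comparison described above in miniature: each Volatility plugin is run against both images, the text output is normalised, and lines that appear only in the post-execution image are reported. It also shows one check a practitioner would want on the new processes, a parent-process sanity test (a svchost.exe not spawned by services.exe). It assumes Volatility 2.x is installed so that vol.py is on the PATH and that both images use the same profile; the pslist output embedded below is constructed so that the script runs offline, and the expected-parent table is a small illustrative subset. Python 3 is used here rather than the 2.7 that VolDiff itself targets.

```python
"""Before/after memory-image comparison in the spirit of VolDiff.

Added example for this page, not VolDiff's or Volatility's own code. It assumes
Volatility 2.x is installed so that ``vol.py`` is on PATH, and that both images
were captured from the same machine with the same profile. Python 3.
"""
import subprocess
from typing import Dict, List, Set, Tuple

# Plugins with line-oriented output that is worth comparing between two captures.
PLUGINS = ["pslist", "psscan", "netscan", "svcscan", "ldrmodules"]

# Expected parent for a few core Windows 7 processes (constructed subset, not a
# complete table): a svchost.exe whose parent is not services.exe is a classic
# sign of process-name masquerading or injection.
EXPECTED_PARENT = {
    "svchost.exe": "services.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
}


def run_plugin(image: str, profile: str, plugin: str, vol: str = "vol.py") -> str:
    """Run one Volatility plugin against an image and return its stdout."""
    cmd = [vol, "-f", image, "--profile", profile, plugin]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def normalize(output: str) -> Set[str]:
    """Collapse whitespace and drop banner, header and separator lines so that
    column-alignment differences do not show up as 'changes'."""
    lines = set()
    for raw in output.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("Volatility Foundation"):
            continue
        if set(line) <= {"-", " "} or line.startswith("Offset("):
            continue
        lines.add(line)
    return lines


def diff_outputs(before: str, after: str) -> Dict[str, List[str]]:
    """Lines present only in the after-image (added) or only in the baseline (removed)."""
    b, a = normalize(before), normalize(after)
    return {"added": sorted(a - b), "removed": sorted(b - a)}


def parse_pslist(output: str) -> Dict[int, Tuple[str, int]]:
    """Map PID -> (name, PPID) from pslist output (columns: offset, name, pid, ppid, ...)."""
    procs = {}
    for line in normalize(output):
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        procs[int(parts[2])] = (parts[1], int(parts[3]))
    return procs


def new_processes(before: str, after: str) -> List[Tuple[str, int, int]]:
    """Processes that exist in the after-image but not in the baseline."""
    b, a = parse_pslist(before), parse_pslist(after)
    return sorted((name, pid, ppid) for pid, (name, ppid) in a.items() if pid not in b)


def parent_anomalies(pslist_output: str) -> List[str]:
    """Flag core processes whose parent is not the one Windows would normally use."""
    procs = parse_pslist(pslist_output)
    findings = []
    for pid, (name, ppid) in sorted(procs.items()):
        expected = EXPECTED_PARENT.get(name)
        if expected is None:
            continue
        parent_name = procs.get(ppid, ("<exited>", 0))[0]
        if parent_name != expected:
            findings.append(f"{name} (PID {pid}) parent is {parent_name} (PID {ppid}), expected {expected}")
    return findings


def compare_images(before_img: str, after_img: str, profile: str) -> Dict[str, Dict[str, List[str]]]:
    """Run every plugin in PLUGINS against both images and diff the outputs (needs vol.py)."""
    return {plugin: diff_outputs(run_plugin(before_img, profile, plugin),
                                 run_plugin(after_img, profile, plugin))
            for plugin in PLUGINS}


# Constructed pslist output (not from a real capture) so the script runs offline.
PSLIST_BEFORE = """\
Volatility Foundation Volatility Framework 2.5
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000c8a040 System                    4      0     87      506 ------      0 2015-06-10 09:01:12 UTC+0000
0xfffffa80019c1b30 wininit.exe             420    356      3       77      0      0 2015-06-10 09:01:20 UTC+0000
0xfffffa8001a0f060 services.exe            484    420      9      214      0      0 2015-06-10 09:01:21 UTC+0000
0xfffffa8001a4e7c0 svchost.exe             604    484     11      354      0      0 2015-06-10 09:01:22 UTC+0000
0xfffffa8001b2e060 explorer.exe           1340   1304     29      742      1      0 2015-06-10 09:02:03 UTC+0000
"""
PSLIST_AFTER = PSLIST_BEFORE + (
    "0xfffffa8001f9ab30 svchost.exe            2104   1340      3       71      1      0 2015-06-10 09:15:44 UTC+0000\n"
)

if __name__ == "__main__":
    for line in diff_outputs(PSLIST_BEFORE, PSLIST_AFTER)["added"]:
        print("NEW:", line)
    for finding in parent_anomalies(PSLIST_AFTER):
        print("SUSPICIOUS:", finding)
```

Against the constructed sample the diff reports a single new svchost.exe, and the parent check flags it because its parent is explorer.exe rather than services.exe. On real captures, pass the two image paths and the profile to compare_images; plugin output that includes timestamps or per-run offsets will still diff cleanly for processes that existed in both captures, since those values come from the same running system, while any line present only after execution is the candidate for closer analysis.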