VolDiff – Malware Memory Footprint Analysis.

VolDiff is a bash script that runs Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes.

VolDiff is a simple yet powerful malware analysis tool that enables malware analysts to quickly identify IOCs and understand advanced malware behaviour.

Use Directions:
1. Capture a memory dump of a clean Windows system and save it as “baseline.raw”. This image will serve as a baseline for the analysis.
2. Execute your malware sample on the same system, then take a second memory dump and save it as “infected.raw”.
3. Run VolDiff:

VolDiff saves the output of a selection of Volatility plugins for both memory images (baseline and infected), then creates a report highlighting notable changes (new processes, network connections, injected code, drivers, etc.).
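The VolDiff approach in miniature, as an added example rather than the project's own script: take one plugin's output from each image and keep only the entries that exist in the infected one. It assumes two constructed pslist outputs (baseline_pslist.txt and infected_pslist.txt) in place of real dumps; the same function applies unchanged to netscan, malfind or driver listings saved under the same naming scheme.

```shell
#!/bin/sh
# Added illustration of the VolDiff approach, not the project's own script.
# The plugin outputs below are constructed samples; on a real run they would
# come from e.g. "vol.py -f baseline.raw --profile=<profile> pslist > ...".
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed pslist output for the clean image (columns trimmed).
cat > "$WORK/baseline_pslist.txt" <<'EOF'
Offset(V)  Name          PID  PPID Thds Hnds
0x8400f0e0 System        4    0    50   500
0x85b2a1c0 explorer.exe  1304 1252 20   600
0x85c4d030 svchost.exe   856  600  10   300
EOF

# Constructed pslist output for the infected image: two new processes,
# plus changed thread/handle counts on processes that were already there.
cat > "$WORK/infected_pslist.txt" <<'EOF'
Offset(V)  Name          PID  PPID Thds Hnds
0x8400f0e0 System        4    0    52   510
0x85b2a1c0 explorer.exe  1304 1252 21   640
0x85c4d030 svchost.exe   856  600  10   300
0x85e11d40 update.exe    2112 1304 3    70
0x85e9a020 cmd.exe       2200 2112 1    30
EOF

# Print entries that exist only in the infected output for plugin $1.
# $2 is an optional awk field list used to drop volatile columns: thread
# and handle counts move on a live system even for untouched processes and
# would otherwise fill the report with noise.
new_entries() {
    plugin="$1"; fields="${2:-\$0}"
    awk "NR>1 {print $fields}" "$WORK/baseline_$plugin.txt" | sort > "$WORK/b.tmp"
    awk "NR>1 {print $fields}" "$WORK/infected_$plugin.txt" | sort > "$WORK/i.tmp"
    comm -13 "$WORK/b.tmp" "$WORK/i.tmp"
}

# Number of new entries, handy for a summary line in a report.
count_new() { new_entries "$@" | wc -l | tr -d ' '; }

echo "== pslist, whole lines: counter changes are reported too =="
new_entries pslist
echo "== pslist, Name/PID/PPID only: just the new processes =="
new_entries pslist '$2, $3, $4'
```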

Example Output:

Bash Script:

Source: https://github.com/aim4r