DAMM – Differential Analysis of Malware in Memory.
DAMM is An open source memory analysis tool built on top of Volatility. It is meant as a proving ground for interesting new techniques to be made available to the community. These techniques are an attempt to speed up the investigation process through data reduction and codifying some expert knowledge.
Features:
* ~30 Volatility plugins combined into ~20 DAMM plugins (e.g., pslist, psxview and other elements are combined into a ‘processes’ plugin)
* Can run multiple plugins in one invocation
* The option to store plugin results in SQLite databases for preservation or for “cached” analysis
* A filtering/type system that allows easily filtering on attributes like pids to see all information related to some process and exact or partial matching for strings, etc.
* The ability to show the differences between two databases of results for the same or similar machines and manipulate from the cmdline how the differencing operates
* The ability to warn on certain types of suspicious behavior
* Output for terminal, tsv or grepable
Usage:
git clone https://github.com/504ensicsLabs/DAMM && cd DAMM
python damm.py -h
python damm.py -p processes --db my_results.db
python damm.py -p processes --diff stock_WinXPSP2x86_processes.db --db after_malware.db
git clone https://github.com/504ensicsLabs/DAMM && cd DAMM
python damm.py -h
python damm.py -p processes --db my_results.db
python damm.py -p processes --diff stock_WinXPSP2x86_processes.db --db after_malware.db
Source: https://github.com/504ensicsLabs
Features:
* ~30 Volatility plugins combined into ~20 DAMM plugins (e.g., pslist, psxview and other elements are combined into a ‘processes’ plugin)
* Can run multiple plugins in one invocation
* The option to store plugin results in SQLite databases for preservation or for “cached” analysis
* A filtering/type system that allows easily filtering on attributes like pids to see all information related to some process and exact or partial matching for strings, etc.
* The ability to show the differences between two databases of results for the same or similar machines and manipulate from the cmdline how the differencing operates
* The ability to warn on certain types of suspicious behavior
* Output for terminal, tsv or grepable
Usage:
git clone https://github.com/504ensicsLabs/DAMM && cd DAMM
python damm.py -h
python damm.py -p processes --db my_results.db
python damm.py -p processes --diff stock_WinXPSP2x86_processes.db --db after_malware.db
git clone https://github.com/504ensicsLabs/DAMM && cd DAMM
python damm.py -h
python damm.py -p processes --db my_results.db
python damm.py -p processes --diff stock_WinXPSP2x86_processes.db --db after_malware.db
Source: https://github.com/504ensicsLabs
Post a Comment