Giters

bedazzlinghex / Memory-analysis

Contains tools to perform malware and forensic analysis in Memory

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Memory-analysis

Contains tools to perform malware and forensic analysis in Memory.

Plugins:

  • Dyrescan.py - parses Dyreconfig in memory.
  • Rat9002.py - parses 9002 rat config in memory.
  • plugx.py - parses plugx config in memory (modified to also parse config size: 0x170c).
  • ghostrat.py - parses ghostrat config in memory.

Analysis_Script:

  • vol_analysis.sh - script to automate analysis with volatility
  • common_search_strings.txt - textfile used by vol_analysis.sh to search for common commands used by threat actors. Fill out with your own terms.
  • drv_list.txt - List gathered from the Internet with all known bad and good drivernames. Used by vol_analysis.sh to search for bad drivers.

Irma:

  • Created a python script to interact with IRMA on a localmachine. This script is also used by vol_analysis.sh to submit and scan all files extracted from a memory dump and perform analysis on them with various AV-engines.
  • Usage with vol_analysis script: vol_analysis.sh -p WinXPSP2x86 -f memdump.mem -d /output_path -t CASENAME ** Requires IRMA up and running on your machine and the IRMACL API installed.

About

Contains tools to perform malware and forensic analysis in Memory

Languages

Language:Python 90.2%Language:Shell 9.8%