Differential Analysis of Malware in Memory (DAMM) is a tool built on top of Volatility. Its main objective is to serve as a test bed for some newer techniques in memory analysis, including: performance enhancements via optional persistent SQLite storage of plugin results; comparing in-memory objects across multiple memory samples, for example the processes running in an uninfected sample versus those in an infected sample; data reduction via smart filtering (e.g., on a pid across several plugins); and encoding a set of expert domain knowledge to sniff out indicators of malicious activity, such as hidden processes and DLLs, or Windows built-in processes running from the wrong directory.
damm [-h] [-d DIR] [-p PLUGIN [PLUGIN ...]] [-f FILE] [-k KDBG] [--db DB] [--profile PROFILE] [--debug] [--info] [--tsv] [--grepable] [--filter FILTER] [--filtertype FILTERTYPE] [--diff BASELINE] [-u FIELD [FIELD ...]] [--warnings] [-q]
-h, --help                 show this help message and exit
-d DIR                     Path to additional plugin directory
-p PLUGIN [PLUGIN ...]     Plugin(s) to run. For a list of options use --info
-f FILE                    Memory image file to run plugin on
-k KDBG                    KDBG address for the images (in hex)
--db DB                    SQLite db file, for efficient input/output
--profile PROFILE          Volatility profile for the images (e.g. WinXPSP2x86)
--debug                    Print debugging statements
--info                     Print available volatility profiles, and DAMM plugins
--tsv                      Print tab-separated (TSV) output
--grepable                 Print in grepable text format
--filter FILTER            Filter results on name:value pair, e.g., pid:42
--filtertype FILTERTYPE    Filter match type; either "exact" or "partial", defaults to partial
--diff BASELINE            Diff the db with this db file as a baseline
-u FIELD [FIELD ...]       Use the specified fields to determine uniqueness of memobjs when diffing
--warnings                 Look for suspicious objects
-q                         Query the supplied db (via --db)
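The following is an added illustration of what the diff (--diff with -u), filter (--filter/--filtertype) and expert-knowledge (--warnings) steps described above amount to when applied to one plugin's output. It is not DAMM's code. The two process tables are constructed sample data standing in for a pslist-style plugin run against a clean and a suspect image (the `hidden` field is a constructed stand-in for "found by a scan but absent from the process list"), the EXPECTED_DIRS table is a hypothetical subset of the domain knowledge such a check needs, and the damm command lines in the comments are an assumed reading of the option help, not copied from the project's documentation.

```python
import ntpath
from typing import Dict, Iterable, List, Sequence, Tuple

# Assumed damm workflow this script mirrors (flags from the help text above;
# the exact combination is an assumption, not a quoted project example):
#   damm -f clean.vmem    --profile Win7SP1x86 -p pslist --db clean.db
#   damm -f suspect.vmem  --profile Win7SP1x86 -p pslist --db suspect.db
#   damm --db suspect.db --diff clean.db -u name pid --warnings

Record = Dict[str, object]

# Constructed sample plugin output; "hidden" is a constructed field meaning
# "present in a scan of memory but missing from the live process list".
BASELINE: List[Record] = [
    {"name": "System",       "pid": 4,    "ppid": 0,    "path": "",                                 "hidden": False},
    {"name": "smss.exe",     "pid": 272,  "ppid": 4,    "path": r"C:\Windows\System32\smss.exe",    "hidden": False},
    {"name": "csrss.exe",    "pid": 356,  "ppid": 272,  "path": r"C:\Windows\System32\csrss.exe",   "hidden": False},
    {"name": "svchost.exe",  "pid": 700,  "ppid": 480,  "path": r"C:\Windows\System32\svchost.exe", "hidden": False},
    {"name": "explorer.exe", "pid": 1320, "ppid": 1280, "path": r"C:\Windows\explorer.exe",         "hidden": False},
]
SUSPECT: List[Record] = BASELINE + [
    {"name": "svchost.exe",  "pid": 2044, "ppid": 1320, "path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "hidden": False},
    {"name": "lsass.exe",    "pid": 2100, "ppid": 2044, "path": r"C:\Windows\System32\lsass.exe",   "hidden": True},
]

# Hypothetical expert-knowledge table: the directory a few Windows built-ins
# are expected to run from (a real encoding covers many more names/versions).
EXPECTED_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def key_for(rec: Record, fields: Sequence[str]) -> Tuple:
    """Identity of a memobj under the chosen uniqueness fields (cf. -u FIELD ...)."""
    return tuple(rec[f] for f in fields)


def diff(baseline: Iterable[Record], suspect: Iterable[Record],
         fields: Sequence[str]) -> Dict[str, List[Record]]:
    """Split suspect objects into new / missing / common relative to the baseline.

    Note that the choice of fields decides what counts as "the same" object:
    keying on name alone collapses both svchost.exe instances into one.
    """
    base = {key_for(r, fields): r for r in baseline}
    sus = {key_for(r, fields): r for r in suspect}
    return {
        "new": [r for k, r in sus.items() if k not in base],
        "missing": [r for k, r in base.items() if k not in sus],
        "common": [r for k, r in sus.items() if k in base],
    }


def filter_records(records: Iterable[Record], field: str, value: str,
                   partial: bool = True) -> List[Record]:
    """Emulate --filter field:value with --filtertype partial (default) or exact."""
    out = []
    for r in records:
        text = str(r.get(field, ""))
        if (value in text) if partial else (text == value):
            out.append(r)
    return out


def warnings(records: Iterable[Record]) -> List[Tuple[object, str]]:
    """Emulate --warnings: flag hidden processes and built-ins in the wrong directory."""
    findings = []
    for r in records:
        name = str(r["name"]).lower()
        if r.get("hidden"):
            findings.append((r["pid"], f"{name}: hidden process (absent from process list)"))
        path = str(r.get("path", ""))
        expected = EXPECTED_DIRS.get(name)
        if expected and path and ntpath.dirname(path).lower() != expected:
            findings.append((r["pid"], f"{name}: runs from {ntpath.dirname(path)}, expected {expected}"))
    return findings


if __name__ == "__main__":
    result = diff(BASELINE, SUSPECT, ("name", "pid"))
    for r in result["new"]:
        print("NEW     ", r["pid"], r["name"], r["path"])
    for pid, msg in warnings(result["new"]):
        print("WARNING ", pid, msg)
    for r in filter_records(SUSPECT, "pid", "2044", partial=False):
        print("FILTER  ", r)
```

Run with no arguments to see the two new processes, the two warnings they raise (a user-writable-directory svchost.exe and a hidden lsass.exe), and the exact pid filter. Rerunning `diff` with `fields=("name",)` reports only lsass.exe as new, which is the practical reason the uniqueness fields are a command-line choice rather than fixed.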
For worked examples, see: https://github.com/504ensicsLabs/DAMM#example-