DAMM

Description

DAMM differential Analysis of Malware in Memory (DAMM) is a tool built on top of Volatility. Its main objective is as a test bed for some newer techniques in memory analysis, including performance enhancements via persistent SQLite storage of plugin results (optional); comparing in-memory objects across multiple memory samples, for example processes running in an uninfected samples versus those in an infected sample;

data reduction via smart filtering (e.g., on a pid across several plugins); and encoding a set of expert domain knowledge to sniff out indicators of malicious activity, like hidden processes and DLLs, or windows built-in processes running form the wrong directory.

Usage

Syntax

damm [-h] [-d DIR] [-p PLUGIN [PLUGIN …]] [-f FILE] [-k KDBG] [–db DB] [–profile PROFILE] [–debug] [–info] [–tsv] [–grepable] [–filter FILTER] [–filtertype FILTERTYPE] [–diff BASELINE] [-u FIELD [FIELD …]] [–warnings] [-q]

Options

  -h, --help            show this help message and exit
  -d DIR                Path to additional plugin directory
  -p PLUGIN [PLUGIN ...]
                        Plugin(s) to run. For a list of options use --info
  -f FILE               Memory image file to run plugin on
  -k KDBG               KDBG address for the images (in hex)
  --db DB               SQLite db file, for efficient input/output
  --profile PROFILE     Volatility profile for the images (e.g. WinXPSP2x86)
  --debug               Print debugging statements
  --info                Print available volatility profiles, and DAMM plugins
  --tsv                 Print screen formatted output.
  --grepable            Print in grepable text format
  --filter FILTER       Filter results on name:value pair, e.g., pid:42
  --filtertype FILTERTYPE
                        Filter match type; either "exact" or "partial",
                        defaults to partial
  --diff BASELINE       Diff the db with this db file as a baseline
  -u FIELD [FIELD ...]  Use the specified fields to determine uniqueness of
                        memobjs when diffing
  --warnings            Look for suspicious objects
  -q                    Query the supplied db (via --db)

Example

Please Visit : https://github.com/504ensicsLabs/DAMM#example-
0 Comments

Leave a reply

CONTACT US

We're are building as a community and a team. Be a part of it.

Sending

©2017 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?