
Volatility Memory Forensics | Basic Usage for Malware Analysis

Here is a real-world example of using Volatility and YARA. You can download this good old ZeuS image from the Malware Analyst’s Cookbook: [41,4 MB]

1.) Go into your Volatility directory

2.) If you don’t know what type of system your image came from, use the ‘imageinfo’ command.

$ python imageinfo -f /home/evild3ad/memory-samples/cookbook/zeus.vmem


3.) Use the command ‘pslist’ to display a list of all processes that were active when the snapshot was taken.

$ python pslist -f /home/evild3ad/memory-samples/cookbook/zeus.vmem


4.) The list of open TCP connections looks a lot more promising. Two active connections are listed to the IP address on port 80. According to the process list, process ID 856 does not belong to a browser process.

$ python connscan -f /home/evild3ad/memory-samples/cookbook/zeus.vmem
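The check in step 4 is a correlation: which process owns the port-80 connections, and is it one we expect to speak HTTP? The following is an added example (not code from the original post or from the Volatility project) that automates that cross-reference over connscan and pslist text output. The sample output below is constructed in the column layout Volatility prints; it is not output from the zeus.vmem image, and the IP addresses are documentation ranges.

```python
"""Cross-reference connscan with pslist to flag non-browser processes talking on port 80.

Added example. The two sample outputs are constructed (not taken from zeus.vmem),
laid out the way Volatility prints them; the regexes only rely on the leading
columns, so extra pslist columns (Thds, Hnds, Time) do not break parsing.
"""
import re

# Constructed sample connscan output: Offset, Local Address, Remote Address, Pid
CONNSCAN_OUTPUT = """\
Offset     Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02214988 172.16.176.143:1054       203.0.113.5:80            856
0x06015ab0 172.16.176.143:1056       203.0.113.5:80            856
0x0612a6d8 172.16.176.143:1062       198.51.100.20:80          1152
"""

# Constructed sample pslist output, abbreviated to Offset, Name, PID, PPID
PSLIST_OUTPUT = """\
Offset(V)  Name                 PID    PPID
---------- -------------------- ------ ------
0x810b1660 System                    4      0
0x81e88700 services.exe            676    632
0x80ff88d8 svchost.exe             856    676
0x8205bda0 firefox.exe            1152   1464
"""

# Image names that are expected to open HTTP connections; anything else on port 80 is worth a look.
BROWSER_NAMES = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}

CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+):(\d+)\s+(\d+)", re.I)
PROC_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)", re.I)


def parse_connscan(text):
    """Return a list of (remote_ip, remote_port, pid) tuples from connscan output."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append((m.group(2), int(m.group(3)), int(m.group(4))))
    return conns


def parse_pslist(text):
    """Return a {pid: image_name} mapping from pslist output."""
    procs = {}
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def suspicious_web_connections(connscan_text, pslist_text, port=80):
    """Return sorted (pid, name, remote_ip) for connections to `port` owned by non-browser processes.

    A PID that has a connection but is absent from pslist is reported as well,
    since a process missing from the active list is itself a hiding indicator.
    """
    procs = parse_pslist(pslist_text)
    hits = set()
    for ip, rport, pid in parse_connscan(connscan_text):
        if rport != port:
            continue
        name = procs.get(pid, "<not in pslist>")
        if name.lower() not in BROWSER_NAMES:
            hits.add((pid, name, ip))
    return sorted(hits)


if __name__ == "__main__":
    for pid, name, ip in suspicious_web_connections(CONNSCAN_OUTPUT, PSLIST_OUTPUT):
        print(f"PID {pid} ({name}) -> {ip}:{80} is not a browser process")
```

On the constructed sample this reports only PID 856 (svchost.exe), which is exactly the observation the post makes by eye; firefox.exe on PID 1152 is filtered out as an expected HTTP client.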


5.) Let’s do a whois for the IP address and see what comes back. You can also use Google to find more information about this IP address.

$ whois


6.) The registry is spread across numerous files called ‘hives’. The current user’s registry branch, HKEY_CURRENT_USER (HKCU), is located in the hidden file NTUSER.DAT in the user’s home directory under \Documents and Settings\. There are two more important branches: HKEY_LOCAL_MACHINE (HKLM) and its software sub-branch, stored in \Windows\system32\config. But first, we need ‘hivelist’ to display where Windows placed these files in memory.

$ python hivelist -f /home/evild3ad/memory-samples/cookbook/zeus.vmem


7.) The key ‘Userinit’ specifies what program should be launched right after a user logs into Windows. The default program for this key is C:\windows\system32\userinit.exe. Userinit.exe is the program that restores your profile, fonts, colors, etc. for your username. Further programs can be added to this key by separating them with commas, and they will all be launched at logon. It is a common place for trojans to persist.

$ python printkey -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -o 0xe153ab60 -K 'Microsoft\Windows NT\CurrentVersion\Winlogon'
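Because the value is a comma-separated list, the check in step 7 reduces to: split on commas and see whether anything other than the stock userinit.exe is present. The following is an added example (not the post’s or Volatility’s own code) that pulls the Userinit data out of printkey text output and reports the extra entries. The printkey output shown is constructed to match Volatility’s layout, not copied from the zeus.vmem image; the sdra64.exe entry is a constructed value that mirrors the name the post mentions.

```python
"""Find extra autostart entries in the Winlogon 'Userinit' registry value.

Added example. PRINTKEY_OUTPUT is a constructed sample in Volatility's printkey
layout; it is not output from zeus.vmem. Windows launches every comma-separated
entry in Userinit at logon, so anything beyond userinit.exe deserves attention.
"""
import re

# Stock value, compared case-insensitively (Windows paths are case-insensitive)
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample printkey output for the Winlogon key
PRINTKEY_OUTPUT = r"""Key name: Winlogon (S)
Last updated: 2010-08-15 19:17:23

Subkeys:
  (S) GPExtensions
  (S) Notify

Values:
REG_SZ        Shell           : (S) Explorer.exe
REG_SZ        Userinit        : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
REG_SZ        System          : (S)
"""

USERINIT_RE = re.compile(r"^REG_\w+\s+Userinit\s*:\s*\((?:S|V)\)\s*(.*)$", re.I)


def userinit_value(printkey_text):
    """Return the raw Userinit data string from printkey output, or None if the value is absent."""
    for line in printkey_text.splitlines():
        m = USERINIT_RE.match(line)
        if m:
            return m.group(1).strip()
    return None


def userinit_entries(value):
    """Split the comma-separated value and drop empty entries (the stock value ends in a trailing comma)."""
    return [e.strip() for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value):
    """Return every entry that is not the default userinit.exe.

    Quotes are stripped before comparison; environment-variable forms such as
    %SystemRoot% are not expanded here and are therefore reported for manual review.
    """
    unexpected = []
    for entry in userinit_entries(value):
        if entry.strip('"').lower() != DEFAULT_USERINIT:
            unexpected.append(entry)
    return unexpected


if __name__ == "__main__":
    value = userinit_value(PRINTKEY_OUTPUT)
    print("Userinit =", value)
    for extra in unexpected_userinit_entries(value or ""):
        print("unexpected autostart entry:", extra)
```

A clean machine yields an empty list for the stock `C:\WINDOWS\system32\userinit.exe,` value; the constructed sample reports the single extra path.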


8.) To view the process listing in tree form, use the ‘pstree’ command. This plugin prints the process list as a tree so we can visualize the parent/child relationships.

$ python pstree -f /home/evild3ad/memory-samples/cookbook/zeus.vmem


We notice that winlogon.exe launched sdra64.exe and that the system process svchost.exe (PID 856) is connected to the internet. services.exe (PPID 676) also looked to have some code injected into it.

9.) Let’s revisit our ‘printkey’ command so we can detect whether the Windows Firewall is enabled or disabled.

$ python printkey -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -K 'ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

firewall settings

10.) Now, it’s time for the Volatility plug-in. Simply place the plugin in the ‘plugins’ directory within the Volatility directory. The ‘apihooks’ function looks at the svchost.exe process with PID 856 and finds two inline hooks.

$ python apihooks -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -p 856


11.) The output shows a typical PE file header, including the characteristic string “This program cannot be run in DOS mode.” This is the smoking gun: it proves that a complete program image has indeed been injected into the svchost.exe process.

$ python malfind -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -p 856 -D /home/evild3ad/Volatility/dump-files


12.) Finally, we’ll use YARA, which identifies malicious software based on characteristic strings and byte sequences. You can download the official malware rules from the YARA project website.

$ python malfind -f /home/evild3ad/memory-samples/cookbook/zeus.vmem -p 856 -Y /home/evild3ad/yara-rules/MalwareRules.yara -D /home/evild3ad/Volatility/dump-files
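Steps 11 and 12 both hinge on the same evidence: an ‘MZ’ header, the DOS-stub text and a ‘PE\0\0’ signature at the offset e_lfanew, all sitting inside a memory region that should hold no executable image. The following is an added example (not the post’s, Volatility’s or YARA’s code) that applies those three checks to a dumped region the way a YARA string-and-byte rule would, but in plain Python so it runs on a malfind -D dump file without any dependencies. The sample buffer is constructed in the code; it is not data from zeus.vmem.

```python
"""Locate structurally consistent PE images inside a dumped memory region.

Added example. The checks are the ones malfind's hexdump lets you do by eye
and that a YARA rule would encode as strings: an 'MZ' header, the DOS stub
text, and 'PE\0\0' at the e_lfanew offset. build_sample_region() constructs
a test buffer; it is not a dump from zeus.vmem.
"""
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def find_pe_images(buf):
    """Return offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature.

    A bare 'MZ' is far too common in memory to be evidence; requiring the
    PE signature at e_lfanew filters out random byte pairs and string data.
    """
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            # e_lfanew is the little-endian DWORD at offset 0x3C of the DOS header
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # 0x40 is the DOS header size; a sane e_lfanew is small and in-bounds
            if 0x40 <= e_lfanew < 0x1000 and pe_off + 4 <= len(buf) \
                    and buf[pe_off:pe_off + 4] == b"PE\0\0":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def has_dos_stub_text(buf, mz_offset):
    """True if the characteristic stub string sits between the DOS header and the PE signature."""
    e_lfanew = struct.unpack_from("<I", buf, mz_offset + 0x3C)[0]
    return DOS_STUB_TEXT in buf[mz_offset:mz_offset + e_lfanew]


def build_sample_region():
    """Construct a region: junk with a decoy 'MZ', then a minimal DOS header, stub and PE signature."""
    decoy = bytes(0x100) + b"MZ" + bytes(0xFE)          # 'MZ' at 0x100 with e_lfanew = 0 (rejected)
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)      # e_lfanew = 0x80
    stub = bytearray(0x80 - 0x40)                       # pad from end of DOS header to e_lfanew
    stub[0x0E:0x0E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    return bytes(decoy) + bytes(dos_header) + bytes(stub) + b"PE\0\0" + bytes(0x100)


def scan_region(buf):
    """Return [(offset, stub_text_present)] for each PE image found in the region."""
    return [(off, has_dos_stub_text(buf, off)) for off in find_pe_images(buf)]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_region()
    for off, stub in scan_region(data):
        print(f"PE image at 0x{off:x}, DOS stub text {'present' if stub else 'absent'}")
```

Run with a file argument it scans a malfind dump; with none it scans the constructed buffer, where the decoy ‘MZ’ at 0x100 is rejected and only the real header at 0x200 is reported.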


CSI Internet – A trip into RAM by Frank Boldewin (English Version)
Tatort Internet – Eine Reise ins RAM by Frank Boldewin (Deutsche Version)
Volatility – CommandReference
Volatility – FeaturesByPlugin
Volatility Documentation Project (VDP) 2.0
Yara – A malware identification and classification tool

This Post Has 3 Comments
  1. Thanks much for the headstart on finding malware in memory. This is great!

