
How to Use

shusei tomonaga edited this page Apr 22, 2019 · 1 revision

MalConfScan has two functions malconfscan and malstrscan.

Export known malware configuration

malconfscan can dump the malware configuration data, decoded strings or DGA domains.

$ python vol.py malconfscan -f images.mem --profile=Win7SP1x64

For example:

RedLeaves configuration data (screenshot: RedLeaves sample)

Bebloh configuration data and DGAs (screenshot: Bebloh sample)

FormBook decoded strings (screenshot: FormBook sample)

List the referenced strings

malstrscan can list the strings to which malicious code refers. Configuration data is usually stored in encoded form by the malware; when the malware decodes it at runtime, the decoded data is written to memory and may still be present there. This feature may therefore list decoded configuration data.

By default this feature lists strings only from the memory space of the loaded PE. The -a option also lists strings in the other memory regions of the process, such as the heap.

$ python vol.py malstrscan -a -f images.mem --profile=Win7SP1x64

For example:

List the referenced strings of Ramnit (screenshot: Ramnit strings sample)
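To make concrete what "strings to which malicious code refers" means, here is a small added example that is not MalConfScan's own code: it walks the pointer-sized slots of a loaded PE image and reports every target that is a printable string, and its include_extra switch stands in for the -a option by also accepting targets in other regions such as the heap. The memory layout, region names and function names are constructed for this illustration and are assumptions, not taken from the tool.

```python
import struct

# Added illustration (not MalConfScan's code) of the idea behind malstrscan:
# walk pointer-sized slots in the loaded PE image and report the strings
# they point at. include_extra mirrors -a: also accept targets in other
# regions of the process, such as the heap. x64 pointers, as for the
# Win7SP1x64 profile used on the page.
PTR_SIZE = 8
MIN_LEN = 4  # shortest string worth reporting


def _string_at(data, off):
    """Printable, NUL-terminated ASCII string starting at off, or None."""
    end = off
    while end < len(data) and 0x20 <= data[end] < 0x7F:
        end += 1
    if end - off >= MIN_LEN and end < len(data) and data[end] == 0:
        return data[off:end].decode("ascii")
    return None


def referenced_strings(regions, pe_name="pe", include_extra=False):
    """regions: {name: (base_address, bytes)}. Returns (region, addr, str)
    for every pointer slot in the PE image whose target is a string."""
    pe_base, pe_data = regions[pe_name]
    targets = [pe_name]
    if include_extra:
        targets += [n for n in regions if n != pe_name]
    found = []
    for off in range(0, len(pe_data) - PTR_SIZE + 1, PTR_SIZE):
        (ptr,) = struct.unpack_from("<Q", pe_data, off)
        for name in targets:
            base, data = regions[name]
            if base <= ptr < base + len(data):
                s = _string_at(data, ptr - base)
                if s:
                    found.append((name, hex(ptr), s))
    return found


def build_sample():
    """Constructed memory layout for this example, not a real dump."""
    pe_base, heap_base = 0x140000000, 0x200000
    pe = bytearray(64)
    struct.pack_into("<Q", pe, 0, pe_base + 32)        # points into the image
    struct.pack_into("<Q", pe, 8, heap_base + 16)      # points into the heap
    struct.pack_into("<Q", pe, 16, 0x4141414141414141) # not a valid pointer
    pe[32:44] = b"CONFIG_KEY\x00\x00"                  # string in the image
    heap = bytearray(48)
    heap[16:35] = b"decoded.c2.invalid\x00"            # decoded string on the heap
    return {"pe": (pe_base, bytes(pe)), "heap": (heap_base, bytes(heap))}
```

Without include_extra only the string inside the image is reported; with it, the decoded string on the heap appears as well, which is the difference the -a option makes.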