Skip to content
/ intezer-volatility-plugin Public

Intezer plugin for Volatility 3 to conduct memory dump analysis.

License

Apache-2.0 license
8 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

intezer/intezer-volatility-plugin

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

36 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
intezer.py
intezer.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

Intezer Volatility 3 Plugin (beta)

Intezer plugin for Volatility 3 - memory dump analysis using Intezer.

About the plugin

  • Detects and analyzes malware, memory injections, and other threats in memory images.
  • Supports all Windows versions
  • Requires Volatility 3 (for Intezer Volatility 2 plugin, please get in touch with [email protected])
  • If you're looking to scan live machines, see Intezer's endpoint scanner

How it works

  • Dumps loaded modules and potential injections
  • Analyzes them using Intezer's code analysis
  • Provides verdict, classification, and clear view of all code found in the memory image

Getting started

  • Install Volatility 3
  • Install the plugin's dependencies: 
     pip install requests tenacity
  • Download the plugin file intezer.py from this repository and store it in Volatility's Windows plugins directory volatility3/volatility3/framework/plugins/windows/intezer.py
  • Get your Intezer API key from https://analyze.intezer.com/account-details
  • Create an empty output directory. Defining an output directory is critical. The plugin stores dump files and cache files. You can remove it after execution.
  • From the volatility3 directory, execute the plugin: 
     python vol.py -f [memdump] -o [output-dir] windows.intezer --intezer-key [api-key]
  • The plugin outputs the scan URL to view it in the Intezer web console. You also can find your scan history at https://analyze.intezer.com/history?tab=endpoint.

Troubleshooting

  • The plugin communicates with the Intezer API. Ensure it can access analyze.intezer.com via port 443 (HTTPS).
  • Ensure you have sufficient Intezer scan quota. Each memory scan consumes one endpoint scan quota from your Intezer account.
  • Ensure volatility can process the memory image by running the pslist command. 
     python vol.py -f [memdump] windows.pslist
  • Ensure the output directory you defined exists and empty.
  • To use the plugin with a dedicated Intezer instance specify --intezer-instance-url [dedicated-instance-url].
  • Contact Intezer's support:
    • Execute the plugin with the verbose flag -vv to display all the logs 
       python vol.py -f [memdump] -o [output-dir] -vv windows.intezer --intezer-key [api-key]
    • Or write all logs into a file using the -l option 
       python vol.py -f [memdump] -o [output-dir] -l intezer-volatility-plugin-log.txt windows.intezer --intezer-key [api-key]
    • Then contact us at [email protected] and attach the complete log.

About

Intezer plugin for Volatility 3 to conduct memory dump analysis.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

8 stars

Watchers

6 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages