changelog v-4.0.6:

• Update NEWS file ; NEWS.asciidoc
• Clear an object internally when retreiving directly from chi
• Removed the localization of lib/pf/authentication.pm in first filter
• Fixed issues with services not stopping

PacketFence is a fully supported, trusted network access control (NAC) system. It includes a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, and integration with the Snort IDS and the Nessus vulnerability scanner. It can be used to effectively secure networks, from small to very large heterogeneous networks.

changelog Snort v-2.9.5.5:

[*] Improvements
* Address issue with SMTP preprocessor and the ignore_tls_data configuration
to correctly stop inspection after an SMTP session is encrypted.
(Thanks Bram!)

* Disable all rule evaluation (as opposed to just rules with fast patterns)
for packets on a previously blocked session.

* Corrected when perfmon preprocessor writes stats to occur as soon as
both the time and packet count criteria are met.

* Enforce same restrictions on relative PCRE for HTTP buffers from
shared library rules as already existed with text rules.

Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.

Snort can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger, or a full network intrusion prevention system.

Features

• Protocol analysis and content searching/matching
• Uses a flexible rules language to describe traffic that it should collect or pass
• Detection engine that utilizes a modular plug-in architecture
• Real-time alerting capability
• Detects buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more

Download :
Windows: Snort_2_9_5_5_Installer.exe (2.5 MB) 
Linux : snort-2.9.5.5.tar.gz (5.0 MB) 
centos : snort-2.9.5.5-1.centos6.i386.rpm (6.3 MB) 
Redhat : snort-2.9.5.5-1.src.rpm (5.0 MB)
Find other version |
source : http://www.snort.org/
Our Pst before : http://seclist.us/2013/03/update-snort-v-2-9-4-1.html

24-09-2013 SmoothSec 3.4 released

[*] Improvements and fixes

New available deployments:

Standard (IDS mode – All in one mode [Snorby + Sensor]
Console (IDS mode – Distributed [Only Snorby web console])”
Sensor (IDS mode – Distributed [Only sensor])”

Ips-standard (IPS mode – All in one mode [Snorby + Sensor])”
Ips-console (IPS mode – Distributed [Only Snorby web console])”
Ips-sensor (IPS mode – Distributed [Only sensor])”
[*] Upgrades
Pigsty unified2 spooler v0.1.8

[*] New tools

Rule2alert, On-the-fly packet generation based off snort and suricata rules.
greppcap.py, Python/Scapy tool to find and extract regex-matching sessions from libpcap files.
nstreams, identify the IP streams that are occurring on a network from a non-user friendly tcpdump.
pktstat, displays a real-time summary of packet activity on an interface.
arpalert, monitor ARP changes in ethernet networks.

Smooth-Sec is a lightweight and fully-ready IDS/IPS (Intrusion Detection/Prevention System) Linux distribution based on Debian 7 (wheezy), available for 32 and 64 bit architecture. The distribution includes the latest version of Snorby, Snort, Suricata, PulledPork and Pigsty. An easy setup process allows to deploy a complete IDS/IPS System within minutes, even for security beginners with minimal Linux experience

System Requirement :

• VMware VM (Hardware Version 9)
• 4 vCPU’s
• 8GB of RAM
• 2 vNIC’s (SPAN, mgmt)
• 500GB of Storage
• 1GB network throughout

Download :
smoothsec-3.4-i386.iso (804.3 MB)
smoothsec-3.4-amd64.iso (728.6 MB)
Our post before : http://seclist.us/2012/07/smooth-sec-v-2-0-released.html
sources : https://github.com/smoothsec/docs/wiki

Droid Fusion is a platform for android mobile or any other mobile for doing Malware Analysis, Development, Application Pentesting,forensics. You can use it in any mobile security research, and if you have Droid Fusion, you don’t need to worry about finding tools. There are more then 60 tools and scripts and it is free.

Tool Features :
Rom Flash :
- SBFlash
- Heimdall CLI
- Heimdall Gui
- Fastboot

Android Exploitation :
- Mercury
- Android Framework For Exploitation
- Smartphone Pentest Framework
- Metasploit

Pentest Application :
- Burpsuite
- Wireshark
- Zap
- Ettermap
- W3af
- Zenmap

Device Forensic :
- Aflogical
- Dc 3dd
- iphone Backup Analyzer
- Scalpel
- Sleuthkit

Miscellsneous : 
- Android Kitchen
- Android Bruteforce
- iPhone Bruteforce
- Fastboot
- HconSTF
- Arduino IDE
- Record my desktop

and more…

Download : Droid fusion Beta.iso(3.0 GB) 
Username: Droid
Password: fusion
Sources : http://droidfusion.gurunsb.com/

changelog PacketFence – 4.1.0 :
======================================
- 0001752: [scanning] Fresh Snort install fails to start after rules update script is run (francis) – resolved.
- 0001749: [web admin] Can’t assign rules to an authentication source (francis) – resolved.
- 0001744: [configuration] Unable to add new rule to existing authentication source via the GUI (francis) – resolved.
- 0001742: [captive portal] Wispr doesn´t work (fdurand) – resolved.
- 0001738: [web admin] Advanced search results of users: Can’t sort by telephone nor by nodes count (francis) – resolved.
- 0001737: [captive portal] An matches/regexp condition in an LDAP source doesn’t test all values (francis) – resolved.
- 0001730: [web admin] Authentication rules can’t include dashes in their name (francis) – resolved.
- 0001729: [web admin] Can’t add rules to a freshly created authentication source (francis) – resolved.
- 0001715: [scanning] Snort (francis) – resolved.
- 0001724: [web admin] Help from documentation.conf is truncated (francis) – resolved.
- 0001712: [hardware modules] Argument “noSuchObject” isn’t numeric in numeric eq – resolved.
- 0001722: [captive portal] Local users can’t login on expiration date (francis) – resolved.
- 0001721: [web admin] Error when creating users with no “set role” action (francis) – resolved.
- 0001714: [captive portal] Htpasswd source doesn’t respect username (francis) – resolved.
- 0001706: [configuration] Freeradius config files overwritten on RPM upgrade (francis) – resolved.

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDSs and vulnerability scanners;PacketFence can be used to effectively secure networks – from small to very large heterogeneous networks.

Captive Portal Registration

Download :
PacketFence-ZEN-4.1.zip (543.4 MB) 
PacketFenceZEN_USB-4.1.0.zip (582.2 MB)

sources : http://www.packetfence.org/ | Our Post Before

Xplico is installed in the major distributions of digital forensics and penetration testing: Kali Linix, BackTrack, DEFT, Security Onion, Matriux, BackBox, CERT Forensics Tools and Pentoo.

The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP, RTP), IRC, MSN…
Xplico is able to classify more than 140 (application) protocols.
Xplico cam be used as sniffer-decoder if used in “live mode” or in conjunction with netsniff-ng.

Download Version :
Debian :
xplico_1.1.0_i386.deb (22.0 MB) 
xplico_1.1.0_amd64.deb (22.1 MB) 
Tarball : xplico-1.1.0.tgz (3.7 MB)
Sources : http://www.xplico.org/

Change and Update 14.03.2015  updates vulnerability scanner:

## Blackbox vulnerability scanne for the concrete5 CMS
## Detects concrete5 CMS, version and associated vulnerabilities
## Detects full path disclosure vulnerabilities
## Enumerates CMS users
## Brute-fores user account credentials

This section offers a selection of our fully featured security and hacking tools from NullSecurity.
+ Automation :
This section includes automation tools and wrapper scripts for well-known and public security tools to make your life easier. You can adjust the scripts fast and easily according to your own needs. Mostly written in bourne shell.
+ Backdoor :
Backdoors and rootkits for kernel and userland, network, hardware and software. Once you have gone through all the hard work making sure you can get on the system. Make sure you can always get back in.
+ Binary :
ELF and PE binary related tools. This section includes packers, runtime crypters, including our famous (thanks trusted sec team) hyperion tool from our very own belial and other stuff.
+ Cracker :
Tools for cracking network and software login masks. Not been able to find an exploit to give you RCE? Too lazy to SE? So go smash down the front doors and rummage around with our cracking and brute force tools.
+ Cryptography :
Encrypt all the things! With privacy issues moving up most people agenda with items like PRISM in the news cryptography it one of todays hot topics. It’s also pretty useful for exfiltrating data from your target environment, connecting to that C2 box and keeping your loot away from prying eyes.
+ DDoS :
(D)DoS tools if you wanna by like those n00bs at anonymous or simulate everyones favourite underground extortionists.
+ Exploit :
Proof of Concept tools and, if we are feeling particularly generous, fully working exploits because there is nothing more fun that RCE, except dinner with noptrix of course.
+ Fuzzer :
Didn’t find the exploit you wanted in our exploit section well try one of our fuzzers and write you own god damn code.
+ Keylogger :
When you really need to know those credentials you keep seeing the user enter or are too lazy to go searching for every new piece of useful information just try one of our keyloggers and get the user to do the hard work for you!
+ LogCleaner :
Just because our mothers raised us right, we always clean up after ourselves and pwnage is no exception. These logcleaners also help in not getting caught on that important engagement.
+ Misc :
This section includes miscellanous files. Often, you will find non-security related stuff here.
+ Resersing :
Whether figuring out how that new piece of malware you just discovered works or hunting for the next 0day from $vendor, our reversing toolz will help you on your way.
+ Scanner
Can’t find any useful hints on shodan? Google dorks not dishing up the goods? Hell get one of our scanners out and track down your targets in 2 shakes of a lol-cat’s tail.
+ Shellcode
Just because our fuzzer worked or the PoC was fantastic doesn’t mean that running calc is gonna put a smile on your face. If you got RCE try our shellcodes to actually do something useful.
+ Wireless
Why wireless? It works and you don’t have to wear your favorite nullsecurity hoody to hide you face from the camera in reception. Hack all the thingz!

Downlaod : Master.zip  | Clone Url
Source : http://nullsecurity.net/

Ratdecoders : a collection of Python Scripts that will extract and decode the configuration settings from common rats.

see the allocated address of the memory in the EAX register: 0x40B61B

Change and updates 15.03.2015 AlienSpy Rat Rat Config Decoder :
+ __description__ = ‘AlienSpy Rat Config Extractor’
+ __author__ = ‘Kevin Breen http://techanarchy.net http://malwareconfig.com’
+ __version__ = ‘0.1’
+ __date__ = ‘2015/03/03′
Here is a list of the currently supported RATS:
– Adwind
– Albertino Advanced RAT
– Arcom
– BlackNix
– BlackShades
– Blue Banana
– Bozok
– ClientMesh
– CyberGate
– DarkComet
– drakddoser
– DarkRat
– Graeme
– jRat
– LostDoor
– LuxNet
– njRat
– Pandora
– PoisionIvy
– Punisher
– SpyGate
– SmallNet
– Unrecom
– Vantom
– Vertex
– VirusRat
– xtreme

Upcoming RATS :
– NetWire
– Gh0st
– Plasma
– Any Other Rats i can find.

Requirements :
There are several modules that are required and each script is different, Please check the individual scripts. This list is a complete listing of all the Python Modules across all decoders

pefile – https://code.google.com/p/pefile/
pycrypto – https://pypi.python.org/pypi/pycrypto/2.6.1
pype32 – https://github.com/crackinglandia/pype32

ToDo :
There will be more decoders coming Finish the Recursive mode on several of the Decoders

Reference :
Malware.lu for the initial xtreme Rat Writeup – https://code.google.com/p/malware-lu/wiki/en_xtreme_RAT

Fireye for their Poison Ivy and Xtreme rat WriteUps (Even though they ignored my tweet and reply ) – http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html

Shawn Denbow and Jesse Herts for their paper here – http://www.matasano.com/research/PEST-CONTROL.pdf

Download : Master.zip  | Clone Url
Source : https://github.com/kevthehermit

Smudge is a Windows forensics tool with a simple premise, attackers are lazy when installing persistence mechanisms. Persistence usually involves installing some mechanism on a compromised machine to allow the attacker continued access to the machine across reboots, updates, and password changes.

Example Screen Capture Smudge : simple Windows forensics tool

However, while these persistence mechanisms may actually be well hidden and the C2 agents patient, many professional pieces of penetration testing software are so careless as to leave unobfuscated strings on disk or unsantized strings in memory. Smudge takes advantage of this by searching disk and process memory for strings resembling http resources, domain names and IP addresses. Smudge’s purpose is to point out anomalies and shed light on suspicious files and processes. Smudge leaves judgement of what is malware up to the operator.

Download :
smudge.exe
smudge64.exe
source tarball
Source : https://github.com/NickStephens

 Latest changes, bug fixes and tool added :
– Add update GeoIP files
– Rename .cpp cod to .c for packet parser
– Add help to project remark
– Add script for geoip bases update
– Move common code to library
– Add Cojacfar
– Fixes in performance tests
– Add patch for netmap
– Fix for compilation on Mac OS X Yosemite
– Move separate code files to test folder
– Enable fast_library linking woth boost modules
– Move syn umbrella to separate project

FastNetMon – A high performance DoS/DDoS and netflowk load analyzer built on top of multiple packet capture engines (netmap, PF_RING, sFLOW, Netflow, PCAP).

Features:
– Can process incoming and outgoing traffic
– Can trigger block script if certain IP loads network with a large amount of packets per second
– Can trigger block script if certain IP loads network with a large amount of bytes per second
– Can trigger block script if certain IP loads network with a large amount of flows per second
– netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
– PF_RING ZC/DNA support (wire speed processing on tens of MPPS but needs license)
– Can process sFLOW v5
– Can process NetFlow v5, v9, ipfix
– Can use PCAP for packet sniffing
– Can work on mirror/SPAN ports
– Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
– Can work on server/soft-router
– Can detect DoS/DDoS in 1-2 seconds
– Tested up to 10GE with 5-6 Mpps on Intel i7 2600 with Intel Nic 82599
– Complete plugin support

Supported platforms:
– Linux (Debian 6/7, CentOS 6/7, Ubuntu 12+)
– FreeBSD 9, 10, 11
– Mac OS X Yosemite

Why netflow is not an best solution for DoS/DDoS attack detection?
– It need additional licenses or even hardware (Juniper MX240, MX480, MX960 – additional license)
– It realized in software and can overload equipment (Juniper SRX, J-series, Microtic, VmWare, Linux)
– Even on top equipment flow-active-timeout starts from 60 seconds and it’s very slow for massive attacks and slow-speed-attacks both.
Example deployment scheme:
Step By Step Manual Installation :
At first you should install PF_RING (you can install any latest version :

cd /usr/src
wget 'http://downloads.sourceforge.net/project/ntop/PF_RING/PF_RING-6.0.2.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fntop%2Ffiles%2FPF_RING%2F&ts=1402307916&use_mirror=cznic' -OPF_RING-6.0.2.tar.gz
tar -xf PF_RING-6.0.2.tar.gz 
cd PF_RING-6.0.2
# Debian way
apt-get install build-essential bison flex linux-headers-$(uname -r) libnuma-dev
# CentOS
yum install -y make bison flex kernel-devel gcc gcc-c++
# CentOS openvz case 
yum install -y make bison flex vzkernel-devel gcc gcc-c++

Build PF_RING kernel module:

cd kernel
make
make install
modprobe pf_ring

You can use precompiled and statically linced version of this tool without any compiling:

mkdir /root/fastnetmon
cd /root/fastnetmon
wget  https://raw.githubusercontent.com/FastVPSEestiOu/fastnetmon/master/fastnetmon -Ofastnetmon
chmod +x fastnetmon
./fastnetmon eth0

If you want to use static version you can skip this guide to part about “networks_list”.

Build lib:

# Debian
apt-get install -y libnuma-dev
# CentOS
yum install -y numactl-devel
cd /usr/src/PF_RING-6.0.2/userland/lib
./configure --prefix=/opt/pf_ring
make
make install

Install FastNetMon:

# Debian 7 Wheezy
   apt-get install -y git  g++ gcc libboost-all-dev make libgpm-dev libncurses5-dev liblog4cpp5-dev libnuma-dev libgeoip-dev libhiredis-dev libpcap-dev
   # CentOS 
   yum install -y git make gcc gcc-c++ boost-devel GeoIP-devel log4cpp-devel ncurses-devel glibc-static ncurses-static gpm-static gpm-devel 

   # For compiling on CentOS please remove line "STATIC = -static" from file Makefile and replace line "LIBS += -lboost_thread" by line "LIBS += -lboost_thread-mt"

   cd /usr/src
   git clone https://github.com/FastVPSEestiOu/fastnetmon.git
   cd fastnetmon

Build FastNetMon with cmake:

cd /usr/src/fastnetmon
mkdir build
cd build
cmake ..
make

You should start fastnetmon using this options:

LD_LIBRARY_PATH=/opt/pf_ring/lib/ ./fastnetmon eth3,eth4

If you want to avoid LD_LIBRARY_PATH on every call you should add pf_ring path to system:

echo "/opt/pf_ring/lib" > /etc/ld.so.conf.d/pf_ring.conf
ldconfig -v

It’s REQUIRED to add all your networks in CIDR form to file /etc/networks_list if form when one subnet on one line. Please aggregate your networks because long networks list will significatly slow down programm. And please change REDIS_SUPPORT = yes to no in Makefile if you do not need traffic counting feature. When you running this software in OpenVZ node you may did not specify networks explicitly, we can read it from file /proc/vz/veip.

You can add whitelist subnets in similar form to /etc/networks_whitelist (CIDR masks too).
Copy standard config file to /etc:

cp fastnetmon.conf /etc/fastnetmon.conf

Start it:

./fastnetmon eth1,eth2

Enable programm start on server startup, please add to /etc/rc.local this lines:

screen -S fastnetmon -d -m /root/fastnetmon/fastnetmon

When incoming or outgoing attack arrives programm call bash script (when it exists): /usr/local/bin/notify_about_attack.sh two times. First time when threshold exceed (at this step we know IP, direction and power of attack). Second when we collect 100 packets for detailed audit what did happens.

Downlod : zipball  | or git clone  | Our post Before
Author : Pavel Odintsov  pavel.odintsov@gmail.com License: GPLv2

androtools is Android malware static & dynamic analysis tool optimized for automated analysis. This work was motivated observing real-world needs for Police Officer and Malware Analysts who want to quickly check the malware’s specifics and detect type of Android malware briefly. This androtools supports Automated action in dynamic analysis which analyst don’t need to click button or activate & deactivate Device Admin. This total action only cost less then 1 minutes

Example Output Android Malware Analysis Report

Specifics about androtools:
– Automated click, button detection, activate & deactivate Device Admin from Device
– DEX class parse, string parse
– IP, Email, URL Searching in DEX, SO File
– APK File Similarity from user’s analysis history (fuzzyhash)
– APK Filetype Analysis
– AndroidManifest.xml Information
– Certification Information
– String XML Information
– Packet Data from Device
– Application Data Section Read & Write status
– Logcat Data when Application Run

User Guide
How to use :
1. git clone https://github.com/bunseokbot/androtools.git
2. python androtools.py <APK_MALWARE_FILE_PATH> <OUTPUT_HTML_PATH> Analysis Complete!

Pre-Install :
analyst have to install tcpdump in Android Virtual Device and ssdeep in Environment. or

Download : Master.zip (1.7 MB)  | Clone Url
Source : https://github.com/bunseokbot | androtools – developer Kim Namjun(@bunseokbot)

Dnsforwarder is a designed for anti-spoofing tool.
Latest version 5.0.11:
– Bug Fixing Compiling on win x86 and win x64

A dnsforwarder designed for anti-spoofing

configure parameters:
–enable-downloader =
+ Select the library or calling program when downloading Hosts and GFW List

Options:
+ libcurl: call libcurl, coupled with the introduction of this option will depend libcurl (default)
+ wget: wget to download the execution file, which some did libcurl but Busybox (Busybox generally with wget) environment under applicable
+ do not use the download function, you can not use the network function Hosts and GFW List

—enable-base64decoder =
+ When using select Base64 decoding library or program
+ Base64 decoding in decoding GFW List

Options:
– openssl: openssl call decoding library, add this option will be introduced openssl (libcrypto) depend on (the default)
– uudecode: execution uudecode (Busybox generally with) decoding
– If neither openssl nor uudecode (Busybox), then choose uudecode
–enable-static
+ Statically link all libraries
–enable-android
+ If the target is androideabi, please turn on this option. Production on Android toolchain, please Google “Android Standalone Toolchain”, while paying attention to use the “libc.so” on the phone, “libm.so” and “libthread_db.so” replace tool chain corresponding file.

Dependencies :
For Linux:
– pthread;
– libcurl (optional);
– openssl (optional).
+ Macros needed to be declared while compiling :
For Linux: None.

For Windows x86 (at least Windows XP)
– WIN32
For Windows x86-64 (at least Windows Vista):
– WIN32
– WIN64
Usage :

Usage : dnsforwarder [args].
 [args] is case sensitivity and can be zero or more (in any order) of:
  -f <FILE>  Use configuration <FILE> instead of the default one.
  -q         Quiet mode. Do not print any information.
  -e         Show only error messages.
  -d         Daemon mode. Running at background.
  -P         Try to probe all the fake IP addresses held in false DNS responses.

  -p         Prepare needed environment.

  -h         Show this help.

Output format:
 Date & Time [Udp|Tcp|Cache|Hosts|Refused|Blocked][Client IP][Type in querying][Domain in querying] : Message size
    Results

Download : dnsforwarder-5.zip  | Clone Url
Source : https://github.com/holmium

Maldrolyzer is a Simple framework to extract “actionable” data from Android malware (C&Cs, phone numbers etc.)
Changelog 30.03.2015 :
+ Templates.py ; Modules
+ maldrolyzer.py ; Reorganization + xbot007 decoder
+ Plugin ; xbot007 plugin now covers the ‘%’ version

Installation:
You have to install the following packets before you start using this project:
+ Androguard (https://github.com/androguard/androguard)
+ PyCrypto (easy_install pycrypto)
+ pyelftools (easy_install pyelftools)

Architecture :
Idea is really simple and modular. The project has couple of directories, which host a place for you static analysis or output processing:
+ plugins – this is were the code responsible for the malware identification and data extraction is. Every class has to inherit from Plugin class from templates. ** Method recon idetifies the malware – put there all of the code you need to make sure you can extract the data. ** Method extract does the usual extraction. There is no specific format for the extracted data, but it’s good to keep it in Python dictionary, so that the ouput processors could read it in a uniform way.
+ processing – this is were you put classes that inherit from OutputProcessor class. They are invoked after the data extraction and get the extracted info. ** process method takes the data and produces some kind of a result (i.e. adds a file or C&C to you database, checks if the C&C is live etc.)
If you want to contribute, write a plugin that decodes some new malware family. It’s easy, just look at the existing plugins.

Usage :
So, you have an APK sample and you don’t know what it is and where is the C&C? Type:

python maldrolyzer.py [sample_path]

If maldrolyzer knows the malware family it will display some useful information like:

{'c2': ['http://esaphapss.net/bn/save_message.php'],
 'malware': 'xbot007',
 'md5': 'ce17e4b04536deac4672b98fbee905e0',
 'sha1': 'a48a2b8a5e1cae168ea42bd271f5b5a0c65f59a9',
 'sha256': 'c3a24d1df11baf2614d7b934afba897ce282f961e2988ac7fa85e270e3b3ea7d',
 'sha512': 'a47f3db765bff9a8d794031632a3cf98bffb3e833f90639b18be7e4642845da2ee106a8947338b9244f50b918a32f1a6a952bb18a1f86f8c176e81c2cb4862b9'}

Download : Master.zip  | Clone Url
Source : https://github.com/maldroid

Detects abnormal number of handle creations in an attempt to identify crypto ransomware encryption, or destructive malware in action

handle_monitor – Identifying and Disrupting Crypto-Ransomware (and Destructive Malware) using handle heurustics.

Usage:
handle_monitor.exe <optional arguments>

Optional parameters:
/cycles=X – Set number of cycles before a review [Default: 10]
/threshold=X – Set suspicion threshold for number of new handles [Default: 10]
/pause=X – Set pause in milliseconds between cycles [Default: 1000]
/signed – Include signed executables in review process
/suspend – Suspend processes identified as suspicious
/verbose – Display verbose progress messages

How it works:
1. Index all file handles from all running processes
2. Pauses for /pause=X amount of time
3. Checks again, adding new handles to the index, and keeping a tally
4. After /cycles=X iterations, perform an analysis
5. Analysis checks whether any processes have created /threshold=X or more new handles
6. If so, will either raise an alert, or /suspend the process (if required)

By default, it only looks for unsigned executables (to reduce noise), but signed can be included with /signed

Download :
handle_monitor_x86.exe  | handle_monitor_x64.exe
hm_test_x86.exe
hm_test_x64.exe
v1.0.zip
v1.0.tar.gz
Source : https://github.com/adamkramer

Change and updates 04.03.2015 jRat Rat Config Extractor :
+__description__ = ‘jRat Rat Config Extractor’
+__author__ = ‘Kevin Breen http://techanarchy.net http://malwareconfig.com’
+__version__ = ‘0.3’
+__date__ = ‘2015/04/03′

jRat Rat Config Extractor

Ratdecoders : a collection of Python Scripts that will extract and decode the configuration settings from common rats.

see the allocated address of the memory in the EAX register: 0x40B61B

Here is a list of the currently supported RATS:
– Adwind
– Albertino Advanced RAT
– Arcom
– BlackNix
– BlackShades
– Blue Banana
– Bozok
– ClientMesh
– CyberGate
– DarkComet
– drakddoser
– DarkRat
– Graeme
– jRat
– LostDoor
– LuxNet
– njRat
– Pandora
– PoisionIvy
– Punisher
– SpyGate
– SmallNet
– Unrecom
– Vantom
– Vertex
– VirusRat
– xtreme

Upcoming RATS :
– NetWire
– Gh0st
– Plasma
– Any Other Rats i can find.

Requirements :
There are several modules that are required and each script is different, Please check the individual scripts. This list is a complete listing of all the Python Modules across all decoders

pefile – https://code.google.com/p/pefile/
pycrypto – https://pypi.python.org/pypi/pycrypto/2.6.1
pype32 – https://github.com/crackinglandia/pype32

ToDo :
There will be more decoders coming Finish the Recursive mode on several of the Decoders

Reference :
Malware.lu for the initial xtreme Rat Writeup – https://code.google.com/p/malware-lu/wiki/en_xtreme_RAT

Fireye for their Poison Ivy and Xtreme rat WriteUps (Even though they ignored my tweet and reply ) – http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html

Shawn Denbow and Jesse Herts for their paper here – http://www.matasano.com/research/PEST-CONTROL.pdf

Download : Master.zip  | Clone Url | Our Post Before
Source : https://github.com/kevthehermit

VolDiff is a bash script that runs Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes.

VolDiff is a simple yet powerfull malware analysis tool that enables malware analysts to quickly identify IOCs and understand advanced malware behaviour.

Use Directions:
1.Capture a memory dump of a clean Windows system and save it as “baseline.raw”. This image will serve as a baseline for the analysis.
2.Execute your malware sample on the same system, then take a second memory dump and save it as “infected.raw”.
3.Run VolDiff:

./VolDiff.sh path/to/baseline.raw path/to/infected.raw profile
"profile" should be "Win7SP0x86" or "Win7SP1x64" etc.

VolDiff will save the output of a selection of Volatility plugins for both memory images (baseline and infected), then it will create a report to highlight notable changes (new processes, network connections, injected code, drivers etc).

Example Output :

PC-RESEARCHERS$ ./VolDiff.sh 
 _    __      ______  _ ________
| |  / /___  / / __ \(_) __/ __/
| | / / __ \/ / / / / / /_/ /_  
| |/ / /_/ / / /_/ / / __/ __/  
|___/\____/_/_____/_/_/ /_/     

Volatility analysis report generated by VolDiff v0.9.1 (https://github.com/aim4r/VolDiff).

Suspicious new netscan entries
=========================================================================

Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3da3f618         TCPv4    172.16.108.128:139             0.0.0.0:0            LISTENING        4        System         
0x3daeccf8         TCPv4    0.0.0.0:80                     0.0.0.0:0            LISTENING        2108     explorer.exe   
0x3dad8008         TCPv4    172.16.108.128:49167           62.24.131.168:80     CLOSED           924      svchost.exe    
0x3fc7b630         TCPv4    172.16.108.128:49164           65.55.50.157:443     CLOSED           924      svchost.exe    
0x3fc8b5f0         TCPv4    172.16.108.128:49165           62.24.131.168:80     CLOSED           924      svchost.exe    
0x3fdf2348         TCPv4    172.16.108.128:49168           87.236.215.151:80    CLOSED           2108     explorer.exe   


Suspicious new pslist entries
=========================================================================

Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x855c9738 wuauclt.exe            3976    924      5       97      1      0 2015-04-18 22:58:09 UTC+0000                                 
0x872de0c0 cmd.exe                1184   1544      0 --------      0      0 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  
0x8510c980 ipconfig.exe           2544   1184      0 --------      0      0 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  
0x85123030 conhost.exe            2560    360      0 --------      0      0 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  
0x8510c980 ipconfig.exe           2544   1184      0 --------      0      0 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  


Suspicious new psscan entries
=========================================================================

Offset(P)          Name                PID   PPID PDB        Time created                   Time exited                   
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003dade0c0 cmd.exe            1184   1544 0x3ee13380 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  
0x000000003fd0c980 ipconfig.exe       2544   1184 0x3ee135c0 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  
0x000000003f9c9738 wuauclt.exe        3976    924 0x3ee134e0 2015-04-18 22:58:09 UTC+0000                                 
0x000000003fd0c980 ipconfig.exe       2544   1184 0x3ee135c0 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  
0x000000003fd23030 conhost.exe        2560    360 0x3ee13500 2015-04-18 22:58:29 UTC+0000   2015-04-18 22:58:29 UTC+0000  

Suspicious new ldrmodules entries
=========================================================================

Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     360 csrss.exe            0x4a040000 True   False  True  \Windows\System32\csrss.exe
     424 csrss.exe            0x011a0000 False  False  False \Windows\Fonts\vga850.fon
    1096 svchost.exe          0x00220000 True   False  True  \Windows\System32\svchost.exe
    1324 spoolsv.exe          0x009d0000 False  False  False \Windows\System32\spool\drivers\w32x86\3\fr-FR\PS5UI.DLL.mui
    2108 explorer.exe         0x04990000 False  False  False \Windows\System32\fr-FR\crypt32.dll.mui
    2108 explorer.exe         0x020b0000 False  False  False \Windows\System32\fr-FR\mpr.dll.mui
    2108 explorer.exe         0x040b0000 False  False  False \Windows\System32\fr-FR\urlmon.dll.mui
    2108 explorer.exe         0x06b80000 False  False  False \Windows\System32\imageres.dll
    2108 explorer.exe         0x04a70000 False  False  False \Windows\System32\fr-FR\oleaccrc.dll.mui
    2108 explorer.exe         0x03690000 False  False  False \Windows\System32\fr-FR\user32.dll.mui
    2108 explorer.exe         0x02280000 False  False  False \Windows\System32\fr-FR\shdocvw.dll.mui
    2108 explorer.exe         0x046e0000 False  False  False \Windows\System32\fr-FR\KernelBase.dll.mui
    2108 explorer.exe         0x03700000 False  False  False \Windows\System32\fr-FR\winmm.dll.mui
    2108 explorer.exe         0x02270000 False  False  False \Windows\System32\fr-FR\imageres.dll.mui
    3976 wuauclt.exe          0x00ac0000 True   False  True  \Windows\System32\wuauclt.exe
    3976 wuauclt.exe          0x00100000 False  False  False \Windows\System32\oleaccrc.dll
    3976 wuauclt.exe          0x00310000 False  False  False \Windows\System32\fr-FR\wucltux.dll.mui


Suspicious new malfind entries
=========================================================================

Process: explorer.exe Pid: 2108 Address: 0x22f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x022f0000  4d 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00   MZ..............
0x022f0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x022f0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x022f0030  00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00   ............@...

0x22f0000 4d               DEC EBP
0x22f0001 5a               POP EDX
0x22f0002 0000             ADD [EAX], AL
0x22f0004 0000             ADD [EAX], AL
0x22f0006 0000             ADD [EAX], AL
0x22f0008 0000             ADD [EAX], AL
0x22f000a 0000             ADD [EAX], AL
0x22f000c 0000             ADD [EAX], AL
0x22f000e 0000             ADD [EAX], AL
0x22f0010 0000             ADD [EAX], AL
0x22f0012 0000             ADD [EAX], AL
0x22f0014 0000             ADD [EAX], AL
0x22f0016 0000             ADD [EAX], AL
0x22f0018 0000             ADD [EAX], AL
0x22f001a 0000             ADD [EAX], AL
0x22f001c 0000             ADD [EAX], AL
0x22f001e 0000             ADD [EAX], AL
0x22f0020 0000             ADD [EAX], AL
0x22f0022 0000             ADD [EAX], AL
0x22f0024 0000             ADD [EAX], AL
0x22f0026 0000             ADD [EAX], AL
0x22f0028 0000             ADD [EAX], AL
0x22f002a 0000             ADD [EAX], AL
0x22f002c 0000             ADD [EAX], AL
0x22f002e 0000             ADD [EAX], AL
0x22f0030 0000             ADD [EAX], AL
0x22f0032 0000             ADD [EAX], AL
0x22f0034 0000             ADD [EAX], AL
0x22f0036 0000             ADD [EAX], AL
0x22f0038 0000             ADD [EAX], AL
0x22f003a 0000             ADD [EAX], AL
0x22f003c 40               INC EAX
0x22f003d 0000             ADD [EAX], AL
0x22f003f 00               DB 0x0


Process: explorer.exe Pid: 2108 Address: 0x10060000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 65537, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x10060000  55 89 e5 53 57 56 81 ec 9c 01 00 00 8b 45 08 c7   U..SWV.......E..
0x10060010  45 ec 04 00 00 00 8b 4d ec c7 45 c0 01 00 00 00   E......M..E.....
0x10060020  8b 55 c0 c7 85 e8 fe ff ff 01 00 00 00 8b b5 e8   .U..............
0x10060030  fe ff ff c7 85 18 ff ff ff 20 00 00 00 c6 85 53   ...............S

0x10060000 55               PUSH EBP
0x10060001 89e5             MOV EBP, ESP
0x10060003 53               PUSH EBX
0x10060004 57               PUSH EDI
0x10060005 56               PUSH ESI
0x10060006 81ec9c010000     SUB ESP, 0x19c
0x1006000c 8b4508           MOV EAX, [EBP+0x8]
0x1006000f c745ec04000000   MOV DWORD [EBP-0x14], 0x4
0x10060016 8b4dec           MOV ECX, [EBP-0x14]
0x10060019 c745c001000000   MOV DWORD [EBP-0x40], 0x1
0x10060020 8b55c0           MOV EDX, [EBP-0x40]
0x10060023 c785e8feffff01000000 MOV DWORD [EBP-0x118], 0x1
0x1006002d 8bb5e8feffff     MOV ESI, [EBP-0x118]
0x10060033 c78518ffffff20000000 MOV DWORD [EBP-0xe8], 0x20
0x1006003d c6               DB 0xc6
0x1006003e 85               DB 0x85
0x1006003f 53               PUSH EBX


Suspicious new timeliner entries
=========================================================================

1970-01-01 00:00:00 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:49164 -> 65.55.50.157:443| 924/TCPv4/CLOSED/0x3fc7b630
1970-01-01 00:00:00 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:49165 -> 62.24.131.168:80| 924/TCPv4/CLOSED/0x3fc8b5f0
1970-01-01 00:00:00 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:49167 -> 62.24.131.168:80| 924/TCPv4/CLOSED/0x3dad8008
1970-01-01 00:00:00 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:49168 -> 87.236.215.151:80| 2108/TCPv4/CLOSED/0x3fdf2348
2015-04-18 22:49:24 UTC+0000|[PROCESS]| lsm.exe| PID: 524/PPID: 412/POffset: 0x3e014030
2015-04-18 22:49:24 UTC+0000|[PROCESS]| services.exe| PID: 508/PPID: 412/POffset: 0x2594c3a8
2015-04-18 22:49:24 UTC+0000|[PROCESS]| winlogon.exe| PID: 480/PPID: 404/POffset: 0x3e368628
2015-04-18 22:49:25 UTC+0000|[PROCESS]| svchost.exe| PID: 640/PPID: 508/POffset: 0x3e072c48
2015-04-18 22:49:26 UTC+0000|[PROCESS]| vmtoolsd.exe| PID: 1544/PPID: 508/POffset: 0x3e178130
2015-04-18 22:49:27 UTC+0000|[PROCESS]| TPAutoConnSvc.| PID: 1792/PPID: 508/POffset: 0x3e1bbd40
2015-04-18 22:49:32 UTC+0000|[PROCESS]| conhost.exe| PID: 2184/PPID: 424/POffset: 0x3da32030
2015-04-18 22:49:32 UTC+0000|[PROCESS]| explorer.exe| PID: 2108/PPID: 2084/POffset: 0x3da16828
2015-04-18 22:51:27 UTC+0000|[PROCESS]| mscorsvw.exe| PID: 3176/PPID: 508/POffset: 0x3e135538
2015-04-18 22:56:42 UTC+0000|[NETWORK CONNECTION]| fe80::2587:a98d:6d2c:9d30:546 -> *:*| 756/UDPv6//0x3fd00008
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| ::1:1900 -> *:*| 3140/UDPv6//0x3df328f0
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| 127.0.0.1:1900 -> *:*| 3140/UDPv4//0x3f930008
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| 127.0.0.1:58120 -> *:*| 3140/UDPv4//0x3fce9008
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| ::1:58118 -> *:*| 3140/UDPv6//0x3f930a58
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:137 -> *:*| 4/UDPv4//0x3fac8640
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:138 -> *:*| 4/UDPv4//0x3da0e2d0
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:1900 -> *:*| 3140/UDPv4//0x3e1db610
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:58119 -> *:*| 3140/UDPv4//0x3fc51990
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| fe80::2587:a98d:6d2c:9d30:1900 -> *:*| 3140/UDPv6//0x3dc2ec70
2015-04-18 22:56:43 UTC+0000|[NETWORK CONNECTION]| fe80::2587:a98d:6d2c:9d30:58117 -> *:*| 3140/UDPv6//0x3fdc2e98
2015-04-18 22:58:09 UTC+0000|[PROCESS]| wuauclt.exe| PID: 3976/PPID: 924/POffset: 0x3f9c9738
2015-04-18 22:58:29 UTC+0000|[NETWORK CONNECTION]| 0.0.0.0:0 -> *:*| 1232/UDPv4//0x3f297f50
2015-04-18 22:58:29 UTC+0000|[NETWORK CONNECTION]| 0.0.0.0:5355 -> *:*| 1232/UDPv4//0x3f9346f8
2015-04-18 22:58:29 UTC+0000|[NETWORK CONNECTION]| 0.0.0.0:5355 -> *:*| 1232/UDPv4//0x3fac7110
2015-04-18 22:58:29 UTC+0000|[NETWORK CONNECTION]| :::0 -> *:*| 1232/UDPv6//0x3f297f50
2015-04-18 22:58:29 UTC+0000|[NETWORK CONNECTION]| 172.16.108.128:68 -> *:*| 756/UDPv4//0x3faa0238
2015-04-18 22:58:29 UTC+0000|[NETWORK CONNECTION]| :::5355 -> *:*| 1232/UDPv6//0x3f9346f8
2015-04-18 22:58:29 UTC+0000|[PROCESS]| cmd.exe| PID: 1184/PPID: 1544/POffset: 0x3dade0c0 End: 2015-04-18 22:58:29 UTC+0000
2015-04-18 22:58:29 UTC+0000|[PROCESS]| conhost.exe| PID: 2560/PPID: 360/POffset: 0x3fd23030 End: 2015-04-18 22:58:29 UTC+0000
2015-04-18 22:58:29 UTC+0000|[PROCESS]| ipconfig.exe| PID: 2544/PPID: 1184/POffset: 0x3fd0c980 End: 2015-04-18 22:58:29 UTC+0000


Suspicious new svcscan entries
=========================================================================

Process ID: -
Service State: SERVICE_STOPPED
Binary Path: -
Process ID: 876
Service State: SERVICE_RUNNING
Binary Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Process ID: 924
Service State: SERVICE_RUNNING
Binary Path: C:\Windows\system32\svchost.exe -k netsvcs


Suspicious new cmdline entries
=========================================================================

wuauclt.exe pid:   3976
Command line : "C:\Windows\system32\wuauclt.exe"
************************************************************************
cmd.exe pid:   1184
conhost.exe pid:   2560
ipconfig.exe pid:   2544


Suspicious new mutantscan entries
=========================================================================

Offset(P)              #Ptr     #Hnd Signal Thread           CID Name
------------------ -------- -------- ------ ---------- --------- ----
0x000000003da022f8        3        2      1 0x00000000           HGFSMUTEX
0x000000003da3e120        2        1      1 0x00000000           5827a689a8a470200835d840817112f0
0x000000003daaab90        2        1      1 0x00000000           WininetProxyRegistryMutex
0x000000003df68d60        2        1      0 0x855d8248 2108:1140 41df362a3f3d701bb5b5749a3e43f484
0x000000003e171b68        5        4      1 0x00000000           d3b1bbc7-c020-4056-9ded-7c6f40b5a2fc
0x000000003f984208        2        1      0 0x852c41d0 2108:3712 ad1751de900a1713cecd716adfda611f
0x000000003f99a228        2        1      1 0x00000000           WininetStartupMutex
0x000000003f9ddef8        2        1      0 0x872aabe0  2108:668 cb16681dee85a67993f0759da19566be
0x000000003fcd69a0        2        1      1 0x00000000           WininetConnectionMutex

Suspicious new getsids entries
=========================================================================

wuauclt.exe (3976): S-1-5-21-2921091077-2763243831-321783825-1000 (victim)
wuauclt.exe (3976): S-1-5-21-2921091077-2763243831-321783825-513 (Domain Users)
wuauclt.exe (3976): S-1-1-0 (Everyone)
wuauclt.exe (3976): S-1-5-32-544 (Administrators)
wuauclt.exe (3976): S-1-5-32-545 (Users)
wuauclt.exe (3976): S-1-5-4 (Interactive)
wuauclt.exe (3976): S-1-2-1 (Console Logon (Users who are logged onto the physical console))
wuauclt.exe (3976): S-1-5-11 (Authenticated Users)
wuauclt.exe (3976): S-1-5-15 (This Organization)
wuauclt.exe (3976): S-1-5-5-0-276475 (Logon Session)
wuauclt.exe (3976): S-1-2-0 (Local (Users with the ability to log in locally))
wuauclt.exe (3976): S-1-5-64-10 (NTLM Authentication)
wuauclt.exe (3976): S-1-16-8192 (Medium Mandatory Level)
cmd.exe (1184): S-1-5-18 (Local System)
cmd.exe (1184): S-1-5-32-544 (Administrators)
cmd.exe (1184): S-1-1-0 (Everyone)
cmd.exe (1184): S-1-5-11 (Authenticated Users)
cmd.exe (1184): S-1-16-16384 (System Mandatory Level)
conhost.exe (2560): S-1-5-18 (Local System)
conhost.exe (2560): S-1-5-32-544 (Administrators)
conhost.exe (2560): S-1-1-0 (Everyone)
conhost.exe (2560): S-1-5-11 (Authenticated Users)
conhost.exe (2560): S-1-16-16384 (System Mandatory Level)
ipconfig.exe (2544): S-1-5-18 (Local System)
ipconfig.exe (2544): S-1-5-32-544 (Administrators)
ipconfig.exe (2544): S-1-1-0 (Everyone)
ipconfig.exe (2544): S-1-5-11 (Authenticated Users)
ipconfig.exe (2544): S-1-16-16384 (System Mandatory Level)

Bash Script :

#!/bin/bash
# VolDiff malware analysis script.
# Written by Houcem Hachicha aka @aim4r.

version="0.9.1"

################################ PRINT AMAZING BANNER ################################
echo -e " _    __      ______  _ ________"
echo -e "| |  / /___  / / __ \(_) __/ __/"
echo -e "| | / / __ \/ / / / / / /_/ /_  "
echo -e "| |/ / /_/ / / /_/ / / __/ __/  "
echo -e "|___/\____/_/_____/_/_/ /_/     "

echo -e "\nVolDiff: Malware Memory Footprint Analysis (v$version)"
################################ HELP SECTION ################################
if [[ $@ =~ "--help" ]] ; then
  echo -e "\nUsage: ./VolDiff.sh BASELINE_IMAGE INFECTED_IMAGE PROFILE [OPTION]"
  echo -e "\nDirections:" 
  echo -e "1. Capture a memory dump of a clean Windows system and save it as \"baseline.raw\". This image will serve as a baseline for the analysis."
  echo -e "2. Execute your malware sample on the same system, then take a second memory dump and save it as \"infected.raw\""
  echo -e "3. Run VolDiff as follows: \"./VolDiff.sh baseline.raw infected.raw <profile>\" where <profile> is Win7SP0x86 or Win7SP1x64 etc"
  echo -e "VolDiff will save the output of a selection of volatility plugins for both memory images (baseline and infected), then it will create a report to highlight notable changes (new processes, network connections, injected code, suspicious drivers etc)."
  echo -e "\nOptions:"
  echo -e "--dependencies	display information about script dependencies and exit"
  echo -e "--help		display this help and exit"
  echo -e "--add-hints	add useful hints to the report"
  echo -e "--no-report	do not create a report"
  echo -e "--version	display script version information and exit"
  echo -e "\nTested using Volatility 2.4 (vol.py) on Windows 7 images."
  echo -e "Report bugs to houcem.hachicha[@]gmail.com"
  exit
fi

################################ VERSION INFORMATION SECTION ################################
if [[ $@ =~ "--version" ]] ; then
  echo -e "This is free software: you are free to change and redistribute it."
  echo -e "There is NO WARRANTY, to the extent permitted by law."
  echo -e "Written by Houcem Hachicha @aim4r. Report bugs to houcem.hachicha[@]gmail.com."
  exit
fi

################################ DEPENDENCIES SECTION ################################
if [[ $@ =~ "--dependencies" ]] ; then
  echo -e "Requires volatility 2.4 (vol.py) to be installed."
  exit
fi

################################ SETTING PROFILE AND FINDING PATH TO MEMORY IMAGES ################################

if [[ -f $1 ]] ; then
  baseline_memory_image=$1
  echo -e "Path to baseline memory image: $baseline_memory_image..."
elif [[ -f baseline.raw ]] ; then
  baseline_memory_image=baseline.raw
  echo -e "Path to baseline memory image is not valid or was not specified. Using default ($baseline_memory_image)..."
elif [[ -f baseline.vmem ]] ; then
  baseline_memory_image=baseline.vmem
  echo -e "Path to baseline memory image is not valid or was not specified. Using default ($baseline_memory_image)..."
else
  echo -e "Please specify a path to a baseline memory image."
  exit
fi

if [[ -f $2 ]]; then
  infected_memory_image=$2
  echo -e "Path to infected memory image: $infected_memory_image..."
elif [[ -f infected.raw ]] ; then
  infected_memory_image=infected.raw
  echo -e "Path to infected memory image is not valid or was not specified. Using default ($infected_memory_image)..."
elif [[ -f infected.vmem ]] ; then
  infected_memory_image=infected.vmem
  echo -e "Path to infected memory image is not valid or was not specified. Using default ($infected_memory_image)..."
else
  echo -e "Please specify a path to a memory image of an infected system."
  exit
fi

if [[ -z $3 ]] ; then
  #profile=Win7SP1x64
  profile=Win7SP0x86
  echo -e "Profile is not specified. Using default ($profile)..." 
elif [[ $3 != Win7SP1x64 ]] &&  [[ $3 != Win7SP0x86 ]] ; then
  profile=$3
  echo -e "WARNING: This script was only tested using Win7SP0x86 and Win7SP1x64 profiles. The specified profile ($profile) seems different!" 
else
  profile=$3
  echo -e "Profile: $profile..."
fi

################################ CREATING REPORT FOLDERS ################################
starttime=$(date +%s)
output_dir=VolDiff_$(date +%F_%R)
report=VolDiff-report.txt
mkdir $output_dir

################################ RUNING VOLATILITY PLUGINS ################################
echo -e "Running a selection of volatility plugins..."
for plugin in timeliner strings handles psxview netscan getsids pslist psscan cmdline consoles dlllist svcscan mutantscan drivermodule driverscan devicetree modscan callbacks ldrmodules privs orphanthreads malfind  
do
  echo -e "Volatility plugin "$plugin" execution in progress..."
  mkdir $output_dir/$plugin
  if [[ $plugin = "mutantscan" ]] || [[ $plugin = "handles" ]] || [[ $plugin = "privs" ]] ; then
    vol.py --profile=$profile -f $baseline_memory_image $plugin --silent &> $output_dir/$plugin/baseline-$plugin.txt
    vol.py --profile=$profile -f $infected_memory_image $plugin --silent &> $output_dir/$plugin/infected-$plugin.txt 
  elif [[ $plugin = "orphanthreads" ]]  ; then
    vol.py --profile=$profile -f $baseline_memory_image threads -F OrphanThread &> $output_dir/orphanthreads/baseline-orphanthreads.txt
    vol.py --profile=$profile -f $infected_memory_image threads -F OrphanThread &> $output_dir/orphanthreads/infected-orphanthreads.txt
  # running timeliner in background (time consuming)
  elif [[ $plugin = "timeliner" ]] ; then
    vol.py --profile=$profile -f $baseline_memory_image $plugin &> $output_dir/$plugin/baseline-$plugin.txt &
    vol.py --profile=$profile -f $infected_memory_image $plugin &> $output_dir/$plugin/infected-$plugin.txt &
  elif [[ $plugin = "strings" ]] ; then
    mkdir $output_dir/$plugin/ips-domains
    strings -a -td $baseline_memory_image > $output_dir/$plugin/baseline-$plugin.txt 
    strings -a -td $infected_memory_image > $output_dir/$plugin/infected-$plugin.txt
    diff $output_dir/$plugin/baseline-$plugin.txt $output_dir/$plugin/infected-$plugin.txt | grep -E "^>" | sed 's/^..//' &> $output_dir/$plugin/diff-$plugin.txt
    vol.py --profile=$profile -f $infected_memory_image $plugin --string-file=$output_dir/$plugin/diff-$plugin.txt &> $output_dir/$plugin/diff-$plugin-vol.txt
    rm $output_dir/$plugin/baseline-$plugin.txt $output_dir/$plugin/infected-$plugin.txt
  elif [[ $plugin = "malfind" ]] ; then
    mkdir $output_dir/$plugin/dump-dir-baseline
    mkdir $output_dir/$plugin/dump-dir-infected
    vol.py --profile=$profile -f $baseline_memory_image $plugin -D $output_dir/$plugin/dump-dir-baseline &> $output_dir/$plugin/baseline-$plugin.txt
    vol.py --profile=$profile -f $infected_memory_image $plugin -D $output_dir/$plugin/dump-dir-infected &> $output_dir/$plugin/infected-$plugin.txt
  else
    vol.py --profile=$profile -f $baseline_memory_image $plugin &> $output_dir/$plugin/baseline-$plugin.txt
    vol.py --profile=$profile -f $infected_memory_image $plugin &> $output_dir/$plugin/infected-$plugin.txt
  fi
done
wait

################################ DIFFING VOLATILITY RESULTS ################################
echo -e "Diffing output results..."
for plugin in timeliner psxview netscan getsids pslist psscan cmdline consoles dlllist handles svcscan mutantscan drivermodule driverscan devicetree callbacks ldrmodules privs orphanthreads malfind
do
  diff $output_dir/$plugin/baseline-$plugin.txt $output_dir/$plugin/infected-$plugin.txt | grep -E "^>" | sed 's/^..//' &> $output_dir/$plugin/diff-$plugin.txt
done

################################ STRINGS ANALYSIS ################################
echo -e "Hunting for IPs, domains and email addresses in memory strings..."
cat $output_dir/strings/diff-strings-vol.txt | perl -e 'while(<>){if(/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/){print $_;}}' &>> $output_dir/strings/ips-domains/diff-ips-domains-vol.txt
cat $output_dir/strings/diff-strings-vol.txt | perl -e 'while(<>){ if(/(http|https|ftp|mail)\:[\/\w.]+/){print $_;}}' &>> $output_dir/strings/ips-domains/diff-ips-domains-vol.txt
cat $output_dir/strings/diff-strings-vol.txt | grep -E -o "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" &>> $output_dir/strings/ips-domains/diff-ips-domains-vol.txt


################################ REPORT CREATION ################################
if [[ $@ =~ "--no-report" ]] ; then 
  endtime=$(date +%s)
  echo -e "\nAll done in $(($endtime - $starttime)) seconds. No report created." 
  exit
fi
echo -e "Creating a report..."
touch $output_dir/$report
echo -e " _    __      ______  _ ________" >> $output_dir/$report
echo -e "| |  / /___  / / __ \(_) __/ __/" >> $output_dir/$report
echo -e "| | / / __ \/ / / / / / /_/ /_  " >> $output_dir/$report
echo -e "| |/ / /_/ / / /_/ / / __/ __/  " >> $output_dir/$report
echo -e "|___/\____/_/_____/_/_/ /_/     " >> $output_dir/$report
echo -e "\nVolatility analysis report generated by VolDiff v$version (https://github.com/aim4r/VolDiff/)." >> $output_dir/$report
echo -e "Report bugs to houcem.hachicha[@]gmail.com." >> $output_dir/$report
    
for plugin in netscan pslist psscan psxview ldrmodules malfind timeliner svcscan cmdline consoles drivermodule driverscan modscan callbacks orphanthreads devicetree mutantscan getsids privs
do
  echo -e "\n\nSuspicious new $plugin entries" >> $output_dir/$report
  echo -e "=========================================================================\n" >> $output_dir/$report
  if [[ -s $output_dir/$plugin/diff-$plugin.txt ]] ; then
     # special processing for psxview
    if [[ $plugin = "psxview" ]] ; then
      cat $output_dir/psxview/diff-psxview.txt | grep "[0-9] False" > $output_dir/psxview/hidden.tmp
      if [[ -s $output_dir/psxview/hidden.tmp ]] ; then
        sed -n '2p' $output_dir/psxview/infected-psxview.txt >> $output_dir/$report
        sed -n '3p' $output_dir/psxview/infected-psxview.txt >> $output_dir/$report
        cat $output_dir/psxview/hidden.tmp >> $output_dir/$report
      else
        echo "None" >> $output_dir/$report
      fi
      rm $output_dir/psxview/hidden.tmp
    # processing pslist and psscan output
    elif [[ $plugin = "pslist"  ]] || [[ $plugin = "psscan"  ]] ; then
     sed -n '2p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
     sed -n '3p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
     cat $output_dir/$plugin/baseline-$plugin.txt | tr -s ' ' | cut -d " " -f 3 > $output_dir/$plugin/baseline-pids.temp
     cat $output_dir/$plugin/infected-$plugin.txt | tr -s ' ' | cut -d " " -f 3  > $output_dir/$plugin/infected-pids.temp
     diff $output_dir/$plugin/baseline-pids.temp $output_dir/$plugin/infected-pids.temp | grep -E "^>" | sed 's/^..//' | uniq &>> $output_dir/$plugin/unique-new-pids.temp
     while read pid; do
       cat $output_dir/$plugin/infected-$plugin.txt | grep $pid >> $output_dir/$report
     done < $output_dir/$plugin/unique-new-pids.temp
     rm $output_dir/$plugin/baseline-pids.temp $output_dir/$plugin/infected-pids.temp $output_dir/$plugin/unique-new-pids.temp  
    # processing ldrmodules output
    elif [[ $plugin = "ldrmodules"  ]] ; then
      cat $output_dir/$plugin/diff-$plugin.txt | grep "False" >> $output_dir/$plugin/$plugin.tmp
      if [[ -s $output_dir/$plugin/ldrmodules.tmp ]] ; then
        sed -n '2p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
        sed -n '3p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
        cat $output_dir/$plugin/$plugin.tmp >> $output_dir/$report  
      else
        echo "None" >> $output_dir/$report
      fi
      rm $output_dir/$plugin/$plugin.tmp
    # filtering timeliner results
    elif [[ $plugin = "timeliner" ]] ; then 
     cat $output_dir/$plugin/diff-$plugin.txt | grep "PROCESS" >> $output_dir/$plugin/$plugin.tmp
     cat $output_dir/$plugin/diff-$plugin.txt | grep "NETWORK CONNECT" >> $output_dir/$plugin/$plugin.tmp
     cat $output_dir/$plugin/diff-$plugin.txt | grep "PE HEADER (module)" >> $output_dir/$plugin/$plugin.tmp
     cat $output_dir/$plugin/diff-$plugin.txt | grep "PE HEADER (exe)" >> $output_dir/$plugin/$plugin.tmp
     cat $output_dir/$plugin/$plugin.tmp | sort >> $output_dir/$report
     rm $output_dir/$plugin/$plugin.tmp
    # processing plugins that don't need output formatting
    elif [[ $plugin = "devicetree" ]] || [[ $plugin = "orphanthreads" ]] || [[ $plugin = "cmdline" ]] || [[ $plugin = "consoles" ]] || [[ $plugin = "svcscan" ]] || [[ $plugin = "malfind" ]] || [[ $plugin = "getsids" ]] ; then
      cat $output_dir/$plugin/diff-$plugin.txt >> $output_dir/$report
    # processing other plugins
    else
      sed -n '2p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
      sed -n '3p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
      cat $output_dir/$plugin/diff-$plugin.txt >> $output_dir/$report
    fi
    # additional processing for malfind dumped processes 
    if [[ $plugin = "malfind" ]] ; then      
      echo -e "\n\nSuspicious ips/domains/emails found in dumped processes (malfind)" >> $output_dir/$report
      echo -e "=========================================================================\n" >> $output_dir/$report
      strings -a -td $output_dir/malfind/dump-dir-infected/* > $output_dir/malfind/dump-dir-infected/malfind-strings.temp 
      cat $output_dir/malfind/dump-dir-infected/malfind-strings.temp | grep -oE '\b(https?|ftp|file)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]' | uniq >> $output_dir/malfind/dump-dir-infected/infected-ip-domains.temp
      cat $output_dir/malfind/dump-dir-infected/malfind-strings.temp | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | uniq >> $output_dir/malfind/dump-dir-infected/infected-ip-domains.temp
      cat $output_dir/malfind/dump-dir-infected/malfind-strings.temp | grep -E -o "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | uniq >> $output_dir/malfind/dump-dir-infected/infected-ip-domains.temp
      if [[ -s $output_dir/malfind/dump-dir-infected/infected-ip-domains.temp ]] ; then
        cat $output_dir/malfind/dump-dir-infected/infected-ip-domains.temp >> $output_dir/$report  
      else
        echo "None" >> $output_dir/$report
      fi
      rm $output_dir/malfind/dump-dir-infected/infected-ip-domains.temp $output_dir/malfind/dump-dir-infected/malfind-strings.temp
    fi
    # adding comments (help for further analysis)
    if [[ $@ =~ "--add-hints" ]] ; then 
      if [[ $plugin = "drivermodule" ]] ; then 
        echo -e "\nHint: Drivers without a module (UNKNOWN) should be considered as suspicious. Use moddump -b to dump suspicious drivers from memory to disk." >> $output_dir/$report
      fi
      if [[ $plugin = "driverscan" ]] ; then 
        echo -e "\nHint: Drivers that have no associated service should be considered as suspicious. Use moddump -b to dump suspicious drivers from memory to disk." >> $output_dir/$report
      fi
      if [[ $plugin = "netscan" ]] ; then 
        echo -e "\nHint: Translate suspicious IPs to domains using Google/VirusTotal, and search for the domains in memory strings." >> $output_dir/$report
      fi
      if [[ $plugin = "privs" ]] ; then 
        echo -e "\nHint: privs was run with the -s switch. It will only show the privileges that were not enabled by default." >> $output_dir/$report
      fi
      if [[ $plugin = "malfind" ]] ; then
        echo -e "\nHint: Suspicious malfind processes were dumped to disk, and can be reversed as normal or uploaded to VT. IPs and domains from the entire memory image were dumped to disk under $output_dir/strings/ips-domains (too verbose to be included here). Use grep -A 10 and -B 10 to investigate strings located next to suspicious ones. Note that strings/diff-strings-vol.txt includes strings and associated PIDs, and thus should be grepped for suspicious PIDs, or strings." >> $output_dir/$report
      fi
      if [[ $plugin = "getsids" ]] ; then 
        echo -e "\nHint: Check the output of handles for suspicious processes, and grep for mutants, then Google those. Also grep the output of ldrmodules for any hidden dlls associated with suspicious processes. Note that the procexedump and dlldump volatility plugins can be used to respectively dump processes and DLLs from memory to disk." >> $output_dir/$report
      fi
      if [[ $plugin = "mutantscan" ]] ; then 
        echo -e "\nHint: Google mutants associated with suspicious processes." >> $output_dir/$report
      fi
      if [[ $plugin = "ldrmodules" ]] ; then 
        echo -e "\nHint: DLLs that are not located under System32 can be suspicious." >> $output_dir/$report
      fi
    fi
  else
    echo "None" >> $output_dir/$report
  fi
done
echo -e "\nEnd of report." >> $output_dir/$report

endtime=$(date +%s)
echo -e "\nAll done in $(($endtime - $starttime)) seconds, report saved to $output_dir/$report."

Source : https://github.com/aim4r

Malscan : Robust ClamAV-based malware scanner for web servers.

Version 1.4.3 Released: May 5, 2015 :
+ Bugfix: Corrected a logging path issue. All log files will now be correctly generated in the ‘log’ directory inside your chosen path in conf.malscan
+ Bugfix: Corrected the URL for the custom virus definitions
+ Feature: Included freshclam updates within the cron_update.sh script

Features :
– Multiple channels of malware signatures
— RFX Networks Signatures
— Metasploit Signatures
— JoshGrancell.com Signatures
— ClamAV Main Signatures
– Multiple Detection Methods
— Standard HEX or MD5 based detections
— String length detections
— MimeType mismatch detections
– Easy File Quarantining
– Built-in new file signature generation
– Customizable email notifications

Installation :
Step 1: Install ClamAV on your server
For Redhat/CentOS:
— Install the EPEL Repository using yum install epel-release
— Install clamav using yum install clamav
For Debian/Ubuntu, install directly from the repositories using apt-get install clamav
Step 2: Navigate to your clamav directory.
— For RedHat/CentOS: cd /usr/local/share/clamav
— For Debian/Ubuntu: cd /var/lib/clamav
Step 3: Clone this git repository with git clone https://github.com/jgrancell/Malscan.git
Step 4: Run the cron_update.sh script to update the signatures and build any needed directories/binaries with ./cron_update.sh
Step 5: Set the cron_update.sh to run at least daily through crontab -e setting the cronjob to run daily
– Daily: 0 2 * * * /path/to/clamav/cron_update.sh
– Twice Daily: 0 */2 * * * /path/to/clamav/cron_update.sh
*NOTE: If running daily, ensure that the update is run BEFORE any scheduled scans.*
Step 6: Run the scanner as needed
— Manually: malscan -[options] /path/to/target/directory/or/file
— Via Cronjob: 30 3 * * * /usr/local/bin/malscan -[options] /path/to/target/directory/or/file

Bash Script :

#!/bin/bash
# Malscan - Enhanced ClamAV Scanning System
# Written by Josh Grancell

VERSION="1.4.3"
DATE="May 5 2015"

## Identifying where we're running the script from
SOURCE="${BASH_SOURCE[0]}"
while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
  DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
  SOURCE="$(readlink "$SOURCE")"
  [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
done
DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"

## Loading the configuration file from the Malscan directory
source /"$DIR"/"conf.malscan"
LOGDIR="$MAINDIR/log"
####################
## DOING THE WORK ##
####################

## Parsing through the arguments
if [[ $# -eq 0 || "$1" == "-h" || "$1" == "--help" ]]; then
	## Help functionality
	echo "Malscan version $VERSION compiled on $DATE"
	echo "Configuration options can be found in conf.malscan"
	echo "Usage: malscan [options] /path/to/scanned/directory"
	echo "       -s  -- Scan the specified file or directory"
	echo "       -q  -- Quarantine a file"
	echo "       -m  -- Checks the extension to verify it matches the MIME"
	echo "       -l  -- Checks files for lines over a certain length"
	echo "       -r  -- Report a file."
	echo "       -n  -- Send email notification."
	echo "       -h  -- Display this help text"
	echo "       -v  -- Display version information"
	echo "Malscan is a robust file scanning toll that combines the"
	echo "ClamAV virus scanner with enhanced definition sets."
	exit 1	
elif [[ $# == 1 ]]; then
	if [[ "$1" == "-v" ]]; then
		echo "Malscan version $VERSION -- last update $DATE"
		exit 0
	elif [[ -f "$1" || -d "$1" ]]; then
		AVSCAN=1
		TARGET="$1"
	else
		## Help functionality
		echo "Malscan version $VERSION compiled on $DATE"
		echo "Usage: malscan [options] /path/to/scanned/directory/or/file"
		echo "       -q|--quarantine  -- Quarantine a file"
		echo "       -m|--mime-check  -- Checks the extension to verify it matches the MIME"
		echo "       -l|--line-length -- Checks files for lines over a certain length"
		echo "       -r|--report      -- Report a file."
		echo "       -n|--notify      -- Send email notification. This flag cannot be used by itself, and must be followed by -r, -q, or -m."
		echo "       -h|--help        -- See this text"
		echo "       -v|--version     -- See version information"
		echo "Malscan is a robust file scanning toll that combines the"
		echo "ClamAV virus scanner with enhanced definition sets."
		exit 1	
	fi
elif [[ $# -eq 2 ]]; then
	## Setting the scanning target
	TARGET="$2"

	## Enabling Quarantine
	if [[ "$1" =~ q ]]; then
		QUARANTINE=1
	fi

	# Enabling mime-type scanning
	if [[ "$1" =~ m ]]; then
		MIMESCAN=1
	fi

	# Enabling line length scanning
	if [[ "$1" =~ l ]]; then
		LENGTHSCAN=1
	fi

	# Enabling signature reporting
	if [[ "$1" =~ r ]]; then
		REPORT=1
	fi

	# Enabling email notification
	if [[ "$1" =~ n ]]; then
		NOTIFICATION=1
	fi

	# Enabling full scan
	if [[ "$1" =~ s ]]; then
		AVSCAN=1
	fi
elif [[ -d "$1" || -f "$1" ]]; then
	AVSCAN=1
else
	## Help functionality
	echo "Malscan version $VERSION compiled on $DATE"
	echo "Usage: malscan [options] /path/to/scanned/directory"
	echo "       -q|--quarantine  -- Quarantine a file"
	echo "       -m|--mime-check  -- Checks the extension to verify it matches the MIME"
	echo "       -l|--line-length -- Checks files for lines over a certain length"
	echo "       -r|--report      -- Report a file."
	echo "       -n|--notify      -- Send email notification. This flag cannot be used by itself, and must be followed by -r, -q, or -m."
	echo "       -h|--help        -- See this text"
	echo "       -v|--version     -- See version information"
	echo "Malscan is a robust file scanning toll that combines the"
	echo "ClamAV virus scanner with enhanced definition sets."
	exit 1
fi

## Defining the lengthscan function
function lengthscan {
	#Creating the logging directories
	LENGTHLOG="$LOGDIR"/'length-scan-'$(date +%F-%s)
	TEMPLOG=$(mktemp)	

	# Building the whitelist
	LENGTH_IGNORE=${LENGTH_WHITELIST//,/ -not -name }

	echo -e "\033[32mScanning $TARGET for files with strings longer than $LENGTH_MINIMUM characters: \033[37m"

	while IFS= read -r FILE
	do
		SIZE=$(wc -L "$FILE" | awk '{$1}')
		if [[ "$SIZE" -ge "$LENGTH_MIMIMUM" ]]; then
            echo -ne "\033[35m"
            echo "DETECTION: $FILE has been detected with a line length of $SIZE." | tee -a "$LENGTHLOG"
            echo -ne "\033[37m"
        fi
    done < <(find "$TARGET" -type f -not -name "$LENGTH_IGNORE" -print0)		

	# Checking to see if we have hits.
	if [[ -f "$LENGTHLOG" ]]; then
		# Notifying of detections
		echo -e "\033[31mSee $LENGTHLOG for a full list of detected files.\033[37m"

		# If remote logging is enabled, reporting this to our remote SSH server
		if [[ "$REMOTE_LOGGING_ENABLED" == 1 ]]; then
			rsync -avzP "$REPORTFILE" -e ssh "$REMOTE_SSH:$REMOTE_LOGGING"/"$HOSTNAME"/
		fi

		DETECTION=1
	else
		# No detections
		echo -ne "\033[32m"
		echo "No suspicious files detected." | tee -a "$LENGTHLOG"
		echo -ne "\033[37m"
		DETECTION=0
	fi
}

## Defining the mimescan function
function mimescan {
	# Creating the logging directories
	MIMELOG="$LOGDIR"/'mimecheck-'$(date +%F-%s)
	TEMPLOG=$(mktemp)

	# Sed'ing the whitelist into something we can use with find
	MIME_IGNORE=${MIME_WHITELIST//,/ -not -name }

	echo -ne "\033[32mCompiling a full list of potential files... "
	find "$TARGET" -not -name "$MIME_IGNORE" -regextype posix-extended -regex '.*.(jpg|png|gif|swf|txt|pdf)' >>"$TEMPLOG"
	echo "Completed!"
	echo -e "Searching found files for any MIME mismatch against the given extensions.\033[37m"	

	# Working through the temporary file list to match files with mimetypes.
	while IFS= read -r FILE; do
                if file "$FILE" | egrep -q '(jpg|png|gif|swf|txt|pdf).*?(PHP)'; then
                        if  [ "$(basename $FILE)" != "license.txt" ]; then
                                echo -ne "\033[35m"
                                echo "DETECTION: $FILE has been detected as a PHP file with a non-matching extension." | tee -a "$MIMELOG"
                                echo -ne "\033[37m"
                        fi
                fi
	done < <(cat "$TEMPLOG")

	# Checking to see if we have hits.
	if [[ -f "$MIMELOG" ]]; then
		# Notifying of detections
		echo -e "\033[31mSee $MIMELOG for a full list of detected files.\033[37m"

		# If remote logging is enabled, reporting this to our remote SSH server
		if [[ "$REMOTE_LOGGING_ENABLED" == 1 ]]; then
			rsync -avzP "$REPORTFILE" -e ssh "$REMOTE_SSH:$REMOTE_LOGGING"/"$HOSTNAME"/
		fi

		DETECTION=1
	else
		# No detections
		echo -ne "\033[32m"
		echo "No suspicious files detected." | tee -a "$MIMELOG"
		echo -ne "\033[37m"
		DETECTION=0
	fi
}

## Defining the scanning function
function avscan {

	CLAMSCAN=$(which clamscan)

	# Setting up the whitelist
	AVSCAN_IGNORE=${AVSCAN_WHITELIST//,/ --exclude=}

	# Creating the scan log file for this scan
	SCANLOG="$LOGDIR"/$(date +%F-%s)

	# Outputting the scanning information to stdout as well as the log file
	echo -ne "\033[31m"
	echo "--exclude=$AVSCAN_IGNORE" | xargs "$CLAMSCAN" -d "$MAINDIR"/rfxn.hdb -d "$MAINDIR"/rfxn.ndb -d "$MAINDIR"/custom.hdb -d "$MAINDIR"/custom.ndb -i -r --no-summary "$TARGET" | tee -a "$SCANLOG"
	echo -ne "\033[37m"

	## If no files were found, we'll add a note into the scanlog accordingly.
	if [[ ! -s "$SCANLOG" ]]; then
		echo -ne "\033[32m"
		echo "Malware scan completed. No malicious files found." | tee -a "$SCANLOG"
		echo -ne "\033[37m"
		DETECTION=0
	else
		echo -e "\033[31mSee $SCANLOG for a full list of detected files.\033[37m"
	fi

}

## Defining the quarantine function
function quarantine {
		## This logic actively quarantines files that are not on our whitelist
		while read -r; do
			ABSPATH=$(readlink -f "$REPLY")
			
			## Setting the detection variable to 1, which allows us to parse the correct notification
			if [[ -f "$ABSPATH" ]]; then
				DETECTION=1
			fi
			
			# Building the file structure for quarantine
			DIR=$(dirname "$ABSPATH")
			FILE=$(basename "$ABSPATH")
			mkdir -p "$QDIR"/"$DIR"
			mv "$ABSPATH" "$QDIR""$ABSPATH"

			# If remote quarantine is set up, copying these files to the remote quarantine server
			if [[ "$REMOTE_QUARANTINE_ENABLED" == 1 ]]; then
				rsync -avzP "$QDIR"/ -e ssh "$REMOTE_SSH:$REMOTE_QUARANTINE" >> /dev/null
			fi

			# Setting the files to 000 permissions so they cannot be accessed
			chmod 000 "$QDIR""$ABSPATH"
			echo -e "\033[36m$FILE quarantined and locked down in $QDIR and sent to Centauri.\033[37m" | tee -a "$LOGDIR"/quarantine.log
		done < <(cat"$SCANLOG" | cut -d: -f1)
}

function notification {
	if [[ "$DETECTION" == 1 ]]; then
		EMAIL_TMP=$(mktemp)
		{
		echo "To:$EMAIL"
		echo "From:automated-malscan-service@campbellmarketing.services"
		echo "Subject: Malware Detections: $HOSTNAME - $(date)" 
		echo "MIME-Version: 1.0"
		echo "Content-Type: text/html; charset="us-ascii" "
		echo "Content-Disposition: inline"
		echo "<!DOCTYPE html>"
		echo "<html> <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">"	
		echo "<body>"

		if [[ -n "$QUARANTINE" && -n "$AVSCAN" ]]; then
			echo "Malicious and/or suspicious files have been quarantined on $HOSTNAME. Please see $LOGDIR/quarantine.log for further information.<br />"
		elif [[ -n "$AVSCAN" ]]; then
			echo "Malicious and/or suspicious files have been identified on $HOSTNAME but HAVE NOT been quarantined. Please see $SCANLOG for further information.<br />"
		fi

		if [[ -n "$MIMECHECK" ]]; then
			echo "PHP files have been detected on $HOSTNAME that are using suspicious file extension types. Please see $MIMELOG for additional information, and investigate each file for whitelisting or quarantining.<br />"
		fi

		if [[ -n "$LENGTHSCAN" ]]; then
			echo "Files have been detected that exceed the line length threshold, and may be suspicious. Please see $LENGTHLOG for additional information, and investigate each file for whitelisting or quarantining.<br />"
		fi
		} >> "$EMAIL_TMP"

		sendmail -i -t < "$EMAIL_TMP"	
	fi
}

function report {
	# Creating the report file name
	REPORTFILE="$LOGDIR"/report-"$HOSTNAME"-$(date +%s).log

	# Generating the malware signature
	sigtool --md5 "$TARGET" >> "$REPORTFILE"

	# If remote logging is enabled, reporting this to our remote SSH server
	if [[ "$REMOTE_LOGGING_ENABLED" == 1 ]]; then
		rsync -avzP "$REPORTFILE" -e ssh "$REMOTE_SSH:$REMOTE_LOGGING"/"$HOSTNAME"/
	fi

	echo -e "\033[36mFile signatured generated and reported to Centauri for inclusion in the DB.\033[37m"
	exit 0
}


# Executing the Functions
if [[ -n "$REPORT" ]]; then
	report
fi

if [[ -n "$MIMESCAN" ]]; then
	mimescan
fi

if [[ -n "$LENGTHSCAN" ]]; then
	lengthscan
fi

if [[ -n "$AVSCAN" ]]; then
	avscan
	if [[ -n "$QUARANTINE" ]]; then
		quarantine
	fi
fi

if [[ -n "$NOTIFICATION" ]]; then
	notification
fi

# Cleaning up by chowning everything ot the clam user
chown -R "$USER":"$USER" "$MAINDIR"

exit 0

Download : Master.zip  | Clone Url
Source : https://github.com/jgrancell

Latest Version v-1.2:
+ Added checks to search for executables/DLLs loaded from TEMP folders
+ Added checks to search for keylogger artifacts
+ Added a check to dump and analyse the hosts file
+ Added a routine to compute a list of unique IPs from netscan output
+ Minor bug fixes and enhancements

VolDiff is a bash script that runs Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes.

VolDiff is a simple yet powerfull malware analysis tool that enables malware analysts to quickly identify IOCs and understand advanced malware behaviour.

Use Directions:
1.Capture a memory dump of a clean Windows system and save it as “baseline.raw”. This image will serve as a baseline for the analysis.
2.Execute your malware sample on the same system, then take a second memory dump and save it as “infected.raw”.
3.Run VolDiff:

./VolDiff.sh path/to/baseline.raw path/to/infected.raw profile
"profile" should be "Win7SP0x86" or "Win7SP1x64" etc.

VolDiff will save the output of a selection of Volatility plugins for both memory images (baseline and infected), then it will create a report to highlight notable changes (new processes, network connections, injected code, drivers etc).

Example Output :

Volatility analysis report generated by VolDiff.
Download the latest VolDiff version from https://github.com/aim4r/VolDiff/.

Suspicious new connections (netscan)
=========================================================================

Proto    Local Address                  Foreign Address      State            Pid      Owner 
TCPv4    172.16.108.128:139             0.0.0.0:0            LISTENING        4        System 
TCPv4    172.16.108.128:49167           62.24.131.168:80     CLOSED           924      svchost.exe 
TCPv4    172.16.108.128:49164           65.55.50.157:443     CLOSED           924      svchost.exe 
TCPv4    172.16.108.128:49165           62.24.131.168:80     CLOSED           924      svchost.exe 
TCPv4    172.16.108.128:49168           87.236.215.151:80    CLOSED           2108     explorer.exe

Suspicious new processes (psscan)
=========================================================================

Offset(P)          Name                PID   PPID PDB        Time created                    
------------------ ---------------- ------ ------ ---------- ------------------------------ 
0x000000003fc7f030 kmaxqsj.exe        2300   4044 0x3ebed520 2015-05-02 19:33:07 UTC+0000  
0x000000003fc8ed40 malwr.exe          2908   4020 0x3ebed540 2015-05-02 19:32:45 UTC+0000  

Potential process injection (malfind)
=========================================================================

Process: kmaxqsj.exe Pid: 2300 Address: 0x400000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 165, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00400000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00400010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x00400020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00400030  00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00   ................

0x400000 4d               DEC EBP
0x400001 5a               POP EDX
0x400002 90               NOP
0x400003 0003             ADD [EBX], AL
0x400005 0000             ADD [EAX], AL
0x400007 000400           ADD [EAX+EAX], AL
0x40000a 0000             ADD [EAX], AL
0x40000c ff               DB 0xff

Suspicious driver modules
===========================================================================

Module                               Driver
------------------------------------ ------
UNKNOWN                              \Driver\storage
UNKNOWN                              \Driver\PGPsdkDriver
UNKNOWN                              \Driver\cipher
UNKNOWN                              \Driver\fileflt
UNKNOWN                              \Driver\TdiFlt2
UNKNOWN                              \Driver\TdiFlt
UNKNOWN                              \Driver\stopsec

Suspicious callbacks
===========================================================================

Type                                 Callback   Module   
------------------------------------ ---------- --------
IoRegisterFsRegistrationChange       0x8549dd08 UNKNOWN  
GenericKernelCallback                0x854a0c88 UNKNOWN  
GenericKernelCallback                0x854964ec UNKNOWN 
GenericKernelCallback                0x854a0d88 UNKNOWN 
GenericKernelCallback                0x854961fa UNKNOWN 
IoRegisterShutdownNotification       0x854a28ca UNKNOWN

Script :

#!/bin/bash
# VolDiff malware analysis script by @aim4r

version="1.2.0"

################################ PRINT VOLDIFF BANNER ################################
echo -e " _    __      ______  _ ________"
echo -e "| |  / /___  / / __ \(_) __/ __/"
echo -e "| | / / __ \/ / / / / / /_/ /_  "
echo -e "| |/ / /_/ / / /_/ / / __/ __/  "
echo -e "|___/\____/_/_____/_/_/ /_/     "

echo -e "\nVolDiff: Malware Memory Footprint Analysis (v$version)"

################################ HELP ################################
if [[ $@ =~ "--help" ]] ; then
  echo -e "\nUsage: ./VolDiff.sh [BASELINE_IMAGE] INFECTED_IMAGE PROFILE [OPTIONS]"
  echo -e "\nUse directions:"
  echo -e "1. Capture a memory dump of a clean Windows system and save it as \"baseline.raw\". This image will serve as a baseline for the analysis."
  echo -e "2. Execute your malware sample on the same system, then capture a second memory dump and save it as \"infected.raw\"."
  echo -e "3. Run VolDiff as follows: \"./VolDiff.sh baseline.raw infected.raw <profile>\" where <profile> is Win7SP0x86 or Win7SP1x64 etc."
  echo -e "VolDiff will save the output of a selection of volatility plugins for both memory images (baseline and infected), then it will create a report to highlight notable changes (new processes, network connections, injected code, suspicious drivers etc)."
  echo -e "\nVolDiff can also be used to analyse a single memory image."
  echo -e "\nOptions:"
  echo -e "--help            display this help and exit"
  echo -e "--version         display version information and exit"
  echo -e "--dependencies    display information about script dependencies and exit"
  echo -e "--malware-checks  hunt and report suspicious anomalies (slow, recommended)"
  echo -e "--no-report       do not create a report"
  echo -e "\nTested using Volatility 2.4 (vol.py) on Windows 7 images."
  echo -e "Report bugs to houcem.hachicha[@]gmail.com"
  exit
fi

################################ VERSION INFORMATION ################################
if [[ $@ =~ "--version" ]] ; then
  echo -e "This is free software: you are free to change and redistribute it."
  echo -e "There is NO WARRANTY, to the extent permitted by law."
  echo -e "Written by @aim4r. Report bugs to houcem.hachicha[@]gmail.com."
  exit
fi

################################ DEPENDENCIES ################################
if [[ $@ =~ "--dependencies" ]] ; then
  echo -e "Requires volatility 2.4 (vol.py) to be installed."
  exit
fi

################################ DECLARING LIST OF VOLATILITY PLUGINS TO PROCESS ################################
# volatility plugins to run:
declare -a plugins_to_run=("handles" "psxview" "netscan" "iehistory" "getsids" "pslist" "psscan" "cmdline" "consoles" "dlllist" "filescan" "shimcache" "shelbags" "sessions" "messagehooks" "eventhooks" "svcscan" "envars" "mutantscan" "symlinkscan" "atoms" "atomscan" "drivermodule" "mftparser" "driverscan" "devicetree" "modules" "modscan" "unloadedmodules" "callbacks" "ldrmodules" "privs" "hashdump" "orphanthreads" "malfind" "idt" "gdt" "driverirp" "deskscan" "timers" "gditimers" "ssdt")

# volatility plugins to report on (order matters!) / dual mode:
declare -a plugins_to_report=("pslist" "psscan" "psxview" "netscan" "iehistory" "malfind" "sessions" "privs" "messagehooks" "eventhooks" "envars" "shimcache" "shelbags" "cmdline" "consoles" "hashdump" "drivermodule" "driverscan" "driverirp" "modules" "modscan" "unloadedmodules" "devicetree" "callbacks" "orphanthreads" "mutantscan" "symlinkscan" "ssdt")

# volatility plugins to report on (order matters!) / standalone mode:
declare -a plugins_to_report_standalone=("netscan" "psscan" "psxview" "malfind" "cmdline" "consoles" "iehistory")

################################ HARDCODED REGEX EXPRESSIONS ################################
hacker_process_regex="at.exe|chtask.exe|clearev|ftp.exe|net.exe|nbtstat.exe|net1.exe|ping.exe|powershell|procdump.exe|psexec|quser.exe|reg.exe|regsvr32.exe|schtasks|systeminfo.exe|taskkill.exe|timestomp|winrm|wmic|xcopy.exe"
hacker_dll_regex="mimilib.dll|sekurlsa.dll|wceaux.dll|iamdll.dll"

# suspicious process names
l33t_process_name="snss|crss|cssrs|csrsss|lass|isass|lssass|lsasss|scvh|svch0st|svhos|svchst|svchosts|lsn|g0n|l0g|nvcpl|rundii|wauclt|spscv|spppsvc|sppscv|sppcsv|taskchost|tskhost|msorsv|corsw|arch1ndex|wmipvr|wmiprse|runddl"

# usual process list
usual_processes="sppsvc.exe|audiodg.exe|mscorsvw.exe|SearchIndexer|TPAutoConnSvc|TPAutoConnect|taskhost.exe|smss.exe|crss.exe|wininit.exe|services.exe|lsass.exe|svchost.exe|lsm.exe|explorer.exe|winlogon|conhost.exe|dllhost.exe|spoolsv.exe|vmtoolsd.exe|WmiPrvSE.exe"

# regexes used to analyse imports
password_extract_imports="SamLookupDomainInSamServer|NlpGetPrimaryCredential|LsaEnumerateLogonSessions|SamOpenDomain|SamOpenUser|SamGetPrivateData|SamConnect|SamRidToSid|PowerCreateRequest|SeDebugPrivilege|SystemFunction006|SystemFunction040"
process_injection_imports="VirtualAllocEx|AllocateVirtualMemory|VirtualProtectEx|ProtectVirtualMemory|CreateProcess|LoadLibrary|LdrLoadDll|CreateToolhelp32Snapshot|QuerySystemInformation|EnumProcesses|WriteProcessMemory|WriteVirtualMemory|CreateRemoteThread|ResumeThread|SetThreadContext|SetContextThread|QueueUserAPC|QueueApcThread|WinExec"
web_imports="DeleteUrlCacheEntry|CreateUrlCacheEntry|HttpSendRequestA|HttpSendRequestW|HttpSendRequestExA|HttpSendRequestExW|URLDownloadToFileA|WSASocket|WSASend|WSARecv|WS2_32"
service_imports="CreateService|StartService|NdrClientCall2|NtLoadDriver"
uac_bypass_imports="AllocateAndInitializeSid|EqualSid|RtlQueryElevationFlags|GetTokenInformation|GetSidSubAuthority|GetSidSubAuthorityCount"
anti_debug_imports="CheckRemoteDebugger|DebugActiveProcess|FindWindow|GetLastError|GetWindowThreadProcessId|IsDebugged|IsDebuggerPresent|NtCreateThreadEx|NtGlobalFlags|NtSetInformationThread|OutputDebugString|pbIsPresent|Process32First|Process32Next|TerminateProcess|ThreadHideFromDebugger|UnhandledExceptionFilter|ZwQueryInformation"
misc_imports="CreateFile|NtSetSystemInformation|NtQuerySystemInformation|GetCurrentProcess|GetStartupInfo|GlobalAddAtomA|Sleep|RegOpenKeyEx|RegQueryValueEx|GetModuleFileName|WriteFile"

# regexes used to analyse strings (from process executables)
web_regex_str="cookie|download|mozilla|post|proxy|responsetext|socket|useragent|user-agent|urlmon|user_agent|WebClient|winhttp|http"
antivirus_regex_str="antivir|avast|avcons|avgctrl|avginternet|avira|bitdefender|checkpoint|comodo|F-Secure|firewall|kaspersky|mcafee|norton|norman|safeweb|sophos|symantec|windefend"
virtualisation_regex_str="000569|001C14|080027|citrix|parallels|proxmox|qemu|SbieDll|Vbox|VMXh|virm|virtualbox|virtualpc|vmsrvc|vpc|winice|vmware|xen"
sandbox_regex_str="anubis|capturebat|cuckoo|deepfreeze|debug|fiddler|fireeye|noriben|perl|python|sandb|schmidti|snort|tcpdump|wireshark"
sysinternals_regex_str="filemon|sysinternal|procmon|psexec|regmon|sysmon"
shell_regex_str="shellexecute|shell32"
keylogger_regex_str="backspace|klog|keylog|shift"
filepath_regex_str='C:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]*'
password_regex_str="brute|credential|creds|mimikatz|passwd|password|pwd|sniff|stdapi|WCEServicePipe|wce_krbtkts"
powershell_regex_str="powerview|powershell"
infogathering_regex_str="gethost|wmic|GetVolumeInformation"
banking_regex_str="banc|banco|bank|Barclays|hsbc|jpmorgan|lloyds|natwest|paypal|santander"
socialsites_regex_str="facebook|instagram|linkedin|twitter|yahoo|youtube"
exec_regex_str="\.bat|\.cmd|\.class|\.exe|\.jar|\.js|\.jse|\.SCR|\.VBE|\.vbs"
crypto_regex_str="bitlocker|crypt|truecrypt|veracrypt"
other_regex_str="admin|backdoor|botnet|chrome|clearev|currentversion|firefox|hosts|login|malware|netsh|registry|rootkit|sleep|smtp|timestomp|torrent|Trojan|UserInit"

################################ RUNNING MODE ################################
if [[ -f $2 ]] ; then
  mode="dual"
else
  mode="standalone"
fi

################################################################## ENTER DUAL MODE ################################################################## 

################################ SETTING PROFILE AND FINDING PATH TO MEMORY IMAGES ################################
if [[ $mode = "dual" ]] ; then 
  if [[ -f $1 ]] ; then
    baseline_memory_image=$1
    echo -e "Path to baseline memory image: $baseline_memory_image..."
  elif [[ -f baseline.raw ]] ; then
    baseline_memory_image=baseline.raw
    echo -e "Path to baseline memory image is not valid or was not specified. Using default ($baseline_memory_image)..."
  elif [[ -f baseline.vmem ]] ; then
    baseline_memory_image=baseline.vmem
    echo -e "Path to baseline memory image is not valid or was not specified. Using default ($baseline_memory_image)..."
  else
    echo -e "Please specify a path to a baseline memory image."
    exit
  fi

  if [[ -f $2 ]]; then
    infected_memory_image=$2
    echo -e "Path to infected memory image: $infected_memory_image..."
  elif [[ -f infected.raw ]] ; then
    infected_memory_image=infected.raw
    echo -e "Path to infected memory image is not valid or was not specified. Using default ($infected_memory_image)..."
  elif [[ -f infected.vmem ]] ; then
    infected_memory_image=infected.vmem
    echo -e "Path to infected memory image is not valid or was not specified. Using default ($infected_memory_image)..."
  else
    echo -e "Please specify a path to a memory image of an infected system."
    exit
  fi

  if [[ -z $3 ]] ; then
    profile=Win7SP0x86
    echo -e "Profile is not specified. Using default ($profile)..."
  elif [[ $3 != Win7SP1x64 ]] &&  [[ $3 != Win7SP0x86 ]] &&  [[ $3 != Win7SP0x64 ]] &&  [[ $3 != Win7SP1x86 ]] ; then
    profile=$3
    echo -e "WARNING: This script was only tested using Windows 7 profiles. The specified profile ($profile) seems different!" 
  else
    profile=$3
    echo -e "Profile: $profile..."
  fi

  ################################ CREATING FOLDER TO STORE OUTPUT ################################
  starttime=$(date +%s)
  output_dir=VolDiff_$(date +%F_%R)
  mkdir $output_dir
  mkdir $output_dir/tmpfolder

  ################################ RUNNING VOLATILITY PLUGINS ################################
  echo -e "Running a selection of volatility plugins (time consuming)..."
  for plugin in "{plugins_to_run[@]}" 
  do
    echo -e "Volatility plugin "$plugin" execution in progress..."
    mkdir $output_dir/$plugin
    if [[ $plugin = "mutantscan" ]] || [[ $plugin = "handles" ]] || [[ $plugin = "privs" ]]  || [[ $plugin = "envars" ]] ; then
      vol.py --profile=$profile -f $baseline_memory_image $plugin --silent &> $output_dir/$plugin/baseline-$plugin.txt &
      vol.py --profile=$profile -f $infected_memory_image $plugin --silent &> $output_dir/$plugin/infected-$plugin.txt &
      wait
    elif [[ $plugin = "orphanthreads" ]]  ; then
      vol.py --profile=$profile -f $baseline_memory_image threads -F OrphanThread &> $output_dir/orphanthreads/baseline-orphanthreads.txt &
      vol.py --profile=$profile -f $infected_memory_image threads -F OrphanThread &> $output_dir/orphanthreads/infected-orphanthreads.txt &
      wait
    elif [[ $plugin = "psxview" ]]  ; then
      vol.py --profile=$profile -f $baseline_memory_image psxview -R &> $output_dir/psxview/baseline-psxview.txt &
      vol.py --profile=$profile -f $infected_memory_image psxview -R &> $output_dir/psxview/infected-psxview.txt &
      wait
    elif [[ $plugin = "malfind" ]] ; then
      mkdir $output_dir/$plugin/dump-dir-baseline
      mkdir $output_dir/$plugin/dump-dir-infected
      vol.py --profile=$profile -f $baseline_memory_image $plugin -D $output_dir/$plugin/dump-dir-baseline &> $output_dir/$plugin/baseline-$plugin.txt &
      vol.py --profile=$profile -f $infected_memory_image $plugin -D $output_dir/$plugin/dump-dir-infected &> $output_dir/$plugin/infected-$plugin.txt &
      wait
    else
      vol.py --profile=$profile -f $baseline_memory_image $plugin &> $output_dir/$plugin/baseline-$plugin.txt &
      vol.py --profile=$profile -f $infected_memory_image $plugin &> $output_dir/$plugin/infected-$plugin.txt &
      wait
    fi
  done
  wait

  ################################ DIFFING VOLATILITY RESULTS ################################
  echo -e "Diffing output results..."
  for plugin in "{plugins_to_run[@]}"
  do
    diff $output_dir/$plugin/baseline-$plugin.txt $output_dir/$plugin/infected-$plugin.txt | grep -E "^>" | sed 's/^..//' &> $output_dir/$plugin/diff-$plugin.txt
  done

  ################################ DUMPING NEW PROCESSES TO DISK ################################
  echo -e "Dumping new processes to disk..."
  cat $output_dir/psscan/diff-psscan.txt | tr -s ' ' | cut -d " " -f 3 | sort | uniq >  $output_dir/tmpfolder/new-procpids.tmp
  mkdir $output_dir/procdump
  while read newpid ; do
    vol.py --profile=$profile -f $infected_memory_image procdump -D $output_dir/procdump/ -p $newpid &> /dev/null
  done < $output_dir/tmpfolder/new-procpids.tmp
  wait


  if [[ $@ =~ "--malware-checks" ]] ; then
    touch $output_dir/tmpfolder/malware-checks.tmp
    echo -e "Hunting for process anomalies..."

    ################################ MALWARE CHECKS - NETWORK ################################

    # compute unique IPs from netscan output:
    cat $output_dir/netscan/diff-netscan.txt | grep -o -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort | uniq | grep -v -E "127\.0\.0\.1|0\.0\.0\.0" > $output_dir/tmpfolder/netscan-uniq-ips.tmp
    if [[ -s $output_dir/tmpfolder/netscan-uniq-ips.tmp ]]; then
      echo -e "\n\nUnique IP addresses from netscan output." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/netscan-uniq-ips.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - PROCESS ANOMALIES ################################

    # verify PID of System process = 4
    cat $output_dir/psscan/infected-psscan.txt | grep " System " | tr -s ' ' | cut -d " " -f 3 > $output_dir/tmpfolder/system-pids.tmp
    while read pid; do
      if [[ $pid != "4" ]] ; then
        echo -e "\nSuspicious 'System' process running with PID $pid (expected PID is 4)." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done < $output_dir/tmpfolder/system-pids.tmp

    # verify that only one instance of certain processes is running:
    for process in " services.exe" " System" " wininit.exe" " smss.exe" " lsass.exe" " lsm.exe" " explorer.exe"; do
      if [[ "$(cat $output_dir/psscan/infected-psscan.txt | grep $process | wc -l)" != "1" ]] ; then
        echo -e "\n\nMultiple instances of$process were detected." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
        cat $output_dir/psscan/infected-psscan.txt | grep $process >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done

    # verify that some processes do not have a child:
    for process in "lsass.exe" "lsm.exe"; do
      cat $output_dir/psscan/infected-psscan.txt | grep $process | tr -s ' ' | cut -d " " -f 3 >> $output_dir/tmpfolder/cpids.tmp
    done
    cat $output_dir/psscan/infected-psscan.txt | tr -s ' ' | cut -d " " -f 4 >> $output_dir/tmpfolder/ppids.tmp
    while read pid; do
      while read ppid; do
        if [[ "$pid" == "$ppid" ]]; then
          echo -e "\n\nProcess with (PID $ppid) is not supposed to be a parent." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          cat $output_dir/psscan/infected-psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
        fi
      done < $output_dir/tmpfolder/ppids.tmp
    done < $output_dir/tmpfolder/cpids.tmp

    # verify child/parent process relationships:
    for child in " svchost.exe" " smss.exe" " conhost.exe" " audiodg.exe" " services.exe" " lsass.exe" " lsm.exe" " taskhost.exe" " spoolsv.exe" " sppsvc.exe" " taskhost.exe" " mscorsvw.exe" " TPAutoConnSvc" " SearchIndexer" " WmiPrvSE.exe" ; do
      if [[ $child = " sppsvc.exe" ]] || [[ $child = " taskhost.exe" ]] || [[ $child = " mscorsvw.exe" ]] || [[ $child = " TPAutoConnSvc" ]] || [[ $child = " SearchIndexer" ]] || [[ $child = " svchost.exe" ]] || [[ $child = " taskhost.exe" ]] || [[ $child = " spoolsv.exe" ]] ; then parent=" services.exe"; fi
      if [[ $child = " smss.exe" ]]; then parent=" System"; fi
      if [[ $child = " conhost.exe" ]]; then parent=" csrss.exe"; fi
      if [[ $child = " WmiPrvSE.exe" ]] || [[ $child = " audiodg.exe" ]] ; then parent=" svchost.exe"; fi
      if [[ $child = " services.exe" ]] || [[ $child = " lsass.exe" ]] || [[ $child = " lsm.exe" ]]; then parent=" wininit.exe"; fi
      if grep $child $output_dir/psscan/infected-psscan.txt > /dev/null ; then
        if [[ "$(cat $output_dir/psscan/infected-psscan.txt | grep $parent | wc -l)" = "1" ]] ; then
          cat $output_dir/psscan/infected-psscan.txt | grep $child | tr -s ' ' | cut -d " " -f 4 > $output_dir/tmpfolder/child-ppids.tmp
          parent_pid="$(cat $output_dir/psscan/infected-psscan.txt | grep $parent | tr -s ' ' | cut -d ' ' -f 3)"
          while read ppid; do
            ppid=$( printf $ppid )
            parent_pid=$( printf $parent_pid )
            if [[ $ppid != $parent_pid ]] ; then
              tail -n +4 $output_dir/psscan/infected-psscan.txt | tr -s ' ' | cut -d ' ' -f 2-3 | grep -i " "$ppid | cut -d ' ' -f 1 | sort | uniq > $output_dir/tmpfolder/ppidprocess.tmp
              if [[ -s $output_dir/tmpfolder/ppidprocess.tmp ]] ; then   
                ppidlines=`cat $output_dir/tmpfolder/ppidprocess.tmp | wc -l`  &> /dev/null
                if [[ $ppidlines = 1 ]] ; then
                  echo -e "\n\nUnexpected parent process for$child: PPID $ppid (`cat $output_dir/tmpfolder/ppidprocess.tmp`) instead of PPID $parent_pid ($parent )." >> $output_dir/tmpfolder/malware-checks.tmp
                  echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  cat $output_dir/psscan/infected-psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
                else
                  cat $output_dir/tmpfolder/ppidprocess.tmp | tr '\n' ' ' > $output_dir/tmpfolder/ppparents.tmp
                  echo -e "\n\nUnexpected parent process for$child: PPID $ppid ( multiple associated processes: `cat $output_dir/tmpfolder/ppparents.tmp`) instead of PPID $parent_pid ($parent )." >> $output_dir/tmpfolder/malware-checks.tmp
                  echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  cat $output_dir/psscan/infected-psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
                fi
              else
                echo -e "\n\nUnexpected parent process for$child: PPID $ppid (could not map associated process name) instead of PPID $parent_pid ($parent )." >> $output_dir/tmpfolder/malware-checks.tmp
                echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
                sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                cat $output_dir/psscan/infected-psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
              fi
            fi     
          done < $output_dir/tmpfolder/child-ppids.tmp
        fi
      fi
    done

    # verify that every process has a parent (except for explorer.exe, csrss.exe, wininit.exe and winlogon.exe)
    mkdir $output_dir/tmpfolder/ppids
    tail -n +4 $output_dir/psscan/infected-psscan.txt | tr -s ' ' | cut -d ' ' -f 4 | sort | uniq | grep -v "^0$" > $output_dir/tmpfolder/ppids/ppids.temp
    tail -n +4 $output_dir/psscan/infected-psscan.txt | tr -s ' ' | cut -d ' ' -f 3 | sort | uniq > $output_dir/tmpfolder/ppids/pids.temp
    while read ppid; do 
      if ! grep -E "^$ppid$" $output_dir/tmpfolder/ppids/pids.temp > /dev/null ; then
        tail -n +4 $output_dir/psscan/infected-psscan.txt | tr -s ' ' | cut -d ' ' -f 2,3,4 | grep -E " $ppid$" | cut -d ' ' -f 1 | sort | uniq > $output_dir/tmpfolder/ppids/processes-$ppid.temp
        cat $output_dir/tmpfolder/ppids/processes-$ppid.temp | tr '\n' ' ' > $output_dir/tmpfolder/ppids/processes-$ppid-space.temp
        if  ! grep -E -i "explorer.exe|csrss.exe|wininit.exe|winlogon.exe" $output_dir/tmpfolder/ppids/processes-$ppid-space.temp > /dev/null ; then 
          echo -e "\n\nPPID $ppid does not have an associated process." >> $output_dir/tmpfolder/malware-checks.tmp
          echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          cat $output_dir/psscan/infected-psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
        fi 
      fi
    done < $output_dir/tmpfolder/ppids/ppids.temp

    # verify processes are running in expected sessions:
    for process in " wininit.exe" " services.exe" " lsass.exe" " svchost.exe" " lsm.exe" " winlogon.exe" ; do
      if [[ $process = " csrss.exe" ]] || [[ $process = " wininit.exe" ]] || [[ $process = " services.exe" ]] || [[ $process = " lsass.exe" ]] || [[ $process = " svchost.exe" ]]|| [[ $process = " lsm.exe" ]]; then session="0" ; fi
      if [[ $process = " winlogon.exe" ]]; then session="1" ; fi
      cat $output_dir/pslist/infected-pslist.txt | grep $process | tr -s ' ' | cut -d ' ' -f 7 > $output_dir/tmpfolder/process_sessions.tmp
      while read psession ; do
        if [[ $psession != $session ]] ; then
          echo -e "\n\nProcess$process running in unexpected session ($psession instead of $session)." >> $output_dir/tmpfolder/malware-checks.tmp
          echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '2p' $output_dir/pslist/infected-pslist.txt >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '3p' $output_dir/pslist/infected-pslist.txt >> $output_dir/tmpfolder/malware-checks.tmp
          cat $output_dir/pslist/infected-pslist.txt | grep $process >> $output_dir/tmpfolder/malware-checks.tmp
        fi
      done < $output_dir/tmpfolder/process_sessions.tmp
    done

    # check process executable path:
    for process in "smss.exe" "crss.exe" "wininit.exe" "services.exe" "lsass.exe" "svchost.exe" "lsm.exe" "explorer.exe" "winlogon"; do
      if [[ $process == "smss.exe" ]]; then processpath="\systemroot\system32\smss.exe" ; fi
      if [[ $process == "crss.exe" ]]; then processpath="\windows\system32\csrss.exe" ; fi
      if [[ $process == "wininit.exe" ]]; then processpath="\windows\system32\wininit.exe" ; fi
      if [[ $process == "services.exe" ]]; then processpath="\windows\system32\services.exe" ; fi
      if [[ $process == "lsass.exe" ]]; then processpath="\windows\system32\lsass.exe" ; fi
      if [[ $process == "svchost.exe" ]]; then processpath="\windows\system32\svchost.exe" ; fi
      if [[ $process == "lsm.exe" ]]; then processpath="\windows\system32\lsm.exe" ; fi
      if [[ $process == "explorer.exe" ]]; then processpath="\windows\explorer.exe" ; fi
      if [[ $process == "winlogon.exe" ]]; then processpath="\windows\system32\winlogon.exe" ; fi
      if [[ $process == "sppsvc.exe" ]]; then processpath="\windows\system32\sppsvc.exe" ; fi
      cat $output_dir/dlllist/infected-dlllist.txt | grep -i -A 1 $process | grep "Command line" | grep -o '\\.*' | cut -d ' ' -f 1 | tr '[:upper:]' '[:lower:]' | sed 's,\\,\\\\,g' > $output_dir/tmpfolder/path_list.tmp
      if [[ -s $output_dir/tmpfolder/path_list.tmp ]]; then
        while read path; do
          if [[ "$path" != "$processpath" ]]; then
            echo -e "\n\nProcess running from unusual path." >> $output_dir/tmpfolder/malware-checks.tmp
            echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
            echo -e "Process $process is running from $path instead of $processpath" >> $output_dir/tmpfolder/malware-checks.tmp
          fi
        done < $output_dir/tmpfolder/path_list.tmp
      fi
    done

    # verify if any processes have suspicious l33t names:
    cat $output_dir/psscan/infected-psscan.txt | grep -E -i $l33t_process_name > $output_dir/tmpfolder/suspicious_process.tmp
    if [[ -s $output_dir/tmpfolder/suspicious_process.tmp ]]; then
      echo -e "\n\nProcesses with suspicious names." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/suspicious_process.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # verify if any hacker tools were used in process list:
    cat $output_dir/psscan/infected-psscan.txt | grep -E -i $hacker_process_regex > $output_dir/tmpfolder/suspicious_tools.tmp
    if [[ -s $output_dir/tmpfolder/suspicious_tools.tmp ]]; then
      echo -e "\n\nProcesses that may have been used for lateral movement, exfiltration etc." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/psscan/infected-psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/suspicious_tools.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # detect process hollowing:
    mkdir $output_dir/tmpfolder/hollowing
    vol.py --profile=$profile -f $infected_memory_image procdump -u -D $output_dir/tmpfolder/hollowing/ &> /dev/null
    cat $output_dir/psscan/infected-psscan.txt | tr -s ' ' | cut -d ' ' -f 2 | cut -d '.' -f 1 | sort | uniq > $output_dir/tmpfolder/process-names.tmp
    tail -n +4 $output_dir/tmpfolder/process-names.tmp > $output_dir/tmpfolder/procnames.tmp
    while read process ; do
      cat $output_dir/psscan/infected-psscan.txt | grep -i $process | tr -s ' ' | cut -d ' ' -f 3 > $output_dir/tmpfolder/$process-pids.tmp
      touch $output_dir/tmpfolder/$process-size.tmp
      while read pid ; do
        ls -l $output_dir/tmpfolder/hollowing/ | tr -s ' ' | cut -d ' ' -f5,9 | grep -i "executable.$pid.exe" | cut -d ' ' -f 1 >> $output_dir/tmpfolder/$process-size.tmp
      done < $output_dir/tmpfolder/$process-pids.tmp
      cat $output_dir/tmpfolder/$process-size.tmp | uniq > $output_dir/tmpfolder/$process-size-uniq.tmp
      lines=`wc -l < $output_dir/tmpfolder/$process-size-uniq.tmp`
      if [[ $lines != 1 ]] && [[ $lines != 0 ]]  ; then 
        echo -e "\n\nPotential process hollowing detected in $process (based on size)." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "Process    PID  Size" >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "-----------------------------------" >> $output_dir/tmpfolder/malware-checks.tmp
        while read pid ; do
          echo -e "$process    $pid  `ls -l $output_dir/tmpfolder/hollowing/ | tr -s ' ' | cut -d ' ' -f5,9 | grep -i "executable.$pid.exe" | cut -d ' ' -f 1`" >> $output_dir/tmpfolder/malware-checks.tmp
        done < $output_dir/tmpfolder/$process-pids.tmp   
      fi
    done < $output_dir/tmpfolder/procnames.tmp

    # detect processes with exit time but active threads:
    cat $output_dir/psxview/diff-psxview.txt | tr -s ' ' | cut -d ' ' -f 1,2,6,13 | grep "UTC" | grep "True" | cut -d ' ' -f 1 > $output_dir/tmpfolder/exit_with_threads.tmp
    if [[ -s $output_dir/tmpfolder/exit_with_threads.tmp ]]; then
      echo -e "\n\nProcess(es) with exit time and active threads running." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/psxview/infected-psxview.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/psxview/infected-psxview.txt >> $output_dir/tmpfolder/malware-checks.tmp
      while read procname ; do 
        cat $output_dir/psxview/diff-psxview.txt | grep $procname >> $output_dir/tmpfolder/malware-checks.tmp
      done < $output_dir/tmpfolder/exit_with_threads.tmp
    fi

    # check if any process has domain or enterprise admin privileges:
    cat $output_dir/getsids/diff-getsids.txt | egrep '(Domain Admin|Enterprise Admin|Schema Admin)' > $output_dir/tmpfolder/suspicious_privlege.tmp
    if [[ -s $output_dir/tmpfolder/suspicious_privlege.tmp ]]; then
      echo -e "\n\nProcess(es) with domain or enterprise admin privileges." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/suspicious_privlege.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # check if any process has debug privileges:
    cat $output_dir/privs/diff-privs.txt | grep -i "debug" > $output_dir/tmpfolder/debug_privs.tmp
    if [[ -s $output_dir/tmpfolder/debug_privs.tmp ]]; then
      echo -e "\n\nProcess(es) with debug privileges." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/privs/infected-privs.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/privs/infected-privs.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/debug_privs.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # check if any process has a raw socket handle:
    cat $output_dir/handles/diff-handles.txt | grep -F "\Device\RawIp" > $output_dir/tmpfolder/raw_socket.tmp
    if [[ -s $output_dir/tmpfolder/raw_socket.tmp ]]; then
      echo -e "\n\nRaw socket handles." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/handles/infected-handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/handles/infected-handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/raw_socket.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # check if any process has a handle to a remote mapped share:
    cat $output_dir/handles/diff-handles.txt | grep -F "\\\\Device\\\\(LanmanRedirector|Mup)" > $output_dir/tmpfolder/remote_shares.tmp
    if [[ -s $output_dir/tmpfolder/remote_shares.tmp ]]; then
      echo -e "\n\nRemote share handles." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/handles/infected-handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/handles/infected-handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/remote_shares.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - DLLs ################################

    # find suspicious new DLLs (dlllist):
    cat $output_dir/dlllist/diff-dlllist.txt | grep -o -E "C:.*.dll" | grep -v -i "System32" | uniq | sort > $output_dir/tmpfolder/dlls.tmp
    if [[ -s $output_dir/tmpfolder/dlls.tmp ]] ; then
      echo -e "\n\nNew DLLs (dlllist)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/dlls.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find new dlls (atoms):
    cat $output_dir/atoms/diff-atoms.txt | grep -i -E ".dll$"  >> $output_dir/tmpfolder/atoms.tmp
    if [[ -s $output_dir/tmpfolder/atoms.tmp ]] ; then
      echo -e "\n\nNew DLLs (atoms)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/atoms/infected-atoms.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/atoms/infected-atoms.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/atoms.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find new dlls (atomscan):
    cat $output_dir/atomscan/diff-atomscan.txt | grep -i -E ".dll$"  >> $output_dir/tmpfolder/atomscan.tmp
    if [[ -s $output_dir/tmpfolder/atomscan.tmp ]] ; then
      echo -e "\n\nNew DLLs (atomscan)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/atomscan/infected-atomscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/atomscan/infected-atomscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/atomscan.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      if [[ $@ =~ "--add-hints" ]] ; then
        echo -e "\nHint: The DLLs above were potentially injected to genuine processes." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi

    # highlight new hidden DLLs (ldrmodules):
    cat $output_dir/ldrmodules/diff-ldrmodules.txt | grep "False" | grep -E -v -i "system32|explorer.exe|iexplore.exe|.fon$" | sort | uniq > $output_dir/tmpfolder/ldrmodules.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodules.tmp ]] ; then
      echo -e "\n\nSuspicious new ldrmodules entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodules.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find highly suspicious DLLs used for password stealing (ldrmodules):
    cat $output_dir/ldrmodules/diff-ldrmodules.txt | grep -E -i $hacker_dll_regex | sort | uniq > $output_dir/tmpfolder/ldrmodule_hacker.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodule_hacker.tmp ]] ; then
      echo -e "\n\nNew DLLs that may have been used for password theft." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodule_hacker.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find DLLs with no path / no name (indicates process hollowing) (ldrmodules):
    cat $output_dir/ldrmodules/diff-ldrmodules.txt | grep -E -i "no name" | sort | uniq > $output_dir/tmpfolder/ldrmodule_hollow.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodule_hollow.tmp ]] ; then
      echo -e "\n\nNew DLLs with no path/name (indicates process hollowing)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodule_hollow.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - FILES ################################

    # find DLLs/EXES loaded from temp folders (dlllist):
    cat $output_dir/dlllist/diff-dlllist.txt | grep -E -i "TMP|TEMP|AppData" | sort | uniq > $output_dir/tmpfolder/dlllist_temp.tmp
    if [[ -s $output_dir/tmpfolder/dlllist_temp.tmp ]] ; then
      echo -e "\n\nNew DLLs/EXEs loaded from temp folders." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/dlllist_temp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find hidden DLLs/EXES (ldrmodules):
    cat $output_dir/ldrmodules/diff-ldrmodules.txt | grep -E -i "False  False  False" | sort | uniq | grep -E -i ".dll$|.exe$" > $output_dir/tmpfolder/ldrmodule_hidden.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodule_hidden.tmp ]] ; then
      echo -e "\n\nNew hidden DLLs/EXEs (ldrmodules)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/infected-ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodule_hidden.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight new suspicious files (filescan):
    cat $output_dir/filescan/diff-filescan.txt | grep -E -i "\\ProgramData|\\Recycle|\\Windows\\Temp|\\Users\\All|\\Users\\Default|\\Users\\Public|\\ProgramData|AppData" | sort | uniq | grep -v -E ".db$|.lnk$|.ini$|.log$" | tr -s ' ' | cut -d ' ' -f 5 | sort | uniq >> $output_dir/tmpfolder/filescan.tmp
    if [[ -s $output_dir/tmpfolder/filescan.tmp ]] ; then
      echo -e "\n\nNew files on disk." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/filescan.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight prefetch files:
    cat $output_dir/mftparser/diff-mftparser.txt | grep \.pf$ | awk '{print $NF}' | sort | uniq > $output_dir/tmpfolder/prefetch.tmp
    if [[ -s $output_dir/tmpfolder/prefetch.tmp ]]; then
      echo -e "\n\nNew prefetch artifacts." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/prefetch.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight binaries loaded from TEMP folders:
    cat $output_dir/envars/diff-envars.txt | grep -i "TEMP" > $output_dir/tmpfolder/temp_envars.tmp
    if [[ -s $output_dir/tmpfolder/temp_envars.tmp ]]; then
      echo -e "\n\nPossible binaries loaded from TEMP folders." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/envars/infected-envars.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/envars/infected-envars.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/temp_envars.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find suspicious new executables (dlllist):
    cat $output_dir/dlllist/diff-dlllist.txt | grep "Command line" | grep -E -v -i "system32|explorer.exe|iexplore.exe" | sed -e 's/Command line : //' | sort | uniq > $output_dir/tmpfolder/execs.tmp
    if [[ -s $output_dir/tmpfolder/execs.tmp ]] ; then
      echo -e "\n\nNew executables (dlllist)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/execs.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight alternate data stream files:
    cat $output_dir/mftparser/diff-mftparser.txt | grep "DATA ADS" > $output_dir/tmpfolder/ads.tmp
    if [[ -s $output_dir/tmpfolder/ads.tmp ]]; then
      echo -e "\n\nNew alternate Data Stream (ADS) files." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ads.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - MISC ################################

    # find interresting new entries in hosts file
    mkdir $output_dir/tmpfolder/hostsb
    mkdir $output_dir/tmpfolder/hostsi
    qaddressb=$(cat $output_dir/filescan/baseline-filescan.txt | grep -i -E "etc\\\\hosts$" | tr -s ' ' | cut -d ' ' -f 1)
    if [[ ! -z "$qaddressb" ]] ; then 
      vol.py --profile=$profile -f $baseline_memory_image dumpfiles -Q $qaddressb -D $output_dir/tmpfolder/hostsb --name &> /dev/null 
      strings $output_dir/tmpfolder/hostsb/* > $output_dir/tmpfolder/hosts_baseline.tmp  &> /dev/null
    fi
    qaddressi=$(cat $output_dir/filescan/infected-filescan.txt | grep -i -E "etc\\\\hosts$" | tr -s ' ' | cut -d ' ' -f 1)
    if [[ ! -z "$qaddressi" ]] ; then 
      vol.py --profile=$profile -f $infected_memory_image dumpfiles -Q $qaddressi -D $output_dir/tmpfolder/hostsi --name &> /dev/null 
      strings $output_dir/tmpfolder/hostsi/* > $output_dir/tmpfolder/hosts_infected.tmp  &> /dev/null
    fi
    if [[ -s $output_dir/tmpfolder/hosts_baseline.tmp ]] && [[ -s $output_dir/tmpfolder/hosts_infected.tmp ]] ; then
      diff $output_dir/tmpfolder/hosts_baseline.tmp $output_dir/tmpfolder/hosts_infected.tmp | grep -E "^>" | sed 's/^..//' &> $output_dir/tmpfolder/new-hosts.tmp
      if [[ -s $output_dir/tmpfolder/new-hosts.tmp ]] ; then
        echo -e "\n\nChanges in hosts files." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        cat $output_dir/tmpfolder/new-hosts.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi
    
    # find suspicious new desktop instances: 
    cat $output_dir/deskscan/diff-deskscan.txt | grep "Desktop:" >> $output_dir/tmpfolder/deskscan.tmp
    if [[ -s $output_dir/tmpfolder/deskscan.tmp ]] ; then
      echo -e "\n\nNew desktop instances." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/deskscan.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      if [[ $@ =~ "--add-hints" ]] ; then
            echo -e "\nHint: Use wintree to view a tree of the windows in suspicious desktops." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi

    ################################ MALWARE CHECKS - PERSISTENCE ################################

    echo -e "Searching for persistence artifacts..."

    # filtering svcscan results:
    cat $output_dir/svcscan/baseline-svcscan.txt | grep -i "Binary Path" | sort | uniq > $output_dir/tmpfolder/baseline-svcscan.tmp
    cat $output_dir/svcscan/infected-svcscan.txt | grep -i "Binary Path" | sort | uniq > $output_dir/tmpfolder/infected-svcscan.tmp
    diff $output_dir/tmpfolder/baseline-svcscan.tmp $output_dir/tmpfolder/infected-svcscan.tmp | grep -E "^>" | sed 's/^..//' > $output_dir/tmpfolder/diff-svcscan.tmp
    if [[ -s $output_dir/tmpfolder/diff-svcscan.tmp ]] ; then
      echo -e "\n\nNew services." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/diff-svcscan.tmp | sed 's,\\,\\\\\\\\,g' > $output_dir/tmpfolder/loop-svcscan.tmp
      while read line ; do 
        cat $output_dir/svcscan/infected-svcscan.txt | grep -B 9 "`echo $line`" >> $output_dir/tmpfolder/malware-checks.tmp
      done < $output_dir/tmpfolder/loop-svcscan.tmp
    fi

    # find changes in registry keys commonly used for persistence:
    for key in "Microsoft\Windows\CurrentVersion\RunOnce" "Microsoft\Windows\CurrentVersion\Run" "Software\Microsoft\Windows\CurrentVersion\RunOnce" "Software\Microsoft\Windows\CurrentVersion\Run" "Microsoft\Windows\CurrentVersion\RunServices" "Microsoft\Windows\CurrentVersion\RunServicesOnce" "Software\Microsoft\Windows NT\CurrentVersion\Winlogon" "Microsoft\Security Center\Svc" ; do
      vol.py --profile=$profile -f $baseline_memory_image printkey -K $key &> $output_dir/tmpfolder/base.tmp &
      vol.py --profile=$profile -f $infected_memory_image printkey -K $key &> $output_dir/tmpfolder/inf.tmp &
      wait
      tr < $output_dir/tmpfolder/base.tmp -d '\000' > $output_dir/tmpfolder/baseline.tmp
      tr < $output_dir/tmpfolder/inf.tmp -d '\000' > $output_dir/tmpfolder/infected.tmp
      diff $output_dir/tmpfolder/baseline.tmp $output_dir/tmpfolder/infected.tmp | grep -E "^>" | sed 's/^..//' &> $output_dir/tmpfolder/diff.tmp
      if [[ -s $output_dir/tmpfolder/diff.tmp ]] ; then
        echo -e "\n\nRegistry key $key changed." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        tail -n +2 $output_dir/tmpfolder/infected.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done

    ################################ MALWARE CHECKS - KERNEL ################################

    # find keylogger traces in messagehooks:
    cat $output_dir/messagehooks/diff-messagehooks.txt | grep -i "KEYBOARD" > $output_dir/tmpfolder/keyboard_messagehooks.tmp
    if [[ -s $output_dir/tmpfolder/keyboard_messagehooks.tmp ]]; then
      echo -e "\n\nKeylogger traces (messagehooks)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/messagehooks/infected-messagehooks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/messagehooks/infected-messagehooks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/keyboard_messagehooks.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find unusual new timers:
    cat $output_dir/timers/diff-timers.txt | grep -E -v -i "ataport.SYS|ntoskrnl.exe|NETIO.SYS|storport.sys|afd.sys|cng.sys|dfsc.sys|discache.sys|HTTP.sys|luafv.sys|ndis.sys|Ntfs.sys|rdbss.sys|rdyboost.sys|spsys.sys|srvnet.sys|srv.sys|tcpip.sys|usbccgp.sys" | sort | uniq >> $output_dir/tmpfolder/timers.tmp
    if [[ -s $output_dir/tmpfolder/timers.tmp ]] ; then
      echo -e "\n\nNew timers." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/timers/infected-timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/timers/infected-timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/timers.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      if [[ $@ =~ "--add-hints" ]] ; then
        echo -e "\nHint: Malware can set kernel timers to run functions at specified intervals." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi

    # find unusual new gditimers:
    cat $output_dir/gditimers/diff-gditimers.txt | grep -E -v -i "dllhost.exe|explorer.exe|csrss.exe" | sort | uniq >> $output_dir/tmpfolder/gditimers.tmp
    if [[ -s $output_dir/tmpfolder/gditimers.tmp ]] ; then
      echo -e "\n\nNew gditimers." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/gditimers/infected-gditimers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/gditimers/infected-gditimers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/gditimers.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      if [[ $@ =~ "--add-hints" ]] ; then
        echo -e "\nHint: Malware can set timers to run functions at specified intervals." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi

    # find malicious kernel timers:
    cat $output_dir/timers/diff-timers.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_timers.tmp
    if [[ -s $output_dir/tmpfolder/unknown_timers.tmp ]]; then
      echo -e "\n\nNew malicious kernel timers." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/timers/infected-timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/timers/infected-timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_timers.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find malicious kernel callbacks:
    cat $output_dir/callbacks/diff-callbacks.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_callbacks.tmp
    if [[ -s $output_dir/tmpfolder/unknown_callbacks.tmp ]]; then
      echo -e "\n\nNew malicious kernel callbacks." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/callbacks/infected-callbacks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/callbacks/infected-callbacks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_callbacks.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find unknown drivermodule entries:
    cat $output_dir/drivermodule/diff-drivermodule.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_drivermodule.tmp
    if [[ -s $output_dir/tmpfolder/unknown_drivermodule.tmp ]]; then
      echo -e "\n\nNew suspicious drivermodule entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/drivermodule/infected-drivermodule.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/drivermodule/infected-drivermodule.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_drivermodule.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find unknown driverirp entries:
    cat $output_dir/driverirp/diff-driverirp.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_driverirp.tmp
    if [[ -s $output_dir/tmpfolder/unknown_driverirp.tmp ]]; then
      echo -e "\n\nNew suspicious driverirp entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_driverirp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find hooked ssdt functions:
    cat $output_dir/ssdt/diff-ssdt.txt | grep -i -E -v '(ntos|win32k)' | grep -i "Entry" > $output_dir/tmpfolder/hooked_ssdt.tmp
    if [[ -s $output_dir/tmpfolder/hooked_ssdt.tmp ]]; then
      echo -e "\n\nNew hooked ssdt functions." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/hooked_ssdt.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find manipulated idt entries:
    cat $output_dir/idt/diff-idt.txt | grep -i "rsrc" > $output_dir/tmpfolder/manipulated_idt.tmp
    if [[ -s $output_dir/tmpfolder/manipulated_idt.tmp ]]; then
      echo -e "\n\nManipulated idt entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/idt/infected-idt.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/idt/infected-idt.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/manipulated_idt.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # display orphan threads:
    cat $output_dir/orphanthreads/diff-orphanthreads.txt > $output_dir/tmpfolder/orphanthreads.tmp
    if [[ -s $output_dir/tmpfolder/orphanthreads.tmp ]]; then
      echo -e "\n\nOrphan threads." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/orphanthreads.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - STRINGS ################################

    echo -e "Hunting for badness in memory strings..."
    # dumping and analysing registry for anomalies
    mkdir $output_dir/dumpregistry
    mkdir $output_dir/tmpfolder/baselineregistry
    mkdir $output_dir/dumpregistry/infectedregistry
    vol.py --profile=$profile -f $baseline_memory_image dumpregistry -D $output_dir/tmpfolder/baselineregistry &> /dev/null &
    vol.py --profile=$profile -f $infected_memory_image dumpregistry -D $output_dir/dumpregistry/infectedregistry &> /dev/null &
    wait
    strings -a -td $output_dir/tmpfolder/baselineregistry/* | sort | uniq > $output_dir/tmpfolder/baseline-registry-strings.txt
    strings -a -td $output_dir/dumpregistry/infectedregistry/* | sort | uniq > $output_dir/tmpfolder/infected-registry-strings.txt
    diff $output_dir/tmpfolder/baseline-registry-strings.txt $output_dir/tmpfolder/infected-registry-strings.txt | grep -E "^>" | sed 's/^..//' &> $output_dir/dumpregistry/diff-registry-strings.txt
    # find ips/domains/emails in new registry strings:
    cat $output_dir/dumpregistry/diff-registry-strings.txt | grep -o -E '\b(https?|ftp|file)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]' | uniq >> $output_dir/tmpfolder/diff-reg-ip-domains.tmp
    cat $output_dir/dumpregistry/diff-registry-strings.txt | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | uniq >> $output_dir/tmpfolder/diff-reg-ip-domains.tmp
    cat $output_dir/dumpregistry/diff-registry-strings.txt | grep -E -o "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | uniq >> $output_dir/tmpfolder/diff-reg-ip-domains.tmp
    if [[ -s $output_dir/tmpfolder/diff-reg-ip-domains.tmp ]] ; then
      echo -e "\n\nNew IPs, domains and email addresses found in registry." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/diff-reg-ip-domains.tmp | sort | uniq >> $output_dir/tmpfolder/malware-checks.tmp
    fi
    # find other suspicious strings in registry:
    for pattern in Web Antivirus Virtualisation Sandbox Sysinternals Shell Keylogger Filepath Password Powershell Infogathering Executable Banking Encryption Socialsites Other ; do
      if [[ $pattern == "Web" ]] ; then regex_str=$web_regex_str ; fi
      if [[ $pattern == "Antivirus" ]] ; then regex_str=$antivirus_regex_str ; fi
      if [[ $pattern == "Virtualisation" ]] ; then regex_str=$virtualisation_regex_str ; fi
      if [[ $pattern == "Sandbox" ]] ; then regex_str=$sandbox_regex_str ; fi
      if [[ $pattern == "Sysinternals" ]] ; then regex_str=$sysinternals_regex_str ; fi
      if [[ $pattern == "Shell" ]] ; then regex_str=$shell_regex_str ; fi
      if [[ $pattern == "Keylogger" ]] ; then regex_str=$keylogger_regex_str ; fi
      if [[ $pattern == "Filepath" ]] ; then regex_str=$filepath_regex_str ; fi
      if [[ $pattern == "Password" ]] ; then regex_str=$password_regex_str ; fi
      if [[ $pattern == "Powershell" ]] ; then regex_str=$powershell_regex_str ; fi
      if [[ $pattern == "Infogathering" ]] ; then regex_str=$infogathering_regex_str ; fi
      if [[ $pattern == "Executable" ]] ; then regex_str=$exec_regex_str ; fi
      if [[ $pattern == "Banking" ]] ; then regex_str=$banking_regex_str ; fi
      if [[ $pattern == "Encryption" ]] ; then regex_str=$crypto_regex_str ; fi
      if [[ $pattern == "Socialsites" ]] ; then regex_str=$socialsites_regex_str ; fi
      if [[ $pattern == "Other" ]] ; then regex_str=$other_regex_str ; fi

      if grep -E -i $regex_str $output_dir/dumpregistry/diff-registry-strings.txt > /dev/null ; then
        echo -e "\n\n$pattern strings found in registry." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        grep -E -i $regex_str $output_dir/dumpregistry/diff-registry-strings.txt | sort | uniq >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done

    # running volatility strings plugin
    mkdir $output_dir/strings
    strings -a -td $output_dir/malfind/dump-dir-infected/* > $output_dir/tmpfolder/process-strings.tmp 2> /dev/null
    strings -a -td $output_dir/procdump/* >> $output_dir/tmpfolder/process-strings.tmp 2> /dev/null
    vol.py --profile=$profile -f $infected_memory_image strings -S --string-file=$output_dir/tmpfolder/process-strings.tmp &> $output_dir/strings/process-strings-vol.txt

    # find ips/domains/emails in strings:
    cat $output_dir/strings/process-strings-vol.txt | grep -E '\b(https?|ftp|file)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]' | uniq >> $output_dir/tmpfolder/infected-ip-domains.tmp
    cat $output_dir/strings/process-strings-vol.txt | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | uniq >> $output_dir/tmpfolder/infected-ip-domains.tmp
    cat $output_dir/strings/process-strings-vol.txt | grep -E "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | uniq >> $output_dir/tmpfolder/infected-ip-domains.tmp
    if [[ -s $output_dir/tmpfolder/infected-ip-domains.tmp ]] ; then
      echo -e "\n\nNew IPs, domains and email addresses found in memory strings." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/infected-ip-domains.tmp | sort | uniq >> $output_dir/tmpfolder/malware-checks.tmp
    fi
    
    # find other suspicious strings in memory:
    for pattern in Web Antivirus Virtualisation Sandbox Sysinternals Shell Keylogger Filepath Password Powershell Infogathering Executable Banking Encryption Socialsites Other ; do
      if [[ $pattern == "Web" ]] ; then regex_str=$web_regex_str ; fi
      if [[ $pattern == "Antivirus" ]] ; then regex_str=$antivirus_regex_str ; fi
      if [[ $pattern == "Virtualisation" ]] ; then regex_str=$virtualisation_regex_str ; fi
      if [[ $pattern == "Sandbox" ]] ; then regex_str=$sandbox_regex_str ; fi
      if [[ $pattern == "Sysinternals" ]] ; then regex_str=$sysinternals_regex_str ; fi
      if [[ $pattern == "Shell" ]] ; then regex_str=$shell_regex_str ; fi
      if [[ $pattern == "Keylogger" ]] ; then regex_str=$keylogger_regex_str ; fi
      if [[ $pattern == "Filepath" ]] ; then regex_str=$filepath_regex_str ; fi
      if [[ $pattern == "Password" ]] ; then regex_str=$password_regex_str ; fi
      if [[ $pattern == "Powershell" ]] ; then regex_str=$powershell_regex_str ; fi
      if [[ $pattern == "Infogathering" ]] ; then regex_str=$infogathering_regex_str ; fi
      if [[ $pattern == "Executable" ]] ; then regex_str=$exec_regex_str ; fi
      if [[ $pattern == "Banking" ]] ; then regex_str=$banking_regex_str ; fi
      if [[ $pattern == "Encryption" ]] ; then regex_str=$crypto_regex_str ; fi
      if [[ $pattern == "Socialsites" ]] ; then regex_str=$socialsites_regex_str ; fi
      if [[ $pattern == "Other" ]] ; then regex_str=$other_regex_str ; fi

      if grep -E -i $regex_str $output_dir/strings/process-strings-vol.txt > /dev/null ; then
        echo -e "\n\n$pattern strings found in memory." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        grep -E -i $regex_str $output_dir/strings/process-strings-vol.txt | sort | uniq >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done

    ################################ MALWARE CHECKS - IMPORTS ################################

    # analyse import tables in new processes:
    plugin=impscan
    tail -n +4 $output_dir/psscan/diff-psscan.txt | tr -s ' ' | cut -d " " -f 3 | sort | uniq > $output_dir/tmpfolder/procids.tmp
    cat $output_dir/malfind/diff-malfind.txt | grep "Address:" | cut -d ' ' -f 4 | sort | uniq >> $output_dir/tmpfolder/procids.tmp
    cat $output_dir/tmpfolder/procids.tmp | sort | uniq > $output_dir/tmpfolder/pids.tmp
    while read pid; do
      vol.py --profile=$profile -f $memory_image $plugin -p $pid &> $output_dir/tmpfolder/$pid-imports.tmp
      process=`tail -n +4 $output_dir/psscan/infected-psscan.txt | tr -s ' ' | cut -d ' ' -f 1-3 | grep -i " "$pid | cut -d ' ' -f 2 | sort | uniq`
      # searching for anti debug import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $anti_debug_imports > $output_dir/tmpfolder/$pid-imports-susp.tmp
      # search for password extraction import functions 
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $password_extract_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for web request import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $web_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for service import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $service_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for process injection import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $process_injection_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for uac bypass import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $uac_bypass_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for misc import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $misc_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      if [[ -s $output_dir/tmpfolder/$pid-imports-susp.tmp ]] ; then
        echo -e "\n\nSuspicious imports in process $process." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '2p' $output_dir/tmpfolder/$pid-imports.tmp >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '3p' $output_dir/tmpfolder/$pid-imports.tmp >> $output_dir/tmpfolder/malware-checks.tmp
        cat $output_dir/tmpfolder/$pid-imports-susp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done < $output_dir/tmpfolder/pids.tmp

  fi

  ################################ REPORT CREATION ################################
  if [[ $@ =~ "--no-report" ]] ; then
    endtime=$(date +%s)
    echo -e "\nAll done in $(($endtime - $starttime)) seconds."
    rm -r $output_dir/tmpfolder &> /dev/null
    notify-send "VolDiff execution completed."
    exit
  fi
  echo -e "Creating a report..."
  report=VolDiff-report.txt
  touch $output_dir/$report
  echo -e " _    __      ______  _ ________" >> $output_dir/$report
  echo -e "| |  / /___  / / __ \(_) __/ __/" >> $output_dir/$report
  echo -e "| | / / __ \/ / / / / / /_/ /_  " >> $output_dir/$report
  echo -e "| |/ / /_/ / / /_/ / / __/ __/  " >> $output_dir/$report
  echo -e "|___/\____/_/_____/_/_/ /_/     " >> $output_dir/$report
  echo -e "\nVolatility analysis report generated by VolDiff v$version." >> $output_dir/$report 
  echo -e "Download the latest VolDiff version from https://github.com/aim4r/VolDiff/.\n" >> $output_dir/$report
  echo -e "Baseline memory image: $baseline_memory_image" >> $output_dir/$report 
  echo -e "Infected memory image: $infected_memory_image" >> $output_dir/$report 
  echo -e "Profile: $profile" >> $output_dir/$report 
  touch $output_dir/tmpfolder/no_new_entries.tmp
  for plugin in "{plugins_to_report[@]}"
  do
    if [[ -s $output_dir/$plugin/diff-$plugin.txt ]] ; then  
      # processing pslist and psscan output:
      if [[ $plugin = "pslist"  ]] || [[ $plugin = "psscan"  ]] ; then
       echo -e "\n\nNew $plugin entries." >> $output_dir/$report
       echo -e "===========================================================================\n" >> $output_dir/$report
       sed -n '2p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
       sed -n '3p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
       cat $output_dir/$plugin/baseline-$plugin.txt | tr -s ' ' | cut -d " " -f 3 > $output_dir/tmpfolder/baseline-pids.tmp
       cat $output_dir/$plugin/infected-$plugin.txt | tr -s ' ' | cut -d " " -f 3  > $output_dir/tmpfolder/infected-pids.tmp
       diff $output_dir/tmpfolder/baseline-pids.tmp $output_dir/tmpfolder/infected-pids.tmp | grep -E "^>" | sed 's/^..//' | uniq &>> $output_dir/tmpfolder/unique-new-pids.tmp
       while read pid; do
         cat $output_dir/$plugin/infected-$plugin.txt | grep -E "[a-zA-Z] +$pid " >> $output_dir/$report
       done < $output_dir/tmpfolder/unique-new-pids.tmp

      #processing netscan output
      elif [[ $plugin = "netscan"  ]] ; then
        echo -e "\n\nNew $plugin entries." >> $output_dir/$report
        echo -e "===========================================================================\n" >> $output_dir/$report
        sed -n '2p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
        cat $output_dir/$plugin/diff-$plugin.txt >> $output_dir/$report
      #filtering mutantscan output
      elif [[ $plugin = "mutantscan"  ]] ; then
        echo -e "\n\nNew $plugin entries." >> $output_dir/$report
        echo -e "===========================================================================" >> $output_dir/$report
        cat $output_dir/$plugin/diff-$plugin.txt | tr -s ' ' | cut -d ' ' -f 6 | sort | uniq >> $output_dir/$report
        if [[ $@ =~ "--add-hints" ]] ; then
          echo -e "\nHint: Google mutants associated with suspicious processes." >> $output_dir/$report
        fi

      # processing plugins that don't need output formatting:
      elif [[ $plugin = "devicetree" ]] || [[ $plugin = "orphanthreads" ]] || [[ $plugin = "cmdline" ]] || [[ $plugin = "consoles" ]] || [[ $plugin = "svcscan" ]] || [[ $plugin = "driverirp" ]] || [[ $plugin = "malfind" ]] || [[ $plugin = "shellbags" ]] || [[ $plugin = "iehistory" ]] || [[ $plugin = "sessions" ]] || [[ $plugin = "eventhooks" ]] ; then
        echo -e "\n\nNew $plugin entries." >> $output_dir/$report
        echo -e "===========================================================================\n" >> $output_dir/$report
        cat $output_dir/$plugin/diff-$plugin.txt >> $output_dir/$report

      # processing other plugins:
      else
        echo -e "\n\nNew $plugin entries." >> $output_dir/$report
        echo -e "===========================================================================\n" >> $output_dir/$report
        sed -n '2p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
        sed -n '3p' $output_dir/$plugin/infected-$plugin.txt >> $output_dir/$report
        cat $output_dir/$plugin/diff-$plugin.txt >> $output_dir/$report
      fi
      # adding hints to help in further analysis:
      if [[ $@ =~ "--add-hints" ]] ; then
        if [[ $plugin = "malfind" ]] ; then
          echo -e "\nHint: Suspicious malfind processes were dumped to disk, and can be reversed as normal or uploaded to VirusTotal." >> $output_dir/$report
        fi
        if [[ $plugin = "drivermodule" ]] ; then
          echo -e "\nHint: Use moddump -b to dump suspicious drivers from memory to disk." >> $output_dir/$report
        fi
        if [[ $plugin = "driverscan" ]] ; then
          echo -e "\nHint: Drivers that have no associated service should be considered as suspicious. Use moddump -b to dump suspicious drivers from memory to disk." >> $output_dir/$report
        fi
        if [[ $plugin = "psxview" ]] ; then
          echo -e "\nHint: Use procexedump to dump suspcious processes from memory to disk." >> $output_dir/$report
        fi
        if [[ $plugin = "netscan" ]] ; then
          echo -e "\nHint: Translate suspicious IPs to domains using Google/VirusTotal, and search for the associated domains in memory strings." >> $output_dir/$report
        fi
        if [[ $plugin = "ssdt" ]] ; then
          echo -e "\nHint: Some rootkits manipulate SSDT entries to hide its files or registry entries from usermode." >> $output_dir/$report
        fi
        if [[ $plugin = "iehistory" ]] ; then
          echo -e "\nHint: iehistory can reveal history details of malware that uses the WinINet API." >> $output_dir/$report
        fi
        if [[ $plugin = "envars" ]] ; then
          echo -e "\nHint: Some malware will change the PATH and PATHEXT environment variables." >> $output_dir/$report
        fi
        if [[ $plugin = "messagehooks" ]] ; then
          echo -e "\nHint: messagehooks can detect hooks that attempt to catch user strokes." >> $output_dir/$report
        fi
      fi
    else
      echo -e "$plugin" >> $output_dir/tmpfolder/no_new_entries.tmp 
    fi
  done

  # display list of plugins with no notable changes:
  if [[ -s $output_dir/tmpfolder/no_new_entries.tmp ]]; then
    echo -e "\n\nNo notable changes to highlight from the following plugins." >> $output_dir/$report
    echo -e "===========================================================================\n" >> $output_dir/$report
    cat $output_dir/tmpfolder/no_new_entries.tmp >> $output_dir/$report
  fi

  # display list of plugins hidden from report (verbose):
  echo -e "\n\nPlugins that were executed but are not included in the report above." >> $output_dir/$report
  echo -e "===========================================================================\n" >> $output_dir/$report
  echo -e "filescan\nhandles\ngetsids\ndeskscan\ndlllist\nldrmodules\natoms\nsvcscan\natomscan\nidt\ngdt\ntimers\ngditimers" >> $output_dir/$report

  # add identified process anomalies to the report:
  if [[ $@ =~ "--malware-checks" ]] ; then
    if [[ -s $output_dir/tmpfolder/malware-checks.tmp ]]; then
      echo -e "" >> $output_dir/$report
      echo "   _               _           _         __                 _ _       " >> $output_dir/$report
      echo "  /_\  _ __   __ _| |_   _ ___(_)___    /__\ ___  ___ _   _| | |_ ___ " >> $output_dir/$report
      echo -E " //_\\\\| '_ \\ / _` | | | | / __| / __|  / \\/// _ \\/ __| | | | | __/ __|" >> $output_dir/$report
      echo -E "/  _  \\ | | | (_| | | |_| \\__ \\ \\__ \\ / _  \\  __/\\__ \\ |_| | | |_\\__ \\" >> $output_dir/$report
      echo "\_/ \_/_| |_|\__,_|_|\__, |___/_|___/ \/ \_/\___||___/\__,_|_|\__|___/" >> $output_dir/$report
      echo "                     |___/                                            " >> $output_dir/$report
      cat $output_dir/tmpfolder/malware-checks.tmp >> $output_dir/$report
    fi
  fi

  echo -e "\n\nEnd of report." >> $output_dir/$report
  rm -r $output_dir/tmpfolder &> /dev/null

  endtime=$(date +%s)
  echo -e "\nAll done in $(($endtime - $starttime)) seconds, report saved to $output_dir/$report."
  notify-send "VolDiff execution completed."

################################################################## ENTER STANDALONE MODE ################################################################## 

elif [[ $mode = "standalone" ]] ; then
  echo -e "Only one memory image specified: enter standalone mode..."
  ################################ SETTING PROFILE AND FINDING PATH TO MEMORY IMAGES ################################
  if [[ -f $1 ]] ; then
    memory_image=$1
    echo -e "Path to memory image: $memory_image..."
  elif [[ -f infected.raw ]] ; then
    memory_image=infected.raw
    echo -e "Path to memory image is not valid or was not specified. Using default ($memory_image)..."
  elif [[ -f infected.vmem ]] ; then
    memory_image=infected.vmem
    echo -e "Path to memory image is not valid or was not specified. Using default ($memory_image)..."
  else
    echo -e "Please specify a path to a memory image."
    exit
  fi
  if [[ -z $2 ]] ; then
    profile=Win7SP0x86
    echo -e "Profile is not specified. Using default ($profile)..."
  elif [[ $2 != Win7SP1x64 ]] &&  [[ $2 != Win7SP0x86 ]] &&  [[ $2 != Win7SP0x64 ]] &&  [[ $2 != Win7SP1x86 ]] ;  then
    profile=$2
    echo -e "WARNING: This script was only tested using Windows 7 profiles. The specified profile ($profile) seems different!" 
  else
    profile=$2
    echo -e "Profile: $profile..."
  fi

  ################################ CREATING FOLDER TO STORE OUTPUT ################################
  starttime=$(date +%s)
  output_dir=VolDiff_$(date +%F_%R)
  mkdir $output_dir
  mkdir $output_dir/tmpfolder

  ################################ RUNNING VOLATILITY PLUGINS ################################
  echo -e "Running a selection of volatility plugins (time consuming)..."
  for plugin in "{plugins_to_run[@]}" 
  do
    echo -e "Volatility plugin "$plugin" execution in progress..."
    mkdir $output_dir/$plugin
    if [[ $plugin = "mutantscan" ]] || [[ $plugin = "handles" ]] || [[ $plugin = "privs" ]]  || [[ $plugin = "envars" ]] ; then
      vol.py --profile=$profile -f $memory_image $plugin --silent &> $output_dir/$plugin/$plugin.txt
    elif [[ $plugin = "orphanthreads" ]]  ; then
      vol.py --profile=$profile -f $memory_image threads -F OrphanThread &> $output_dir/orphanthreads/orphanthreads.txt
    elif [[ $plugin = "psxview" ]]  ; then
      vol.py --profile=$profile -f $memory_image psxview -R &> $output_dir/psxview/psxview.txt
    elif [[ $plugin = "malfind" ]] ; then
      mkdir $output_dir/$plugin/dump-dir
      vol.py --profile=$profile -f $memory_image $plugin -D $output_dir/$plugin/dump-dir &> $output_dir/$plugin/$plugin.txt
    else
      vol.py --profile=$profile -f $memory_image $plugin &> $output_dir/$plugin/$plugin.txt
    fi
  done
  wait

  if [[ $@ =~ "--malware-checks" ]] ; then
    echo -e "Hunting for anomalies in $memory_image processes..."
    touch $output_dir/tmpfolder/malware-checks.tmp

    ################################ MALWARE CHECKS - NETWORK ################################

    # compute unique IPs from netscan output:
    cat $output_dir/netscan/netscan.txt | grep -o -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort | uniq | grep -v -E "127\.0\.0\.1|0\.0\.0\.0" > $output_dir/tmpfolder/netscan-uniq-ips.tmp
    if [[ -s $output_dir/tmpfolder/netscan-uniq-ips.tmp ]]; then
      echo -e "\n\nUnique IP addresses from netscan output." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/netscan-uniq-ips.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - PROCESS CHECKS ################################
   
    # verify PID of System process = 4
    cat $output_dir/psscan/psscan.txt | grep " System " | tr -s ' ' | cut -d " " -f 3 > $output_dir/tmpfolder/system-pids.tmp
    while read pid; do
      if [[ $pid != "4" ]] ; then
        echo -e "\nSuspicious 'System' process running with PID $pid (expected PID 4)." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done < $output_dir/tmpfolder/system-pids.tmp

   # verify that only one instance of certain processes is running:
    for process in " services.exe" " System" " wininit.exe" " smss.exe" " lsass.exe" " lsm.exe" " explorer.exe"; do
      if [[ "$(cat $output_dir/psscan/psscan.txt | grep $process | wc -l)" != "1" ]] ; then
        echo -e "\n\nMultiple instances of$process were detected." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
        cat $output_dir/psscan/psscan.txt | grep $process >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done

    # verify that some processes do not have a child:
    for process in "lsass.exe" "lsm.exe"; do
      cat $output_dir/psscan/psscan.txt | grep $process | tr -s ' ' | cut -d " " -f 3 >> $output_dir/tmpfolder/cpids.tmp
    done
    cat $output_dir/psscan/psscan.txt | tr -s ' ' | cut -d " " -f 4 >> $output_dir/tmpfolder/ppids.tmp
    while read pid; do
      while read ppid; do
        if [[ "$pid" == "$ppid" ]]; then
          echo -e "\n\nProcess with (PID $ppid) is not supposed to be a parent." >> $output_dir/tmpfolder/malware-checks.tmp
          echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          cat $output_dir/psscan/psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
        fi
      done < $output_dir/tmpfolder/ppids.tmp
    done < $output_dir/tmpfolder/cpids.tmp

    # verify child/parent process relationships:
    for child in " svchost.exe" " smss.exe" " conhost.exe" " audiodg.exe" " services.exe" " lsass.exe" " lsm.exe" " taskhost.exe" " spoolsv.exe" " sppsvc.exe" " taskhost.exe" " mscorsvw.exe" " TPAutoConnSvc" " SearchIndexer" " WmiPrvSE.exe" ; do
      if [[ $child = " sppsvc.exe" ]] || [[ $child = " taskhost.exe" ]] || [[ $child = " mscorsvw.exe" ]] || [[ $child = " TPAutoConnSvc" ]] || [[ $child = " SearchIndexer" ]] || [[ $child = " svchost.exe" ]] || [[ $child = " taskhost.exe" ]] || [[ $child = " spoolsv.exe" ]] ; then parent=" services.exe" ; fi
      if [[ $child = " smss.exe" ]] ; then parent=" System" ; fi
      if [[ $child = " WmiPrvSE.exe" ]] || [[ $child = " audiodg.exe" ]]  ; then parent=" svchost.exe"; fi
      if [[ $child = " conhost.exe" ]] ; then parent=" csrss.exe" ; fi
      if [[ $child = " services.exe" ]] || [[ $child = " lsass.exe" ]] || [[ $child = " lsm.exe" ]] ; then parent=" wininit.exe" ; fi

      if grep $child $output_dir/psscan/psscan.txt > /dev/null ; then
        if [[ "$(cat $output_dir/psscan/psscan.txt | grep $parent | wc -l)" = "1" ]] ; then
          cat $output_dir/psscan/psscan.txt | grep $child | tr -s ' ' | cut -d " " -f 4 > $output_dir/tmpfolder/child-ppids.tmp
          parent_pid="$(cat $output_dir/psscan/psscan.txt | grep $parent | tr -s ' ' | cut -d ' ' -f 3)"
          while read ppid; do
            ppid=$( printf $ppid )
            parent_pid=$( printf $parent_pid )
            if [[ $ppid != $parent_pid ]] ; then
              tail -n +4 $output_dir/psscan/psscan.txt | tr -s ' ' | cut -d ' ' -f 2-3 | grep -i " "$ppid | cut -d ' ' -f 1 | sort | uniq > $output_dir/tmpfolder/ppidprocess.tmp
              if [[ -s $output_dir/tmpfolder/ppidprocess.tmp ]] ; then   
                ppidlines=`cat $output_dir/tmpfolder/ppidprocess.tmp | wc -l`  &> /dev/null
                if [[ $ppidlines = 1 ]] ; then
                  echo -e "\n\nUnexpected parent process for$child: PPID $ppid (`cat $output_dir/tmpfolder/ppidprocess.tmp`) instead of PPID $parent_pid ($parent )." >> $output_dir/tmpfolder/malware-checks.tmp
                  echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  cat $output_dir/psscan/psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
                else
                  cat $output_dir/tmpfolder/ppidprocess.tmp | tr '\n' ' ' > $output_dir/tmpfolder/ppparents.tmp
                  echo -e "\n\nUnexpected parent process for$child: PPID $ppid ( multiple associated processes: `cat $output_dir/tmpfolder/ppparents.tmp`) instead of PPID $parent_pid ($parent )." >> $output_dir/tmpfolder/malware-checks.tmp
                  echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                  cat $output_dir/psscan/psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
                fi
              else
                echo -e "\n\nUnexpected parent process for$child: PPID $ppid (could not map associated process name) instead of PPID $parent_pid ($parent )." >> $output_dir/tmpfolder/malware-checks.tmp
                echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
                sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
                cat $output_dir/psscan/psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
              fi
            fi     
          done < $output_dir/tmpfolder/child-ppids.tmp
        fi
      fi

    done

    # verify that every process has a parent (except for explorer.exe, csrss.exe, wininit.exe and winlogon.exe):
    mkdir $output_dir/tmpfolder/ppids
    tail -n +4 $output_dir/psscan/psscan.txt | tr -s ' ' | cut -d ' ' -f 4 | sort | uniq | grep -v "^0$" > $output_dir/tmpfolder/ppids/ppids.temp
    tail -n +4 $output_dir/psscan/psscan.txt | tr -s ' ' | cut -d ' ' -f 3 | sort | uniq > $output_dir/tmpfolder/ppids/pids.temp
    while read ppid; do 
      if ! grep -E "^$ppid$" $output_dir/tmpfolder/ppids/pids.temp > /dev/null ; then
        tail -n +4 $output_dir/psscan/psscan.txt | tr -s ' ' | cut -d ' ' -f 2,3,4 | grep -E " $ppid$" | cut -d ' ' -f 1 | sort | uniq > $output_dir/tmpfolder/ppids/processes-$ppid.temp
        cat $output_dir/tmpfolder/ppids/processes-$ppid.temp | tr '\n' ' ' > $output_dir/tmpfolder/ppids/processes-$ppid-space.temp
        if  ! grep -E -i "explorer.exe|csrss.exe|wininit.exe|winlogon.exe" $output_dir/tmpfolder/ppids/processes-$ppid-space.temp > /dev/null ; then 
          echo -e "\n\nPPID $ppid does not have an associated process." >> $output_dir/tmpfolder/malware-checks.tmp
          echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
          cat $output_dir/psscan/psscan.txt | grep " $ppid " >> $output_dir/tmpfolder/malware-checks.tmp
        fi 
      fi  
    done < $output_dir/tmpfolder/ppids/ppids.temp

    # verify processes are running in expected sessions:
    for process in " wininit.exe" " services.exe" " lsass.exe" " svchost.exe" " lsm.exe" " winlogon.exe" ; do
      if [[ $process = " csrss.exe" ]] || [[ $process = " wininit.exe" ]] || [[ $process = " services.exe" ]] || [[ $process = " lsass.exe" ]] || [[ $process = " svchost.exe" ]]|| [[ $process = " lsm.exe" ]]; then session="0"; fi
      if [[ $process = " winlogon.exe" ]] ; then session="1" ; fi
      cat $output_dir/pslist/pslist.txt | grep $process | tr -s ' ' | cut -d ' ' -f 7 > $output_dir/tmpfolder/process_sessions.tmp
      while read psession; do
        if [[ $psession != $session ]] ; then
          echo -e "\n\nProcess$process running in unexpected session ($psession instead of $session)." >> $output_dir/tmpfolder/malware-checks.tmp
          echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '2p' $output_dir/pslist/pslist.txt >> $output_dir/tmpfolder/malware-checks.tmp
          sed -n '3p' $output_dir/pslist/pslist.txt >> $output_dir/tmpfolder/malware-checks.tmp
          cat $output_dir/pslist/pslist.txt | grep $process >> $output_dir/tmpfolder/malware-checks.tmp
        fi
      done < $output_dir/tmpfolder/process_sessions.tmp
    done

    # check process executable path:
    for process in "smss.exe" "crss.exe" "wininit.exe" "services.exe" "lsass.exe" "svchost.exe" "lsm.exe" "explorer.exe" "winlogon"; do
      if [[ $process == "smss.exe" ]]; then processpath="\systemroot\system32\smss.exe" ; fi
      if [[ $process == "crss.exe" ]]; then processpath="\windows\system32\csrss.exe" ; fi
      if [[ $process == "wininit.exe" ]]; then processpath="\windows\system32\wininit.exe" ; fi
      if [[ $process == "services.exe" ]]; then processpath="\windows\system32\services.exe" ; fi
      if [[ $process == "lsass.exe" ]]; then processpath="\windows\system32\lsass.exe" ; fi
      if [[ $process == "svchost.exe" ]]; then processpath="\windows\system32\svchost.exe" ; fi
      if [[ $process == "lsm.exe" ]]; then processpath="\windows\system32\lsm.exe" ; fi
      if [[ $process == "explorer.exe" ]]; then processpath="\windows\explorer.exe" ; fi
      if [[ $process == "winlogon.exe" ]]; then processpath="\windows\system32\winlogon.exe" ; fi
      if [[ $process == "sppsvc.exe" ]]; then processpath="\windows\system32\sppsvc.exe" ; fi
      cat $output_dir/dlllist/dlllist.txt | grep -i -A 1 $process | grep "Command line" | grep -o '\\.*' | cut -d ' ' -f 1 | tr '[:upper:]' '[:lower:]' | sed 's,\\,\\\\,g' > $output_dir/tmpfolder/path_list.tmp
      if [[ -s $output_dir/tmpfolder/path_list.tmp ]]; then
        while read path; do
          if [[ "$path" != "$processpath" ]]; then
            echo -e "\n\nProcess running from an unexpected path." >> $output_dir/tmpfolder/malware-checks.tmp
            echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
            echo -e "Process $process is running from $path instead of $processpath" >> $output_dir/tmpfolder/malware-checks.tmp
          fi
        done < $output_dir/tmpfolder/path_list.tmp
      fi
    done

    # verify if any processes have suspicious l33t names:
    cat $output_dir/psscan/psscan.txt | grep -E -i $l33t_process_name > $output_dir/tmpfolder/suspicious_process.tmp
    if [[ -s $output_dir/tmpfolder/suspicious_process.tmp ]]; then
      echo -e "\n\nProcess with suspicious name." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/suspicious_process.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # verify if any hacker tools were used in process list:
    cat $output_dir/psscan/psscan.txt | grep -E -i $hacker_process_regex > $output_dir/tmpfolder/suspicious_tools.tmp
    if [[ -s $output_dir/tmpfolder/suspicious_tools.tmp ]]; then
      echo -e "\n\nProcesses that may have been used for lateral movement, exfiltration etc." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/psscan/psscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/suspicious_tools.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # detect process hollowing:
    mkdir $output_dir/tmpfolder/hollowing
    vol.py --profile=$profile -f $memory_image procdump -u -D $output_dir/tmpfolder/hollowing/ &> /dev/null
    cat $output_dir/psscan/psscan.txt | tr -s ' ' | cut -d ' ' -f 2 | cut -d '.' -f 1 | sort | uniq > $output_dir/tmpfolder/process-names.tmp
    tail -n +4 $output_dir/tmpfolder/process-names.tmp > $output_dir/tmpfolder/procnames.tmp
    while read process ; do
      cat $output_dir/psscan/psscan.txt | grep -i $process | tr -s ' ' | cut -d ' ' -f 3 > $output_dir/tmpfolder/$process-pids.tmp
      touch $output_dir/tmpfolder/$process-size.tmp
      while read pid ; do
        ls -l $output_dir/tmpfolder/hollowing/ | tr -s ' ' | cut -d ' ' -f5,9 | grep -i "executable.$pid.exe" | cut -d ' ' -f 1 >> $output_dir/tmpfolder/$process-size.tmp
      done < $output_dir/tmpfolder/$process-pids.tmp
      cat $output_dir/tmpfolder/$process-size.tmp | uniq > $output_dir/tmpfolder/$process-size-uniq.tmp
      lines=`wc -l < $output_dir/tmpfolder/$process-size-uniq.tmp`
      if [[ $lines != 1 ]] && [[ $lines != 0 ]]  ; then 
        echo -e "\n\nPotential process hollowing detected in $process (based on size)." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "Process    PID  Size" >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "-----------------------------------" >> $output_dir/tmpfolder/malware-checks.tmp
        while read pid ; do
          echo -e "$process    $pid  `ls -l $output_dir/tmpfolder/hollowing/ | tr -s ' ' | cut -d ' ' -f5,9 | grep -i "executable.$pid.exe" | cut -d ' ' -f 1`" >> $output_dir/tmpfolder/malware-checks.tmp
        done < $output_dir/tmpfolder/$process-pids.tmp   
      fi
    done < $output_dir/tmpfolder/procnames.tmp

    # detect processes with exit time but active threads:
    cat $output_dir/psxview/psxview.txt | tr -s ' ' | cut -d ' ' -f 1,2,6,13 | grep "UTC" | grep "True" | cut -d ' ' -f 1 > $output_dir/tmpfolder/exit_with_threads.tmp
    if [[ -s $output_dir/tmpfolder/exit_with_threads.tmp ]]; then
      echo -e "\n\nProcess(es) with exit time and active threads running." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/psxview/psxview.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/psxview/psxview.txt >> $output_dir/tmpfolder/malware-checks.tmp
      while read procname ; do 
        cat $output_dir/psxview/psxview.txt | grep $procname >> $output_dir/tmpfolder/malware-checks.tmp
      done < $output_dir/tmpfolder/exit_with_threads.tmp
    fi

    # check if any proces has domain or enterprise admin privileges:
    cat $output_dir/getsids/getsids.txt | egrep '(Domain Admin|Enterprise Admin|Schema Admin)' > $output_dir/tmpfolder/suspicious_privlege.tmp
    if [[ -s $output_dir/tmpfolder/suspicious_privlege.tmp ]]; then
      echo -e "\n\nProcess(es) with domain or enterprise admin privileges." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/suspicious_privlege.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # check if any process has debug privileges:
    cat $output_dir/privs/privs.txt | grep -i "debug" > $output_dir/tmpfolder/debug_privs.tmp
    if [[ -s $output_dir/tmpfolder/debug_privs.tmp ]]; then
      echo -e "\n\nProcess(es) with debug privileges." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/privs/privs.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/privs/privs.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/debug_privs.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # check if any process has a raw socket handle:
    cat $output_dir/handles/handles.txt | grep -F "\Device\RawIp" > $output_dir/tmpfolder/raw_socket.tmp
    if [[ -s $output_dir/tmpfolder/raw_socket.tmp ]]; then
      echo -e "\n\nRaw socket handles." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/handles/handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/handles/handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/raw_socket.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # check if any process has a handle to a remote mapped share:
    cat $output_dir/handles/handles.txt | grep -F "\\\\Device\\\\(LanmanRedirector|Mup)" > $output_dir/tmpfolder/remote_shares.tmp
    if [[ -s $output_dir/tmpfolder/remote_shares.tmp ]]; then
      echo -e "\n\nRemote share handles." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/handles/handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/handles/handles.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/remote_shares.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - DLLs ################################

    # find new dlls (atoms):
    cat $output_dir/atoms/atoms.txt | grep -i -E ".dll$"  >> $output_dir/tmpfolder/atoms.tmp
    if [[ -s $output_dir/tmpfolder/atoms.tmp ]] ; then
      echo -e "\n\nDLLs found in atoms output." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/atoms/atoms.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/atoms/atoms.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/atoms.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find new dlls (atomscan):
    cat $output_dir/atomscan/atomscan.txt | grep -i -E ".dll$"  >> $output_dir/tmpfolder/atomscan.tmp
    if [[ -s $output_dir/tmpfolder/atomscan.tmp ]] ; then
      echo -e "\n\nDLLs found in atomscan output." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/atomscan/atomscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/atomscan/atomscan.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/atomscan.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight hidden DLLs (ldrmodules):
    cat $output_dir/ldrmodules/ldrmodules.txt | grep "False" | grep -E -v -i "system32|explorer.exe|iexplore.exe|.fon$" | sort | uniq > $output_dir/tmpfolder/ldrmodules.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodules.tmp ]] ; then
      echo -e "\n\nSuspicious ldrmodules entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodules.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi
    # find highly suspicious DLLs used for password stealing (ldrmodules):
    cat $output_dir/ldrmodules/ldrmodules.txt | grep -E -i $hacker_dll_regex | sort | uniq > $output_dir/tmpfolder/ldrmodule_hacker.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodule_hacker.tmp ]] ; then
      echo -e "\n\nDLLs that may have been used for password theft." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodule_hacker.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find DLLs with no path / no name (indicates process hollowing) (ldrmodules):
    cat $output_dir/ldrmodules/ldrmodules.txt | grep -E -i "no name" | sort | uniq > $output_dir/tmpfolder/ldrmodule_hollow.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodule_hollow.tmp ]] ; then
      echo -e "\n\nDLLs with no path/name (indicates process hollowing)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodule_hollow.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - FILES ################################

    # find DLLs/EXES loaded from temp folders (dlllist):
    cat $output_dir/dlllist/dlllist.txt | grep -E -i "TMP|TEMP|AppData" | sort | uniq > $output_dir/tmpfolder/dlllist_temp.tmp
    if [[ -s $output_dir/tmpfolder/dlllist_temp.tmp ]] ; then
      echo -e "\n\nDLLs/EXEs loaded from temp folders." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/dlllist_temp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find hidden DLLs/EXEs (ldrmodules):
    cat $output_dir/ldrmodules/ldrmodules.txt | grep -E -i "False  False  False" | sort | uniq | grep -E -i ".dll$|.exe$" > $output_dir/tmpfolder/ldrmodule_hidden.tmp
    if [[ -s $output_dir/tmpfolder/ldrmodule_hidden.tmp ]] ; then
      echo -e "\n\nDLLs/EXEs hidden from ldrmodules." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/ldrmodules/ldrmodules.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ldrmodule_hidden.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight prefetch files:
    cat $output_dir/mftparser/mftparser.txt | grep \.pf$ | awk '{print $NF}' | sort | uniq > $output_dir/tmpfolder/prefetch.tmp
    if [[ -s $output_dir/tmpfolder/prefetch.tmp ]]; then
      echo -e "\n\nPrefetch artifacts." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/prefetch.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight binaries loaded from TEMP folders:
    cat $output_dir/envars/envars.txt | grep -i "TEMP" > $output_dir/tmpfolder/temp_envars.tmp
    if [[ -s $output_dir/tmpfolder/temp_envars.tmp ]]; then
      echo -e "\n\nPossible binaries loaded from TEMP folders (envars)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/envars/envars.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/envars/envars.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/temp_envars.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find interesting executables (dlllist):
    cat $output_dir/dlllist/dlllist.txt | grep "Command line" | grep -E -v -i "system32|explorer.exe|iexplore.exe" | sed -e 's/Command line : //' | sort | uniq > $output_dir/tmpfolder/execs.tmp
    if [[ -s $output_dir/tmpfolder/execs.tmp ]] ; then
      echo -e "\n\nInteresting executables (dlllist)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/execs.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # highlight alternate data stream files:
    cat $output_dir/mftparser/mftparser.txt | grep "DATA ADS" > $output_dir/tmpfolder/ads.tmp
    if [[ -s $output_dir/tmpfolder/ads.tmp ]]; then
      echo -e "\n\nAlternate Data Stream (ADS) files." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ads.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - MISC ################################

    # find interresting entries in hosts file
    mkdir $output_dir/tmpfolder/hosts
    qaddress=$(cat $output_dir/filescan/filescan.txt | grep -i -E "etc\\\\hosts$" | tr -s ' ' | cut -d ' ' -f 1)
    if [[ ! -z "$qaddress" ]] ; then 
      vol.py --profile=$profile -f $memory_image dumpfiles -Q $qaddress -D $output_dir/tmpfolder/hosts --name &> /dev/null 
      strings $output_dir/tmpfolder/hosts/* > $output_dir/tmpfolder/hosts.tmp  &> /dev/null
    fi
    if [[ -s $output_dir/tmpfolder/hosts.tmp ]] ; then
      cat $output_dir/tmpfolder/hosts.tmp | grep -v "^#"  > $output_dir/tmpfolder/interresting-hosts.tmp
      if [[ -s $output_dir/tmpfolder/interresting-hosts.tmp ]] ; then
        echo -e "\n\nEntries in hosts files." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        cat $output_dir/tmpfolder/interresting-hosts.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi

    ################################ MALWARE CHECKS - PERSISTENCE ################################

    echo -e "Searching for persistence artifacts..."

    # highlight temp folders appearing in services:
    cat $output_dir/svcscan/svcscan.txt | grep -i -E "TMP|TEMP|AppData" > $output_dir/tmpfolder/svcscan_temp.tmp
    if [[ -s $output_dir/tmpfolder/svcscan_temp.tmp ]]; then
      echo -e "\n\nTemp folders appearing in services." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/svcscan_temp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # dump registry keys commonly used for persistence:
    mkdir $output_dir/printkey
    plugin="printkey"
    for key in "Microsoft\Windows\CurrentVersion\RunOnce" "Microsoft\Windows\CurrentVersion\Run" "Software\Microsoft\Windows\CurrentVersion\RunOnce" "Software\Microsoft\Windows\CurrentVersion\Run" "Microsoft\Windows\CurrentVersion\RunServices" "Microsoft\Windows\CurrentVersion\RunServicesOnce" "Software\Microsoft\Windows NT\CurrentVersion\Winlogon" "Microsoft\Security Center\Svc" ; do
      vol.py --profile=$profile -f $memory_image $plugin -K $key &>> $output_dir/tmpfolder/printkey.tmp
      tr < $output_dir/tmpfolder/printkey.tmp -d '\000' > $output_dir/printkey/printkey.txt
    done

    # highlight temp folders appearing in dumped registry keys:
    cat $output_dir/printkey/printkey.txt | grep -i -E "TMP|TEMP|AppData" > $output_dir/tmpfolder/printkey_temp.tmp
    if [[ -s $output_dir/tmpfolder/printkey_temp.tmp ]]; then
      echo -e "\n\nTemp folders appearing in dumped registry keys." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/printkey_temp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - KERNEL ################################

    # find keylogger traces in messagehooks:
    cat $output_dir/messagehooks/messagehooks.txt | grep -i "KEYBOARD" > $output_dir/tmpfolder/keyboard_messagehooks.tmp
    if [[ -s $output_dir/tmpfolder/keyboard_messagehooks.tmp ]]; then
      echo -e "\n\nKeylogger traces (messagehooks)." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/messagehooks/messagehooks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/messagehooks/messagehooks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/keyboard_messagehooks.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find unusual timers:
    tail -n +4 $output_dir/timers/timers.txt | grep -E -v -i "ataport.SYS|ntoskrnl.exe|NETIO.SYS|storport.sys|afd.sys|cng.sys|dfsc.sys|discache.sys|HTTP.sys|luafv.sys|ndis.sys|Ntfs.sys|rdbss.sys|rdyboost.sys|spsys.sys|srvnet.sys|srv.sys|tcpip.sys|usbccgp.sys" | sort | uniq >> $output_dir/tmpfolder/timers.tmp
    if [[ -s $output_dir/tmpfolder/timers.tmp ]] ; then
      echo -e "\n\ntimers." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/timers/timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/timers/timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/timers.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      if [[ $@ =~ "--add-hints" ]] ; then
        echo -e "\nHint: Malware can set kernel timers to run functions at specified intervals." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi

    # find unusual gditimers:
    tail -n +4 $output_dir/gditimers/gditimers.txt | grep -E -v -i "dllhost.exe|explorer.exe|csrss.exe" | sort | uniq >> $output_dir/tmpfolder/gditimers.tmp
    if [[ -s $output_dir/tmpfolder/gditimers.tmp ]] ; then
      echo -e "\n\ngditimers." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/gditimers/gditimers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/gditimers/gditimers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/gditimers.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      if [[ $@ =~ "--add-hints" ]] ; then
        echo -e "\nHint: Malware can set timers to run functions at specified intervals." >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    fi

    # find malicious kernel timers:
    cat $output_dir/timers/timers.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_timers.tmp
    if [[ -s $output_dir/tmpfolder/unknown_timers.tmp ]]; then
      echo -e "\n\nMalicious kernel timers." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/timers/timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/timers/timers.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_timers.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find malicious kernel callbacks:
    cat $output_dir/callbacks/callbacks.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_callbacks.tmp
    if [[ -s $output_dir/tmpfolder/unknown_callbacks.tmp ]]; then
      echo -e "\n\nMalicious kernel callbacks." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/callbacks/callbacks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/callbacks/callbacks.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_callbacks.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find unknown drivermodule entries:
    cat $output_dir/drivermodule/drivermodule.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_drivermodule.tmp
    if [[ -s $output_dir/tmpfolder/unknown_drivermodule.tmp ]]; then
      echo -e "\n\nNew suspicious drivermodule entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/drivermodule/drivermodule.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/drivermodule/drivermodule.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_drivermodule.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find unknown driverirp entries:
    cat $output_dir/driverirp/driverirp.txt | grep -i "UNKNOWN" > $output_dir/tmpfolder/unknown_driverirp.tmp
    if [[ -s $output_dir/tmpfolder/unknown_driverirp.tmp ]]; then
      echo -e "\n\nNew suspicious driverirp entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/unknown_driverirp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find hooked ssdt functions:
    cat $output_dir/ssdt/ssdt.txt | grep -i -E -v '(ntos|win32k)' | grep -i "Entry" > $output_dir/tmpfolder/hooked_ssdt.tmp
    if [[ -s $output_dir/tmpfolder/hooked_ssdt.tmp ]]; then
      echo -e "\n\nHooked ssdt functions." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/hooked_ssdt.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # find suspicious idt entries:
    cat $output_dir/idt/idt.txt | grep -i "rsrc" > $output_dir/tmpfolder/manipulated_idt.tmp
    if [[ -s $output_dir/tmpfolder/manipulated_idt.tmp ]]; then
      echo -e "\n\nSuspicious idt entries." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '2p' $output_dir/idt/idt.txt >> $output_dir/tmpfolder/malware-checks.tmp
      sed -n '3p' $output_dir/idt/idt.txt >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/manipulated_idt.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    # display orphan threads:
    tail -n +4 $output_dir/orphanthreads/orphanthreads.txt > $output_dir/tmpfolder/orphanthreads.tmp
    if [[ -s $output_dir/tmpfolder/orphanthreads.tmp ]]; then
      echo -e "\n\nOrphan threads." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/orphanthreads.tmp >> $output_dir/tmpfolder/malware-checks.tmp
    fi

    ################################ MALWARE CHECKS - STRINGS ################################

    echo -e "Hunting for badness in memory strings..."

    # dump unusual processes to disk
    tail -n +4 $output_dir/psscan/psscan.txt | grep -v -i -E $usual_processes | tr -s ' ' | cut -d ' ' -f 1 > $output_dir/tmpfolder/offsets_to_dmp.tmp
    mkdir $output_dir/procdump
    while read offset ; do
      vol.py --profile=$profile -f $memory_image -o $offset procdump -D $output_dir/procdump &> /dev/null &
    done < $output_dir/tmpfolder/offsets_to_dmp.tmp
    wait

    # run volatility strings plugin against [some] processes
    mkdir $output_dir/strings
    strings -a -td $output_dir/malfind/dump-dir/* > $output_dir/tmpfolder/process-strings.tmp 2> /dev/null
    strings -a -td $output_dir/procdump/* >> $output_dir/tmpfolder/process-strings.tmp 2> /dev/null
    vol.py --profile=$profile -f $memory_image strings -S --string-file=$output_dir/tmpfolder/process-strings.tmp &> $output_dir/strings/process-strings-vol.txt

    # finding ips/domains/emails in strings:
    cat $output_dir/strings/process-strings-vol.txt | grep -E '\b(https?|ftp|file)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]' | uniq >> $output_dir/tmpfolder/ip-domains.tmp
    cat $output_dir/strings/process-strings-vol.txt | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | uniq >> $output_dir/tmpfolder/ip-domains.tmp
    cat $output_dir/strings/process-strings-vol.txt | grep -E "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" | uniq >> $output_dir/tmpfolder/ip-domains.tmp
    if [[ -s $output_dir/tmpfolder/ip-domains.tmp ]] ; then
      echo -e "\n\nIPs, domains and email addresses found in memory strings." >> $output_dir/tmpfolder/malware-checks.tmp
      echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
      cat $output_dir/tmpfolder/ip-domains.tmp | sort | uniq >> $output_dir/tmpfolder/malware-checks.tmp
    fi
    
    # finding other suspicious strings:
    for pattern in Web Antivirus Virtualisation Sandbox Sysinternals Shell Keylogger Filepath Password Powershell Infogathering Executable Banking Encryption Socialsites Other ; do
      if [[ $pattern == "Web" ]] ; then regex_str=$web_regex_str ; fi
      if [[ $pattern == "Antivirus" ]] ; then regex_str=$antivirus_regex_str ; fi
      if [[ $pattern == "Virtualisation" ]] ; then regex_str=$virtualisation_regex_str ; fi
      if [[ $pattern == "Sandbox" ]] ; then regex_str=$sandbox_regex_str ; fi
      if [[ $pattern == "Sysinternals" ]] ; then regex_str=$sysinternals_regex_str ; fi
      if [[ $pattern == "Shell" ]] ; then regex_str=$shell_regex_str ; fi
      if [[ $pattern == "Keylogger" ]] ; then regex_str=$keylogger_regex_str ; fi
      if [[ $pattern == "Filepath" ]] ; then regex_str=$filepath_regex_str ; fi
      if [[ $pattern == "Password" ]] ; then regex_str=$password_regex_str ; fi
      if [[ $pattern == "Powershell" ]] ; then regex_str=$powershell_regex_str ; fi
      if [[ $pattern == "Infogathering" ]] ; then regex_str=$infogathering_regex_str ; fi
      if [[ $pattern == "Executable" ]] ; then regex_str=$exec_regex_str ; fi
      if [[ $pattern == "Banking" ]] ; then regex_str=$banking_regex_str ; fi
      if [[ $pattern == "Encryption" ]] ; then regex_str=$crypto_regex_str ; fi
      if [[ $pattern == "Socialsites" ]] ; then regex_str=$socialsites_regex_str ; fi
      if [[ $pattern == "Other" ]] ; then regex_str=$other_regex_str ; fi

      if grep -E -i $regex_str $output_dir/strings/process-strings-vol.txt > /dev/null ; then
        echo -e "\n\n$pattern strings found in memory." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        grep -E -i $regex_str $output_dir/strings/process-strings-vol.txt | sort | uniq >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done

    ################################ MALWARE CHECKS - IMPORTS ################################

    # analyse import tables in some processes:
    plugin=impscan
    cat $output_dir/malfind/malfind.txt | grep "Address:" | cut -d ' ' -f 4 | sort | uniq > $output_dir/tmpfolder/procids.tmp
    tail -n +4 $output_dir/psscan/psscan.txt | grep -v -E -i $usual_processes | tr -s ' ' | cut -d " " -f 3 | sort | uniq >> $output_dir/tmpfolder/procids.tmp
    cat $output_dir/tmpfolder/procids.tmp | sort | uniq > $output_dir/tmpfolder/pids.tmp

    while read pid; do
      vol.py --profile=$profile -f $memory_image $plugin -p $pid &> $output_dir/tmpfolder/$pid-imports.tmp
      process=`tail -n +4 $output_dir/psscan/psscan.txt | tr -s ' ' | cut -d ' ' -f 1-3 | grep -i " "$pid | cut -d ' ' -f 2 | sort | uniq`
      # searching for anti debug import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $anti_debug_imports > $output_dir/tmpfolder/$pid-imports-susp.tmp
      # search for password extraction import functions 
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $password_extract_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for web request import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $web_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for service import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $service_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for process injection import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $process_injection_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for uac bypass import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $uac_bypass_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      # searching for misc import functions
      cat $output_dir/tmpfolder/$pid-imports.tmp | grep -i -E $misc_imports >> $output_dir/tmpfolder/$pid-imports-susp.tmp
      if [[ -s $output_dir/tmpfolder/$pid-imports-susp.tmp ]] ; then
        echo -e "\n\nSuspicious imports in process $process." >> $output_dir/tmpfolder/malware-checks.tmp
        echo -e "===========================================================================\n" >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '2p' $output_dir/tmpfolder/$pid-imports.tmp >> $output_dir/tmpfolder/malware-checks.tmp
        sed -n '3p' $output_dir/tmpfolder/$pid-imports.tmp >> $output_dir/tmpfolder/malware-checks.tmp
        cat $output_dir/tmpfolder/$pid-imports-susp.tmp >> $output_dir/tmpfolder/malware-checks.tmp
      fi
    done < $output_dir/tmpfolder/pids.tmp

  fi

  ################################ REPORT CREATION ################################
  if [[ $@ =~ "--no-report" ]] ; then
    endtime=$(date +%s)
    echo -e "\nAll done in $(($endtime - $starttime)) seconds."
    rm -r $output_dir/tmpfolder &> /dev/null
    notify-send "VolDiff execution completed."
    exit
  fi

  echo -e "Creating a report..."
  report=VolDiff-report.txt
  touch $output_dir/$report
  echo -e " _    __      ______  _ ________" >> $output_dir/$report
  echo -e "| |  / /___  / / __ \(_) __/ __/" >> $output_dir/$report
  echo -e "| | / / __ \/ / / / / / /_/ /_  " >> $output_dir/$report
  echo -e "| |/ / /_/ / / /_/ / / __/ __/  " >> $output_dir/$report
  echo -e "|___/\____/_/_____/_/_/ /_/     " >> $output_dir/$report
  echo -e "\nVolatility analysis report generated by VolDiff v$version." >> $output_dir/$report 
  echo -e "Download the latest VolDiff version from https://github.com/aim4r/VolDiff/.\n" >> $output_dir/$report
  echo -e "Memory image: $memory_image" >> $output_dir/$report
  echo -e "Profile: $profile" >> $output_dir/$report 
  touch $output_dir/tmpfolder/no_new_entries.tmp

  for plugin in "{plugins_to_report_standalone[@]}" ; do
    tail -n +2 $output_dir/$plugin/$plugin.txt > $output_dir/tmpfolder/output_test.tmp
    if [[ -s $output_dir/tmpfolder/output_test.tmp ]] ; then
      echo -e "\n\n$plugin output." >> $output_dir/$report
      echo -e "===========================================================================\n" >> $output_dir/$report
      tail -n +2 $output_dir/$plugin/$plugin.txt >> $output_dir/$report
      # adding hints to help in further analysis:
      if [[ $@ =~ "--add-hints" ]] ; then
        if [[ $plugin = "malfind" ]] ; then
          echo -e "\nHint: Suspicious malfind processes were dumped to disk, and can be reversed as normal or uploaded to VirusTotal." >> $output_dir/$report
        fi
        if [[ $plugin = "psscan" ]] ; then
          echo -e "\nHint: Use procexedump to dump suspcious processes from memory to disk." >> $output_dir/$report
        fi
        if [[ $plugin = "netscan" ]] ; then
          echo -e "\nHint: Translate suspicious IPs to domains using Google/VirusTotal, and search for the associated domains in memory strings." >> $output_dir/$report
        fi
        if [[ $plugin = "iehistory" ]] ; then
          echo -e "\nHint: iehistory can reveal history details of malware that uses the WinINet API." >> $output_dir/$report
        fi
      fi
    else
      echo -e "$plugin" >> $output_dir/tmpfolder/no_new_entries.tmp 
    fi
  done

  # display list of plugins with no notable changes:
  if [[ -s $output_dir/tmpfolder/no_new_entries.tmp ]]; then
    echo -e "\n\nNo output to highlight for the following plugins." >> $output_dir/$report
    echo -e "===========================================================================\n" >> $output_dir/$report
    cat $output_dir/tmpfolder/no_new_entries.tmp >> $output_dir/$report
  fi

  # display list of plugins hidden from report:
  echo -e "\n\nPlugins that were executed but are not included in the report." >> $output_dir/$report
  echo -e "===========================================================================\n" >> $output_dir/$report
  echo -e "handles\ngetsids\npslist\ndlllist\nfilescan\nshimcache\nsvcscan\nshelbags\nsessions\nmessagehooks\neventhooks\nenvars\nmutantscan\natoms\natomscan\ndrivermodule\ndriverscan\ndevicetree\nmodules\nmodscan\nunloadedmodules\ncallbacks\nldrmodules\nprivs\norphanthreads\nidt\ngdt\ndriverirp\ndeskscan\ntimers\ngditimers\nssdt" >> $output_dir/$report

  # add identified process anomalies to the report:
  if [[ $@ =~ "--malware-checks" ]] ; then
    if [[ -s $output_dir/tmpfolder/malware-checks.tmp ]]; then
      echo -e "" >> $output_dir/$report
      echo "   _               _           _         __                 _ _       " >> $output_dir/$report
      echo "  /_\  _ __   __ _| |_   _ ___(_)___    /__\ ___  ___ _   _| | |_ ___ " >> $output_dir/$report
      echo -E " //_\\\\| '_ \\ / _` | | | | / __| / __|  / \\/// _ \\/ __| | | | | __/ __|" >> $output_dir/$report
      echo -E "/  _  \\ | | | (_| | | |_| \\__ \\ \\__ \\ / _  \\  __/\\__ \\ |_| | | |_\\__ \\" >> $output_dir/$report
      echo "\_/ \_/_| |_|\__,_|_|\__, |___/_|___/ \/ \_/\___||___/\__,_|_|\__|___/" >> $output_dir/$report
      echo "                     |___/                                            " >> $output_dir/$report
      cat $output_dir/tmpfolder/malware-checks.tmp >> $output_dir/$report
    fi
  fi

  echo -e "\n\nEnd of report." >> $output_dir/$report
  rm -r $output_dir/tmpfolder &> /dev/null
  endtime=$(date +%s)
   echo -e "\nAll done in $(($endtime - $starttime)) seconds, report saved to $output_dir/$report."
  notify-send "VolDiff execution completed."

fi

Download : v1.2.0.zip  | v1.2.0.tar.gz
SOurce : http://aim4r.github.io/VolDiff/ | Our Post Before

CHANGELOG RIPS 0.55:
———————————-
– updated configuration (sources, sinks, sanitization)
– added session fixation detection
– seperated reflection injection from code injection
– changed defaults (subdirs, vuln type)
– referenced user survey

RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis. By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by userinput (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities RIPS also offers an integrated code audit framework for further manual analysis.

Features

• vulnerabilities
• Code Execution
• Command Execution
• Cross-Site Scripting
• Header Injection
• File Disclosure
• File Inclusion
• File Manipulation
• LDAP Injection
• SQL Injection
• Unserialize with POP
• XPath Injection
• … other

code audit interface

• scan and vulnerability statistics
• grouped vulnerable code lines (bottom up or top down)
• vulnerability description with example code, PoC, patch
• exploit creator
• file list and graph (connected by includes)
• function list and graph (connected by calls)
• userinput list (application parameters)
• source code viewer with highlighting
• active jumping between function calls
• search through code by regular expression
• 8 syntax highlighting designs
• … much more

static code analysis

• fast
• tokenizing with PHP tokenizer extension
• taint analysis for 232 sensitive sinks
• inter- and intraprocedural analysis
• handles very PHP-specific behaviour
• handles user-defined securing
• reconstruct file inclusions
• detect blind/non-blind exploitation
• detect backdoors
• 5 verbosity levels
• over 100 testcases

Requirements:
+ web server: Apache or Nginx recommended
+ PHP: latest version recommended
+ browser: Firefox recommended

Installation:
+ Download the latest release
+ Extract the files to your local web server’s document root
+ Make sure your web server has file permissions
+ Make sure your installation is protected from unauthorized access
+ Open your browser at http://localhost/rips-xx/
Download : v0.55.zip  | v0.55.tar.gz
Source : https://github.com/ripsscanner | Our Post Before

Changelog v-2.1.0:

General:
———
Screen output has been improved to provide additional information.

OS support:
————
CUPS detection on Mac OS has been improved. AIX systems will now use csum utility to create host ID. Group check have been altered on AIX, to include the -n ALL. Core dump check on Linux is extended to check for actual values as well.

Software:
———-
McAfee detection has been extended by detecting a running cma binary.Improved detection of pf firewall on BSD and Mac OS. Security patch checking with zypper extended.

Session timeout:
—————–
Tests to determine shell time out setting have been extended to account for AIX, HP-UX and other platforms. It will now determine also if variable is exported as a readonly variable. Related compliance section PCI DSS 8.1.8 has been extended.

Lynis is a system and security auditing tool for Unix/Linux. Main audience of this tool is security consultants, auditors and system administrators. This tool performs a security audit of the system and determines how well it is hardened. Any detected security issues will be provided in the form of a suggestion or warning at the end of the audit. Beside security related information it will also scan for general system information, installed packages and possible configuration errors. This software aims in assisting automated auditing, hardening, software patch management, vulnerability and malware scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read only storage is possible (USB stick, cd/dvd).
Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits, by automation of control testing.

Features :
+ System auditing
+ Hardening suggestions
+ Security scan
+ Vulnerability scan

Download : lynis-2.1.0.tar.gz (180.5 kB)
Source : https://cisofy.com/
Our Post Before : http://seclist.us/updates-lynis-v-1-6-4-is-a-system-and-security-auditing-tool-for-unixlinux.html