# Directory Structure
```
├── .gitignore
├── .pre-commit-config.yaml
├── attachments
│ ├── architecture-diagram.svg
│ ├── Claude-Config.png
│ ├── Cursor-Config.png
│ ├── project-presentation.pdf
│ ├── Vol-MCP.drawio
│ └── Vol-MCP.drawio.png
├── available-plugins.json
├── bandit-config.yml
├── bridge_mcp_volatility.py
├── get_malware_yara_rules.py
├── malware_rules_index.json
├── malware_rules.yar
├── README.md
├── requirements.txt
├── rules
│ ├── .github
│ │ ├── FUNDING.yml
│ │ ├── ISSUE_TEMPLATE
│ │ │ ├── bug_report.md
│ │ │ └── new-rule-request.md
│ │ └── workflows
│ │ └── main.yml
│ ├── .gitmodules
│ ├── .travis.yml
│ ├── antidebug_antivm
│ │ └── antidebug_antivm.yar
│ ├── antidebug_antivm_index.yar
│ ├── capabilities
│ │ └── capabilities.yar
│ ├── capabilities_index.yar
│ ├── crypto
│ │ └── crypto_signatures.yar
│ ├── crypto_index.yar
│ ├── cve_rules
│ │ ├── CVE-2010-0805.yar
│ │ ├── CVE-2010-0887.yar
│ │ ├── CVE-2010-1297.yar
│ │ ├── CVE-2012-0158.yar
│ │ ├── CVE-2013-0074.yar
│ │ ├── CVE-2013-0422.yar
│ │ ├── CVE-2015-1701.yar
│ │ ├── CVE-2015-2426.yar
│ │ ├── CVE-2015-2545.yar
│ │ ├── CVE-2015-5119.yar
│ │ ├── CVE-2016-5195.yar
│ │ ├── CVE-2017-11882.yar
│ │ ├── CVE-2018-20250.yar
│ │ └── CVE-2018-4878.yar
│ ├── cve_rules_index.yar
│ ├── deprecated
│ │ ├── Android
│ │ │ ├── Android_adware.yar
│ │ │ ├── Android_AliPay_smsStealer.yar
│ │ │ ├── Android_Amtrckr_20160519.yar
│ │ │ ├── Android_ASSDdeveloper.yar
│ │ │ ├── Android_AVITOMMS.yar
│ │ │ ├── Android_Backdoor_script.yar
│ │ │ ├── Android_Backdoor.yar
│ │ │ ├── Android_BadMirror.yar
│ │ │ ├── Android_Banker_Acecard.yar
│ │ │ ├── Android_BatteryBot_ClickFraud.yar
│ │ │ ├── Android_Clicker_G.yar
│ │ │ ├── Android_Copy9.yar
│ │ │ ├── Android_DeathRing.yar
│ │ │ ├── Android_Dectus_rswm.yar
│ │ │ ├── Android_Dendroid_RAT.yar
│ │ │ ├── Android_Dogspectus.yar
│ │ │ ├── Android_fake_mario_app
│ │ │ ├── Android_FakeApps.yar
│ │ │ ├── Android_FakeBank_Fanta.yar
│ │ │ ├── Android_Finspy.yar
│ │ │ ├── Android_generic_adware.yar
│ │ │ ├── Android_generic_smsfraud.yar
│ │ │ ├── Android_Godless.yar
│ │ │ ├── Android_HackintTeam_Implant.yar
│ │ │ ├── Android_Libyan_Scorpions.yar
│ │ │ ├── Android_malware_Advertising.yar
│ │ │ ├── Android_malware_banker.yar
│ │ │ ├── Android_malware_ChinesePorn.yar
│ │ │ ├── Android_malware_Dropper.yar
│ │ │ ├── Android_malware_Fake_MosKow.yar
│ │ │ ├── Android_malware_HackingTeam.yar
│ │ │ ├── Android_Malware_Ramsonware.yar
│ │ │ ├── Android_malware_SMSsender.yar
│ │ │ ├── Android_Malware_Tinhvan.yar
│ │ │ ├── Android_Malware_Towelroot.yar
│ │ │ ├── Android_malware_xbot007.yar
│ │ │ ├── Android_MalwareCertificates.yar
│ │ │ ├── Android_mapin.yar
│ │ │ ├── Android_Marcher_2.yar
│ │ │ ├── Android_MazarBot_z.yar
│ │ │ ├── Android_Metasploit_Payload.yar
│ │ │ ├── Android_Metasploit.yar
│ │ │ ├── Android_OmniRat.yar
│ │ │ ├── Android_Overlayer.yar
│ │ │ ├── Android_Pink_Locker.yar
│ │ │ ├── Android_Polish_Bankbot.yar
│ │ │ ├── Android_pornClicker.yar
│ │ │ ├── Android_RuMMS.yar
│ │ │ ├── Android_SandroRat.yar
│ │ │ ├── Android_sk_bankTr.yar
│ │ │ ├── Android_SlemBunk.yar
│ │ │ ├── Android_SMSFraud.yar
│ │ │ ├── Android_SpyAgent.yar
│ │ │ ├── Android_Spynet.yar
│ │ │ ├── Android_SpyNote.yar
│ │ │ ├── Android_Spywaller.yar
│ │ │ ├── Android_Switcher.yar
│ │ │ ├── Android_Tachi.yar
│ │ │ ├── Android_Tempting_Cedar_Spyware.yar
│ │ │ ├── Android_Tordow.yar
│ │ │ ├── Android_Triada_Banking.yar
│ │ │ ├── Android_Trojan_Dendroid.yar
│ │ │ ├── Android_Trojan_Droidjack.yar
│ │ │ ├── Android_VikingOrder.yar
│ │ │ └── Android_VirusPolicia.yar
│ │ ├── bank_rule.yar
│ │ └── Malware
│ │ └── MALW_Retefe.yar
│ ├── email
│ │ ├── attachment.yar
│ │ ├── EMAIL_Cryptowall.yar
│ │ ├── Email_fake_it_maintenance_bulletin.yar
│ │ ├── Email_generic_phishing.yar
│ │ ├── Email_PHP_Mailer.yar
│ │ ├── Email_quota_limit_warning.yar
│ │ ├── email_Ukraine_BE_powerattack.yar
│ │ ├── eml
│ │ │ ├── davivienda.eml
│ │ │ ├── transferencia1.eml
│ │ │ └── transferencia2.eml
│ │ ├── extortion_email.yar
│ │ ├── image.yar
│ │ ├── scam.yar
│ │ └── urls.yar
│ ├── email_index.yar
│ ├── exploit_kits
│ │ ├── EK_Angler.yar
│ │ ├── EK_Blackhole.yar
│ │ ├── EK_BleedingLife.yar
│ │ ├── EK_Crimepack.yar
│ │ ├── EK_Eleonore.yar
│ │ ├── EK_Fragus.yar
│ │ ├── EK_Phoenix.yar
│ │ ├── EK_Sakura.yar
│ │ ├── EK_ZeroAcces.yar
│ │ ├── EK_Zerox88.yar
│ │ └── EK_Zeus.yar
│ ├── exploit_kits_index.yar
│ ├── index_gen.sh
│ ├── index_w_mobile.yar
│ ├── index.yar
│ ├── LICENSE
│ ├── maldocs
│ │ ├── Maldoc_APT_OLE_JSRat.yar
│ │ ├── Maldoc_APT10_MenuPass.yar
│ │ ├── Maldoc_APT19_CVE-2017-0199.yar
│ │ ├── Maldoc_Contains_VBE_File.yar
│ │ ├── Maldoc_CVE_2017_11882.yar
│ │ ├── Maldoc_CVE_2017_8759.yar
│ │ ├── Maldoc_CVE-2017-0199.yar
│ │ ├── Maldoc_DDE.yar
│ │ ├── Maldoc_Dridex.yar
│ │ ├── Maldoc_hancitor_dropper.yar
│ │ ├── Maldoc_Hidden_PE_file.yar
│ │ ├── Maldoc_malrtf_ole2link.yar
│ │ ├── Maldoc_MIME_ActiveMime_b64.yar
│ │ ├── Maldoc_PDF.yar
│ │ ├── Maldoc_PowerPointMouse.yar
│ │ ├── maldoc_somerules.yar
│ │ ├── Maldoc_Suspicious_OLE_target.yar
│ │ ├── Maldoc_UserForm.yar
│ │ ├── Maldoc_VBA_macro_code.yar
│ │ └── Maldoc_Word_2007_XML_Flat_OPC.yar
│ ├── maldocs_index.yar
│ ├── malware
│ │ ├── 000_common_rules.yar
│ │ ├── APT_APT1.yar
│ │ ├── APT_APT10.yar
│ │ ├── APT_APT15.yar
│ │ ├── APT_APT17.yar
│ │ ├── APT_APT29_Grizzly_Steppe.yar
│ │ ├── APT_APT3102.yar
│ │ ├── APT_APT9002.yar
│ │ ├── APT_Backspace.yar
│ │ ├── APT_Bestia.yar
│ │ ├── APT_Blackenergy.yar
│ │ ├── APT_Bluetermite_Emdivi.yar
│ │ ├── APT_C16.yar
│ │ ├── APT_Carbanak.yar
│ │ ├── APT_Careto.yar
│ │ ├── APT_Casper.yar
│ │ ├── APT_CheshireCat.yar
│ │ ├── APT_Cloudduke.yar
│ │ ├── APT_Cobalt.yar
│ │ ├── APT_Codoso.yar
│ │ ├── APT_CrashOverride.yar
│ │ ├── APT_DeepPanda_Anthem.yar
│ │ ├── APT_DeputyDog.yar
│ │ ├── APT_Derusbi.yar
│ │ ├── APT_DPRK_ROKRAT.yar
│ │ ├── APT_Dubnium.yar
│ │ ├── APT_Duqu2.yar
│ │ ├── APT_Emissary.yar
│ │ ├── APT_EnergeticBear_backdoored_ssh.yar
│ │ ├── APT_eqgrp_apr17.yar
│ │ ├── APT_Equation.yar
│ │ ├── APT_EQUATIONGRP.yar
│ │ ├── APT_fancybear_dnc.yar
│ │ ├── APT_fancybear_downdelph.yar
│ │ ├── APT_FiveEyes.yar
│ │ ├── APT_furtim.yar
│ │ ├── APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar
│ │ ├── APT_Grasshopper.yar
│ │ ├── APT_Greenbug.yar
│ │ ├── APT_Grizzlybear_uscert.yar
│ │ ├── APT_HackingTeam.yar
│ │ ├── APT_Hellsing.yar
│ │ ├── APT_HiddenCobra.yar
│ │ ├── APT_Hikit.yar
│ │ ├── APT_Industroyer.yar
│ │ ├── APT_Irontiger.yar
│ │ ├── APT_Kaba.yar
│ │ ├── APT_Ke3Chang_TidePool.yar
│ │ ├── APT_KeyBoy.yar
│ │ ├── APT_LotusBlossom.yar
│ │ ├── APT_Minidionis.yar
│ │ ├── APT_Mirage.yar
│ │ ├── APT_Molerats.yar
│ │ ├── APT_Mongall.yar
│ │ ├── APT_MoonlightMaze.yar
│ │ ├── APT_NGO.yar
│ │ ├── APT_Oilrig.yar
│ │ ├── APT_OpClandestineWolf.yar
│ │ ├── APT_OPCleaver.yar
│ │ ├── APT_OpDustStorm.yar
│ │ ├── APT_OpPotao.yar
│ │ ├── APT_Passcv.yar
│ │ ├── APT_PCclient.yar
│ │ ├── APT_Pipcreat.yar
│ │ ├── APT_Platinum.yar
│ │ ├── APT_Poseidon_Group.yar
│ │ ├── APT_Prikormka.yar
│ │ ├── APT_PutterPanda.yar
│ │ ├── APT_RedLeaves.yar
│ │ ├── APT_Regin.yar
│ │ ├── APT_RemSec.yar
│ │ ├── APT_Sauron_extras.yar
│ │ ├── APT_Sauron.yar
│ │ ├── APT_Scarab_Scieron.yar
│ │ ├── APT_Seaduke.yar
│ │ ├── APT_Shamoon_StoneDrill.yar
│ │ ├── APT_Snowglobe_Babar.yar
│ │ ├── APT_Sofacy_Bundestag.yar
│ │ ├── APT_Sofacy_Fysbis.yar
│ │ ├── APT_Sofacy_Jun16.yar
│ │ ├── APT_Sphinx_Moth.yar
│ │ ├── APT_Stuxnet.yar
│ │ ├── APT_Terracota.yar
│ │ ├── APT_ThreatGroup3390.yar
│ │ ├── APT_TradeSecret.yar
│ │ ├── APT_Turla_Neuron.yar
│ │ ├── APT_Turla_RUAG.yar
│ │ ├── APT_Unit78020.yar
│ │ ├── APT_UP007_SLServer.yar
│ │ ├── APT_Uppercut.yar
│ │ ├── APT_Waterbug.yar
│ │ ├── APT_WildNeutron.yar
│ │ ├── APT_Windigo_Onimiki.yar
│ │ ├── APT_Winnti.yar
│ │ ├── APT_WoolenGoldfish.yar
│ │ ├── EXPERIMENTAL_Beef.yar
│ │ ├── GEN_PowerShell.yar
│ │ ├── MalConfScan.yar
│ │ ├── MALW_adwind_RAT.yar
│ │ ├── MALW_AgentTesla_SMTP.yar
│ │ ├── MALW_AgentTesla.yar
│ │ ├── MALW_Alina.yar
│ │ ├── MALW_AlMashreq.yar
│ │ ├── MALW_Andromeda.yar
│ │ ├── MALW_Arkei.yar
│ │ ├── MALW_Athena.yar
│ │ ├── MALW_ATM_HelloWorld.yar
│ │ ├── MALW_Atmos.yar
│ │ ├── MALW_ATMPot.yar
│ │ ├── MALW_AZORULT.yar
│ │ ├── MALW_BackdoorSSH.yar
│ │ ├── MALW_Backoff.yar
│ │ ├── MALW_Bangat.yar
│ │ ├── MALW_Batel.yar
│ │ ├── MALW_BlackRev.yar
│ │ ├── MALW_BlackWorm.yar
│ │ ├── MALW_Boouset.yar
│ │ ├── MALW_Bublik.yar
│ │ ├── MALW_Buzus_Softpulse.yar
│ │ ├── MALW_CAP_HookExKeylogger.yar
│ │ ├── MALW_Chicken.yar
│ │ ├── MALW_Citadel.yar
│ │ ├── MALW_Cloaking.yar
│ │ ├── MALW_Cookies.yar
│ │ ├── MALW_Corkow.yar
│ │ ├── MALW_Cxpid.yar
│ │ ├── MALW_Cythosia.yar
│ │ ├── MALW_DDoSTf.yar
│ │ ├── MALW_Derkziel.yar
│ │ ├── MALW_Dexter.yar
│ │ ├── MALW_DiamondFox.yar
│ │ ├── MALW_DirtJumper.yar
│ │ ├── MALW_Eicar.yar
│ │ ├── MALW_Elex.yar
│ │ ├── MALW_Elknot.yar
│ │ ├── MALW_Emotet.yar
│ │ ├── MALW_Empire.yar
│ │ ├── MALW_Enfal.yar
│ │ ├── MALW_Exploit_UAC_Elevators.yar
│ │ ├── MALW_Ezcob.yar
│ │ ├── MALW_F0xy.yar
│ │ ├── MALW_FakeM.yar
│ │ ├── MALW_FALLCHILL.yar
│ │ ├── MALW_Fareit.yar
│ │ ├── MALW_Favorite.yar
│ │ ├── MALW_FUDCrypt.yar
│ │ ├── MALW_Furtim.yar
│ │ ├── MALW_Gafgyt.yar
│ │ ├── MALW_Genome.yar
│ │ ├── MALW_Glasses.yar
│ │ ├── MALW_Gozi.yar
│ │ ├── MALW_Grozlex.yar
│ │ ├── MALW_Hajime.yar
│ │ ├── MALW_hancitor.yar
│ │ ├── MALW_Hsdfihdf_banking.yar
│ │ ├── MALW_Httpsd_ELF.yar
│ │ ├── MALW_IcedID.yar
│ │ ├── MALW_Iexpl0ree.yar
│ │ ├── MALW_IMuler.yar
│ │ ├── MALW_Install11.yar
│ │ ├── MALW_Intel_Virtualization.yar
│ │ ├── MALW_IotReaper.yar
│ │ ├── MALW_Jolob_Backdoor.yar
│ │ ├── MALW_Kelihos.yar
│ │ ├── MALW_KeyBase.yar
│ │ ├── MALW_KINS.yar
│ │ ├── MALW_kirbi_mimikatz.yar
│ │ ├── MALW_Korlia.yar
│ │ ├── MALW_Korplug.yar
│ │ ├── MALW_Kovter.yar
│ │ ├── MALW_kpot.yar
│ │ ├── MALW_Kraken.yar
│ │ ├── MALW_Kwampirs.yar
│ │ ├── MALW_Lateral_Movement.yar
│ │ ├── MALW_Lenovo_Superfish.yar
│ │ ├── MALW_LinuxBew.yar
│ │ ├── MALW_LinuxHelios.yar
│ │ ├── MALW_LinuxMoose.yar
│ │ ├── MALW_LostDoor.yar
│ │ ├── MALW_LuaBot.yar
│ │ ├── MALW_LuckyCat.yar
│ │ ├── MALW_LURK0.yar
│ │ ├── MALW_MacControl.yar
│ │ ├── MALW_MacGyver.yar
│ │ ├── MALW_Madness.yar
│ │ ├── MALW_Magento_backend.yar
│ │ ├── MALW_Magento_frontend.yar
│ │ ├── MALW_Magento_suspicious.yar
│ │ ├── MALW_Mailers.yar
│ │ ├── MALW_marap.yar
│ │ ├── MALW_MedusaHTTP_2019.yar
│ │ ├── MALW_Miancha.yar
│ │ ├── MALW_MiniAsp3_mem.yar
│ │ ├── MALW_Mirai_Okiru_ELF.yar
│ │ ├── MALW_Mirai_Satori_ELF.yar
│ │ ├── MALW_Mirai.yar
│ │ ├── MALW_Miscelanea_Linux.yar
│ │ ├── MALW_Miscelanea.yar
│ │ ├── MALW_Monero_Miner_installer.yar
│ │ ├── MALW_MSILStealer.yar
│ │ ├── MALW_Naikon.yar
│ │ ├── MALW_Naspyupdate.yar
│ │ ├── MALW_NetTraveler.yar
│ │ ├── MALW_NionSpy.yar
│ │ ├── MALW_Notepad.yar
│ │ ├── MALW_NSFree.yar
│ │ ├── MALW_Odinaff.yar
│ │ ├── MALW_Olyx.yar
│ │ ├── MALW_OSX_Leverage.yar
│ │ ├── MALW_PE_sections.yar
│ │ ├── MALW_PittyTiger.yar
│ │ ├── MALW_PolishBankRat.yar
│ │ ├── MALW_Ponmocup.yar
│ │ ├── MALW_Pony.yar
│ │ ├── MALW_Predator.yar
│ │ ├── MALW_PubSab.yar
│ │ ├── MALW_PurpleWave.yar
│ │ ├── MALW_Pyinstaller_OSX.yar
│ │ ├── MALW_Pyinstaller.yar
│ │ ├── MALW_PyPI.yar
│ │ ├── MALW_Quarian.yar
│ │ ├── MALW_Rebirth_Vulcan_ELF.yar
│ │ ├── MALW_Regsubdat.yar
│ │ ├── MALW_Rockloader.yar
│ │ ├── MALW_Rooter.yar
│ │ ├── MALW_Rovnix.yar
│ │ ├── MALW_Safenet.yar
│ │ ├── MALW_Sakurel.yar
│ │ ├── MALW_Sayad.yar
│ │ ├── MALW_Scarhikn.yar
│ │ ├── MALW_Sendsafe.yar
│ │ ├── MALW_Shamoon.yar
│ │ ├── MALW_shifu_shiz.yar
│ │ ├── MALW_Shifu.yar
│ │ ├── MALW_sitrof_fortis_scar.yar
│ │ ├── MALW_Skeleton.yar
│ │ ├── MALW_Spora.yar
│ │ ├── MALW_Sqlite.yar
│ │ ├── MALW_Stealer.yar
│ │ ├── MALW_Surtr.yar
│ │ ├── MALW_T5000.yar
│ │ ├── MALW_Tedroo.yar
│ │ ├── MALW_Tinba.yar
│ │ ├── MALW_TinyShell_Backdoor_gen.yar
│ │ ├── MALW_Torte_ELF.yar
│ │ ├── MALW_TreasureHunt.yar
│ │ ├── MALW_TrickBot.yar
│ │ ├── MALW_TRITON_HATMAN.yar
│ │ ├── MALW_TRITON_ICS_FRAMEWORK.yar
│ │ ├── MALW_Trumpbot.yar
│ │ ├── MALW_Upatre.yar
│ │ ├── MALW_Urausy.yar
│ │ ├── MALW_Vidgrab.yar
│ │ ├── MALW_viotto_keylogger.yar
│ │ ├── MALW_Virut_FileInfector_UNK_VERSION.yar
│ │ ├── MALW_Volgmer.yar
│ │ ├── MALW_Wabot.yar
│ │ ├── MALW_Warp.yar
│ │ ├── MALW_Wimmie.yar
│ │ ├── MALW_xDedic_marketplace.yar
│ │ ├── MALW_XHide.yar
│ │ ├── MALW_XMRIG_Miner.yar
│ │ ├── MALW_XOR_DDos.yar
│ │ ├── MALW_Yayih.yar
│ │ ├── MALW_Yordanyan_ActiveAgent.yar
│ │ ├── MALW_Zegost.yar
│ │ ├── MALW_Zeus.yar
│ │ ├── Operation_Blockbuster
│ │ │ ├── cert_wiper.yara
│ │ │ ├── DeltaCharlie.yara
│ │ │ ├── general.yara
│ │ │ ├── HotelAlfa.yara
│ │ │ ├── IndiaAlfa.yara
│ │ │ ├── IndiaBravo.yara
│ │ │ ├── IndiaCharlie.yara
│ │ │ ├── IndiaDelta.yara
│ │ │ ├── IndiaEcho.yara
│ │ │ ├── IndiaGolf.yara
│ │ │ ├── IndiaHotel.yara
│ │ │ ├── IndiaJuliett.yara
│ │ │ ├── IndiaWhiskey.yara
│ │ │ ├── KiloAlfa.yara
│ │ │ ├── LimaAlfa.yara
│ │ │ ├── LimaBravo.yara
│ │ │ ├── LimaCharlie.yara
│ │ │ ├── LimaDelta.yara
│ │ │ ├── mastersig
│ │ │ ├── PapaAlfa.yara
│ │ │ ├── RomeoAlfa.yara
│ │ │ ├── RomeoBravo.yara
│ │ │ ├── RomeoCharlie.yara
│ │ │ ├── RomeoDelta.yara
│ │ │ ├── RomeoEcho.yara
│ │ │ ├── RomeoFoxtrot_mod.yara
│ │ │ ├── RomeoGolf_mod.yara
│ │ │ ├── RomeoHotel.yara
│ │ │ ├── RomeoWhiskey.yara
│ │ │ ├── sharedcode.yara
│ │ │ ├── SierraAlfa.yara
│ │ │ ├── SierraBravo.yara
│ │ │ ├── SierraCharlie.yara
│ │ │ ├── SierraJuliettMikeOne.yara
│ │ │ ├── SierraJuliettMikeTwo.yara
│ │ │ ├── suicidescripts.yara
│ │ │ ├── TangoAlfa.yara
│ │ │ ├── TangoBravo.yara
│ │ │ ├── UniformAlfa.yara
│ │ │ ├── UniformJuliett.yara
│ │ │ ├── WhiskeyAlfa.yara
│ │ │ ├── WhiskeyBravo_mod.yara
│ │ │ ├── WhiskeyCharlie.yara
│ │ │ └── WhiskeyDelta.yara
│ │ ├── POS_Bernhard.yar
│ │ ├── POS_BruteforcingBot.yar
│ │ ├── POS_Easterjack.yar
│ │ ├── POS_FastPOS.yar
│ │ ├── POS_LogPOS.yar
│ │ ├── POS_MalumPOS.yar
│ │ ├── POS_Mozart.yar
│ │ ├── POS.yar
│ │ ├── RANSOM_.CRYPTXXX.yar
│ │ ├── RANSOM_777.yar
│ │ ├── RANSOM_acroware.yar
│ │ ├── RANSOM_Alpha.yar
│ │ ├── RANSOM_BadRabbit.yar
│ │ ├── RANSOM_Cerber.yar
│ │ ├── RANSOM_Comodosec.yar
│ │ ├── RANSOM_Crypren.yar
│ │ ├── RANSOM_Cryptolocker.yar
│ │ ├── RANSOM_CryptoNar.yar
│ │ ├── RANSOM_DMALocker.yar
│ │ ├── RANSOM_DoublePulsar_Petya.yar
│ │ ├── RANSOM_Erebus.yar
│ │ ├── RANSOM_GoldenEye.yar
│ │ ├── RANSOM_GPGQwerty.yar
│ │ ├── RANSOM_jeff_dev.yar
│ │ ├── RANSOM_locdoor.yar
│ │ ├── RANSOM_Locky.yar
│ │ ├── RANSOM_Maze.yar
│ │ ├── RANSOM_MS17-010_Wannacrypt.yar
│ │ ├── RANSOM_PetrWrap.yar
│ │ ├── RANSOM_Petya_MS17_010.yar
│ │ ├── RANSOM_Petya.yar
│ │ ├── RANSOM_Pico.yar
│ │ ├── RANSOM_Revix.yar
│ │ ├── RANSOM_SamSam.yar
│ │ ├── RANSOM_Satana.yar
│ │ ├── RANSOM_screenlocker_5h311_1nj3c706.yar
│ │ ├── RANSOM_Shiva.yar
│ │ ├── RANSOM_shrug2.yar
│ │ ├── RANSOM_Sigma.yar
│ │ ├── RANSOM_Snake.yar
│ │ ├── RANSOM_Stampado.yar
│ │ ├── RANSOM_termite.yar
│ │ ├── RANSOM_TeslaCrypt.yar
│ │ ├── RANSOM_Tox.yar
│ │ ├── RAT_Adwind.yar
│ │ ├── RAT_Adzok.yar
│ │ ├── RAT_Asyncrat.yar
│ │ ├── RAT_BlackShades.yar
│ │ ├── RAT_Bolonyokte.yar
│ │ ├── RAT_Bozok.yar
│ │ ├── RAT_Cerberus.yar
│ │ ├── RAT_Crimson.yar
│ │ ├── RAT_CrossRAT.yar
│ │ ├── RAT_CyberGate.yar
│ │ ├── RAT_DarkComet.yar
│ │ ├── RAT_FlyingKitten.yar
│ │ ├── RAT_Gh0st.yar
│ │ ├── RAT_Gholee.yar
│ │ ├── RAT_Glass.yar
│ │ ├── RAT_Havex.yar
│ │ ├── RAT_Hizor.yar
│ │ ├── RAT_Indetectables.yar
│ │ ├── RAT_Inocnation.yar
│ │ ├── RAT_jRAT.yar
│ │ ├── RAT_Meterpreter_Reverse_Tcp.yar
│ │ ├── RAT_Nanocore.yar
│ │ ├── RAT_NetwiredRC.yar
│ │ ├── RAT_Njrat.yar
│ │ ├── RAT_Orcus.yar
│ │ ├── RAT_PlugX.yar
│ │ ├── RAT_PoetRATDoc.yar
│ │ ├── RAT_PoetRATPython.yar
│ │ ├── RAT_PoisonIvy.yar
│ │ ├── RAT_Ratdecoders.yar
│ │ ├── RAT_Sakula.yar
│ │ ├── RAT_ShadowTech.yar
│ │ ├── RAT_Shim.yar
│ │ ├── RAT_Terminator.yar
│ │ ├── RAT_xRAT.yar
│ │ ├── RAT_xRAT20.yar
│ │ ├── RAT_Xtreme.yar
│ │ ├── RAT_ZoxPNG.yar
│ │ ├── TOOLKIT_Chinese_Hacktools.yar
│ │ ├── TOOLKIT_Dubrute.yar
│ │ ├── TOOLKIT_exe2hex_payload.yar
│ │ ├── TOOLKIT_FinFisher_.yar
│ │ ├── TOOLKIT_Gen_powerkatz.yar
│ │ ├── TOOLKIT_Mandibule.yar
│ │ ├── TOOLKIT_PassTheHash.yar
│ │ ├── TOOLKIT_Powerstager.yar
│ │ ├── TOOLKIT_Pwdump.yar
│ │ ├── TOOLKIT_Redteam_Tools_by_GUID.yar
│ │ ├── TOOLKIT_Redteam_Tools_by_Name.yar
│ │ ├── TOOLKIT_Solarwinds_credential_stealer.yar
│ │ ├── TOOLKIT_THOR_HackTools.yar
│ │ └── TOOLKIT_Wineggdrop.yar
│ ├── malware_index.yar
│ ├── mobile_malware
│ │ └── .gitKeep
│ ├── mobile_malware_index.yar
│ ├── packers
│ │ ├── Javascript_exploit_and_obfuscation.yar
│ │ ├── JJencode.yar
│ │ ├── packer_compiler_signatures.yar
│ │ ├── packer.yar
│ │ ├── peid.yar
│ │ └── tweetable-polyglot-png.yar
│ ├── packers_index.yar
│ ├── README.md
│ ├── utils
│ │ ├── base64.yar
│ │ ├── domain.yar
│ │ ├── ip.yar
│ │ ├── magic.yar
│ │ ├── README
│ │ ├── suspicious_strings.yar
│ │ ├── url.yar
│ │ └── virustotal.yar
│ ├── webshells
│ │ ├── WShell_APT_Laudanum.yar
│ │ ├── WShell_ASPXSpy.yar
│ │ ├── WShell_ChinaChopper.yar
│ │ ├── Wshell_ChineseSpam.yar
│ │ ├── WShell_Drupalgeddon2_icos.yar
│ │ ├── Wshell_fire2013.yar
│ │ ├── WShell_PHP_Anuna.yar
│ │ ├── WShell_PHP_in_images.yar
│ │ └── WShell_THOR_Webshells.yar
│ └── webshells_index.yar
├── setup.cfg
├── start_sse_server.py
└── vol_wrapper.py
```
# Files
--------------------------------------------------------------------------------
/rules/mobile_malware/.gitKeep:
--------------------------------------------------------------------------------
```
```
--------------------------------------------------------------------------------
/rules/.gitmodules:
--------------------------------------------------------------------------------
```
[submodule "utils/yara-forensics"]
path = utils/yara-forensics
url = https://github.com/Xumeiquer/yara-forensics.git
```
--------------------------------------------------------------------------------
/rules/.travis.yml:
--------------------------------------------------------------------------------
```yaml
language: c
sudo: required
before_install:
- sudo apt-get -qq update
- sudo apt-get install -y automake libtool make gcc pkg-config flex bison libjansson-dev libmagic-dev libssl-dev jq
# Yara
- wget $(curl -s https://api.github.com/repos/VirusTotal/yara/releases/latest | jq -r ".tarball_url") -O yara-latest.tar.gz
- mkdir yara
- tar -xzvf yara-latest.tar.gz -C yara --strip-components 1
# Compile Yara
- cd yara
# Update per issue 176
- sed -i 's/#define RE_MAX_SPLIT_ID 128/#define RE_MAX_SPLIT_ID 255/g' libyara/include/yara/limits.h
- ./bootstrap.sh
- ./configure --enable-cuckoo --enable-magic --with-crypto
- make
- sudo make install
- sudo ldconfig
- cd ../
script:
- echo "test" > testfile
- FALLO=0
- for i in $(ls *_index.yar); do echo $i; yara -w $i testfile; if [[ $? -ne 0 ]]; then FALLO=1; fi; done
- exit $FALLO
```
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
```yaml
default_stages: [pre-commit]
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-yaml
- id: check-merge-conflict
- id: debug-statements
- repo: https://github.com/asottile/pyupgrade
rev: v3.17.0
hooks:
- id: pyupgrade
args: [--py310-plus]
- repo: https://github.com/psf/black
rev: 24.8.0
hooks:
- id: black
- repo: https://github.com/PyCQA/isort
rev: 5.13.2
hooks:
- id: isort
- repo: https://github.com/PyCQA/flake8
rev: 7.1.1
hooks:
- id: flake8
args: ["--config=setup.cfg"]
additional_dependencies: [flake8-isort]
- repo: https://github.com/PyCQA/bandit
rev: "1.7.0"
hooks:
- id: bandit
args: ["-r", "--configfile=bandit-config.yml"]
- repo: https://github.com/zricethezav/gitleaks
rev: "v8.0.4"
hooks:
- id: gitleaks
ci:
autoupdate_schedule: weekly
skip: []
submodules: false
```
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
```
# Project specific
memory_dump/*
*.mov
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
.hypothesis/
# Translations
*.mo
*.pot
# Django stuff:
staticfiles/
# Sphinx documentation
docs/_build/
# PyBuilder
target/
# pyenv
.python-version
# celery beat schedule file
celerybeat-schedule
# Environments
.venv
myenv/
venv/
ENV/
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/
### Node template
# Logs
logs
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
# Runtime data
pids
*.pid
*.seed
*.pid.lock
# Directory for instrumented libs generated by jscoverage/JSCover
lib-cov
# Coverage directory used by tools like istanbul
coverage
# nyc test coverage
.nyc_output
# Bower dependency directory (https://bower.io/)
bower_components
# node-waf configuration
.lock-wscript
# Compiled binary addons (http://nodejs.org/api/addons.html)
build/Release
# Dependency directories
node_modules/
jspm_packages/
# Typescript v1 declaration files
typings/
# Optional npm cache directory
.npm
# Optional eslint cache
.eslintcache
# Optional REPL history
.node_repl_history
# Output of 'npm pack'
*.tgz
# Yarn Integrity file
.yarn-integrity
### Linux template
*~
# temporary files which can be created if a process still has a handle open of a deleted file
.fuse_hidden*
# KDE directory preferences
.directory
# Linux trash folder which might appear on any partition or disk
.Trash-*
# .nfs files are created when an open file is removed but is still being accessed
.nfs*
### VisualStudioCode template
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
*.code-workspace
# Local History for Visual Studio Code
.history/
### Windows template
# Windows thumbnail cache files
Thumbs.db
ehthumbs.db
ehthumbs_vista.db
# Dump file
*.stackdump
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Windows Installer files
*.cab
*.msi
*.msm
*.msp
# Windows shortcuts
*.lnk
### macOS template
# General
*.DS_Store
.AppleDouble
.LSOverride
# Icon must end with two \r
Icon
# Thumbnails
._*
# Files that might appear in the root of a volume
.DocumentRevisions-V100
.fseventsd
.Spotlight-V100
.TemporaryItems
.Trashes
.VolumeIcon.icns
.com.apple.timemachine.donotpresent
# Directories potentially created on remote AFP share
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk
### SublimeText template
# Cache files for Sublime Text
*.tmlanguage.cache
*.tmPreferences.cache
*.stTheme.cache
# Workspace files are user-specific
*.sublime-workspace
# Project files should be checked into the repository, unless a significant
# proportion of contributors will probably not be using Sublime Text
# *.sublime-project
# SFTP configuration file
sftp-config.json
# Package control specific files
Package Control.last-run
Package Control.ca-list
Package Control.ca-bundle
Package Control.system-ca-bundle
Package Control.cache/
Package Control.ca-certs/
Package Control.merged-ca-bundle
Package Control.user-ca-bundle
oscrypto-ca-bundle.crt
bh_unicode_properties.cache
# Sublime-github package stores a github token in this file
# https://packagecontrol.io/packages/sublime-github
GitHub.sublime-settings
### Vim template
# Swap
[._]*.s[a-v][a-z]
[._]*.sw[a-p]
[._]s[a-v][a-z]
[._]sw[a-p]
# Session
Session.vim
# Temporary
.netrwhist
# Auto-generated tag files
tags
# Redis dump file
dump.rdb
.pytest_cache/
.ipython/
.env
.envs/*
!.envs/.local/
**/.ipynb_checkpoints/
**/*.xlsx
# Config details for the api access
config_generation/config.py
# Model's inference files
Document_Classifier_inference/model.pt
# Ignore Database Backup files
/backups
*.sql
*.gz
```
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
```markdown
# Volatility3 MCP Server
## Introduction
Volatility3 MCP Server is a powerful tool that connects MCP clients like Claude Desktop with Volatility3, the advanced memory forensics framework. This integration allows LLMs to analyze memory dumps, detect malware, and perform sophisticated memory forensics tasks through a simple, conversational interface.
## Demo
[Demo Video](https://1drv.ms/v/c/b3eb1096e4f4a3a8/EfKIAsM9zUpGtXjJMDn0zywB-R3UnwvYD4yX71q1CinfRw?e=lke0Ox)
You can also find a [detailed presentation](./attachments/project-presentation.pdf) on this tool here.
## What This Solves
Memory forensics is a complex field that typically requires specialized knowledge and command-line expertise. This project bridges that gap by:
- Allowing non-experts to perform memory forensics through natural language
- Enabling LLMs to directly analyze memory dumps and provide insights
- Automating common forensic workflows that would normally require multiple manual steps
- Making memory forensics more accessible and user-friendly
## Features
- **Memory Dump Analysis**: Analyze Windows and Linux memory dumps using various plugins
- **Process Inspection**: List running processes, examine their details, and identify suspicious activity
- **Network Analysis**: Examine network connections to detect command and control servers
- **Cross-Platform Support**: Works with both Windows and Linux memory dumps (macOS support coming soon)
- **Malware Detection**: Scan memory with **YARA rules** to identify known malware signatures
## Configuration
1. Clone this repository:
2. Create a virtual environment:
```bash
python -m venv environ
source environ/bin/activate
```
3. Install the required dependencies:
```bash
pip install -r requirements.txt
```
You can use this project in two ways:
### Option 1: With Claude Desktop
4. Configure Claude Desktop:
- Go to `Claude` -> `Settings` -> `Developer` -> `Edit Config` -> `claude_desktop_config.json` and add the following
```json
{
"mcpServers": {
"volatility3": {
"command": "absolute/path/to/virtual/environment/bin/python3",
"args": [
"absolute/path/to/bridge_mcp_volatility.py"
]
}
}
}
```
5. Restart Claude Desktop and begin analyzing the memory dumps.
### Option 2: With Cursor (SSE Server)
4. Start the SSE server:
```bash
python3 start_sse_server.py
```
4. Configure Cursor to use the SSE server:
- Open Cursor settings
- Navigate to `Features` -> `MCP Servers`
- Add a new MCP server with the URL `http://127.0.0.1:8080/sse`
6. Use the Cursor Composer in agent mode and begin analyzing memory dumps.
## Available Tools
- **initialize_memory_file**: Set up a memory dump file for analysis
- **detect_os**: Identify the operating system of the memory dump
- **list_plugins**: Display all available Volatility3 plugins
- **get_plugin_info**: Get detailed information about a specific plugin
- **run_plugin**: Execute any Volatility3 plugin with custom arguments
- **get_processes**: List all running processes in the memory dump
- **get_network_connections**: View all network connections from the system
- **list_process_open_handles**: Examine files and resources accessed by a process
- **scan_with_yara**: Scan memory for malicious patterns using YARA rules
## Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
```
--------------------------------------------------------------------------------
/rules/README.md:
--------------------------------------------------------------------------------
```markdown
[](https://travis-ci.org/Yara-Rules/rules) <img src="http://img.shields.io/liberapay/patrons/yararules.svg?logo=liberapay">
# Project
This project covers the need of a group of IT Security Researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible, and began as an open source community for collecting Yara rules. Our Yara ruleset is under the GNU-GPLv2 license and open to any user or organization, as long as you use it under this license.
Yara is becoming increasingly used, but knowledge about the tool and its usage is dispersed across many different places. The Yara Rules project aims to be the meeting point for Yara users by gathering together a ruleset as complete as possible thusly providing users a quick way to get Yara ready for usage.
We hope this project is useful for the Security Community and all Yara Users, and are looking forward to your feedback. Join this community by subscribing to our mailing list.
# Contribute
If you’re interested in sharing your Yara rules with us and the Security Community, you can join our mailing list, send a message to our Twitter account or send a pull request here.
Twitter account: https://twitter.com/yararules
# Requirements
Yara **version 3.0** or higher is required for most of our rules to work. This is mainly due to the use of the "pe" module introduced in that version.
You can check your installed version with `yara -v`
Packages available in Ubuntu 14.04 LTS default repositories are too old. You can alternatively install from source or use the packages available in the [Remnux repository](https://launchpad.net/~remnux/+archive/ubuntu/stable).
~~Also, you will need [Androguard Module](https://github.com/Koodous/androguard-yara) if you want to use the rules in the 'mobile_malware' category.~~
We have deprecated mobile_malware rules that depend on Androguard Module because it seems an abandoned project.
# Categories
## Anti-debug/Anti-VM
In this section you will find Yara Rules aimed toward the detection of anti-debug and anti-virtualization techniques used by malware to evade automated analysis.
## Capabilities
In this section you will find Yara rules to detect capabilities that do not fit into any of the other categories. They are useful to know for analysis but may not be malicious indicators on their own.
## CVE Rules
In this section you will find Yara Rules specialised toward the identification of specific Common Vulnerabilities and Exposures (CVEs)
## Crypto
In this section you will find Yara rules aimed toward the detection and existence of cryptographic algorithms.
## Exploit Kits
In this section you will find Yara rules aimed toward the detection and existence of Exploit Kits.
## Malicious Documents
In this section you will find Yara Rules to be used with documents to find if they have been crafted to leverage malicious code.
## Malware
In this section you will find Yara rules specialised toward the identification of well-known malware.
## Packers
In this section you will find Yara Rules aimed to detect well-known software packers, that can be used by malware to hide itself.
## WebShells
In this section you will find Yara rules specialised toward the identification of well-known webshells.
## Email
In this section you will find Yara rules specialised toward the identification of malicious e-mails.
## Malware Mobile
In this section you will find Yara rules specialised toward the identification of well-known mobile malware.
## Deprecated
In this section you will find Yara rules deprecated.
# Contact
Webpage: https://yara-rules.github.io/blog/
Twitter account: https://twitter.com/yararules
```
--------------------------------------------------------------------------------
/rules/.github/FUNDING.yml:
--------------------------------------------------------------------------------
```yaml
liberapay: yararules
```
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
```
mcp>=1.6.0
volatility3>=2.11.0
yara-python>=4.5.1
```
--------------------------------------------------------------------------------
/rules/.github/ISSUE_TEMPLATE/new-rule-request.md:
--------------------------------------------------------------------------------
```markdown
---
name: New rule request
about: Suggest a new rule for this project
title: "[New Rule]"
labels: new rule
assignees: ''
---
**Is your feature request related to an article or investigation? Please describe.**
A clear and concise description of what the article or investigation is.
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.
```
--------------------------------------------------------------------------------
/rules/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
```markdown
---
name: Bug report
about: Create a report to help us improve
title: "[BUG]"
labels: bug
assignees: ''
---
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error
**Expected behavior**
A clear and concise description of what you expected to happen.
**Screenshots**
If applicable, add screenshots to help explain your problem.
**Desktop (please complete the following information):**
- OS: [e.g. iOS]
- Yara version [e.g. 3.11.0]
- Version [e.g. 22]
**Additional context**
Add any other context about the problem here.
```
--------------------------------------------------------------------------------
/bandit-config.yml:
--------------------------------------------------------------------------------
```yaml
# bandit-config.yml
skips:
- B101 # Skip assert used (often used in tests)
exclude:
- ./tests/ # Exclude test directories
- ./migrations/ # Exclude migration directories
- ./venv/ # Exclude virtual environment
- ./environ/ # Exclude virtual environment
tests:
- B105 # Include test for hardcoded password strings
- B602 # Include test for subprocess call with shell equals true
profiles:
default:
include:
- all
exclude:
- B101 # Exclude assert used
- B401 # Exclude test for import telnetlib
- B403 # Exclude import from the pickle module
severity: 'MEDIUM'
confidence: 'MEDIUM'
```
--------------------------------------------------------------------------------
/rules/.github/workflows/main.yml:
--------------------------------------------------------------------------------
```yaml
name: CI
on:
# Trigger the workflow on push or pull request,
# but only for the master branch
push:
branches:
- master
pull_request:
branches:
- master
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
ref: ${{ github.head_ref }}
- name: Run gen index
run: "./index_gen.sh"
shell: bash
- name: Add & Commit
uses: github-actions-x/[email protected]
with:
commit-message: 'Index updated'
name: '${{ secrets.GH_USER }}'
email: '${{ secrets.GH_EMAIL }}'
push-branch: ${{ github.head_ref }}
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Push
uses: ad-m/[email protected]
with:
github_token: ${{ secrets.GH_TOKEN }}
branch: ${{ github.head_ref }}
```
--------------------------------------------------------------------------------
/rules/index_gen.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/bash
function get_folders {
local INDECES=()
AVOID="utils|deprecated"
for folder in $(ls -d */ | grep -vE $AVOID); do
INDECES+="$folder "
done
INDECES+=". "
echo "$INDECES"
}
function gen_index {
IDX_NAME=$1
BASE=$2
INC_MOBILE=$3
> $IDX_NAME
if [ x"$4" != x ]; then
echo -e "/*$4*/" > $IDX_NAME
fi
OS=$(uname)
AVOID="_?index.yara?|index_|utils|deprecated"
if [ x"$BASE" == x"." ]; then
if [ $INC_MOBILE == false ]; then
AVOID+="|Mobile"
fi
if [ $OS == "Darwin" ]; then
find -E $BASE -regex ".*\.yara?" | grep -vE "$AVOID" | sort | awk '{print "include \"" $0 "\""}' >> $IDX_NAME
else
# Linux version and potentialy Cygwin
find $BASE -regex ".*\.yara?" | grep -vE "$AVOID" | sort | awk '{print "include \"" $0 "\""}' >> $IDX_NAME
fi
else
if [ $OS == "Darwin" ]; then
find -E $BASE -regex ".*\.yara?" | grep -vE "$AVOID" | sort | awk '{print "include \"./" $0 "\""}' >> $IDX_NAME
else
# Linux version and potentialy Cygwin
find $BASE -regex ".*\.yara?" | grep -vE "$AVOID" | sort | awk '{print "include \"./" $0 "\""}' >> $IDX_NAME
fi
fi
}
## Main
echo " **************************"
echo " Yara-Rules"
echo " Index generator"
echo " **************************"
INC_MOBILE=true
for folder in $(get_folders)
do
if [ x"$folder" == x"." ]; then
BASE="."
IDX_NAME="index_w_mobile.yar"
echo "[+] Generating index_w_mobile..."
else
BASE=$(echo $folder | rev | cut -c 2- | rev)
IDX_NAME="$BASE"_index.yar
echo "[+] Generating $BASE index..."
fi
gen_index $IDX_NAME $BASE $INC_MOBILE "\nGenerated by Yara-Rules\nOn $(date +%d-%m-%Y)\n"
if [ x"$folder" == x"." ]; then
INC_MOBILE=false
IDX_NAME="index.yar"
gen_index $IDX_NAME $BASE $INC_MOBILE "\nGenerated by Yara-Rules\nOn $(date +%d-%m-%Y)\n"
echo "[+] Generating index..."
fi
done
```
--------------------------------------------------------------------------------
/start_sse_server.py:
--------------------------------------------------------------------------------
```python
from mcp.server.fastmcp import FastMCP
from starlette.applications import Starlette
from mcp.server.sse import SseServerTransport
from starlette.requests import Request
from starlette.routing import Mount, Route
from mcp.server import Server
import uvicorn
import argparse
import os
from bridge_mcp_volatility import mcp
def create_starlette_app(mcp_server: Server, *, debug: bool = False) -> Starlette:
"""Create a Starlette application that can serve the provided mcp server with SSE."""
sse = SseServerTransport("/messages/")
async def handle_sse(request: Request) -> None:
async with sse.connect_sse(
request.scope,
request.receive,
request._send,
) as (read_stream, write_stream):
await mcp_server.run(
read_stream,
write_stream,
mcp_server.create_initialization_options(),
)
return Starlette(
debug=debug,
routes=[
Route("/sse", endpoint=handle_sse),
Mount("/messages/", app=sse.handle_post_message),
],
)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Run Volatility3 MCP SSE-based server')
parser.add_argument('--host', default='127.0.0.1', help='Host to bind to')
parser.add_argument('--port', type=int, default=8080, help='Port to listen on')
parser.add_argument('--debug', action='store_true', help='Enable debug mode')
args = parser.parse_args()
mcp_server = mcp._mcp_server
# Create the Starlette app with SSE support
starlette_app = create_starlette_app(mcp_server, debug=args.debug)
# Print the SSE URL for Cursor to connect to
sse_url = f"http://{args.host}:{args.port}/sse"
print(f"\n=== Volatility3 MCP Server ===")
print(f"Server running at: http://{args.host}:{args.port}")
print(f"SSE URL for Cursor: {sse_url}")
print(f"Copy this URL into Cursor's MCP configuration")
print(f"==============================\n")
# Run the server
uvicorn.run(starlette_app, host=args.host, port=args.port)
```
--------------------------------------------------------------------------------
/get_malware_yara_rules.py:
--------------------------------------------------------------------------------
```python
"""
This script downloads and processes YARA rules from the Yara-Rules GitHub repository.
It filters out incompatible rules, handles duplicates, and merges them into a single file.
It also creates an index file for quick rule lookup.
Since it is already included in the repo, you won't need to run it.
However, you might want to refresh the rules periodically.
"""
import json
import os
import re
import shutil
def get_rules_from_git():
shutil.rmtree("./rules", ignore_errors=True)
os.system("git clone https://github.com/Yara-Rules/rules.git")
# Remove .git directory
shutil.rmtree("./rules/.git", ignore_errors=True)
def list_yara_files():
all_yara_files = []
for root, directories, filenames in os.walk("./rules/malware"):
print("Processing " + root)
filenames.sort()
for file_name in filenames:
rule_filename, rule_file_extension = os.path.splitext(file_name)
if rule_file_extension == ".yar" or rule_file_extension == ".yara":
all_yara_files.append(os.path.join(root, file_name))
return all_yara_files
def remove_incompatible_imports(files):
filtered_files = []
for yara_file in files:
with open(yara_file, errors="ignore") as fd:
yara_in_file = fd.read()
if not (
('import "math"' in yara_in_file)
or ('import "cuckoo"' in yara_in_file)
or ('import "hash"' in yara_in_file)
or ("imphash" in yara_in_file)
):
filtered_files.append(yara_file)
return filtered_files
def fix_duplicated_rules(files):
filtered_files = []
first_elf = True
to_delete = False
for yara_file in files:
print("Processing " + yara_file)
with open(yara_file, errors="ignore") as fd:
yara_in_file = fd.readlines()
for line in yara_in_file:
if line.strip() == "private rule is__elf {":
if first_elf:
first_elf = False
else:
to_delete = True
if not to_delete:
filtered_files.append(line)
if (not first_elf) and line.strip() == "}":
to_delete = False
filtered_files.append("\n")
return filtered_files
def merge_rules(all_rules):
with open("malware_rules.yar", "w") as fd:
fd.write("".join(all_rules))
def create_rule_index(yara_file):
"""Create an index of rule names and their definitions."""
rule_index = {}
with open(yara_file, errors="ignore") as f:
content = f.read()
# Find all rule definitions, including those with tags
# This pattern captures both the rule name and any tags that follow
rule_pattern = re.compile(r"rule\s+(\w+)(?:\s*:\s*([\w\s]+))?\s*{", re.MULTILINE)
for match in rule_pattern.finditer(content):
rule_name = match.group(1)
tags = match.group(2).strip() if match.group(2) else None
start_pos = match.start()
# Find the end of the rule (closing brace)
brace_count = 0
end_pos = start_pos
for i in range(start_pos, len(content)):
if content[i] == "{":
brace_count += 1
elif content[i] == "}":
brace_count -= 1
if brace_count == 0:
end_pos = i + 1
break
rule_definition = content[start_pos:end_pos].strip()
# Store the rule by its base name
rule_index[rule_name] = rule_definition
# If the rule has tags, also store it with the full name including tags
if tags:
full_rule_name = f"{rule_name} : {tags}"
rule_index[full_rule_name] = rule_definition
# Save the index to a JSON file
with open("malware_rules_index.json", "w") as f:
json.dump(rule_index, f, indent=2)
print(f"Created rule index with {len(rule_index)} entries")
def main():
get_rules_from_git()
all_yara_files = list_yara_files()
all_yara_filtered_1 = remove_incompatible_imports(all_yara_files)
all_yara_filtered_2 = fix_duplicated_rules(all_yara_filtered_1)
merge_rules(all_yara_filtered_2)
create_rule_index("malware_rules.yar")
if __name__ == "__main__":
main()
```
--------------------------------------------------------------------------------
/attachments/architecture-diagram.svg:
--------------------------------------------------------------------------------
```
<svg viewBox="0 0 800 500" xmlns="http://www.w3.org/2000/svg">
<!-- Background -->
<rect width="800" height="500" fill="#f8f9fa" rx="10" ry="10" />
<!-- MCP Clients -->
<rect x="50" y="80" width="150" height="100" rx="5" ry="5" fill="#d1e7dd" stroke="#0f5132" stroke-width="2" />
<text x="125" y="110" font-family="Arial" font-size="16" text-anchor="middle" font-weight="bold">MCP Clients</text>
<text x="125" y="135" font-family="Arial" font-size="12" text-anchor="middle">Claude Desktop</text>
<text x="125" y="155" font-family="Arial" font-size="12" text-anchor="middle">Cursor</text>
<text x="125" y="175" font-family="Arial" font-size="12" text-anchor="middle">Other MCP Clients</text>
<!-- MCP Bridge Server -->
<rect x="300" y="50" width="200" height="300" rx="5" ry="5" fill="#cfe2ff" stroke="#084298" stroke-width="2" />
<text x="400" y="80" font-family="Arial" font-size="16" text-anchor="middle" font-weight="bold">Volatility3 MCP Server</text>
<text x="400" y="100" font-family="Arial" font-size="12" text-anchor="middle" font-style="italic">(Python Middleware)</text>
<!-- MCP Tools -->
<rect x="325" y="120" width="150" height="150" rx="5" ry="5" fill="#e2e3e5" stroke="#41464b" stroke-width="1" />
<text x="400" y="140" font-family="Arial" font-size="14" text-anchor="middle" font-weight="bold">MCP Tools</text>
<text x="400" y="165" font-family="Arial" font-size="11" text-anchor="middle">initialize_memory_file</text>
<text x="400" y="185" font-family="Arial" font-size="11" text-anchor="middle">get_processes</text>
<text x="400" y="205" font-family="Arial" font-size="11" text-anchor="middle">get_network_connections</text>
<text x="400" y="225" font-family="Arial" font-size="11" text-anchor="middle">scan_with_yara</text>
<text x="400" y="245" font-family="Arial" font-size="11" text-anchor="middle">run_plugin</text>
<text x="400" y="265" font-family="Arial" font-size="11" text-anchor="middle">...</text>
<!-- Volatility3 Framework -->
<rect x="600" y="150" width="150" height="100" rx="5" ry="5" fill="#f8d7da" stroke="#842029" stroke-width="2" />
<text x="675" y="180" font-family="Arial" font-size="16" text-anchor="middle" font-weight="bold">Volatility3</text>
<text x="675" y="200" font-family="Arial" font-size="12" text-anchor="middle">Memory Forensics</text>
<text x="675" y="220" font-family="Arial" font-size="12" text-anchor="middle">Framework</text>
<!-- Memory Dump -->
<rect x="600" y="300" width="150" height="80" rx="5" ry="5" fill="#fff3cd" stroke="#664d03" stroke-width="2" />
<text x="675" y="340" font-family="Arial" font-size="16" text-anchor="middle" font-weight="bold">Memory Dump</text>
<text x="675" y="360" font-family="Arial" font-size="12" text-anchor="middle">(.raw, .dmp files)</text>
<!-- Input/Output Validator -->
<rect x="350" y="300" width="100" height="40" rx="5" ry="5" fill="#e2e3e5" stroke="#41464b" stroke-width="1" />
<text x="400" y="325" font-family="Arial" font-size="12" text-anchor="middle">Input Validator</text>
<!-- Connections -->
<!-- MCP Clients to MCP Server -->
<line x1="200" y1="130" x2="300" y2="130" stroke="#084298" stroke-width="2" />
<polygon points="295,125 300,130 295,135" fill="#084298" />
<text x="250" y="120" font-family="Arial" font-size="10" text-anchor="middle">MCP Requests</text>
<line x1="300" y1="150" x2="200" y2="150" stroke="#084298" stroke-width="2" />
<polygon points="205,145 200,150 205,155" fill="#084298" />
<text x="250" y="165" font-family="Arial" font-size="10" text-anchor="middle">JSON Responses</text>
<!-- MCP Server to Volatility3 -->
<line x1="500" y1="180" x2="600" y2="180" stroke="#842029" stroke-width="2" />
<polygon points="595,175 600,180 595,185" fill="#842029" />
<text x="550" y="170" font-family="Arial" font-size="10" text-anchor="middle">Plugin Commands</text>
<line x1="600" y1="200" x2="500" y2="200" stroke="#842029" stroke-width="2" />
<polygon points="505,195 500,200 505,205" fill="#842029" />
<text x="550" y="215" font-family="Arial" font-size="10" text-anchor="middle">Analysis Results</text>
<!-- Volatility3 to Memory Dump -->
<line x1="675" y1="250" x2="675" y2="300" stroke="#664d03" stroke-width="2" />
<polygon points="670,295 675,300 680,295" fill="#664d03" />
<text x="700" y="275" font-family="Arial" font-size="10" text-anchor="middle">Analyze</text>
<!-- MCP Server to Input Validator -->
<line x1="400" y1="270" x2="400" y2="300" stroke="#41464b" stroke-width="1.5" />
<polygon points="395,295 400,300 405,295" fill="#41464b" />
<!-- Data Flow Arrows -->
<path d="M 125,200 C 125,240 250,380 400,380 C 550,380 675,380 675,380" stroke="#084298" stroke-width="1.5" stroke-dasharray="5,5" fill="none" />
<polygon points="670,375 675,380 670,385" fill="#084298" />
<text x="400" y="400" font-family="Arial" font-size="14" text-anchor="middle" font-weight="bold">Data Flow</text>
<!-- Title -->
<text x="400" y="30" font-family="Arial" font-size="20" text-anchor="middle" font-weight="bold">Volatility3 MCP Bridge Architecture</text>
</svg>
```
--------------------------------------------------------------------------------
/vol_wrapper.py:
--------------------------------------------------------------------------------
```python
import json
import os
import shutil
import subprocess
import sys
from pathlib import Path
from typing import Any
from volatility3 import framework, plugins
from volatility3.framework import contexts
class VolatilityWrapper:
def __init__(self, memory_file: str):
"""Initialize the Volatility3 wrapper with a memory dump file."""
self.memory_file = Path(memory_file)
if not self.memory_file.exists():
raise FileNotFoundError(f"Memory file not found: {memory_file}")
# Initialize the volatility context
self.context = contexts.Context()
# Import all plugins to ensure they're registered
framework.import_files(plugins, True)
self.available_plugins_with_descriptions = (
self._list_plugins_with_descriptions()
)
self.available_plugins = list(framework.list_plugins().keys())
self.os_type = None
def _sanitize_description(self, description):
"""Sanitize the description by removing newlines and escaping quotes."""
if not description:
return "No description available"
sanitized = description.replace("\n", " ")
sanitized = " ".join(sanitized.split())
return sanitized
def _list_plugins_with_descriptions(self):
"""Get a dictionary of available plugins and their descriptions."""
plugins_with_descriptions = {}
plugin_list = framework.list_plugins()
for plugin_name in sorted(plugin_list.keys()):
plugin_class = plugin_list[plugin_name]
description = "No description available"
if plugin_class.__doc__:
description = plugin_class.__doc__
plugins_with_descriptions[plugin_name] = self._sanitize_description(
description
)
return plugins_with_descriptions
def get_plugin_info(self, plugin_name: str) -> dict[str, Any]:
"""Get detailed information about a specific plugin."""
if plugin_name not in self.available_plugins:
return {"error": f"Plugin {plugin_name} not found"}
return self.available_plugins_with_descriptions[plugin_name]
def detect_os(self) -> str:
"""Detect OS type from which the memory dump was taken"""
os_checks = {"windows": "windows.info.Info", "linux": "banners.Banners"}
for os_type, plugin in os_checks.items():
try:
result = self.run_plugin(plugin_name=plugin)
if os_type in json.dumps(result).lower():
self.os_type = os_type
return os_type
except Exception as e:
print(f"Error checking for {os_type}: {str(e)}")
continue
self.os_type = "unknown"
return "unknown"
def run_plugin(
self, plugin_name: str, args: dict[str, Any] | None = None
) -> list[dict[str, Any]]:
"""Run a Volatility3 plugin and return the results as structured data.
Args:
plugin_name: Name of the plugin to run (e.g., 'windows.pslist.PsList')
Returns:
List of dictionaries containing the plugin results
"""
if args is None:
args = {}
if plugin_name not in self.available_plugins:
return [{"error": f"Plugin {plugin_name} not found"}]
try:
# Find path to vol dynamically
os.environ["PATH"] = (
sys.executable.split("/python3")[0] + ":" + os.environ["PATH"]
)
vol_path = shutil.which("vol")
if not vol_path:
return [{"error": "Could not find 'vol' executable in PATH"}]
cmd = [vol_path, "-r", "json", "-f", str(self.memory_file), plugin_name]
# Add any additional arguments
for arg_name, arg_value in args.items():
if arg_value is True:
cmd.append(f"--{arg_name}")
elif arg_value is not False and arg_value is not None:
cmd.append(f"--{arg_name}")
cmd.append(str(arg_value))
result = subprocess.run(cmd, capture_output=True, text=True, check=False)
# Check for errors
if result.returncode != 0:
return [{"error": f"Plugin execution failed: {result.stderr}"}]
try:
return json.loads(result.stdout)
except json.JSONDecodeError:
# If JSON parsing fails, return the raw output
return [
{
"error": "Failed to parse JSON output",
"raw_output": result.stdout,
}
]
except Exception as e:
return [{"error": f"Error running plugin {plugin_name}: {str(e)}"}]
def get_processes(self) -> list[dict[str, Any]]:
"""Get a list of processes from the memory dump."""
if not hasattr(self, "os_type") or self.os_type is None:
self.detect_os()
if self.os_type == "windows":
return self.run_plugin("windows.pslist.PsList")
elif self.os_type == "linux":
return self.run_plugin("linux.pslist.PsList")
else:
return [
{"error": f"Process listing not supported for OS type: {self.os_type}"}
]
def get_network_connections(self) -> list[dict[str, Any]]:
"""Get network connections from the memory dump."""
if not hasattr(self, "os_type") or self.os_type is None:
self.detect_os()
if self.os_type == "windows":
return self.run_plugin("windows.netscan.NetScan")
elif self.os_type == "linux":
return self.run_plugin("linux.sockstat.Sockstat")
else:
return [
{
"error": f"Network connection listing not supported for OS type: {self.os_type}"
}
]
def list_process_open_handles(self, pid: int) -> dict[str, Any]:
"Lists open handles for a process"
if not hasattr(self, "os_type") or self.os_type is None:
self.detect_os()
args = {"pid": pid}
if self.os_type == "windows":
return self.run_plugin("windows.handles.Handles", args)
elif self.os_type == "linux":
return self.run_plugin("linux.lsof.Lsof", args)
else:
return [
{
"error": f"Listing process open handles not supported for OS type: {self.os_type}"
}
]
def scan_with_yara(self) -> list[dict[str, Any]]:
"""Scan memory with YARA rules.
Returns:
List of matches with process, rule information, and full rule definition
"""
current_dir = os.path.dirname(os.path.abspath(__file__))
yara_file = os.path.join(current_dir, "malware_rules.yar")
if not os.path.exists(yara_file):
return [{"error": f"YARA rules file not found: {yara_file}"}]
if not hasattr(self, "os_type") or self.os_type is None:
self.detect_os()
# Use yarascan.YaraScan for both Windows and Linux
plugin_name = "yarascan.YaraScan"
args = {"yara-file": yara_file}
results = self.run_plugin(plugin_name, args)
# Return top 10 scan results only because this might overwhelm the MCP Client
results = results[:10]
# If we have results, enhance them with the full rule definitions
if results and not (
isinstance(results, list) and len(results) > 0 and "error" in results[0]
):
# Look for the index file
index_file = os.path.join(
os.path.dirname(yara_file), "malware_rules_index.json"
)
if os.path.exists(index_file):
try:
with open(index_file) as f:
rule_index = json.load(f)
# Add rule definitions to the results
for match in results:
if "Rule" in match and match["Rule"] in rule_index:
match["rule_definition"] = rule_index[match["Rule"]]
except Exception as e:
print(f"Error loading rule index: {str(e)}")
return results
def main():
memory_file = (
"/Users/dkiran/Documents/MCP/volatility3-mcp/memory_dump/linux-sample.mem"
)
vol_wrapper = VolatilityWrapper(memory_file)
print(vol_wrapper.detect_os())
print(vol_wrapper.os_type)
print(vol_wrapper.scan_with_yara())
if __name__ == "__main__":
main()
```
--------------------------------------------------------------------------------
/bridge_mcp_volatility.py:
--------------------------------------------------------------------------------
```python
from typing import Any
from mcp.server.fastmcp import FastMCP
from vol_wrapper import VolatilityWrapper
mcp = FastMCP("volatility3-mcp")
# Global volatility wrapper instance
vol_wrapper = None
@mcp.tool(
description="""Initialize Volatility3 with a memory dump file. This tool MUST be called first before any other
memory analysis tools. Use this tool when:
- You're starting a new memory forensics investigation
- You want to switch to analyzing a different memory dump
- You need to reset the analysis environment
The tool accepts a file path to the memory dump and validates that the file exists and is accessible.
Successful initialization is required for all other tools to function properly."""
)
def initialize_memory_file(file_path: str) -> str:
"""
Initialize the Volatility3 wrapper with a memory dump file.
Args:
file_path: Path to the memory dump file
Returns:
Success or error message
"""
global vol_wrapper
try:
vol_wrapper = VolatilityWrapper(file_path)
return f"Successfully initialized Volatility3 with memory file: {file_path}"
except Exception as e:
return f"Error initializing Volatility3: {str(e)}"
@mcp.tool(
description="""Detect the operating system type from the memory dump. Use this tool when:
- You need to identify the OS of the memory dump before further analysis
- You want to determine which OS-specific plugins are applicable
- You're starting an investigation and need to establish the basic system information
- You need to verify the OS type to select appropriate analysis techniques
The tool attempts to identify if the memory dump is from Windows or Linux by
running OS-specific plugins and analyzing their output. This information is crucial for
selecting the appropriate analysis plugins and interpreting the results correctly."""
)
def detect_os() -> str:
"""
Detect the operating system type from the memory dump.
Returns:
String indicating the OS type: 'windows', 'linux', or 'unknown'
"""
if vol_wrapper is None:
return "Error: Volatility3 not initialized. Call initialize_memory_file first."
os_type = vol_wrapper.detect_os()
if os_type == "unknown":
return "Could not determine the operating system. The memory dump may be corrupted or from an unsupported OS."
else:
return f"Detected operating system: {os_type.capitalize()}"
@mcp.tool(
description="""List all available Volatility3 plugins that can be used for memory analysis. Use this tool when:
- You want to explore what analysis capabilities are available
- You need to find a specific plugin for a particular analysis task
- You're unsure which plugin to use for a specific investigation goal
The tool returns a comprehensive list of plugin names that can be used with the run_plugin tool.
This is useful for discovering available analysis options before diving into specific analyses."""
)
def list_plugins() -> list[str]:
"""
List all available Volatility3 plugins.
Returns:
List of plugin names
"""
if vol_wrapper is None:
return [
"Error: Volatility3 not initialized. Call initialize_memory_file first."
]
return vol_wrapper.available_plugins
@mcp.tool(
description="""Get detailed information about a specific Volatility3 plugin. Use this tool when:
- You need to understand what a plugin does before using it
- You want to learn about the requirements and parameters for a plugin
- You're deciding which plugin is most appropriate for your analysis needs
The tool provides the plugin's description and required parameters, helping you understand
its purpose and how to use it effectively in your investigation."""
)
def get_plugin_info(plugin_name: str) -> str:
"""
Get detailed information about a specific plugin.
Args:
plugin_name: Name of the plugin
Returns:
Plugin information including description and requirements
"""
if vol_wrapper is None:
return {
"error": "Volatility3 not initialized. Call initialize_memory_file first."
}
return vol_wrapper.get_plugin_info(plugin_name)
@mcp.tool(
description="""Run any Volatility3 plugin with custom arguments. This is the most flexible analysis tool that
gives you access to the full range of Volatility3 capabilities. Use this tool when:
- You need to run a specific plugin not covered by the specialized tools
- You want to provide custom arguments to a plugin
- You're performing advanced analysis that requires specific plugin configurations
- You need access to plugins that don't have dedicated wrapper functions
The tool accepts the plugin name and an optional dictionary of arguments specific to that plugin.
Results are returned as structured data that can be further analyzed and interpreted."""
)
def run_plugin(
plugin_name: str, args: dict[str, Any] | None = None
) -> list[dict[str, Any]]:
"""
Run a Volatility3 plugin with optional arguments.
Args:
plugin_name: Name of the plugin to run
args: Optional dictionary of plugin arguments
Returns:
Plugin results as structured data
"""
if vol_wrapper is None:
return [
{"error": "Volatility3 not initialized. Call initialize_memory_file first."}
]
return vol_wrapper.run_plugin(plugin_name, args)
@mcp.tool(
description="""Get a comprehensive list of all processes from the memory dump. This tool should be used when:
- You need to identify running processes at the time of memory capture
- You're looking for suspicious or unexpected processes
- You need process IDs for further analysis of specific processes
- You want to establish a baseline of system activity
The tool returns detailed information about each process including name, PID, PPID, start time,
and memory information. This is often one of the first analyses to perform when investigating
a memory dump to understand what was running on the system."""
)
def get_processes() -> list[dict[str, Any]]:
"""
Get a list of processes from the memory dump.
Returns:
List of processes with details
"""
if vol_wrapper is None:
return [
{"error": "Volatility3 not initialized. Call initialize_memory_file first."}
]
return vol_wrapper.get_processes()
@mcp.tool(
description="""Retrieve all network connections from the memory dump. Use this tool when:
- You're investigating potential command and control (C2) communications
- You need to identify data exfiltration or unauthorized connections
- You want to map process-to-network activity
- You're looking for suspicious IPs, ports, or connection states
The tool returns comprehensive information about each connection including local/remote addresses,
ports, connection state, and the associated process. This is crucial for identifying malicious
network activity and understanding how processes were communicating externally."""
)
def get_network_connections() -> list[dict[str, Any]]:
"""
Get network connections from the memory dump.
Returns:
List of network connections with details
"""
if vol_wrapper is None:
return [
{"error": "Volatility3 not initialized. Call initialize_memory_file first."}
]
return vol_wrapper.get_network_connections()
@mcp.tool(
description="""List open handles for a specific process. Use this tool when:
- You need to investigate which files, registry keys, or other resources a process has open
- You're analyzing potential data exfiltration by examining file handles
- You want to understand inter-process communication by examining shared handles
- You're investigating malware behavior by examining its interaction with system resources
- You need to determine if a process has access to sensitive system objects
This tool works differently depending on the operating system:
- On Windows: Lists file handles, registry keys, mutexes, events, and other Windows-specific objects
- On Linux: Lists open files, sockets, pipes, and other file descriptors
The output provides detailed information about each handle, including its type, permissions, and the
object it references. This can be crucial for understanding process behavior and identifying suspicious activity."""
)
def list_process_open_handles(pid: int) -> dict[str, Any]:
"""
List all open handles for a specific process.
Args:
pid: Process ID to list handles for
Returns:
Dictionary containing handle information for the specified process
"""
if vol_wrapper is None:
return {
"error": "Volatility3 not initialized. Call initialize_memory_file first."
}
try:
pid_int = int(pid)
except ValueError:
return {"error": "Invalid PID format. PID must be an integer."}
return vol_wrapper.list_process_open_handles(pid_int)
@mcp.tool(
description="""Scan memory with YARA rules to detect malware signatures. This tool should be used when:
- You need to identify known malware patterns in memory
- You want to check for specific threat indicators
- You're investigating potential compromise using signature-based detection
- You have custom YARA rules for specific threats you're hunting
Results include detailed match information with process context and rule metadata.
This scanning usually takes a lot of time because we are scanning with extensive Yara rules list"""
)
def scan_with_yara() -> list[dict[str, Any]]:
"""
Scan memory with YARA rules to detect malware signatures.
Returns:
List of matches with process and rule information
"""
if vol_wrapper is None:
return [
{"error": "Volatility3 not initialized. Call initialize_memory_file first."}
]
results = vol_wrapper.scan_with_yara()
if not results:
return {"message": "No malware detected", "matches": []}
return results
if __name__ == "__main__":
mcp.run()
```
--------------------------------------------------------------------------------
/available-plugins.json:
--------------------------------------------------------------------------------
```json
{
"banners.Banners": "Attempts to identify potential linux banners in an image",
"configwriter.ConfigWriter": "Runs the automagics and both prints and outputs configuration in the output directory.",
"frameworkinfo.FrameworkInfo": "Plugin to list the various modular components of Volatility",
"isfinfo.IsfInfo": "Determines information about the currently available ISF files, or a specific one",
"layerwriter.LayerWriter": "Runs the automagics and writes out the primary layer produced by the stacker.",
"linux.bash.Bash": "Recovers bash command history from memory.",
"linux.boottime.Boottime": "Shows the time the system was started",
"linux.capabilities.Capabilities": "Lists process capabilities",
"linux.check_afinfo.Check_afinfo": "Verifies the operation function pointers of network protocols.",
"linux.check_creds.Check_creds": "Checks if any processes are sharing credential structures",
"linux.check_idt.Check_idt": "Checks if the IDT has been altered",
"linux.check_modules.Check_modules": "Compares module list to sysfs info, if available",
"linux.check_syscall.Check_syscall": "Check system call table for hooks.",
"linux.ebpf.EBPF": "Enumerate eBPF programs",
"linux.elfs.Elfs": "Lists all memory mapped ELF files for all processes.",
"linux.envars.Envars": "Lists processes with their environment variables",
"linux.hidden_modules.Hidden_modules": "Carves memory to find hidden kernel modules",
"linux.iomem.IOMem": "Generates an output similar to /proc/iomem on a running system.",
"linux.keyboard_notifiers.Keyboard_notifiers": "Parses the keyboard notifier call chain",
"linux.kmsg.Kmsg": "Kernel log buffer reader",
"linux.kthreads.Kthreads": "Enumerates kthread functions",
"linux.library_list.LibraryList": "Enumerate libraries loaded into processes",
"linux.lsmod.Lsmod": "Lists loaded kernel modules.",
"linux.lsof.Lsof": "Lists open files for each processes.",
"linux.malfind.Malfind": "Lists process memory ranges that potentially contain injected code.",
"linux.mountinfo.MountInfo": "Lists mount points on processes mount namespaces",
"linux.netfilter.Netfilter": "Lists Netfilter hooks.",
"linux.pagecache.Files": "Lists files from memory",
"linux.pagecache.InodePages": "Lists and recovers cached inode pages",
"linux.pidhashtable.PIDHashTable": "Enumerates processes through the PID hash table",
"linux.proc.Maps": "Lists all memory maps for all processes.",
"linux.psaux.PsAux": "Lists processes with their command line arguments",
"linux.pslist.PsList": "Lists the processes present in a particular linux memory image.",
"linux.psscan.PsScan": "Scans for processes present in a particular linux image.",
"linux.pstree.PsTree": "Plugin for listing processes in a tree based on their parent process ID.",
"linux.ptrace.Ptrace": "Enumerates ptrace's tracer and tracee tasks",
"linux.sockstat.Sockstat": "Lists all network connections for all processes.",
"linux.tty_check.tty_check": "Checks tty devices for hooks",
"linux.vmayarascan.VmaYaraScan": "Scans all virtual memory areas for tasks using yara.",
"mac.bash.Bash": "Recovers bash command history from memory.",
"mac.check_syscall.Check_syscall": "Check system call table for hooks.",
"mac.check_sysctl.Check_sysctl": "Check sysctl handlers for hooks.",
"mac.check_trap_table.Check_trap_table": "Check mach trap table for hooks.",
"mac.dmesg.Dmesg": "Prints the kernel log buffer.",
"mac.ifconfig.Ifconfig": "Lists network interface information for all devices",
"mac.kauth_listeners.Kauth_listeners": "Lists kauth listeners and their status",
"mac.kauth_scopes.Kauth_scopes": "Lists kauth scopes and their status",
"mac.kevents.Kevents": "Lists event handlers registered by processes",
"mac.list_files.List_Files": "Lists all open file descriptors for all processes.",
"mac.lsmod.Lsmod": "Lists loaded kernel modules.",
"mac.lsof.Lsof": "Lists all open file descriptors for all processes.",
"mac.malfind.Malfind": "Lists process memory ranges that potentially contain injected code.",
"mac.mount.Mount": "A module containing a collection of plugins that produce data typically found in Mac's mount command",
"mac.netstat.Netstat": "Lists all network connections for all processes.",
"mac.proc_maps.Maps": "Lists process memory ranges that potentially contain injected code.",
"mac.psaux.Psaux": "Recovers program command line arguments.",
"mac.pslist.PsList": "Lists the processes present in a particular mac memory image.",
"mac.pstree.PsTree": "Plugin for listing processes in a tree based on their parent process ID.",
"mac.socket_filters.Socket_filters": "Enumerates kernel socket filters.",
"mac.timers.Timers": "Check for malicious kernel timers.",
"mac.trustedbsd.Trustedbsd": "Checks for malicious trustedbsd modules",
"mac.vfsevents.VFSevents": "Lists processes that are filtering file system events",
"timeliner.Timeliner": "Runs all relevant plugins that provide time related information and orders the results by time.",
"vmscan.Vmscan": "Scans for Intel VT-d structues and generates VM volatility configs for them",
"windows.amcache.Amcache": "Extract information on executed applications from the AmCache.",
"windows.bigpools.BigPools": "List big page pools.",
"windows.cachedump.Cachedump": "Dumps lsa secrets from memory",
"windows.callbacks.Callbacks": "Lists kernel callbacks and notification routines.",
"windows.cmdline.CmdLine": "Lists process command line arguments.",
"windows.cmdscan.CmdScan": "Looks for Windows Command History lists",
"windows.consoles.Consoles": "Looks for Windows console buffers",
"windows.crashinfo.Crashinfo": "Lists the information from a Windows crash dump.",
"windows.devicetree.DeviceTree": "Listing tree based on drivers and attached devices in a particular windows memory image.",
"windows.dlllist.DllList": "Lists the loaded modules in a particular windows memory image.",
"windows.driverirp.DriverIrp": "List IRPs for drivers in a particular windows memory image.",
"windows.drivermodule.DriverModule": "Determines if any loaded drivers were hidden by a rootkit",
"windows.driverscan.DriverScan": "Scans for drivers present in a particular windows memory image.",
"windows.dumpfiles.DumpFiles": "Dumps cached file contents from Windows memory samples.",
"windows.envars.Envars": "Display process environment variables",
"windows.filescan.FileScan": "Scans for file objects present in a particular windows memory image.",
"windows.getservicesids.GetServiceSIDs": "Lists process token sids.",
"windows.getsids.GetSIDs": "Print the SIDs owning each process",
"windows.handles.Handles": "Lists process open handles.",
"windows.hashdump.Hashdump": "Dumps user hashes from memory",
"windows.hollowprocesses.HollowProcesses": "Lists hollowed processes",
"windows.iat.IAT": "Extract Import Address Table to list API (functions) used by a program contained in external libraries",
"windows.info.Info": "Show OS & kernel details of the memory sample being analyzed.",
"windows.joblinks.JobLinks": "Print process job link information",
"windows.kpcrs.KPCRs": "Print KPCR structure for each processor",
"windows.ldrmodules.LdrModules": "Lists the loaded modules in a particular windows memory image.",
"windows.lsadump.Lsadump": "Dumps lsa secrets from memory",
"windows.malfind.Malfind": "Lists process memory ranges that potentially contain injected code.",
"windows.mbrscan.MBRScan": "Scans for and parses potential Master Boot Records (MBRs)",
"windows.memmap.Memmap": "Prints the memory map",
"windows.mftscan.ADS": "Scans for Alternate Data Stream",
"windows.mftscan.MFTScan": "Scans for MFT FILE objects present in a particular windows memory image.",
"windows.modscan.ModScan": "Scans for modules present in a particular windows memory image.",
"windows.modules.Modules": "Lists the loaded kernel modules.",
"windows.mutantscan.MutantScan": "Scans for mutexes present in a particular windows memory image.",
"windows.netscan.NetScan": "Scans for network objects present in a particular windows memory image.",
"windows.netstat.NetStat": "Traverses network tracking structures present in a particular windows memory image.",
"windows.orphan_kernel_threads.Threads": "Lists process threads",
"windows.pe_symbols.PESymbols": "Prints symbols in PE files in process and kernel memory",
"windows.pedump.PEDump": "Allows extracting PE Files from a specific address in a specific address space",
"windows.poolscanner.PoolScanner": "A generic pool scanner plugin.",
"windows.privileges.Privs": "Lists process token privileges",
"windows.processghosting.ProcessGhosting": "Lists processes whose DeletePending bit is set or whose FILE_OBJECT is set to 0",
"windows.pslist.PsList": "Lists the processes present in a particular windows memory image.",
"windows.psscan.PsScan": "Scans for processes present in a particular windows memory image.",
"windows.pstree.PsTree": "Plugin for listing processes in a tree based on their parent process ID.",
"windows.psxview.PsXView": "Lists all processes found via four of the methods described in \"The Art of Memory Forensics\" which may help identify processes that are trying to hide themselves. I recommend using -r pretty if you are looking at this plugin's output in a terminal.",
"windows.registry.certificates.Certificates": "Lists the certificates in the registry's Certificate Store.",
"windows.registry.getcellroutine.GetCellRoutine": "Reports registry hives with a hooked GetCellRoutine handler",
"windows.registry.hivelist.HiveList": "Lists the registry hives present in a particular memory image.",
"windows.registry.hivescan.HiveScan": "Scans for registry hives present in a particular windows memory image.",
"windows.registry.printkey.PrintKey": "Lists the registry keys under a hive or specific key value.",
"windows.registry.userassist.UserAssist": "Print userassist registry keys and information.",
"windows.scheduled_tasks.ScheduledTasks": "Decodes scheduled task information from the Windows registry, including information about triggers, actions, run times, and creation times.",
"windows.sessions.Sessions": "lists Processes with Session information extracted from Environmental Variables",
"windows.shimcachemem.ShimcacheMem": "Reads Shimcache entries from the ahcache.sys AVL tree",
"windows.skeleton_key_check.Skeleton_Key_Check": "Looks for signs of Skeleton Key malware",
"windows.ssdt.SSDT": "Lists the system call table.",
"windows.statistics.Statistics": "Lists statistics about the memory space.",
"windows.strings.Strings": "Reads output from the strings command and indicates which process(es) each string belongs to.",
"windows.suspicious_threads.SuspiciousThreads": "Lists suspicious userland process threads",
"windows.svcdiff.SvcDiff": "Compares services found through list walking versus scanning to find rootkits",
"windows.svclist.SvcList": "Lists services contained with the services.exe doubly linked list of services",
"windows.svcscan.SvcScan": "Scans for windows services.",
"windows.symlinkscan.SymlinkScan": "Scans for links present in a particular windows memory image.",
"windows.thrdscan.ThrdScan": "Scans for windows threads.",
"windows.threads.Threads": "Lists process threads",
"windows.timers.Timers": "Print kernel timers and associated module DPCs",
"windows.truecrypt.Passphrase": "TrueCrypt Cached Passphrase Finder",
"windows.unhooked_system_calls.unhooked_system_calls": "Looks for signs of Skeleton Key malware",
"windows.unloadedmodules.UnloadedModules": "Lists the unloaded kernel modules.",
"windows.vadinfo.VadInfo": "Lists process memory ranges.",
"windows.vadwalk.VadWalk": "Walk the VAD tree.",
"windows.vadyarascan.VadYaraScan": "Scans all the Virtual Address Descriptor memory maps using yara.",
"windows.verinfo.VerInfo": "Lists version information from PE files.",
"windows.virtmap.VirtMap": "Lists virtual mapped sections.",
"yarascan.YaraScan": "Scans kernel memory using yara rules (string or file).",
}
```