# Directory Structure
```
├── .gitignore
├── .pre-commit-config.yaml
├── attachments
│ ├── architecture-diagram.svg
│ ├── Claude-Config.png
│ ├── Cursor-Config.png
│ ├── project-presentation.pdf
│ ├── Vol-MCP.drawio
│ └── Vol-MCP.drawio.png
├── available-plugins.json
├── bandit-config.yml
├── bridge_mcp_volatility.py
├── get_malware_yara_rules.py
├── malware_rules_index.json
├── malware_rules.yar
├── README.md
├── requirements.txt
├── rules
│ ├── .github
│ │ ├── FUNDING.yml
│ │ ├── ISSUE_TEMPLATE
│ │ │ ├── bug_report.md
│ │ │ └── new-rule-request.md
│ │ └── workflows
│ │ └── main.yml
│ ├── .gitmodules
│ ├── .travis.yml
│ ├── antidebug_antivm
│ │ └── antidebug_antivm.yar
│ ├── antidebug_antivm_index.yar
│ ├── capabilities
│ │ └── capabilities.yar
│ ├── capabilities_index.yar
│ ├── crypto
│ │ └── crypto_signatures.yar
│ ├── crypto_index.yar
│ ├── cve_rules
│ │ ├── CVE-2010-0805.yar
│ │ ├── CVE-2010-0887.yar
│ │ ├── CVE-2010-1297.yar
│ │ ├── CVE-2012-0158.yar
│ │ ├── CVE-2013-0074.yar
│ │ ├── CVE-2013-0422.yar
│ │ ├── CVE-2015-1701.yar
│ │ ├── CVE-2015-2426.yar
│ │ ├── CVE-2015-2545.yar
│ │ ├── CVE-2015-5119.yar
│ │ ├── CVE-2016-5195.yar
│ │ ├── CVE-2017-11882.yar
│ │ ├── CVE-2018-20250.yar
│ │ └── CVE-2018-4878.yar
│ ├── cve_rules_index.yar
│ ├── deprecated
│ │ ├── Android
│ │ │ ├── Android_adware.yar
│ │ │ ├── Android_AliPay_smsStealer.yar
│ │ │ ├── Android_Amtrckr_20160519.yar
│ │ │ ├── Android_ASSDdeveloper.yar
│ │ │ ├── Android_AVITOMMS.yar
│ │ │ ├── Android_Backdoor_script.yar
│ │ │ ├── Android_Backdoor.yar
│ │ │ ├── Android_BadMirror.yar
│ │ │ ├── Android_Banker_Acecard.yar
│ │ │ ├── Android_BatteryBot_ClickFraud.yar
│ │ │ ├── Android_Clicker_G.yar
│ │ │ ├── Android_Copy9.yar
│ │ │ ├── Android_DeathRing.yar
│ │ │ ├── Android_Dectus_rswm.yar
│ │ │ ├── Android_Dendroid_RAT.yar
│ │ │ ├── Android_Dogspectus.yar
│ │ │ ├── Android_fake_mario_app
│ │ │ ├── Android_FakeApps.yar
│ │ │ ├── Android_FakeBank_Fanta.yar
│ │ │ ├── Android_Finspy.yar
│ │ │ ├── Android_generic_adware.yar
│ │ │ ├── Android_generic_smsfraud.yar
│ │ │ ├── Android_Godless.yar
│ │ │ ├── Android_HackintTeam_Implant.yar
│ │ │ ├── Android_Libyan_Scorpions.yar
│ │ │ ├── Android_malware_Advertising.yar
│ │ │ ├── Android_malware_banker.yar
│ │ │ ├── Android_malware_ChinesePorn.yar
│ │ │ ├── Android_malware_Dropper.yar
│ │ │ ├── Android_malware_Fake_MosKow.yar
│ │ │ ├── Android_malware_HackingTeam.yar
│ │ │ ├── Android_Malware_Ramsonware.yar
│ │ │ ├── Android_malware_SMSsender.yar
│ │ │ ├── Android_Malware_Tinhvan.yar
│ │ │ ├── Android_Malware_Towelroot.yar
│ │ │ ├── Android_malware_xbot007.yar
│ │ │ ├── Android_MalwareCertificates.yar
│ │ │ ├── Android_mapin.yar
│ │ │ ├── Android_Marcher_2.yar
│ │ │ ├── Android_MazarBot_z.yar
│ │ │ ├── Android_Metasploit_Payload.yar
│ │ │ ├── Android_Metasploit.yar
│ │ │ ├── Android_OmniRat.yar
│ │ │ ├── Android_Overlayer.yar
│ │ │ ├── Android_Pink_Locker.yar
│ │ │ ├── Android_Polish_Bankbot.yar
│ │ │ ├── Android_pornClicker.yar
│ │ │ ├── Android_RuMMS.yar
│ │ │ ├── Android_SandroRat.yar
│ │ │ ├── Android_sk_bankTr.yar
│ │ │ ├── Android_SlemBunk.yar
│ │ │ ├── Android_SMSFraud.yar
│ │ │ ├── Android_SpyAgent.yar
│ │ │ ├── Android_Spynet.yar
│ │ │ ├── Android_SpyNote.yar
│ │ │ ├── Android_Spywaller.yar
│ │ │ ├── Android_Switcher.yar
│ │ │ ├── Android_Tachi.yar
│ │ │ ├── Android_Tempting_Cedar_Spyware.yar
│ │ │ ├── Android_Tordow.yar
│ │ │ ├── Android_Triada_Banking.yar
│ │ │ ├── Android_Trojan_Dendroid.yar
│ │ │ ├── Android_Trojan_Droidjack.yar
│ │ │ ├── Android_VikingOrder.yar
│ │ │ └── Android_VirusPolicia.yar
│ │ ├── bank_rule.yar
│ │ └── Malware
│ │ └── MALW_Retefe.yar
│ ├── email
│ │ ├── attachment.yar
│ │ ├── EMAIL_Cryptowall.yar
│ │ ├── Email_fake_it_maintenance_bulletin.yar
│ │ ├── Email_generic_phishing.yar
│ │ ├── Email_PHP_Mailer.yar
│ │ ├── Email_quota_limit_warning.yar
│ │ ├── email_Ukraine_BE_powerattack.yar
│ │ ├── eml
│ │ │ ├── davivienda.eml
│ │ │ ├── transferencia1.eml
│ │ │ └── transferencia2.eml
│ │ ├── extortion_email.yar
│ │ ├── image.yar
│ │ ├── scam.yar
│ │ └── urls.yar
│ ├── email_index.yar
│ ├── exploit_kits
│ │ ├── EK_Angler.yar
│ │ ├── EK_Blackhole.yar
│ │ ├── EK_BleedingLife.yar
│ │ ├── EK_Crimepack.yar
│ │ ├── EK_Eleonore.yar
│ │ ├── EK_Fragus.yar
│ │ ├── EK_Phoenix.yar
│ │ ├── EK_Sakura.yar
│ │ ├── EK_ZeroAcces.yar
│ │ ├── EK_Zerox88.yar
│ │ └── EK_Zeus.yar
│ ├── exploit_kits_index.yar
│ ├── index_gen.sh
│ ├── index_w_mobile.yar
│ ├── index.yar
│ ├── LICENSE
│ ├── maldocs
│ │ ├── Maldoc_APT_OLE_JSRat.yar
│ │ ├── Maldoc_APT10_MenuPass.yar
│ │ ├── Maldoc_APT19_CVE-2017-0199.yar
│ │ ├── Maldoc_Contains_VBE_File.yar
│ │ ├── Maldoc_CVE_2017_11882.yar
│ │ ├── Maldoc_CVE_2017_8759.yar
│ │ ├── Maldoc_CVE-2017-0199.yar
│ │ ├── Maldoc_DDE.yar
│ │ ├── Maldoc_Dridex.yar
│ │ ├── Maldoc_hancitor_dropper.yar
│ │ ├── Maldoc_Hidden_PE_file.yar
│ │ ├── Maldoc_malrtf_ole2link.yar
│ │ ├── Maldoc_MIME_ActiveMime_b64.yar
│ │ ├── Maldoc_PDF.yar
│ │ ├── Maldoc_PowerPointMouse.yar
│ │ ├── maldoc_somerules.yar
│ │ ├── Maldoc_Suspicious_OLE_target.yar
│ │ ├── Maldoc_UserForm.yar
│ │ ├── Maldoc_VBA_macro_code.yar
│ │ └── Maldoc_Word_2007_XML_Flat_OPC.yar
│ ├── maldocs_index.yar
│ ├── malware
│ │ ├── 000_common_rules.yar
│ │ ├── APT_APT1.yar
│ │ ├── APT_APT10.yar
│ │ ├── APT_APT15.yar
│ │ ├── APT_APT17.yar
│ │ ├── APT_APT29_Grizzly_Steppe.yar
│ │ ├── APT_APT3102.yar
│ │ ├── APT_APT9002.yar
│ │ ├── APT_Backspace.yar
│ │ ├── APT_Bestia.yar
│ │ ├── APT_Blackenergy.yar
│ │ ├── APT_Bluetermite_Emdivi.yar
│ │ ├── APT_C16.yar
│ │ ├── APT_Carbanak.yar
│ │ ├── APT_Careto.yar
│ │ ├── APT_Casper.yar
│ │ ├── APT_CheshireCat.yar
│ │ ├── APT_Cloudduke.yar
│ │ ├── APT_Cobalt.yar
│ │ ├── APT_Codoso.yar
│ │ ├── APT_CrashOverride.yar
│ │ ├── APT_DeepPanda_Anthem.yar
│ │ ├── APT_DeputyDog.yar
│ │ ├── APT_Derusbi.yar
│ │ ├── APT_DPRK_ROKRAT.yar
│ │ ├── APT_Dubnium.yar
│ │ ├── APT_Duqu2.yar
│ │ ├── APT_Emissary.yar
│ │ ├── APT_EnergeticBear_backdoored_ssh.yar
│ │ ├── APT_eqgrp_apr17.yar
│ │ ├── APT_Equation.yar
│ │ ├── APT_EQUATIONGRP.yar
│ │ ├── APT_fancybear_dnc.yar
│ │ ├── APT_fancybear_downdelph.yar
│ │ ├── APT_FiveEyes.yar
│ │ ├── APT_furtim.yar
│ │ ├── APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar
│ │ ├── APT_Grasshopper.yar
│ │ ├── APT_Greenbug.yar
│ │ ├── APT_Grizzlybear_uscert.yar
│ │ ├── APT_HackingTeam.yar
│ │ ├── APT_Hellsing.yar
│ │ ├── APT_HiddenCobra.yar
│ │ ├── APT_Hikit.yar
│ │ ├── APT_Industroyer.yar
│ │ ├── APT_Irontiger.yar
│ │ ├── APT_Kaba.yar
│ │ ├── APT_Ke3Chang_TidePool.yar
│ │ ├── APT_KeyBoy.yar
│ │ ├── APT_LotusBlossom.yar
│ │ ├── APT_Minidionis.yar
│ │ ├── APT_Mirage.yar
│ │ ├── APT_Molerats.yar
│ │ ├── APT_Mongall.yar
│ │ ├── APT_MoonlightMaze.yar
│ │ ├── APT_NGO.yar
│ │ ├── APT_Oilrig.yar
│ │ ├── APT_OpClandestineWolf.yar
│ │ ├── APT_OPCleaver.yar
│ │ ├── APT_OpDustStorm.yar
│ │ ├── APT_OpPotao.yar
│ │ ├── APT_Passcv.yar
│ │ ├── APT_PCclient.yar
│ │ ├── APT_Pipcreat.yar
│ │ ├── APT_Platinum.yar
│ │ ├── APT_Poseidon_Group.yar
│ │ ├── APT_Prikormka.yar
│ │ ├── APT_PutterPanda.yar
│ │ ├── APT_RedLeaves.yar
│ │ ├── APT_Regin.yar
│ │ ├── APT_RemSec.yar
│ │ ├── APT_Sauron_extras.yar
│ │ ├── APT_Sauron.yar
│ │ ├── APT_Scarab_Scieron.yar
│ │ ├── APT_Seaduke.yar
│ │ ├── APT_Shamoon_StoneDrill.yar
│ │ ├── APT_Snowglobe_Babar.yar
│ │ ├── APT_Sofacy_Bundestag.yar
│ │ ├── APT_Sofacy_Fysbis.yar
│ │ ├── APT_Sofacy_Jun16.yar
│ │ ├── APT_Sphinx_Moth.yar
│ │ ├── APT_Stuxnet.yar
│ │ ├── APT_Terracota.yar
│ │ ├── APT_ThreatGroup3390.yar
│ │ ├── APT_TradeSecret.yar
│ │ ├── APT_Turla_Neuron.yar
│ │ ├── APT_Turla_RUAG.yar
│ │ ├── APT_Unit78020.yar
│ │ ├── APT_UP007_SLServer.yar
│ │ ├── APT_Uppercut.yar
│ │ ├── APT_Waterbug.yar
│ │ ├── APT_WildNeutron.yar
│ │ ├── APT_Windigo_Onimiki.yar
│ │ ├── APT_Winnti.yar
│ │ ├── APT_WoolenGoldfish.yar
│ │ ├── EXPERIMENTAL_Beef.yar
│ │ ├── GEN_PowerShell.yar
│ │ ├── MalConfScan.yar
│ │ ├── MALW_adwind_RAT.yar
│ │ ├── MALW_AgentTesla_SMTP.yar
│ │ ├── MALW_AgentTesla.yar
│ │ ├── MALW_Alina.yar
│ │ ├── MALW_AlMashreq.yar
│ │ ├── MALW_Andromeda.yar
│ │ ├── MALW_Arkei.yar
│ │ ├── MALW_Athena.yar
│ │ ├── MALW_ATM_HelloWorld.yar
│ │ ├── MALW_Atmos.yar
│ │ ├── MALW_ATMPot.yar
│ │ ├── MALW_AZORULT.yar
│ │ ├── MALW_BackdoorSSH.yar
│ │ ├── MALW_Backoff.yar
│ │ ├── MALW_Bangat.yar
│ │ ├── MALW_Batel.yar
│ │ ├── MALW_BlackRev.yar
│ │ ├── MALW_BlackWorm.yar
│ │ ├── MALW_Boouset.yar
│ │ ├── MALW_Bublik.yar
│ │ ├── MALW_Buzus_Softpulse.yar
│ │ ├── MALW_CAP_HookExKeylogger.yar
│ │ ├── MALW_Chicken.yar
│ │ ├── MALW_Citadel.yar
│ │ ├── MALW_Cloaking.yar
│ │ ├── MALW_Cookies.yar
│ │ ├── MALW_Corkow.yar
│ │ ├── MALW_Cxpid.yar
│ │ ├── MALW_Cythosia.yar
│ │ ├── MALW_DDoSTf.yar
│ │ ├── MALW_Derkziel.yar
│ │ ├── MALW_Dexter.yar
│ │ ├── MALW_DiamondFox.yar
│ │ ├── MALW_DirtJumper.yar
│ │ ├── MALW_Eicar.yar
│ │ ├── MALW_Elex.yar
│ │ ├── MALW_Elknot.yar
│ │ ├── MALW_Emotet.yar
│ │ ├── MALW_Empire.yar
│ │ ├── MALW_Enfal.yar
│ │ ├── MALW_Exploit_UAC_Elevators.yar
│ │ ├── MALW_Ezcob.yar
│ │ ├── MALW_F0xy.yar
│ │ ├── MALW_FakeM.yar
│ │ ├── MALW_FALLCHILL.yar
│ │ ├── MALW_Fareit.yar
│ │ ├── MALW_Favorite.yar
│ │ ├── MALW_FUDCrypt.yar
│ │ ├── MALW_Furtim.yar
│ │ ├── MALW_Gafgyt.yar
│ │ ├── MALW_Genome.yar
│ │ ├── MALW_Glasses.yar
│ │ ├── MALW_Gozi.yar
│ │ ├── MALW_Grozlex.yar
│ │ ├── MALW_Hajime.yar
│ │ ├── MALW_hancitor.yar
│ │ ├── MALW_Hsdfihdf_banking.yar
│ │ ├── MALW_Httpsd_ELF.yar
│ │ ├── MALW_IcedID.yar
│ │ ├── MALW_Iexpl0ree.yar
│ │ ├── MALW_IMuler.yar
│ │ ├── MALW_Install11.yar
│ │ ├── MALW_Intel_Virtualization.yar
│ │ ├── MALW_IotReaper.yar
│ │ ├── MALW_Jolob_Backdoor.yar
│ │ ├── MALW_Kelihos.yar
│ │ ├── MALW_KeyBase.yar
│ │ ├── MALW_KINS.yar
│ │ ├── MALW_kirbi_mimikatz.yar
│ │ ├── MALW_Korlia.yar
│ │ ├── MALW_Korplug.yar
│ │ ├── MALW_Kovter.yar
│ │ ├── MALW_kpot.yar
│ │ ├── MALW_Kraken.yar
│ │ ├── MALW_Kwampirs.yar
│ │ ├── MALW_Lateral_Movement.yar
│ │ ├── MALW_Lenovo_Superfish.yar
│ │ ├── MALW_LinuxBew.yar
│ │ ├── MALW_LinuxHelios.yar
│ │ ├── MALW_LinuxMoose.yar
│ │ ├── MALW_LostDoor.yar
│ │ ├── MALW_LuaBot.yar
│ │ ├── MALW_LuckyCat.yar
│ │ ├── MALW_LURK0.yar
│ │ ├── MALW_MacControl.yar
│ │ ├── MALW_MacGyver.yar
│ │ ├── MALW_Madness.yar
│ │ ├── MALW_Magento_backend.yar
│ │ ├── MALW_Magento_frontend.yar
│ │ ├── MALW_Magento_suspicious.yar
│ │ ├── MALW_Mailers.yar
│ │ ├── MALW_marap.yar
│ │ ├── MALW_MedusaHTTP_2019.yar
│ │ ├── MALW_Miancha.yar
│ │ ├── MALW_MiniAsp3_mem.yar
│ │ ├── MALW_Mirai_Okiru_ELF.yar
│ │ ├── MALW_Mirai_Satori_ELF.yar
│ │ ├── MALW_Mirai.yar
│ │ ├── MALW_Miscelanea_Linux.yar
│ │ ├── MALW_Miscelanea.yar
│ │ ├── MALW_Monero_Miner_installer.yar
│ │ ├── MALW_MSILStealer.yar
│ │ ├── MALW_Naikon.yar
│ │ ├── MALW_Naspyupdate.yar
│ │ ├── MALW_NetTraveler.yar
│ │ ├── MALW_NionSpy.yar
│ │ ├── MALW_Notepad.yar
│ │ ├── MALW_NSFree.yar
│ │ ├── MALW_Odinaff.yar
│ │ ├── MALW_Olyx.yar
│ │ ├── MALW_OSX_Leverage.yar
│ │ ├── MALW_PE_sections.yar
│ │ ├── MALW_PittyTiger.yar
│ │ ├── MALW_PolishBankRat.yar
│ │ ├── MALW_Ponmocup.yar
│ │ ├── MALW_Pony.yar
│ │ ├── MALW_Predator.yar
│ │ ├── MALW_PubSab.yar
│ │ ├── MALW_PurpleWave.yar
│ │ ├── MALW_Pyinstaller_OSX.yar
│ │ ├── MALW_Pyinstaller.yar
│ │ ├── MALW_PyPI.yar
│ │ ├── MALW_Quarian.yar
│ │ ├── MALW_Rebirth_Vulcan_ELF.yar
│ │ ├── MALW_Regsubdat.yar
│ │ ├── MALW_Rockloader.yar
│ │ ├── MALW_Rooter.yar
│ │ ├── MALW_Rovnix.yar
│ │ ├── MALW_Safenet.yar
│ │ ├── MALW_Sakurel.yar
│ │ ├── MALW_Sayad.yar
│ │ ├── MALW_Scarhikn.yar
│ │ ├── MALW_Sendsafe.yar
│ │ ├── MALW_Shamoon.yar
│ │ ├── MALW_shifu_shiz.yar
│ │ ├── MALW_Shifu.yar
│ │ ├── MALW_sitrof_fortis_scar.yar
│ │ ├── MALW_Skeleton.yar
│ │ ├── MALW_Spora.yar
│ │ ├── MALW_Sqlite.yar
│ │ ├── MALW_Stealer.yar
│ │ ├── MALW_Surtr.yar
│ │ ├── MALW_T5000.yar
│ │ ├── MALW_Tedroo.yar
│ │ ├── MALW_Tinba.yar
│ │ ├── MALW_TinyShell_Backdoor_gen.yar
│ │ ├── MALW_Torte_ELF.yar
│ │ ├── MALW_TreasureHunt.yar
│ │ ├── MALW_TrickBot.yar
│ │ ├── MALW_TRITON_HATMAN.yar
│ │ ├── MALW_TRITON_ICS_FRAMEWORK.yar
│ │ ├── MALW_Trumpbot.yar
│ │ ├── MALW_Upatre.yar
│ │ ├── MALW_Urausy.yar
│ │ ├── MALW_Vidgrab.yar
│ │ ├── MALW_viotto_keylogger.yar
│ │ ├── MALW_Virut_FileInfector_UNK_VERSION.yar
│ │ ├── MALW_Volgmer.yar
│ │ ├── MALW_Wabot.yar
│ │ ├── MALW_Warp.yar
│ │ ├── MALW_Wimmie.yar
│ │ ├── MALW_xDedic_marketplace.yar
│ │ ├── MALW_XHide.yar
│ │ ├── MALW_XMRIG_Miner.yar
│ │ ├── MALW_XOR_DDos.yar
│ │ ├── MALW_Yayih.yar
│ │ ├── MALW_Yordanyan_ActiveAgent.yar
│ │ ├── MALW_Zegost.yar
│ │ ├── MALW_Zeus.yar
│ │ ├── Operation_Blockbuster
│ │ │ ├── cert_wiper.yara
│ │ │ ├── DeltaCharlie.yara
│ │ │ ├── general.yara
│ │ │ ├── HotelAlfa.yara
│ │ │ ├── IndiaAlfa.yara
│ │ │ ├── IndiaBravo.yara
│ │ │ ├── IndiaCharlie.yara
│ │ │ ├── IndiaDelta.yara
│ │ │ ├── IndiaEcho.yara
│ │ │ ├── IndiaGolf.yara
│ │ │ ├── IndiaHotel.yara
│ │ │ ├── IndiaJuliett.yara
│ │ │ ├── IndiaWhiskey.yara
│ │ │ ├── KiloAlfa.yara
│ │ │ ├── LimaAlfa.yara
│ │ │ ├── LimaBravo.yara
│ │ │ ├── LimaCharlie.yara
│ │ │ ├── LimaDelta.yara
│ │ │ ├── mastersig
│ │ │ ├── PapaAlfa.yara
│ │ │ ├── RomeoAlfa.yara
│ │ │ ├── RomeoBravo.yara
│ │ │ ├── RomeoCharlie.yara
│ │ │ ├── RomeoDelta.yara
│ │ │ ├── RomeoEcho.yara
│ │ │ ├── RomeoFoxtrot_mod.yara
│ │ │ ├── RomeoGolf_mod.yara
│ │ │ ├── RomeoHotel.yara
│ │ │ ├── RomeoWhiskey.yara
│ │ │ ├── sharedcode.yara
│ │ │ ├── SierraAlfa.yara
│ │ │ ├── SierraBravo.yara
│ │ │ ├── SierraCharlie.yara
│ │ │ ├── SierraJuliettMikeOne.yara
│ │ │ ├── SierraJuliettMikeTwo.yara
│ │ │ ├── suicidescripts.yara
│ │ │ ├── TangoAlfa.yara
│ │ │ ├── TangoBravo.yara
│ │ │ ├── UniformAlfa.yara
│ │ │ ├── UniformJuliett.yara
│ │ │ ├── WhiskeyAlfa.yara
│ │ │ ├── WhiskeyBravo_mod.yara
│ │ │ ├── WhiskeyCharlie.yara
│ │ │ └── WhiskeyDelta.yara
│ │ ├── POS_Bernhard.yar
│ │ ├── POS_BruteforcingBot.yar
│ │ ├── POS_Easterjack.yar
│ │ ├── POS_FastPOS.yar
│ │ ├── POS_LogPOS.yar
│ │ ├── POS_MalumPOS.yar
│ │ ├── POS_Mozart.yar
│ │ ├── POS.yar
│ │ ├── RANSOM_.CRYPTXXX.yar
│ │ ├── RANSOM_777.yar
│ │ ├── RANSOM_acroware.yar
│ │ ├── RANSOM_Alpha.yar
│ │ ├── RANSOM_BadRabbit.yar
│ │ ├── RANSOM_Cerber.yar
│ │ ├── RANSOM_Comodosec.yar
│ │ ├── RANSOM_Crypren.yar
│ │ ├── RANSOM_Cryptolocker.yar
│ │ ├── RANSOM_CryptoNar.yar
│ │ ├── RANSOM_DMALocker.yar
│ │ ├── RANSOM_DoublePulsar_Petya.yar
│ │ ├── RANSOM_Erebus.yar
│ │ ├── RANSOM_GoldenEye.yar
│ │ ├── RANSOM_GPGQwerty.yar
│ │ ├── RANSOM_jeff_dev.yar
│ │ ├── RANSOM_locdoor.yar
│ │ ├── RANSOM_Locky.yar
│ │ ├── RANSOM_Maze.yar
│ │ ├── RANSOM_MS17-010_Wannacrypt.yar
│ │ ├── RANSOM_PetrWrap.yar
│ │ ├── RANSOM_Petya_MS17_010.yar
│ │ ├── RANSOM_Petya.yar
│ │ ├── RANSOM_Pico.yar
│ │ ├── RANSOM_Revix.yar
│ │ ├── RANSOM_SamSam.yar
│ │ ├── RANSOM_Satana.yar
│ │ ├── RANSOM_screenlocker_5h311_1nj3c706.yar
│ │ ├── RANSOM_Shiva.yar
│ │ ├── RANSOM_shrug2.yar
│ │ ├── RANSOM_Sigma.yar
│ │ ├── RANSOM_Snake.yar
│ │ ├── RANSOM_Stampado.yar
│ │ ├── RANSOM_termite.yar
│ │ ├── RANSOM_TeslaCrypt.yar
│ │ ├── RANSOM_Tox.yar
│ │ ├── RAT_Adwind.yar
│ │ ├── RAT_Adzok.yar
│ │ ├── RAT_Asyncrat.yar
│ │ ├── RAT_BlackShades.yar
│ │ ├── RAT_Bolonyokte.yar
│ │ ├── RAT_Bozok.yar
│ │ ├── RAT_Cerberus.yar
│ │ ├── RAT_Crimson.yar
│ │ ├── RAT_CrossRAT.yar
│ │ ├── RAT_CyberGate.yar
│ │ ├── RAT_DarkComet.yar
│ │ ├── RAT_FlyingKitten.yar
│ │ ├── RAT_Gh0st.yar
│ │ ├── RAT_Gholee.yar
│ │ ├── RAT_Glass.yar
│ │ ├── RAT_Havex.yar
│ │ ├── RAT_Hizor.yar
│ │ ├── RAT_Indetectables.yar
│ │ ├── RAT_Inocnation.yar
│ │ ├── RAT_jRAT.yar
│ │ ├── RAT_Meterpreter_Reverse_Tcp.yar
│ │ ├── RAT_Nanocore.yar
│ │ ├── RAT_NetwiredRC.yar
│ │ ├── RAT_Njrat.yar
│ │ ├── RAT_Orcus.yar
│ │ ├── RAT_PlugX.yar
│ │ ├── RAT_PoetRATDoc.yar
│ │ ├── RAT_PoetRATPython.yar
│ │ ├── RAT_PoisonIvy.yar
│ │ ├── RAT_Ratdecoders.yar
│ │ ├── RAT_Sakula.yar
│ │ ├── RAT_ShadowTech.yar
│ │ ├── RAT_Shim.yar
│ │ ├── RAT_Terminator.yar
│ │ ├── RAT_xRAT.yar
│ │ ├── RAT_xRAT20.yar
│ │ ├── RAT_Xtreme.yar
│ │ ├── RAT_ZoxPNG.yar
│ │ ├── TOOLKIT_Chinese_Hacktools.yar
│ │ ├── TOOLKIT_Dubrute.yar
│ │ ├── TOOLKIT_exe2hex_payload.yar
│ │ ├── TOOLKIT_FinFisher_.yar
│ │ ├── TOOLKIT_Gen_powerkatz.yar
│ │ ├── TOOLKIT_Mandibule.yar
│ │ ├── TOOLKIT_PassTheHash.yar
│ │ ├── TOOLKIT_Powerstager.yar
│ │ ├── TOOLKIT_Pwdump.yar
│ │ ├── TOOLKIT_Redteam_Tools_by_GUID.yar
│ │ ├── TOOLKIT_Redteam_Tools_by_Name.yar
│ │ ├── TOOLKIT_Solarwinds_credential_stealer.yar
│ │ ├── TOOLKIT_THOR_HackTools.yar
│ │ └── TOOLKIT_Wineggdrop.yar
│ ├── malware_index.yar
│ ├── mobile_malware
│ │ └── .gitKeep
│ ├── mobile_malware_index.yar
│ ├── packers
│ │ ├── Javascript_exploit_and_obfuscation.yar
│ │ ├── JJencode.yar
│ │ ├── packer_compiler_signatures.yar
│ │ ├── packer.yar
│ │ ├── peid.yar
│ │ └── tweetable-polyglot-png.yar
│ ├── packers_index.yar
│ ├── README.md
│ ├── utils
│ │ ├── base64.yar
│ │ ├── domain.yar
│ │ ├── ip.yar
│ │ ├── magic.yar
│ │ ├── README
│ │ ├── suspicious_strings.yar
│ │ ├── url.yar
│ │ └── virustotal.yar
│ ├── webshells
│ │ ├── WShell_APT_Laudanum.yar
│ │ ├── WShell_ASPXSpy.yar
│ │ ├── WShell_ChinaChopper.yar
│ │ ├── Wshell_ChineseSpam.yar
│ │ ├── WShell_Drupalgeddon2_icos.yar
│ │ ├── Wshell_fire2013.yar
│ │ ├── WShell_PHP_Anuna.yar
│ │ ├── WShell_PHP_in_images.yar
│ │ └── WShell_THOR_Webshells.yar
│ └── webshells_index.yar
├── setup.cfg
├── start_sse_server.py
└── vol_wrapper.py
```
# Files
--------------------------------------------------------------------------------
/rules/mobile_malware/.gitKeep:
--------------------------------------------------------------------------------
```
1 |
```
--------------------------------------------------------------------------------
/rules/.gitmodules:
--------------------------------------------------------------------------------
```
1 | [submodule "utils/yara-forensics"]
2 | path = utils/yara-forensics
3 | url = https://github.com/Xumeiquer/yara-forensics.git
4 |
```
--------------------------------------------------------------------------------
/rules/.travis.yml:
--------------------------------------------------------------------------------
```yaml
1 | language: c
2 | sudo: required
3 |
4 | before_install:
5 | - sudo apt-get -qq update
6 | - sudo apt-get install -y automake libtool make gcc pkg-config flex bison libjansson-dev libmagic-dev libssl-dev jq
7 | # Yara
8 | - wget $(curl -s https://api.github.com/repos/VirusTotal/yara/releases/latest | jq -r ".tarball_url") -O yara-latest.tar.gz
9 | - mkdir yara
10 | - tar -xzvf yara-latest.tar.gz -C yara --strip-components 1
11 | # Compile Yara
12 | - cd yara
13 | # Update per issue 176
14 | - sed -i 's/#define RE_MAX_SPLIT_ID 128/#define RE_MAX_SPLIT_ID 255/g' libyara/include/yara/limits.h
15 | - ./bootstrap.sh
16 | - ./configure --enable-cuckoo --enable-magic --with-crypto
17 | - make
18 | - sudo make install
19 | - sudo ldconfig
20 | - cd ../
21 |
22 | script:
23 | - echo "test" > testfile
24 | - FALLO=0
25 | - for i in $(ls *_index.yar); do echo $i; yara -w $i testfile; if [[ $? -ne 0 ]]; then FALLO=1; fi; done
26 | - exit $FALLO
27 |
```
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
```yaml
1 | default_stages: [pre-commit]
2 |
3 | repos:
4 | - repo: https://github.com/pre-commit/pre-commit-hooks
5 | rev: v4.6.0
6 | hooks:
7 | - id: trailing-whitespace
8 | - id: end-of-file-fixer
9 | - id: check-yaml
10 | - id: check-merge-conflict
11 | - id: debug-statements
12 |
13 | - repo: https://github.com/asottile/pyupgrade
14 | rev: v3.17.0
15 | hooks:
16 | - id: pyupgrade
17 | args: [--py310-plus]
18 |
19 | - repo: https://github.com/psf/black
20 | rev: 24.8.0
21 | hooks:
22 | - id: black
23 |
24 | - repo: https://github.com/PyCQA/isort
25 | rev: 5.13.2
26 | hooks:
27 | - id: isort
28 |
29 | - repo: https://github.com/PyCQA/flake8
30 | rev: 7.1.1
31 | hooks:
32 | - id: flake8
33 | args: ["--config=setup.cfg"]
34 | additional_dependencies: [flake8-isort]
35 |
36 | - repo: https://github.com/PyCQA/bandit
37 | rev: "1.7.0"
38 | hooks:
39 | - id: bandit
40 | args: ["-r", "--configfile=bandit-config.yml"]
41 |
42 | - repo: https://github.com/zricethezav/gitleaks
43 | rev: "v8.0.4"
44 | hooks:
45 | - id: gitleaks
46 |
47 | ci:
48 | autoupdate_schedule: weekly
49 | skip: []
50 | submodules: false
51 |
```
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
```
1 | # Project specific
2 | memory_dump/*
3 | *.mov
4 |
5 | # Byte-compiled / optimized / DLL files
6 | __pycache__/
7 | *.py[cod]
8 | *$py.class
9 |
10 | # C extensions
11 | *.so
12 |
13 | # Distribution / packaging
14 | .Python
15 | build/
16 | develop-eggs/
17 | dist/
18 | downloads/
19 | eggs/
20 | .eggs/
21 | lib/
22 | lib64/
23 | parts/
24 | sdist/
25 | var/
26 | wheels/
27 | *.egg-info/
28 | .installed.cfg
29 | *.egg
30 |
31 | # PyInstaller
32 | # Usually these files are written by a python script from a template
33 | # before PyInstaller builds the exe, so as to inject date/other infos into it.
34 | *.manifest
35 | *.spec
36 |
37 | # Installer logs
38 | pip-log.txt
39 | pip-delete-this-directory.txt
40 |
41 | # Unit test / coverage reports
42 | htmlcov/
43 | .tox/
44 | .coverage
45 | .coverage.*
46 | .cache
47 | nosetests.xml
48 | coverage.xml
49 | *.cover
50 | .hypothesis/
51 |
52 | # Translations
53 | *.mo
54 | *.pot
55 |
56 | # Django stuff:
57 | staticfiles/
58 |
59 | # Sphinx documentation
60 | docs/_build/
61 |
62 | # PyBuilder
63 | target/
64 |
65 | # pyenv
66 | .python-version
67 |
68 | # celery beat schedule file
69 | celerybeat-schedule
70 |
71 | # Environments
72 | .venv
73 | myenv/
74 | venv/
75 | ENV/
76 |
77 | # Rope project settings
78 | .ropeproject
79 |
80 | # mkdocs documentation
81 | /site
82 |
83 | # mypy
84 | .mypy_cache/
85 |
86 |
87 | ### Node template
88 | # Logs
89 | logs
90 | *.log
91 | npm-debug.log*
92 | yarn-debug.log*
93 | yarn-error.log*
94 |
95 | # Runtime data
96 | pids
97 | *.pid
98 | *.seed
99 | *.pid.lock
100 |
101 | # Directory for instrumented libs generated by jscoverage/JSCover
102 | lib-cov
103 |
104 | # Coverage directory used by tools like istanbul
105 | coverage
106 |
107 | # nyc test coverage
108 | .nyc_output
109 |
110 | # Bower dependency directory (https://bower.io/)
111 | bower_components
112 |
113 | # node-waf configuration
114 | .lock-wscript
115 |
116 | # Compiled binary addons (http://nodejs.org/api/addons.html)
117 | build/Release
118 |
119 | # Dependency directories
120 | node_modules/
121 | jspm_packages/
122 |
123 | # Typescript v1 declaration files
124 | typings/
125 |
126 | # Optional npm cache directory
127 | .npm
128 |
129 | # Optional eslint cache
130 | .eslintcache
131 |
132 | # Optional REPL history
133 | .node_repl_history
134 |
135 | # Output of 'npm pack'
136 | *.tgz
137 |
138 | # Yarn Integrity file
139 | .yarn-integrity
140 |
141 |
142 | ### Linux template
143 | *~
144 |
145 | # temporary files which can be created if a process still has a handle open of a deleted file
146 | .fuse_hidden*
147 |
148 | # KDE directory preferences
149 | .directory
150 |
151 | # Linux trash folder which might appear on any partition or disk
152 | .Trash-*
153 |
154 | # .nfs files are created when an open file is removed but is still being accessed
155 | .nfs*
156 |
157 |
158 | ### VisualStudioCode template
159 | .vscode/*
160 | !.vscode/settings.json
161 | !.vscode/tasks.json
162 | !.vscode/launch.json
163 | !.vscode/extensions.json
164 | *.code-workspace
165 |
166 | # Local History for Visual Studio Code
167 | .history/
168 |
169 |
170 |
171 |
172 |
173 | ### Windows template
174 | # Windows thumbnail cache files
175 | Thumbs.db
176 | ehthumbs.db
177 | ehthumbs_vista.db
178 |
179 | # Dump file
180 | *.stackdump
181 |
182 | # Folder config file
183 | Desktop.ini
184 |
185 | # Recycle Bin used on file shares
186 | $RECYCLE.BIN/
187 |
188 | # Windows Installer files
189 | *.cab
190 | *.msi
191 | *.msm
192 | *.msp
193 |
194 | # Windows shortcuts
195 | *.lnk
196 |
197 |
198 | ### macOS template
199 | # General
200 | *.DS_Store
201 | .AppleDouble
202 | .LSOverride
203 |
204 | # Icon must end with two \r
205 | Icon
206 |
207 | # Thumbnails
208 | ._*
209 |
210 | # Files that might appear in the root of a volume
211 | .DocumentRevisions-V100
212 | .fseventsd
213 | .Spotlight-V100
214 | .TemporaryItems
215 | .Trashes
216 | .VolumeIcon.icns
217 | .com.apple.timemachine.donotpresent
218 |
219 | # Directories potentially created on remote AFP share
220 | .AppleDB
221 | .AppleDesktop
222 | Network Trash Folder
223 | Temporary Items
224 | .apdisk
225 |
226 |
227 | ### SublimeText template
228 | # Cache files for Sublime Text
229 | *.tmlanguage.cache
230 | *.tmPreferences.cache
231 | *.stTheme.cache
232 |
233 | # Workspace files are user-specific
234 | *.sublime-workspace
235 |
236 | # Project files should be checked into the repository, unless a significant
237 | # proportion of contributors will probably not be using Sublime Text
238 | # *.sublime-project
239 |
240 | # SFTP configuration file
241 | sftp-config.json
242 |
243 | # Package control specific files
244 | Package Control.last-run
245 | Package Control.ca-list
246 | Package Control.ca-bundle
247 | Package Control.system-ca-bundle
248 | Package Control.cache/
249 | Package Control.ca-certs/
250 | Package Control.merged-ca-bundle
251 | Package Control.user-ca-bundle
252 | oscrypto-ca-bundle.crt
253 | bh_unicode_properties.cache
254 |
255 | # Sublime-github package stores a github token in this file
256 | # https://packagecontrol.io/packages/sublime-github
257 | GitHub.sublime-settings
258 |
259 |
260 | ### Vim template
261 | # Swap
262 | [._]*.s[a-v][a-z]
263 | [._]*.sw[a-p]
264 | [._]s[a-v][a-z]
265 | [._]sw[a-p]
266 |
267 | # Session
268 | Session.vim
269 |
270 | # Temporary
271 | .netrwhist
272 |
273 | # Auto-generated tag files
274 | tags
275 |
276 | # Redis dump file
277 | dump.rdb
278 |
279 | .pytest_cache/
280 | .ipython/
281 | .env
282 | .envs/*
283 | !.envs/.local/
284 |
285 | **/.ipynb_checkpoints/
286 | **/*.xlsx
287 |
288 | # Config details for the api access
289 | config_generation/config.py
290 |
291 | # Model's inference files
292 | Document_Classifier_inference/model.pt
293 |
294 | # Ignore Database Backup files
295 | /backups
296 | *.sql
297 | *.gz
298 |
```
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
```markdown
1 | # Volatility3 MCP Server
2 |
3 | ## Introduction
4 | Volatility3 MCP Server is a powerful tool that connects MCP clients like Claude Desktop with Volatility3, the advanced memory forensics framework. This integration allows LLMs to analyze memory dumps, detect malware, and perform sophisticated memory forensics tasks through a simple, conversational interface.
5 | 
6 |
7 | ## Demo
8 | [Demo Video](https://1drv.ms/v/c/b3eb1096e4f4a3a8/EfKIAsM9zUpGtXjJMDn0zywB-R3UnwvYD4yX71q1CinfRw?e=lke0Ox)
9 |
10 | You can also find a [detailed presentation](./attachments/project-presentation.pdf) on this tool here.
11 |
12 | ## What This Solves
13 | Memory forensics is a complex field that typically requires specialized knowledge and command-line expertise. This project bridges that gap by:
14 | - Allowing non-experts to perform memory forensics through natural language
15 | - Enabling LLMs to directly analyze memory dumps and provide insights
16 | - Automating common forensic workflows that would normally require multiple manual steps
17 | - Making memory forensics more accessible and user-friendly
18 |
19 | ## Features
20 | - **Memory Dump Analysis**: Analyze Windows and Linux memory dumps using various plugins
21 | - **Process Inspection**: List running processes, examine their details, and identify suspicious activity
22 | - **Network Analysis**: Examine network connections to detect command and control servers
23 | - **Cross-Platform Support**: Works with both Windows and Linux memory dumps (macOS support coming soon)
24 | - **Malware Detection**: Scan memory with **YARA rules** to identify known malware signatures
25 |
26 | ## Configuration
27 |
28 | 1. Clone this repository:
29 | 2. Create a virtual environment:
30 | ```bash
31 | python -m venv environ
32 | source environ/bin/activate
33 | ```
34 | 3. Install the required dependencies:
35 | ```bash
36 | pip install -r requirements.txt
37 | ```
38 |
39 | You can use this project in two ways:
40 |
41 | ### Option 1: With Claude Desktop
42 | 4. Configure Claude Desktop:
43 | - Go to `Claude` -> `Settings` -> `Developer` -> `Edit Config` -> `claude_desktop_config.json` and add the following
44 | ```json
45 | {
46 | "mcpServers": {
47 | "volatility3": {
48 | "command": "absolute/path/to/virtual/environment/bin/python3",
49 | "args": [
50 | "absolute/path/to/bridge_mcp_volatility.py"
51 | ]
52 | }
53 | }
54 | }
55 | ```
56 | 
57 | 5. Restart Claude Desktop and begin analyzing the memory dumps.
58 |
59 | ### Option 2: With Cursor (SSE Server)
60 | 4. Start the SSE server:
61 | ```bash
62 | python3 start_sse_server.py
63 | ```
64 | 4. Configure Cursor to use the SSE server:
65 | - Open Cursor settings
66 | - Navigate to `Features` -> `MCP Servers`
67 | - Add a new MCP server with the URL `http://127.0.0.1:8080/sse`
68 | 
69 | 6. Use the Cursor Composer in agent mode and begin analyzing memory dumps.
70 |
71 | ## Available Tools
72 |
73 | - **initialize_memory_file**: Set up a memory dump file for analysis
74 | - **detect_os**: Identify the operating system of the memory dump
75 | - **list_plugins**: Display all available Volatility3 plugins
76 | - **get_plugin_info**: Get detailed information about a specific plugin
77 | - **run_plugin**: Execute any Volatility3 plugin with custom arguments
78 | - **get_processes**: List all running processes in the memory dump
79 | - **get_network_connections**: View all network connections from the system
80 | - **list_process_open_handles**: Examine files and resources accessed by a process
81 | - **scan_with_yara**: Scan memory for malicious patterns using YARA rules
82 |
83 | ## Contributing
84 | Contributions are welcome! Please feel free to submit a Pull Request.
85 |
```
--------------------------------------------------------------------------------
/rules/README.md:
--------------------------------------------------------------------------------
```markdown
1 | [](https://travis-ci.org/Yara-Rules/rules) <img src="http://img.shields.io/liberapay/patrons/yararules.svg?logo=liberapay">
2 |
3 |
4 | # Project
5 |
6 | This project covers the need of a group of IT Security Researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible, and began as an open source community for collecting Yara rules. Our Yara ruleset is under the GNU-GPLv2 license and open to any user or organization, as long as you use it under this license.
7 |
8 | Yara is becoming increasingly used, but knowledge about the tool and its usage is dispersed across many different places. The Yara Rules project aims to be the meeting point for Yara users by gathering together a ruleset as complete as possible thusly providing users a quick way to get Yara ready for usage.
9 |
10 | We hope this project is useful for the Security Community and all Yara Users, and are looking forward to your feedback. Join this community by subscribing to our mailing list.
11 |
12 | # Contribute
13 |
14 | If you’re interested in sharing your Yara rules with us and the Security Community, you can join our mailing list, send a message to our Twitter account or send a pull request here.
15 |
16 | Twitter account: https://twitter.com/yararules
17 |
18 | # Requirements
19 |
20 | Yara **version 3.0** or higher is required for most of our rules to work. This is mainly due to the use of the "pe" module introduced in that version.
21 |
22 | You can check your installed version with `yara -v`
23 |
24 | Packages available in Ubuntu 14.04 LTS default repositories are too old. You can alternatively install from source or use the packages available in the [Remnux repository](https://launchpad.net/~remnux/+archive/ubuntu/stable).
25 |
26 | ~~Also, you will need [Androguard Module](https://github.com/Koodous/androguard-yara) if you want to use the rules in the 'mobile_malware' category.~~
27 |
28 | We have deprecated mobile_malware rules that depend on Androguard Module because it seems an abandoned project.
29 |
30 | # Categories
31 |
32 | ## Anti-debug/Anti-VM
33 |
34 | In this section you will find Yara Rules aimed toward the detection of anti-debug and anti-virtualization techniques used by malware to evade automated analysis.
35 |
36 | ## Capabilities
37 |
38 | In this section you will find Yara rules to detect capabilities that do not fit into any of the other categories. They are useful to know for analysis but may not be malicious indicators on their own.
39 |
40 | ## CVE Rules
41 |
42 | In this section you will find Yara Rules specialised toward the identification of specific Common Vulnerabilities and Exposures (CVEs)
43 |
44 | ## Crypto
45 |
46 | In this section you will find Yara rules aimed toward the detection and existence of cryptographic algorithms.
47 |
48 | ## Exploit Kits
49 |
50 | In this section you will find Yara rules aimed toward the detection and existence of Exploit Kits.
51 |
52 | ## Malicious Documents
53 |
54 | In this section you will find Yara Rules to be used with documents to find if they have been crafted to leverage malicious code.
55 |
56 | ## Malware
57 |
58 | In this section you will find Yara rules specialised toward the identification of well-known malware.
59 |
60 | ## Packers
61 |
62 | In this section you will find Yara Rules aimed to detect well-known software packers, that can be used by malware to hide itself.
63 |
64 | ## WebShells
65 |
66 | In this section you will find Yara rules specialised toward the identification of well-known webshells.
67 |
68 | ## Email
69 |
70 | In this section you will find Yara rules specialised toward the identification of malicious e-mails.
71 |
72 | ## Malware Mobile
73 |
74 | In this section you will find Yara rules specialised toward the identification of well-known mobile malware.
75 |
76 | ## Deprecated
77 |
78 | In this section you will find Yara rules deprecated.
79 |
80 | # Contact
81 |
82 | Webpage: https://yara-rules.github.io/blog/
83 |
84 | Twitter account: https://twitter.com/yararules
85 |
```
--------------------------------------------------------------------------------
/rules/.github/FUNDING.yml:
--------------------------------------------------------------------------------
```yaml
1 | liberapay: yararules
2 |
```
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
```
1 | mcp>=1.6.0
2 | volatility3>=2.11.0
3 | yara-python>=4.5.1
4 |
```
--------------------------------------------------------------------------------
/rules/.github/ISSUE_TEMPLATE/new-rule-request.md:
--------------------------------------------------------------------------------
```markdown
1 | ---
2 | name: New rule request
3 | about: Suggest a new rule for this project
4 | title: "[New Rule]"
5 | labels: new rule
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Is your feature request related to an article or investigation? Please describe.**
11 | A clear and concise description of what the article or investigation is.
12 |
13 | **Describe the solution you'd like**
14 | A clear and concise description of what you want to happen.
15 |
16 | **Describe alternatives you've considered**
17 | A clear and concise description of any alternative solutions or features you've considered.
18 |
19 | **Additional context**
20 | Add any other context or screenshots about the feature request here.
21 |
```
--------------------------------------------------------------------------------
/rules/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
```markdown
1 | ---
2 | name: Bug report
3 | about: Create a report to help us improve
4 | title: "[BUG]"
5 | labels: bug
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Describe the bug**
11 | A clear and concise description of what the bug is.
12 |
13 | **To Reproduce**
14 | Steps to reproduce the behavior:
15 | 1. Go to '...'
16 | 2. Click on '....'
17 | 3. Scroll down to '....'
18 | 4. See error
19 |
20 | **Expected behavior**
21 | A clear and concise description of what you expected to happen.
22 |
23 | **Screenshots**
24 | If applicable, add screenshots to help explain your problem.
25 |
26 | **Desktop (please complete the following information):**
27 | - OS: [e.g. iOS]
28 | - Yara version [e.g. 3.11.0]
29 |
30 | - Version [e.g. 22]
31 | **Additional context**
32 | Add any other context about the problem here.
33 |
```
--------------------------------------------------------------------------------
/bandit-config.yml:
--------------------------------------------------------------------------------
```yaml
1 | # bandit-config.yml
2 | skips:
3 | - B101 # Skip assert used (often used in tests)
4 |
5 | exclude:
6 | - ./tests/ # Exclude test directories
7 | - ./migrations/ # Exclude migration directories
8 | - ./venv/ # Exclude virtual environment
9 | - ./environ/ # Exclude virtual environment
10 |
11 | tests:
12 | - B105 # Include test for hardcoded password strings
13 | - B602 # Include test for subprocess call with shell equals true
14 |
15 | profiles:
16 | default:
17 | include:
18 | - all
19 | exclude:
20 | - B101 # Exclude assert used
21 | - B401 # Exclude test for import telnetlib
22 | - B403 # Exclude import from the pickle module
23 |
24 | severity: 'MEDIUM'
25 | confidence: 'MEDIUM'
26 |
```
--------------------------------------------------------------------------------
/rules/.github/workflows/main.yml:
--------------------------------------------------------------------------------
```yaml
1 | name: CI
2 |
3 | on:
4 | # Trigger the workflow on push or pull request,
5 | # but only for the master branch
6 | push:
7 | branches:
8 | - master
9 | pull_request:
10 | branches:
11 | - master
12 |
13 | jobs:
14 | build:
15 |
16 | runs-on: ubuntu-latest
17 |
18 | steps:
19 | - uses: actions/checkout@v2
20 | with:
21 | ref: ${{ github.head_ref }}
22 |
23 | - name: Run gen index
24 | run: "./index_gen.sh"
25 | shell: bash
26 |
27 | - name: Add & Commit
28 | uses: github-actions-x/[email protected]
29 | with:
30 | commit-message: 'Index updated'
31 | name: '${{ secrets.GH_USER }}'
32 | email: '${{ secrets.GH_EMAIL }}'
33 | push-branch: ${{ github.head_ref }}
34 | github-token: ${{ secrets.GITHUB_TOKEN }}
35 |
36 | - name: Push
37 | uses: ad-m/[email protected]
38 | with:
39 | github_token: ${{ secrets.GH_TOKEN }}
40 | branch: ${{ github.head_ref }}
41 |
```
--------------------------------------------------------------------------------
/rules/index_gen.sh:
--------------------------------------------------------------------------------
```bash
1 | #!/bin/bash
2 |
3 | function get_folders {
4 | local INDECES=()
5 | AVOID="utils|deprecated"
6 | for folder in $(ls -d */ | grep -vE $AVOID); do
7 | INDECES+="$folder "
8 | done
9 | INDECES+=". "
10 | echo "$INDECES"
11 | }
12 |
13 | function gen_index {
14 | IDX_NAME=$1
15 | BASE=$2
16 | INC_MOBILE=$3
17 | > $IDX_NAME
18 | if [ x"$4" != x ]; then
19 | echo -e "/*$4*/" > $IDX_NAME
20 | fi
21 | OS=$(uname)
22 | AVOID="_?index.yara?|index_|utils|deprecated"
23 | if [ x"$BASE" == x"." ]; then
24 | if [ $INC_MOBILE == false ]; then
25 | AVOID+="|Mobile"
26 | fi
27 | if [ $OS == "Darwin" ]; then
28 | find -E $BASE -regex ".*\.yara?" | grep -vE "$AVOID" | sort | awk '{print "include \"" $0 "\""}' >> $IDX_NAME
29 | else
30 | # Linux version and potentialy Cygwin
31 | find $BASE -regex ".*\.yara?" | grep -vE "$AVOID" | sort | awk '{print "include \"" $0 "\""}' >> $IDX_NAME
32 | fi
33 | else
34 | if [ $OS == "Darwin" ]; then
35 | find -E $BASE -regex ".*\.yara?" | grep -vE "$AVOID" | sort | awk '{print "include \"./" $0 "\""}' >> $IDX_NAME
36 | else
37 | # Linux version and potentialy Cygwin
38 | find $BASE -regex ".*\.yara?" | grep -vE "$AVOID" | sort | awk '{print "include \"./" $0 "\""}' >> $IDX_NAME
39 | fi
40 | fi
41 | }
42 |
43 | ## Main
44 |
45 | echo " **************************"
46 | echo " Yara-Rules"
47 | echo " Index generator"
48 | echo " **************************"
49 |
50 | INC_MOBILE=true
51 |
52 | for folder in $(get_folders)
53 | do
54 | if [ x"$folder" == x"." ]; then
55 | BASE="."
56 | IDX_NAME="index_w_mobile.yar"
57 | echo "[+] Generating index_w_mobile..."
58 | else
59 | BASE=$(echo $folder | rev | cut -c 2- | rev)
60 | IDX_NAME="$BASE"_index.yar
61 | echo "[+] Generating $BASE index..."
62 | fi
63 |
64 | gen_index $IDX_NAME $BASE $INC_MOBILE "\nGenerated by Yara-Rules\nOn $(date +%d-%m-%Y)\n"
65 |
66 | if [ x"$folder" == x"." ]; then
67 | INC_MOBILE=false
68 | IDX_NAME="index.yar"
69 | gen_index $IDX_NAME $BASE $INC_MOBILE "\nGenerated by Yara-Rules\nOn $(date +%d-%m-%Y)\n"
70 | echo "[+] Generating index..."
71 | fi
72 | done
73 |
```
--------------------------------------------------------------------------------
/start_sse_server.py:
--------------------------------------------------------------------------------
```python
1 | from mcp.server.fastmcp import FastMCP
2 | from starlette.applications import Starlette
3 | from mcp.server.sse import SseServerTransport
4 | from starlette.requests import Request
5 | from starlette.routing import Mount, Route
6 | from mcp.server import Server
7 | import uvicorn
8 | import argparse
9 | import os
10 | from bridge_mcp_volatility import mcp
11 |
12 | def create_starlette_app(mcp_server: Server, *, debug: bool = False) -> Starlette:
13 | """Create a Starlette application that can serve the provided mcp server with SSE."""
14 | sse = SseServerTransport("/messages/")
15 |
16 | async def handle_sse(request: Request) -> None:
17 | async with sse.connect_sse(
18 | request.scope,
19 | request.receive,
20 | request._send,
21 | ) as (read_stream, write_stream):
22 | await mcp_server.run(
23 | read_stream,
24 | write_stream,
25 | mcp_server.create_initialization_options(),
26 | )
27 |
28 | return Starlette(
29 | debug=debug,
30 | routes=[
31 | Route("/sse", endpoint=handle_sse),
32 | Mount("/messages/", app=sse.handle_post_message),
33 | ],
34 | )
35 |
36 | if __name__ == "__main__":
37 | parser = argparse.ArgumentParser(description='Run Volatility3 MCP SSE-based server')
38 | parser.add_argument('--host', default='127.0.0.1', help='Host to bind to')
39 | parser.add_argument('--port', type=int, default=8080, help='Port to listen on')
40 | parser.add_argument('--debug', action='store_true', help='Enable debug mode')
41 | args = parser.parse_args()
42 |
43 | mcp_server = mcp._mcp_server
44 |
45 | # Create the Starlette app with SSE support
46 | starlette_app = create_starlette_app(mcp_server, debug=args.debug)
47 |
48 | # Print the SSE URL for Cursor to connect to
49 | sse_url = f"http://{args.host}:{args.port}/sse"
50 | print(f"\n=== Volatility3 MCP Server ===")
51 | print(f"Server running at: http://{args.host}:{args.port}")
52 | print(f"SSE URL for Cursor: {sse_url}")
53 | print(f"Copy this URL into Cursor's MCP configuration")
54 | print(f"==============================\n")
55 |
56 | # Run the server
57 | uvicorn.run(starlette_app, host=args.host, port=args.port)
```
--------------------------------------------------------------------------------
/get_malware_yara_rules.py:
--------------------------------------------------------------------------------
```python
1 | """
2 | This script downloads and processes YARA rules from the Yara-Rules GitHub repository.
3 | It filters out incompatible rules, handles duplicates, and merges them into a single file.
4 | It also creates an index file for quick rule lookup.
5 | Since it is already included in the repo, you won't need to run it.
6 | However, you might want to refresh the rules periodically.
7 | """
8 |
9 | import json
10 | import os
11 | import re
12 | import shutil
13 |
14 |
15 | def get_rules_from_git():
16 | shutil.rmtree("./rules", ignore_errors=True)
17 | os.system("git clone https://github.com/Yara-Rules/rules.git")
18 |
19 | # Remove .git directory
20 | shutil.rmtree("./rules/.git", ignore_errors=True)
21 |
22 |
23 | def list_yara_files():
24 | all_yara_files = []
25 | for root, directories, filenames in os.walk("./rules/malware"):
26 | print("Processing " + root)
27 | filenames.sort()
28 | for file_name in filenames:
29 | rule_filename, rule_file_extension = os.path.splitext(file_name)
30 | if rule_file_extension == ".yar" or rule_file_extension == ".yara":
31 | all_yara_files.append(os.path.join(root, file_name))
32 | return all_yara_files
33 |
34 |
35 | def remove_incompatible_imports(files):
36 | filtered_files = []
37 | for yara_file in files:
38 | with open(yara_file, errors="ignore") as fd:
39 | yara_in_file = fd.read()
40 | if not (
41 | ('import "math"' in yara_in_file)
42 | or ('import "cuckoo"' in yara_in_file)
43 | or ('import "hash"' in yara_in_file)
44 | or ("imphash" in yara_in_file)
45 | ):
46 | filtered_files.append(yara_file)
47 | return filtered_files
48 |
49 |
50 | def fix_duplicated_rules(files):
51 | filtered_files = []
52 | first_elf = True
53 | to_delete = False
54 | for yara_file in files:
55 | print("Processing " + yara_file)
56 | with open(yara_file, errors="ignore") as fd:
57 | yara_in_file = fd.readlines()
58 | for line in yara_in_file:
59 | if line.strip() == "private rule is__elf {":
60 | if first_elf:
61 | first_elf = False
62 | else:
63 | to_delete = True
64 | if not to_delete:
65 | filtered_files.append(line)
66 | if (not first_elf) and line.strip() == "}":
67 | to_delete = False
68 | filtered_files.append("\n")
69 | return filtered_files
70 |
71 |
72 | def merge_rules(all_rules):
73 | with open("malware_rules.yar", "w") as fd:
74 | fd.write("".join(all_rules))
75 |
76 |
77 | def create_rule_index(yara_file):
78 | """Create an index of rule names and their definitions."""
79 | rule_index = {}
80 |
81 | with open(yara_file, errors="ignore") as f:
82 | content = f.read()
83 |
84 | # Find all rule definitions, including those with tags
85 | # This pattern captures both the rule name and any tags that follow
86 | rule_pattern = re.compile(r"rule\s+(\w+)(?:\s*:\s*([\w\s]+))?\s*{", re.MULTILINE)
87 | for match in rule_pattern.finditer(content):
88 | rule_name = match.group(1)
89 | tags = match.group(2).strip() if match.group(2) else None
90 | start_pos = match.start()
91 |
92 | # Find the end of the rule (closing brace)
93 | brace_count = 0
94 | end_pos = start_pos
95 | for i in range(start_pos, len(content)):
96 | if content[i] == "{":
97 | brace_count += 1
98 | elif content[i] == "}":
99 | brace_count -= 1
100 | if brace_count == 0:
101 | end_pos = i + 1
102 | break
103 |
104 | rule_definition = content[start_pos:end_pos].strip()
105 |
106 | # Store the rule by its base name
107 | rule_index[rule_name] = rule_definition
108 |
109 | # If the rule has tags, also store it with the full name including tags
110 | if tags:
111 | full_rule_name = f"{rule_name} : {tags}"
112 | rule_index[full_rule_name] = rule_definition
113 |
114 | # Save the index to a JSON file
115 | with open("malware_rules_index.json", "w") as f:
116 | json.dump(rule_index, f, indent=2)
117 |
118 | print(f"Created rule index with {len(rule_index)} entries")
119 |
120 |
121 | def main():
122 | get_rules_from_git()
123 | all_yara_files = list_yara_files()
124 | all_yara_filtered_1 = remove_incompatible_imports(all_yara_files)
125 | all_yara_filtered_2 = fix_duplicated_rules(all_yara_filtered_1)
126 | merge_rules(all_yara_filtered_2)
127 | create_rule_index("malware_rules.yar")
128 |
129 |
130 | if __name__ == "__main__":
131 | main()
132 |
```
--------------------------------------------------------------------------------
/attachments/architecture-diagram.svg:
--------------------------------------------------------------------------------
```
1 | <svg viewBox="0 0 800 500" xmlns="http://www.w3.org/2000/svg">
2 | <!-- Background -->
3 | <rect width="800" height="500" fill="#f8f9fa" rx="10" ry="10" />
4 |
5 | <!-- MCP Clients -->
6 | <rect x="50" y="80" width="150" height="100" rx="5" ry="5" fill="#d1e7dd" stroke="#0f5132" stroke-width="2" />
7 | <text x="125" y="110" font-family="Arial" font-size="16" text-anchor="middle" font-weight="bold">MCP Clients</text>
8 | <text x="125" y="135" font-family="Arial" font-size="12" text-anchor="middle">Claude Desktop</text>
9 | <text x="125" y="155" font-family="Arial" font-size="12" text-anchor="middle">Cursor</text>
10 | <text x="125" y="175" font-family="Arial" font-size="12" text-anchor="middle">Other MCP Clients</text>
11 |
12 | <!-- MCP Bridge Server -->
13 | <rect x="300" y="50" width="200" height="300" rx="5" ry="5" fill="#cfe2ff" stroke="#084298" stroke-width="2" />
14 | <text x="400" y="80" font-family="Arial" font-size="16" text-anchor="middle" font-weight="bold">Volatility3 MCP Server</text>
15 | <text x="400" y="100" font-family="Arial" font-size="12" text-anchor="middle" font-style="italic">(Python Middleware)</text>
16 |
17 | <!-- MCP Tools -->
18 | <rect x="325" y="120" width="150" height="150" rx="5" ry="5" fill="#e2e3e5" stroke="#41464b" stroke-width="1" />
19 | <text x="400" y="140" font-family="Arial" font-size="14" text-anchor="middle" font-weight="bold">MCP Tools</text>
20 | <text x="400" y="165" font-family="Arial" font-size="11" text-anchor="middle">initialize_memory_file</text>
21 | <text x="400" y="185" font-family="Arial" font-size="11" text-anchor="middle">get_processes</text>
22 | <text x="400" y="205" font-family="Arial" font-size="11" text-anchor="middle">get_network_connections</text>
23 | <text x="400" y="225" font-family="Arial" font-size="11" text-anchor="middle">scan_with_yara</text>
24 | <text x="400" y="245" font-family="Arial" font-size="11" text-anchor="middle">run_plugin</text>
25 | <text x="400" y="265" font-family="Arial" font-size="11" text-anchor="middle">...</text>
26 |
27 | <!-- Volatility3 Framework -->
28 | <rect x="600" y="150" width="150" height="100" rx="5" ry="5" fill="#f8d7da" stroke="#842029" stroke-width="2" />
29 | <text x="675" y="180" font-family="Arial" font-size="16" text-anchor="middle" font-weight="bold">Volatility3</text>
30 | <text x="675" y="200" font-family="Arial" font-size="12" text-anchor="middle">Memory Forensics</text>
31 | <text x="675" y="220" font-family="Arial" font-size="12" text-anchor="middle">Framework</text>
32 |
33 | <!-- Memory Dump -->
34 | <rect x="600" y="300" width="150" height="80" rx="5" ry="5" fill="#fff3cd" stroke="#664d03" stroke-width="2" />
35 | <text x="675" y="340" font-family="Arial" font-size="16" text-anchor="middle" font-weight="bold">Memory Dump</text>
36 | <text x="675" y="360" font-family="Arial" font-size="12" text-anchor="middle">(.raw, .dmp files)</text>
37 |
38 | <!-- Input/Output Validator -->
39 | <rect x="350" y="300" width="100" height="40" rx="5" ry="5" fill="#e2e3e5" stroke="#41464b" stroke-width="1" />
40 | <text x="400" y="325" font-family="Arial" font-size="12" text-anchor="middle">Input Validator</text>
41 |
42 | <!-- Connections -->
43 | <!-- MCP Clients to MCP Server -->
44 | <line x1="200" y1="130" x2="300" y2="130" stroke="#084298" stroke-width="2" />
45 | <polygon points="295,125 300,130 295,135" fill="#084298" />
46 | <text x="250" y="120" font-family="Arial" font-size="10" text-anchor="middle">MCP Requests</text>
47 |
48 | <line x1="300" y1="150" x2="200" y2="150" stroke="#084298" stroke-width="2" />
49 | <polygon points="205,145 200,150 205,155" fill="#084298" />
50 | <text x="250" y="165" font-family="Arial" font-size="10" text-anchor="middle">JSON Responses</text>
51 |
52 | <!-- MCP Server to Volatility3 -->
53 | <line x1="500" y1="180" x2="600" y2="180" stroke="#842029" stroke-width="2" />
54 | <polygon points="595,175 600,180 595,185" fill="#842029" />
55 | <text x="550" y="170" font-family="Arial" font-size="10" text-anchor="middle">Plugin Commands</text>
56 |
57 | <line x1="600" y1="200" x2="500" y2="200" stroke="#842029" stroke-width="2" />
58 | <polygon points="505,195 500,200 505,205" fill="#842029" />
59 | <text x="550" y="215" font-family="Arial" font-size="10" text-anchor="middle">Analysis Results</text>
60 |
61 | <!-- Volatility3 to Memory Dump -->
62 | <line x1="675" y1="250" x2="675" y2="300" stroke="#664d03" stroke-width="2" />
63 | <polygon points="670,295 675,300 680,295" fill="#664d03" />
64 | <text x="700" y="275" font-family="Arial" font-size="10" text-anchor="middle">Analyze</text>
65 |
66 | <!-- MCP Server to Input Validator -->
67 | <line x1="400" y1="270" x2="400" y2="300" stroke="#41464b" stroke-width="1.5" />
68 | <polygon points="395,295 400,300 405,295" fill="#41464b" />
69 |
70 | <!-- Data Flow Arrows -->
71 | <path d="M 125,200 C 125,240 250,380 400,380 C 550,380 675,380 675,380" stroke="#084298" stroke-width="1.5" stroke-dasharray="5,5" fill="none" />
72 | <polygon points="670,375 675,380 670,385" fill="#084298" />
73 | <text x="400" y="400" font-family="Arial" font-size="14" text-anchor="middle" font-weight="bold">Data Flow</text>
74 |
75 | <!-- Title -->
76 | <text x="400" y="30" font-family="Arial" font-size="20" text-anchor="middle" font-weight="bold">Volatility3 MCP Bridge Architecture</text>
77 | </svg>
78 |
```
--------------------------------------------------------------------------------
/vol_wrapper.py:
--------------------------------------------------------------------------------
```python
1 | import json
2 | import os
3 | import shutil
4 | import subprocess
5 | import sys
6 | from pathlib import Path
7 | from typing import Any
8 |
9 | from volatility3 import framework, plugins
10 | from volatility3.framework import contexts
11 |
12 |
13 | class VolatilityWrapper:
14 | def __init__(self, memory_file: str):
15 | """Initialize the Volatility3 wrapper with a memory dump file."""
16 | self.memory_file = Path(memory_file)
17 | if not self.memory_file.exists():
18 | raise FileNotFoundError(f"Memory file not found: {memory_file}")
19 |
20 | # Initialize the volatility context
21 | self.context = contexts.Context()
22 | # Import all plugins to ensure they're registered
23 | framework.import_files(plugins, True)
24 | self.available_plugins_with_descriptions = (
25 | self._list_plugins_with_descriptions()
26 | )
27 | self.available_plugins = list(framework.list_plugins().keys())
28 | self.os_type = None
29 |
30 | def _sanitize_description(self, description):
31 | """Sanitize the description by removing newlines and escaping quotes."""
32 | if not description:
33 | return "No description available"
34 |
35 | sanitized = description.replace("\n", " ")
36 | sanitized = " ".join(sanitized.split())
37 | return sanitized
38 |
39 | def _list_plugins_with_descriptions(self):
40 | """Get a dictionary of available plugins and their descriptions."""
41 | plugins_with_descriptions = {}
42 | plugin_list = framework.list_plugins()
43 | for plugin_name in sorted(plugin_list.keys()):
44 | plugin_class = plugin_list[plugin_name]
45 |
46 | description = "No description available"
47 | if plugin_class.__doc__:
48 | description = plugin_class.__doc__
49 | plugins_with_descriptions[plugin_name] = self._sanitize_description(
50 | description
51 | )
52 |
53 | return plugins_with_descriptions
54 |
55 | def get_plugin_info(self, plugin_name: str) -> dict[str, Any]:
56 | """Get detailed information about a specific plugin."""
57 | if plugin_name not in self.available_plugins:
58 | return {"error": f"Plugin {plugin_name} not found"}
59 |
60 | return self.available_plugins_with_descriptions[plugin_name]
61 |
62 | def detect_os(self) -> str:
63 | """Detect OS type from which the memory dump was taken"""
64 | os_checks = {"windows": "windows.info.Info", "linux": "banners.Banners"}
65 |
66 | for os_type, plugin in os_checks.items():
67 | try:
68 | result = self.run_plugin(plugin_name=plugin)
69 | if os_type in json.dumps(result).lower():
70 | self.os_type = os_type
71 | return os_type
72 | except Exception as e:
73 | print(f"Error checking for {os_type}: {str(e)}")
74 | continue
75 |
76 | self.os_type = "unknown"
77 | return "unknown"
78 |
79 | def run_plugin(
80 | self, plugin_name: str, args: dict[str, Any] | None = None
81 | ) -> list[dict[str, Any]]:
82 | """Run a Volatility3 plugin and return the results as structured data.
83 |
84 | Args:
85 | plugin_name: Name of the plugin to run (e.g., 'windows.pslist.PsList')
86 |
87 | Returns:
88 | List of dictionaries containing the plugin results
89 | """
90 | if args is None:
91 | args = {}
92 |
93 | if plugin_name not in self.available_plugins:
94 | return [{"error": f"Plugin {plugin_name} not found"}]
95 |
96 | try:
97 | # Find path to vol dynamically
98 | os.environ["PATH"] = (
99 | sys.executable.split("/python3")[0] + ":" + os.environ["PATH"]
100 | )
101 | vol_path = shutil.which("vol")
102 | if not vol_path:
103 | return [{"error": "Could not find 'vol' executable in PATH"}]
104 |
105 | cmd = [vol_path, "-r", "json", "-f", str(self.memory_file), plugin_name]
106 |
107 | # Add any additional arguments
108 | for arg_name, arg_value in args.items():
109 | if arg_value is True:
110 | cmd.append(f"--{arg_name}")
111 | elif arg_value is not False and arg_value is not None:
112 | cmd.append(f"--{arg_name}")
113 | cmd.append(str(arg_value))
114 |
115 | result = subprocess.run(cmd, capture_output=True, text=True, check=False)
116 |
117 | # Check for errors
118 | if result.returncode != 0:
119 | return [{"error": f"Plugin execution failed: {result.stderr}"}]
120 |
121 | try:
122 | return json.loads(result.stdout)
123 | except json.JSONDecodeError:
124 | # If JSON parsing fails, return the raw output
125 | return [
126 | {
127 | "error": "Failed to parse JSON output",
128 | "raw_output": result.stdout,
129 | }
130 | ]
131 |
132 | except Exception as e:
133 | return [{"error": f"Error running plugin {plugin_name}: {str(e)}"}]
134 |
135 | def get_processes(self) -> list[dict[str, Any]]:
136 | """Get a list of processes from the memory dump."""
137 | if not hasattr(self, "os_type") or self.os_type is None:
138 | self.detect_os()
139 |
140 | if self.os_type == "windows":
141 | return self.run_plugin("windows.pslist.PsList")
142 | elif self.os_type == "linux":
143 | return self.run_plugin("linux.pslist.PsList")
144 | else:
145 | return [
146 | {"error": f"Process listing not supported for OS type: {self.os_type}"}
147 | ]
148 |
149 | def get_network_connections(self) -> list[dict[str, Any]]:
150 | """Get network connections from the memory dump."""
151 | if not hasattr(self, "os_type") or self.os_type is None:
152 | self.detect_os()
153 |
154 | if self.os_type == "windows":
155 | return self.run_plugin("windows.netscan.NetScan")
156 | elif self.os_type == "linux":
157 | return self.run_plugin("linux.sockstat.Sockstat")
158 | else:
159 | return [
160 | {
161 | "error": f"Network connection listing not supported for OS type: {self.os_type}"
162 | }
163 | ]
164 |
165 | def list_process_open_handles(self, pid: int) -> dict[str, Any]:
166 | "Lists open handles for a process"
167 | if not hasattr(self, "os_type") or self.os_type is None:
168 | self.detect_os()
169 |
170 | args = {"pid": pid}
171 |
172 | if self.os_type == "windows":
173 | return self.run_plugin("windows.handles.Handles", args)
174 | elif self.os_type == "linux":
175 | return self.run_plugin("linux.lsof.Lsof", args)
176 | else:
177 | return [
178 | {
179 | "error": f"Listing process open handles not supported for OS type: {self.os_type}"
180 | }
181 | ]
182 |
183 | def scan_with_yara(self) -> list[dict[str, Any]]:
184 | """Scan memory with YARA rules.
185 |
186 | Returns:
187 | List of matches with process, rule information, and full rule definition
188 | """
189 | current_dir = os.path.dirname(os.path.abspath(__file__))
190 | yara_file = os.path.join(current_dir, "malware_rules.yar")
191 | if not os.path.exists(yara_file):
192 | return [{"error": f"YARA rules file not found: {yara_file}"}]
193 |
194 | if not hasattr(self, "os_type") or self.os_type is None:
195 | self.detect_os()
196 |
197 | # Use yarascan.YaraScan for both Windows and Linux
198 | plugin_name = "yarascan.YaraScan"
199 | args = {"yara-file": yara_file}
200 |
201 | results = self.run_plugin(plugin_name, args)
202 | # Return top 10 scan results only because this might overwhelm the MCP Client
203 | results = results[:10]
204 |
205 | # If we have results, enhance them with the full rule definitions
206 | if results and not (
207 | isinstance(results, list) and len(results) > 0 and "error" in results[0]
208 | ):
209 | # Look for the index file
210 | index_file = os.path.join(
211 | os.path.dirname(yara_file), "malware_rules_index.json"
212 | )
213 |
214 | if os.path.exists(index_file):
215 | try:
216 | with open(index_file) as f:
217 | rule_index = json.load(f)
218 |
219 | # Add rule definitions to the results
220 | for match in results:
221 | if "Rule" in match and match["Rule"] in rule_index:
222 | match["rule_definition"] = rule_index[match["Rule"]]
223 | except Exception as e:
224 | print(f"Error loading rule index: {str(e)}")
225 |
226 | return results
227 |
228 |
229 | def main():
230 | memory_file = (
231 | "/Users/dkiran/Documents/MCP/volatility3-mcp/memory_dump/linux-sample.mem"
232 | )
233 | vol_wrapper = VolatilityWrapper(memory_file)
234 | print(vol_wrapper.detect_os())
235 | print(vol_wrapper.os_type)
236 | print(vol_wrapper.scan_with_yara())
237 |
238 |
239 | if __name__ == "__main__":
240 | main()
241 |
```
--------------------------------------------------------------------------------
/bridge_mcp_volatility.py:
--------------------------------------------------------------------------------
```python
1 | from typing import Any
2 |
3 | from mcp.server.fastmcp import FastMCP
4 | from vol_wrapper import VolatilityWrapper
5 |
6 | mcp = FastMCP("volatility3-mcp")
7 |
8 | # Global volatility wrapper instance
9 | vol_wrapper = None
10 |
11 |
12 | @mcp.tool(
13 | description="""Initialize Volatility3 with a memory dump file. This tool MUST be called first before any other
14 | memory analysis tools. Use this tool when:
15 | - You're starting a new memory forensics investigation
16 | - You want to switch to analyzing a different memory dump
17 | - You need to reset the analysis environment
18 | The tool accepts a file path to the memory dump and validates that the file exists and is accessible.
19 | Successful initialization is required for all other tools to function properly."""
20 | )
21 | def initialize_memory_file(file_path: str) -> str:
22 | """
23 | Initialize the Volatility3 wrapper with a memory dump file.
24 |
25 | Args:
26 | file_path: Path to the memory dump file
27 |
28 | Returns:
29 | Success or error message
30 | """
31 | global vol_wrapper
32 | try:
33 | vol_wrapper = VolatilityWrapper(file_path)
34 | return f"Successfully initialized Volatility3 with memory file: {file_path}"
35 | except Exception as e:
36 | return f"Error initializing Volatility3: {str(e)}"
37 |
38 |
39 | @mcp.tool(
40 | description="""Detect the operating system type from the memory dump. Use this tool when:
41 | - You need to identify the OS of the memory dump before further analysis
42 | - You want to determine which OS-specific plugins are applicable
43 | - You're starting an investigation and need to establish the basic system information
44 | - You need to verify the OS type to select appropriate analysis techniques
45 | The tool attempts to identify if the memory dump is from Windows or Linux by
46 | running OS-specific plugins and analyzing their output. This information is crucial for
47 | selecting the appropriate analysis plugins and interpreting the results correctly."""
48 | )
49 | def detect_os() -> str:
50 | """
51 | Detect the operating system type from the memory dump.
52 |
53 | Returns:
54 | String indicating the OS type: 'windows', 'linux', or 'unknown'
55 | """
56 | if vol_wrapper is None:
57 | return "Error: Volatility3 not initialized. Call initialize_memory_file first."
58 |
59 | os_type = vol_wrapper.detect_os()
60 |
61 | if os_type == "unknown":
62 | return "Could not determine the operating system. The memory dump may be corrupted or from an unsupported OS."
63 | else:
64 | return f"Detected operating system: {os_type.capitalize()}"
65 |
66 |
67 | @mcp.tool(
68 | description="""List all available Volatility3 plugins that can be used for memory analysis. Use this tool when:
69 | - You want to explore what analysis capabilities are available
70 | - You need to find a specific plugin for a particular analysis task
71 | - You're unsure which plugin to use for a specific investigation goal
72 | The tool returns a comprehensive list of plugin names that can be used with the run_plugin tool.
73 | This is useful for discovering available analysis options before diving into specific analyses."""
74 | )
75 | def list_plugins() -> list[str]:
76 | """
77 | List all available Volatility3 plugins.
78 |
79 | Returns:
80 | List of plugin names
81 | """
82 | if vol_wrapper is None:
83 | return [
84 | "Error: Volatility3 not initialized. Call initialize_memory_file first."
85 | ]
86 |
87 | return vol_wrapper.available_plugins
88 |
89 |
90 | @mcp.tool(
91 | description="""Get detailed information about a specific Volatility3 plugin. Use this tool when:
92 | - You need to understand what a plugin does before using it
93 | - You want to learn about the requirements and parameters for a plugin
94 | - You're deciding which plugin is most appropriate for your analysis needs
95 | The tool provides the plugin's description and required parameters, helping you understand
96 | its purpose and how to use it effectively in your investigation."""
97 | )
98 | def get_plugin_info(plugin_name: str) -> str:
99 | """
100 | Get detailed information about a specific plugin.
101 |
102 | Args:
103 | plugin_name: Name of the plugin
104 |
105 | Returns:
106 | Plugin information including description and requirements
107 | """
108 | if vol_wrapper is None:
109 | return {
110 | "error": "Volatility3 not initialized. Call initialize_memory_file first."
111 | }
112 |
113 | return vol_wrapper.get_plugin_info(plugin_name)
114 |
115 |
116 | @mcp.tool(
117 | description="""Run any Volatility3 plugin with custom arguments. This is the most flexible analysis tool that
118 | gives you access to the full range of Volatility3 capabilities. Use this tool when:
119 | - You need to run a specific plugin not covered by the specialized tools
120 | - You want to provide custom arguments to a plugin
121 | - You're performing advanced analysis that requires specific plugin configurations
122 | - You need access to plugins that don't have dedicated wrapper functions
123 | The tool accepts the plugin name and an optional dictionary of arguments specific to that plugin.
124 | Results are returned as structured data that can be further analyzed and interpreted."""
125 | )
126 | def run_plugin(
127 | plugin_name: str, args: dict[str, Any] | None = None
128 | ) -> list[dict[str, Any]]:
129 | """
130 | Run a Volatility3 plugin with optional arguments.
131 |
132 | Args:
133 | plugin_name: Name of the plugin to run
134 | args: Optional dictionary of plugin arguments
135 |
136 | Returns:
137 | Plugin results as structured data
138 | """
139 | if vol_wrapper is None:
140 | return [
141 | {"error": "Volatility3 not initialized. Call initialize_memory_file first."}
142 | ]
143 |
144 | return vol_wrapper.run_plugin(plugin_name, args)
145 |
146 |
147 | @mcp.tool(
148 | description="""Get a comprehensive list of all processes from the memory dump. This tool should be used when:
149 | - You need to identify running processes at the time of memory capture
150 | - You're looking for suspicious or unexpected processes
151 | - You need process IDs for further analysis of specific processes
152 | - You want to establish a baseline of system activity
153 | The tool returns detailed information about each process including name, PID, PPID, start time,
154 | and memory information. This is often one of the first analyses to perform when investigating
155 | a memory dump to understand what was running on the system."""
156 | )
157 | def get_processes() -> list[dict[str, Any]]:
158 | """
159 | Get a list of processes from the memory dump.
160 |
161 | Returns:
162 | List of processes with details
163 | """
164 | if vol_wrapper is None:
165 | return [
166 | {"error": "Volatility3 not initialized. Call initialize_memory_file first."}
167 | ]
168 |
169 | return vol_wrapper.get_processes()
170 |
171 |
172 | @mcp.tool(
173 | description="""Retrieve all network connections from the memory dump. Use this tool when:
174 | - You're investigating potential command and control (C2) communications
175 | - You need to identify data exfiltration or unauthorized connections
176 | - You want to map process-to-network activity
177 | - You're looking for suspicious IPs, ports, or connection states
178 | The tool returns comprehensive information about each connection including local/remote addresses,
179 | ports, connection state, and the associated process. This is crucial for identifying malicious
180 | network activity and understanding how processes were communicating externally."""
181 | )
182 | def get_network_connections() -> list[dict[str, Any]]:
183 | """
184 | Get network connections from the memory dump.
185 |
186 | Returns:
187 | List of network connections with details
188 | """
189 | if vol_wrapper is None:
190 | return [
191 | {"error": "Volatility3 not initialized. Call initialize_memory_file first."}
192 | ]
193 |
194 | return vol_wrapper.get_network_connections()
195 |
196 |
197 | @mcp.tool(
198 | description="""List open handles for a specific process. Use this tool when:
199 | - You need to investigate which files, registry keys, or other resources a process has open
200 | - You're analyzing potential data exfiltration by examining file handles
201 | - You want to understand inter-process communication by examining shared handles
202 | - You're investigating malware behavior by examining its interaction with system resources
203 | - You need to determine if a process has access to sensitive system objects
204 |
205 | This tool works differently depending on the operating system:
206 | - On Windows: Lists file handles, registry keys, mutexes, events, and other Windows-specific objects
207 | - On Linux: Lists open files, sockets, pipes, and other file descriptors
208 |
209 | The output provides detailed information about each handle, including its type, permissions, and the
210 | object it references. This can be crucial for understanding process behavior and identifying suspicious activity."""
211 | )
212 | def list_process_open_handles(pid: int) -> dict[str, Any]:
213 | """
214 | List all open handles for a specific process.
215 |
216 | Args:
217 | pid: Process ID to list handles for
218 |
219 | Returns:
220 | Dictionary containing handle information for the specified process
221 | """
222 | if vol_wrapper is None:
223 | return {
224 | "error": "Volatility3 not initialized. Call initialize_memory_file first."
225 | }
226 |
227 | try:
228 | pid_int = int(pid)
229 | except ValueError:
230 | return {"error": "Invalid PID format. PID must be an integer."}
231 |
232 | return vol_wrapper.list_process_open_handles(pid_int)
233 |
234 |
235 | @mcp.tool(
236 | description="""Scan memory with YARA rules to detect malware signatures. This tool should be used when:
237 | - You need to identify known malware patterns in memory
238 | - You want to check for specific threat indicators
239 | - You're investigating potential compromise using signature-based detection
240 | - You have custom YARA rules for specific threats you're hunting
241 | Results include detailed match information with process context and rule metadata.
242 | This scanning usually takes a lot of time because we are scanning with extensive Yara rules list"""
243 | )
244 | def scan_with_yara() -> list[dict[str, Any]]:
245 | """
246 | Scan memory with YARA rules to detect malware signatures.
247 |
248 | Returns:
249 | List of matches with process and rule information
250 | """
251 | if vol_wrapper is None:
252 | return [
253 | {"error": "Volatility3 not initialized. Call initialize_memory_file first."}
254 | ]
255 |
256 | results = vol_wrapper.scan_with_yara()
257 |
258 | if not results:
259 | return {"message": "No malware detected", "matches": []}
260 | return results
261 |
262 |
263 | if __name__ == "__main__":
264 | mcp.run()
265 |
```
--------------------------------------------------------------------------------
/available-plugins.json:
--------------------------------------------------------------------------------
```json
1 | {
2 | "banners.Banners": "Attempts to identify potential linux banners in an image",
3 | "configwriter.ConfigWriter": "Runs the automagics and both prints and outputs configuration in the output directory.",
4 | "frameworkinfo.FrameworkInfo": "Plugin to list the various modular components of Volatility",
5 | "isfinfo.IsfInfo": "Determines information about the currently available ISF files, or a specific one",
6 | "layerwriter.LayerWriter": "Runs the automagics and writes out the primary layer produced by the stacker.",
7 | "linux.bash.Bash": "Recovers bash command history from memory.",
8 | "linux.boottime.Boottime": "Shows the time the system was started",
9 | "linux.capabilities.Capabilities": "Lists process capabilities",
10 | "linux.check_afinfo.Check_afinfo": "Verifies the operation function pointers of network protocols.",
11 | "linux.check_creds.Check_creds": "Checks if any processes are sharing credential structures",
12 | "linux.check_idt.Check_idt": "Checks if the IDT has been altered",
13 | "linux.check_modules.Check_modules": "Compares module list to sysfs info, if available",
14 | "linux.check_syscall.Check_syscall": "Check system call table for hooks.",
15 | "linux.ebpf.EBPF": "Enumerate eBPF programs",
16 | "linux.elfs.Elfs": "Lists all memory mapped ELF files for all processes.",
17 | "linux.envars.Envars": "Lists processes with their environment variables",
18 | "linux.hidden_modules.Hidden_modules": "Carves memory to find hidden kernel modules",
19 | "linux.iomem.IOMem": "Generates an output similar to /proc/iomem on a running system.",
20 | "linux.keyboard_notifiers.Keyboard_notifiers": "Parses the keyboard notifier call chain",
21 | "linux.kmsg.Kmsg": "Kernel log buffer reader",
22 | "linux.kthreads.Kthreads": "Enumerates kthread functions",
23 | "linux.library_list.LibraryList": "Enumerate libraries loaded into processes",
24 | "linux.lsmod.Lsmod": "Lists loaded kernel modules.",
25 | "linux.lsof.Lsof": "Lists open files for each processes.",
26 | "linux.malfind.Malfind": "Lists process memory ranges that potentially contain injected code.",
27 | "linux.mountinfo.MountInfo": "Lists mount points on processes mount namespaces",
28 | "linux.netfilter.Netfilter": "Lists Netfilter hooks.",
29 | "linux.pagecache.Files": "Lists files from memory",
30 | "linux.pagecache.InodePages": "Lists and recovers cached inode pages",
31 | "linux.pidhashtable.PIDHashTable": "Enumerates processes through the PID hash table",
32 | "linux.proc.Maps": "Lists all memory maps for all processes.",
33 | "linux.psaux.PsAux": "Lists processes with their command line arguments",
34 | "linux.pslist.PsList": "Lists the processes present in a particular linux memory image.",
35 | "linux.psscan.PsScan": "Scans for processes present in a particular linux image.",
36 | "linux.pstree.PsTree": "Plugin for listing processes in a tree based on their parent process ID.",
37 | "linux.ptrace.Ptrace": "Enumerates ptrace's tracer and tracee tasks",
38 | "linux.sockstat.Sockstat": "Lists all network connections for all processes.",
39 | "linux.tty_check.tty_check": "Checks tty devices for hooks",
40 | "linux.vmayarascan.VmaYaraScan": "Scans all virtual memory areas for tasks using yara.",
41 | "mac.bash.Bash": "Recovers bash command history from memory.",
42 | "mac.check_syscall.Check_syscall": "Check system call table for hooks.",
43 | "mac.check_sysctl.Check_sysctl": "Check sysctl handlers for hooks.",
44 | "mac.check_trap_table.Check_trap_table": "Check mach trap table for hooks.",
45 | "mac.dmesg.Dmesg": "Prints the kernel log buffer.",
46 | "mac.ifconfig.Ifconfig": "Lists network interface information for all devices",
47 | "mac.kauth_listeners.Kauth_listeners": "Lists kauth listeners and their status",
48 | "mac.kauth_scopes.Kauth_scopes": "Lists kauth scopes and their status",
49 | "mac.kevents.Kevents": "Lists event handlers registered by processes",
50 | "mac.list_files.List_Files": "Lists all open file descriptors for all processes.",
51 | "mac.lsmod.Lsmod": "Lists loaded kernel modules.",
52 | "mac.lsof.Lsof": "Lists all open file descriptors for all processes.",
53 | "mac.malfind.Malfind": "Lists process memory ranges that potentially contain injected code.",
54 | "mac.mount.Mount": "A module containing a collection of plugins that produce data typically found in Mac's mount command",
55 | "mac.netstat.Netstat": "Lists all network connections for all processes.",
56 | "mac.proc_maps.Maps": "Lists process memory ranges that potentially contain injected code.",
57 | "mac.psaux.Psaux": "Recovers program command line arguments.",
58 | "mac.pslist.PsList": "Lists the processes present in a particular mac memory image.",
59 | "mac.pstree.PsTree": "Plugin for listing processes in a tree based on their parent process ID.",
60 | "mac.socket_filters.Socket_filters": "Enumerates kernel socket filters.",
61 | "mac.timers.Timers": "Check for malicious kernel timers.",
62 | "mac.trustedbsd.Trustedbsd": "Checks for malicious trustedbsd modules",
63 | "mac.vfsevents.VFSevents": "Lists processes that are filtering file system events",
64 | "timeliner.Timeliner": "Runs all relevant plugins that provide time related information and orders the results by time.",
65 | "vmscan.Vmscan": "Scans for Intel VT-d structues and generates VM volatility configs for them",
66 | "windows.amcache.Amcache": "Extract information on executed applications from the AmCache.",
67 | "windows.bigpools.BigPools": "List big page pools.",
68 | "windows.cachedump.Cachedump": "Dumps lsa secrets from memory",
69 | "windows.callbacks.Callbacks": "Lists kernel callbacks and notification routines.",
70 | "windows.cmdline.CmdLine": "Lists process command line arguments.",
71 | "windows.cmdscan.CmdScan": "Looks for Windows Command History lists",
72 | "windows.consoles.Consoles": "Looks for Windows console buffers",
73 | "windows.crashinfo.Crashinfo": "Lists the information from a Windows crash dump.",
74 | "windows.devicetree.DeviceTree": "Listing tree based on drivers and attached devices in a particular windows memory image.",
75 | "windows.dlllist.DllList": "Lists the loaded modules in a particular windows memory image.",
76 | "windows.driverirp.DriverIrp": "List IRPs for drivers in a particular windows memory image.",
77 | "windows.drivermodule.DriverModule": "Determines if any loaded drivers were hidden by a rootkit",
78 | "windows.driverscan.DriverScan": "Scans for drivers present in a particular windows memory image.",
79 | "windows.dumpfiles.DumpFiles": "Dumps cached file contents from Windows memory samples.",
80 | "windows.envars.Envars": "Display process environment variables",
81 | "windows.filescan.FileScan": "Scans for file objects present in a particular windows memory image.",
82 | "windows.getservicesids.GetServiceSIDs": "Lists process token sids.",
83 | "windows.getsids.GetSIDs": "Print the SIDs owning each process",
84 | "windows.handles.Handles": "Lists process open handles.",
85 | "windows.hashdump.Hashdump": "Dumps user hashes from memory",
86 | "windows.hollowprocesses.HollowProcesses": "Lists hollowed processes",
87 | "windows.iat.IAT": "Extract Import Address Table to list API (functions) used by a program contained in external libraries",
88 | "windows.info.Info": "Show OS & kernel details of the memory sample being analyzed.",
89 | "windows.joblinks.JobLinks": "Print process job link information",
90 | "windows.kpcrs.KPCRs": "Print KPCR structure for each processor",
91 | "windows.ldrmodules.LdrModules": "Lists the loaded modules in a particular windows memory image.",
92 | "windows.lsadump.Lsadump": "Dumps lsa secrets from memory",
93 | "windows.malfind.Malfind": "Lists process memory ranges that potentially contain injected code.",
94 | "windows.mbrscan.MBRScan": "Scans for and parses potential Master Boot Records (MBRs)",
95 | "windows.memmap.Memmap": "Prints the memory map",
96 | "windows.mftscan.ADS": "Scans for Alternate Data Stream",
97 | "windows.mftscan.MFTScan": "Scans for MFT FILE objects present in a particular windows memory image.",
98 | "windows.modscan.ModScan": "Scans for modules present in a particular windows memory image.",
99 | "windows.modules.Modules": "Lists the loaded kernel modules.",
100 | "windows.mutantscan.MutantScan": "Scans for mutexes present in a particular windows memory image.",
101 | "windows.netscan.NetScan": "Scans for network objects present in a particular windows memory image.",
102 | "windows.netstat.NetStat": "Traverses network tracking structures present in a particular windows memory image.",
103 | "windows.orphan_kernel_threads.Threads": "Lists process threads",
104 | "windows.pe_symbols.PESymbols": "Prints symbols in PE files in process and kernel memory",
105 | "windows.pedump.PEDump": "Allows extracting PE Files from a specific address in a specific address space",
106 | "windows.poolscanner.PoolScanner": "A generic pool scanner plugin.",
107 | "windows.privileges.Privs": "Lists process token privileges",
108 | "windows.processghosting.ProcessGhosting": "Lists processes whose DeletePending bit is set or whose FILE_OBJECT is set to 0",
109 | "windows.pslist.PsList": "Lists the processes present in a particular windows memory image.",
110 | "windows.psscan.PsScan": "Scans for processes present in a particular windows memory image.",
111 | "windows.pstree.PsTree": "Plugin for listing processes in a tree based on their parent process ID.",
112 | "windows.psxview.PsXView": "Lists all processes found via four of the methods described in \"The Art of Memory Forensics\" which may help identify processes that are trying to hide themselves. I recommend using -r pretty if you are looking at this plugin's output in a terminal.",
113 | "windows.registry.certificates.Certificates": "Lists the certificates in the registry's Certificate Store.",
114 | "windows.registry.getcellroutine.GetCellRoutine": "Reports registry hives with a hooked GetCellRoutine handler",
115 | "windows.registry.hivelist.HiveList": "Lists the registry hives present in a particular memory image.",
116 | "windows.registry.hivescan.HiveScan": "Scans for registry hives present in a particular windows memory image.",
117 | "windows.registry.printkey.PrintKey": "Lists the registry keys under a hive or specific key value.",
118 | "windows.registry.userassist.UserAssist": "Print userassist registry keys and information.",
119 | "windows.scheduled_tasks.ScheduledTasks": "Decodes scheduled task information from the Windows registry, including information about triggers, actions, run times, and creation times.",
120 | "windows.sessions.Sessions": "lists Processes with Session information extracted from Environmental Variables",
121 | "windows.shimcachemem.ShimcacheMem": "Reads Shimcache entries from the ahcache.sys AVL tree",
122 | "windows.skeleton_key_check.Skeleton_Key_Check": "Looks for signs of Skeleton Key malware",
123 | "windows.ssdt.SSDT": "Lists the system call table.",
124 | "windows.statistics.Statistics": "Lists statistics about the memory space.",
125 | "windows.strings.Strings": "Reads output from the strings command and indicates which process(es) each string belongs to.",
126 | "windows.suspicious_threads.SuspiciousThreads": "Lists suspicious userland process threads",
127 | "windows.svcdiff.SvcDiff": "Compares services found through list walking versus scanning to find rootkits",
128 | "windows.svclist.SvcList": "Lists services contained with the services.exe doubly linked list of services",
129 | "windows.svcscan.SvcScan": "Scans for windows services.",
130 | "windows.symlinkscan.SymlinkScan": "Scans for links present in a particular windows memory image.",
131 | "windows.thrdscan.ThrdScan": "Scans for windows threads.",
132 | "windows.threads.Threads": "Lists process threads",
133 | "windows.timers.Timers": "Print kernel timers and associated module DPCs",
134 | "windows.truecrypt.Passphrase": "TrueCrypt Cached Passphrase Finder",
135 | "windows.unhooked_system_calls.unhooked_system_calls": "Looks for signs of Skeleton Key malware",
136 | "windows.unloadedmodules.UnloadedModules": "Lists the unloaded kernel modules.",
137 | "windows.vadinfo.VadInfo": "Lists process memory ranges.",
138 | "windows.vadwalk.VadWalk": "Walk the VAD tree.",
139 | "windows.vadyarascan.VadYaraScan": "Scans all the Virtual Address Descriptor memory maps using yara.",
140 | "windows.verinfo.VerInfo": "Lists version information from PE files.",
141 | "windows.virtmap.VirtMap": "Lists virtual mapped sections.",
142 | "yarascan.YaraScan": "Scans kernel memory using yara rules (string or file).",
143 | }
144 |
```