Malhunt
Hunt malware in memory dumps with Volatility3
Malhunt is an automated malware hunting tool that analyzes memory dumps using Volatility3, applying YARA rules, code injection scanning, and network analysis to identify suspicious processes.
Features
- π Memory Profile Detection - Automatic identification of Windows/Linux memory dumps
- π YARA Rule Scanning - Apply multiple YARA rules for malware detection
- π Injection Detection - Identify injected code and suspiciously allocated memory
- π Network Analysis - Detect suspicious network connections
- π¦ Artifact Collection - Extract and preserve suspicious process memory
- π‘οΈ Antivirus Integration - Scan artifacts with ClamAV
- π Comprehensive Reporting - Detailed logs and findings
Quick Start
Installation
Requirements
- Python 3.9+
- Volatility3 (β₯2.0.0)
- Git (optional; previously used for downloading YARA rules)
- ClamAV (optional, for antivirus scanning)
- Poetry (for development; users can use pip)
Via pip (Recommended for Users)
pip install volatility3 yara-python ruff loguru pyclamd requests pydantic
pip install malhunt
From source with Poetry (For Development)
git clone https://github.com/andreafortuna/malhunt.git
cd malhunt
poetry install
poetry run malhunt --help
From source with pip
git clone https://github.com/andreafortuna/malhunt.git
cd malhunt
pip install -e .
malhunt --help
Usage
With Poetry (Development)
poetry run malhunt /path/to/memory.dump
poetry run malhunt /path/to/memory.dump --rules custom_rules.yar
poetry run malhunt /path/to/memory.dump --verbose
With pip (Direct Installation)
malhunt /path/to/memory.dump
malhunt /path/to/memory.dump --rules custom_rules.yar
malhunt /path/to/memory.dump --verbose
Help and Version
malhunt --help # Show all options
malhunt --version # Show version
How It Works
Malhunt applies a systematic approach for malware discovery in memory:
- Initialization - Validates memory dump and locates Volatility3 binary
- Cache Cleanup - Removes old YARA rules (> 1 day) and temporary files
- Rule Preparation - Downloads latest YARA rules from YaraβForge ZIP archive (or uses cached version)
- Fetches
yara-rules-full.yarfrom the YaraβForge release page - Filters incompatible YARA rules
- Writes the result to
malware_rules.yarin the user cache
- Fetches
- Profile Identification - Detects OS variant from memory dump
using Volatility3's
windows.infoplugin. Malhunt parses the plugin output and, if necessary, constructs and validates candidate profiles (falling back to suggested profiles or a small set of common names), mirroring the official Volatility3 recommendation for automatic detection. - Phase 1: YARA Scanning - π Applies comprehensive YARA rules (3310+ rules) to memory
- Phase 2: Malfind Scanning - π Detects injected code and suspicious memory allocations
- Phase 3: Network Scanning - π Analyzes network connections for malicious IPs
- Artifact Collection - Dumps suspicious process memory and extracts handle information
- Antivirus Scanning - π‘οΈ Scans artifacts with ClamAV (if available)
- Reporting - Generates structured logs and preserves artifacts for investigation
Architecture
src/malhunt/
βββ __init__.py # Package initialization
βββ __main__.py # CLI entry point
βββ core.py # Main orchestration logic
βββ volatility.py # Volatility3 wrapper
βββ scanner.py # YARA/Malfind/Network scanners
βββ artifacts.py # Artifact collection & antivirus
βββ models.py # Data models
βββ utils.py # Utility functions
Output
Malhunt creates an <dump_name>_artifacts/ directory containing:
- Process memory dumps (
.binfiles) - Process handles information (
.handlesfiles) - Scan results and logs
Migration from Volatility2
If you're using the older v0.1 version with Volatility2, see MIGRATION.md for upgrade instructions.
Development
Setting Up Dev Environment
cd /path/to/malhunt
# Install all dependencies including dev tools
poetry install
# Run tests
poetry run pytest tests/ -v
# Run with coverage
poetry run pytest tests/ --cov=src/malhunt --cov-report=html
# Code quality checks
poetry run black src/malhunt tests/
poetry run ruff check src/malhunt tests/
poetry run mypy src/malhunt
Building Documentation
# Install docs dependencies
poetry install --with docs
# Build Sphinx documentation
cd docs
make html
# Open _build/html/index.html
Running Malhunt in Development
# Via Poetry
poetry run malhunt /path/to/dump.vmem
# Via Python module
poetry run python3 -m malhunt /path/to/dump.vmem
Requirements
Core Dependencies
- Python 3.9+ (tested with 3.9, 3.10, 3.11)
- Volatility3 (β₯2.0.0) - Memory forensics framework
- YARA-Python (β₯4.3.0) - Malware identification engine
- Pydantic (β₯2.0.0) - Data validation
- Loguru (β₯0.7.0) - Structured logging
- Requests (β₯2.32.0) - HTTP client for IP checking
- PyClamd (β₯0.4.0) - ClamAV integration
System Requirements
- Git (optional) - previously used for cloning rules, no longer required
- ClamAV (optional) - Antivirus scanning support
Build & Development
- Poetry (β₯1.0.0) - Project/dependency management
- Pytest (β₯7.0.0) - Testing framework
- Black (β₯23.0.0) - Code formatting
- Ruff (β₯0.1.0) - Linting
- MyPy (β₯1.0.0) - Type checking
Configuration
Malhunt stores configuration and cached data in ~/.malhunt/:
Cache Files
malware_rules.yar- Merged YARA rules (auto-updated if > 1 day old)
Customization
Volatility3 execution can be customized via VolatilityConfig:
from pathlib import Path
from malhunt import Malhunt
from malhunt.volatility import VolatilityConfig
# Custom timeout and retry settings
config = VolatilityConfig(
timeout=600, # 10 minutes
retry_count=3, # Retry up to 3 times
retry_delay=2.0, # 2 seconds between retries
cache_results=True # Cache command results
)
mh = Malhunt(Path("dump.vmem"), vol_config=config)
mh.run_full_analysis()
Troubleshooting
See TROUBLESHOOTING.md for common issues and solutions.
Contributing
Contributions are welcome! Please see CONTRIBUTING.md for guidelines.
License
MIT License - See LICENSE file for details
Author
Andrea Fortuna - @andreafortuna
- Website: https://andreafortuna.org
- Email: andrea@andreafortuna.org
References
Disclaimer
This tool is intended for authorized security testing and malware analysis only. Ensure you have proper authorization before analyzing memory dumps. The authors are not responsible for misuse or damage caused by this tool.