This repository contains the implementation of the detection framework described in our paper.
The file named 'Memory-Resident Samples' Hash' lists the SHA-256 hashes of the 1050 memory-resident malware samples collected in this work.
Please install the following tools:
- VMware Workstation (version 16.0.0)
- Python (version 3.7)
MRm-DLDet runs without any special installation. However, you have to prepare a few things before first use.
If you would like to create your own models, you need to set up virtual machines (VMs). Install at least one Windows 10 VM with VMware Workstation. Configure and harden the VM as needed, then take a snapshot of it; MRm-DLDet uses this snapshot as the clean base state from which samples are started.
After placing the malicious and benign samples to be detected in the virtual machine, run this script: it rolls the VM back to the 'clean' snapshot, runs the malicious or benign program, and then takes a snapshot of the VM to obtain a memory dump of the samples as they run.
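The revert, run, snapshot cycle above, as an added example that is not the MRm-DLDet project's own script. It drives VMware Workstation through its `vmrun` command-line tool; the VM path, snapshot name, guest credentials and sample directory are placeholders you must replace. It relies on the fact that snapshotting a powered-on Workstation VM writes the guest's RAM to a `.vmem` file next to the `.vmx`, which is the memory dump the later conversion step consumes.

```python
"""Added example (not MRm-DLDet's own code): one analysis cycle with vmrun."""
import glob
import ntpath
import os
import subprocess
import time

# Placeholders (assumed, not taken from the paper). Keep the analysis VM on
# host-only networking and never share host folders into it.
VMRUN = "vmrun"                                   # vmrun binary shipped with VMware Workstation
VMX = r"C:\VMs\win10-analysis\win10-analysis.vmx"  # the hardened Windows 10 VM
CLEAN_SNAPSHOT = "clean"                          # snapshot taken after hardening
GUEST_USER, GUEST_PASS = "analyst", "password"    # guest account used by runProgramInGuest
GUEST_SAMPLE_DIR = r"C:\samples"                  # where the samples were copied beforehand
DWELL_SECONDS = 120                               # how long the sample runs before the snapshot


def vmrun_cycle(sample_name: str, run_snapshot: str) -> list:
    """Return the labelled vmrun argument lists for one cycle, in order:
    revert to the clean base, power on, launch the sample inside the guest,
    then snapshot the running VM (which dumps guest memory to a .vmem)."""
    base = [VMRUN, "-T", "ws"]
    guest = ["-gu", GUEST_USER, "-gp", GUEST_PASS]
    sample = ntpath.join(GUEST_SAMPLE_DIR, sample_name)  # guest is Windows, so use ntpath
    return [
        ("revert", base + ["revertToSnapshot", VMX, CLEAN_SNAPSHOT]),
        ("start", base + ["start", VMX, "nogui"]),
        ("run", base + guest + ["runProgramInGuest", VMX, "-noWait", sample]),
        ("snapshot", base + ["snapshot", VMX, run_snapshot]),
    ]


def newest_vmem(vm_dir: str):
    """Pick the most recently written .vmem in the VM directory: each snapshot
    of a powered-on VM produces a fresh one, so the newest is this run's dump."""
    paths = glob.glob(os.path.join(vm_dir, "*.vmem"))
    return max(paths, key=os.path.getmtime) if paths else None


def run_cycle(sample_name: str, run_snapshot: str, dry_run: bool = True):
    """Execute the cycle; with dry_run=True only print the commands.
    Returns the path of the captured .vmem (None in dry-run mode)."""
    for label, cmd in vmrun_cycle(sample_name, run_snapshot):
        if label == "snapshot":
            # Let the sample execute before freezing its memory.
            print(f"waiting {DWELL_SECONDS}s for the sample to run")
            if not dry_run:
                time.sleep(DWELL_SECONDS)
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)  # abort the cycle on any vmrun failure
    return None if dry_run else newest_vmem(os.path.dirname(VMX))


if __name__ == "__main__":
    # Dry run: shows the exact vmrun invocations without touching a VM.
    run_cycle("sample.exe", "run-0001", dry_run=True)
```

Run it once with `dry_run=True` to check the generated commands, then switch to `dry_run=False` for real captures; the returned `.vmem` path is what you hand to the dump-to-image step.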
This script converts one dump file to an RGB image.
Cut the ultra-high-resolution RGB image with a non-overlapping sliding window.
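The two preprocessing steps above (dump file to RGB image, then non-overlapping window cut) as one added example; this is not the project's own code, and the paper's actual image width and window size are not given on this page, so the `width` and `win` values and the decision to zero-pad the remainder rather than discard it are assumptions. It uses only the standard library and writes a binary PPM so the result can be viewed without an imaging package.

```python
"""Added example (not MRm-DLDet's own code): memory dump -> RGB image -> tiles."""
import sys


def bytes_to_rgb(data: bytes, width: int):
    """Map each run of 3 consecutive bytes to one (R, G, B) pixel, `width`
    pixels per row. The tail is zero-padded to a full row so no byte is lost."""
    if width <= 0:
        raise ValueError("width must be positive")
    row_bytes = width * 3
    padded = data + bytes(-len(data) % row_bytes)
    rows = []
    for off in range(0, len(padded), row_bytes):
        chunk = padded[off:off + row_bytes]
        rows.append([tuple(chunk[i:i + 3]) for i in range(0, row_bytes, 3)])
    return rows


def pad_image(image, win: int):
    """Zero-pad height and width up to a multiple of `win` so a stride-`win`
    cut covers the whole image (assumed choice; the page does not say whether
    MRm-DLDet pads or drops the remainder)."""
    h = len(image)
    w = len(image[0]) if h else 0
    new_w = -(-w // win) * win   # ceiling division
    new_h = -(-h // win) * win
    black = (0, 0, 0)
    rows = [row + [black] * (new_w - len(row)) for row in image]
    rows += [[black] * new_w for _ in range(new_h - h)]
    return rows


def cut_windows(image, win: int):
    """Slide a win x win window with stride == win (so tiles never overlap)
    over the padded image; tiles are returned in row-major order."""
    padded = pad_image(image, win)
    tiles = []
    for y in range(0, len(padded), win):
        for x in range(0, len(padded[0]), win):
            tiles.append([row[x:x + win] for row in padded[y:y + win]])
    return tiles


def to_ppm(image) -> bytes:
    """Serialise the image as binary PPM (P6); viewable with most image tools."""
    h = len(image)
    w = len(image[0]) if h else 0
    header = f"P6\n{w} {h}\n255\n".encode()
    body = bytes(c for row in image for px in row for c in px)
    return header + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:    # e.g. a captured .vmem file
            dump = f.read()
    else:
        dump = bytes(range(256)) * 4          # constructed stand-in for a dump
    img = bytes_to_rgb(dump, width=16)        # width is an assumed value
    tiles = cut_windows(img, win=8)           # window size is an assumed value
    print(f"{len(img)} rows x {len(img[0])} px -> {len(tiles)} tiles of 8x8")
    with open("dump.ppm", "wb") as out:
        out.write(to_ppm(img))
```

For a real dump choose `width` so the image is square-ish (roughly the square root of the byte count divided by 3) and keep `win` equal to the input size of the network; zero-padding means every tile has the same shape, which is what a batched classifier expects.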
Liu Jiaxi, Feng Yun, Liu Xinyu, et al. MRm-DLDet: a memory-resident malware detection framework based on memory forensics and deep neural network[J]. Cybersecurity, 2023, 6(1): 21.