Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps
General
Quincy is a memory forensic tool that detects Host-Based Code Injection Attacks (HBCIAs) in memory dumps. This is the prototype implementation of Quincy referenced in the paper “Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps” published at DIMVA 2017. Its detection is based on various features that are extracted from a memory dump with the help of the Volatility framework, and it employs tree-based machine learning algorithms (CART, RandomForest, ExtraTrees, AdaBoost, GradientBoosting; all included in scikit-learn) for decision making.
Why Quincy?
There are several reasons why you might want to give Quincy a try:
- First open source machine learning approach to detect HBCIAs in memory dumps
- Integration of other approaches (malfind, hollowfind) to compare results
- Integration of VirusTotal to quickly scan suspicious memory areas
- Prefiltering of known memory areas (based on clean base image) to improve scanning performance
- Easily extendable (see Extending Quincy)
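The prefiltering step listed above (dropping memory areas that are unchanged relative to a clean base image, so that only new or modified regions reach feature extraction) is illustrated here with an added example. This is not Quincy's own code; it assumes a region is described by start address, size, page protection and its bytes, roughly as Volatility's VAD plugins expose it, and the regions below are constructed sample data.

```python
import hashlib
from collections import namedtuple

# Constructed stand-in for what Volatility's VAD plugins expose per region:
# start address, size, page protection and the region's bytes.
Region = namedtuple("Region", ["start", "size", "protection", "data"])


def region_key(region):
    """Identity of a region independent of its contents."""
    return (region.start, region.size, region.protection)


def content_hash(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(base_regions):
    """Index the clean base image: region key -> hash of its bytes."""
    return dict((region_key(r), content_hash(r.data)) for r in base_regions)


def prefilter(baseline, sample_regions):
    """Split the sample's regions into (known, candidates).

    known: same key and identical bytes as in the baseline; the scanner skips these.
    candidates: absent from the baseline or with changed bytes; these go on to
    feature extraction. A whole-region hash is coarse: a single patched byte
    (e.g. an inline hook) flags the entire region, which is the safe direction
    for a prefilter to err in.
    """
    known, candidates = [], []
    for r in sample_regions:
        if baseline.get(region_key(r)) == content_hash(r.data):
            known.append(r)
        else:
            candidates.append(r)
    return known, candidates


def candidate_starts(base_regions, sample_regions):
    _, candidates = prefilter(build_baseline(base_regions), sample_regions)
    return [r.start for r in candidates]


# Constructed sample: a mapped image and a heap exist in the clean image; in the
# suspect dump the image has one patched byte and a new RWX region has appeared.
BASE = [Region(0x77000000, 0x1000, "PAGE_EXECUTE_READ", b"\x55\x8b\xec" * 16),
        Region(0x00400000, 0x1000, "PAGE_READWRITE", b"\x00" * 48)]
SAMPLE = [Region(0x77000000, 0x1000, "PAGE_EXECUTE_READ", b"\xe9\x8b\xec" + b"\x55\x8b\xec" * 15),
          Region(0x00400000, 0x1000, "PAGE_READWRITE", b"\x00" * 48),
          Region(0x00a00000, 0x1000, "PAGE_EXECUTE_READWRITE", b"\x90" * 48)]

if __name__ == "__main__":
    print([hex(s) for s in candidate_starts(BASE, SAMPLE)])  # ['0x77000000', '0xa00000']
```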
Installation
Dependencies
General
Please install the following tools:
- volatility (version 2.5)
- mongodb (version 2.6.10)
- VirtualBox (version 5.0.10)
- python (version 2.7.12)
- genisoimage (version 1.1.11)
Newer versions may also work.
Python
For the Python dependencies, use pip:
Please note: for Windows 10 memory dumps, you might have to install volatility from the repository and patch it!