Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps
General
Quincy is a memory forensic tool that detects Host-Based Code Injection Attacks (HBCIAs) in memory dumps. This is the prototpye implementation of Quincy referenced in the paper “Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps” published at DIMVA 2017. Its detection is based on various features that are extracted from a memory dump with the help of the Volatility framework and it employs tree-based machine learning algorithms (CART, RandomForest, ExtraTrees, AdaBoost, GradientBoosting; all included in scikit-learn) for decision making.
Why Quincy?
There are several reasons why you might want to give Quincy a try:
- First open source machine learning approach to detect HBCIAs in memory dumps
- Integration of other approaches (malfind, hollowfind) to compare results
- Integration of VirusTotal to quickly scan suspicious memory areas
- Prefiltering of known memory areas (based on clean base image) to improve scanning performance
- Easily extendable (see Extending Quincy)
Installation
Dependencies
General
Please install the following tools:
- volatility (version 2.5)
- mongodb (version 2.6.10)
- VirtualBox (version 5.0.10)
- python (version 2.7.12)
- genisoimage (version 1.1.11)
Newer version may also work.
Python
For Python independencies use pip:
Please note: for Windows 10 memory dumps, you might have to install volatility from the repository and patch it!
