MALM Malware Monitor 1.2
MALM Malware Monitor is a tiny and practical utility that can be used by malware researchers and other security specialists to determine the location of malware agents after they infiltrate systems. This can be done from the command-line console.
MALM works by making a record of new processes, executable heaps and modules loaded by existing processes since the moment it's deployed. When you ask it to stop the monitor, it compiles a report with all changes made to those processes, heaps and modules, telling you exactly what happened there.
Recorded changes include the ID, filename and extension of each process, along with the type of action (e.g. new process, terminated, no longer accessible from the current process security token).
The monitoring can be stopped with Ctrl+C. However, you should know that MALM doesn't generate a text document with the report. Instead, it shows the details in the console, grouped by process.
By default, the report is created by continuously taking snapshots and printing report data incrementally. If you want to skip this and just get hold of the final report, you can use quick mode (-q flag). If you want to ask MALM to stop recording without needing your intervention (useful if you plan to step away from the computer), you can set a time limit (-t [seconds]).
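The snapshot comparison described above can be sketched as follows. This is an added example, not MALM's code: the snapshot layout (`Proc`), the function names and all sample values are assumptions constructed for illustration, and executable heaps are left out. It also handles PID reuse, where the same process ID reappears with a different executable.

```python
# Added illustration of snapshot diffing as the review describes it.
# Snapshot layout and sample values are constructed; this is not MALM's code.
from typing import NamedTuple

class Proc(NamedTuple):
    image: str            # executable filename
    accessible: bool      # can the monitor's security token still open the process?
    modules: frozenset    # names of loaded modules

def diff_snapshots(before, after):
    """Return (pid, image, action) events between two {pid: Proc} snapshots."""
    events = []
    for pid in sorted(before.keys() | after.keys()):
        old, new = before.get(pid), after.get(pid)
        if old is None:
            events.append((pid, new.image, "new process"))
        elif new is None:
            events.append((pid, old.image, "terminated"))
        elif old.image != new.image:
            # PID reuse: the OS gave the same ID to a different executable.
            events.append((pid, old.image, "terminated"))
            events.append((pid, new.image, "new process"))
        else:
            if old.accessible and not new.accessible:
                events.append((pid, new.image, "no longer accessible"))
            for mod in sorted(new.modules - old.modules):
                events.append((pid, new.image, "new module: " + mod))
    return events

def monitor(snapshots):
    """Diff each consecutive pair of snapshots and accumulate the events."""
    report = []
    for before, after in zip(snapshots, snapshots[1:]):
        report.extend(diff_snapshots(before, after))
    return report

# Constructed sample data: three snapshots taken in sequence.
SNAPSHOTS = [
    {100: Proc("explorer.exe", True, frozenset({"ntdll.dll"})),
     200: Proc("notepad.exe", True, frozenset({"ntdll.dll"}))},
    {100: Proc("explorer.exe", True, frozenset({"ntdll.dll", "sample.dll"})),
     200: Proc("dropper.exe", True, frozenset({"ntdll.dll"})),
     300: Proc("svc.exe", True, frozenset())},
    {100: Proc("explorer.exe", True, frozenset({"ntdll.dll", "sample.dll"})),
     300: Proc("svc.exe", False, frozenset())},
]

if __name__ == "__main__":
    for pid, image, action in monitor(SNAPSHOTS):
        print(f"[{pid}] {image}: {action}")
```

In this sample, comparing only the first and last snapshot would never show `dropper.exe`, which starts and exits between them; diffing every consecutive pair catches it.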
The utility worked smoothly during our tests, using few system resources. It carried out scanning operations and generated reports swiftly.
With its straightforward commands, MALM Malware Monitor offers a simple way for malware researchers to analyze the behavior of malware samples, namely the places where agents reside after execution.