Find evil in live memory
Mandiant’s Memoryze™ is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and, when run on a live system, can include the paging file in its analysis.
- Image the full range of system memory (no reliance on API calls).
- Image a process’ entire address space to disk, including a process’ loaded DLLs, EXEs, heaps and stacks.
- Image a specified driver or all drivers loaded in memory to disk.
- Enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
  - Report all open handles in the process (including all files, registry keys, etc.).
  - List the virtual address space of the process, including all loaded DLLs and all allocated portions of the heap and stack.
  - List all network sockets that the process has open, including any hidden by rootkits.
  - Specify the functions imported and exported by the EXE and DLLs.
  - Hash the EXE and DLLs in the process address space (MD5, SHA1 and SHA256; disk-based).
  - Verify the digital signatures of the EXEs and DLLs (disk-based).
  - Output all strings in memory on a per-process basis.
- Identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:
  - Specify the functions the driver imports and exports.
  - Hash the driver (MD5, SHA1 and SHA256; disk-based).
  - Verify the digital signature of the driver (disk-based).
  - Output all strings in memory on a per-driver basis.
- Report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
- Identify all loaded kernel modules by walking a linked list. Identify hooks (often used by rootkits) in the system call table, the interrupt descriptor tables (IDTs) and driver function tables.
Memoryze for the Mac can:
- Image the full range of system memory.
- Acquire individual process memory regions.
- Enumerate all running processes (including those hidden by rootkits). For each process, Memoryze for the Mac can:
  - Report all open file handles in the process (including all files, sockets, pipes, etc.).
  - List the virtual address space of the process, including:
    - loaded libraries
    - allocated portions of the heap and execution stack
    - network connections
- Identify all loaded kernel extensions, including those hidden by rootkits.
- Examine the system call table and Mach trap table.
- Enumerate all running Mach tasks.
- ASLR support.
Mandiant’s Memoryze can perform all these functions on live system memory or on memory image files, whether they were acquired by Memoryze or by other memory acquisition tools.