Analysis tool – Memoryze


Memoryze

Find evil in live memory

Mandiant’s Memoryze™ is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and on live systems can include the paging file in its analysis.

Source:fireeye

Memoryze can:

  • Image the full range of system memory (no reliance on API calls).
  • Image a process’ entire address space to disk, including a process’ loaded DLLs, EXEs, heaps and stacks.
  • Image a specified driver or all drivers loaded in memory to disk.
  • Enumerate all running processes (including those hidden by rootkits), including:
    • Report all open handles in a process (including all files, registry keys, etc.)
    • List the virtual address space of a given process including all loaded DLLs and all allocated portions of the heap and stack
    • List all network sockets that the process has open, including any hidden by rootkits.
    • Specify the functions imported and exported by the EXE and DLLs.
    • Hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256.  This is disk based).
    • Verify the digital signatures of the EXEs and DLLs (disk-based).
    • Output all strings in memory on a per-process basis.
  • Identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:
    • Specify the functions the driver imports and exports.
    • Hash the driver (MD5, SHA1, and SHA256. disk-based).
    • Verify the digital signature of the driver (disk-based).
    • Output all strings in memory on a per driver basis.
  • Report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
  • Identify all loaded kernel modules by walking a linked list. Identify hooks (often used by rootkits) in system call table, the interrupt descriptor tables (IDTs) and driver function tables.

Memoryze for the Mac can:

  • Image the full range of system memory
  • Acquire individual process memory regions
  • Enumerate all running processes (including those hidden by rootkits).
  • For each process Memoryze for the Mac can:
    • Report all open file handles in a process (including all files, sockets, pipes, etc)
    • List the virtual address space of a process including:
      • loaded libraries
      • allocated portions of heap and execution stack
      • network connections
      • all loaded kernel extensions, including those hidden by rootkits
      • system call table and mach trap table
      • all running mach tasks
      • ASLR support

Mandiant’s Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: