Advertisements

Memoryze – Memory Forensics Tool

Memoryze is a free memory forensic software that helps incident responders find evil in live memory. It can acquire and/or analyze memory images and on live systems can include the paging file in its analysis.

Memoryze can:
  • Image the full range of system memory (no reliance on API calls).
  • Image a process’ entire address space to disk, including a process’ loaded DLLs, EXEs, heaps and stacks.
  • Image a specified driver or all drivers loaded in memory to disk.
  • Enumerate all running processes (including those hidden by rootkits), including:
    • Report all open handles in a process (including all files, registry keys, etc.)
    • List the virtual address space of a given process including all loaded DLLs and all allocated portions of the heap and stack
    • List all network sockets that the process has open, including any hidden by rootkits.
    • Specify the functions imported and exported by the EXE and DLLs.
    • Hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256.  This is disk based).
    • Verify the digital signatures of the EXEs and DLLs (disk-based).
    • Output all strings in memory on a per-process basis.
  • Identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:
    • Specify the functions the driver imports and exports.
    • Hash the driver (MD5, SHA1, and SHA256. disk-based).
    • Verify the digital signature of the driver (disk-based).
    • Output all strings in memory on a per driver basis.
  • Report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
  • Identify all loaded kernel modules by walking a linked list. Identify hooks (often used by rootkits) in system call table, the interrupt descriptor tables (IDTs) and driver function tables.
 
Memoryze for the Mac can:
  • Image the full range of system memory
  • Acquire individual process memory regions
  • Enumerate all running processes (including those hidden by rootkits).
  • For each process Memoryze for the Mac can:
    • Report all open file handles in a process (including all files, sockets, pipes, etc)
    • List the virtual address space of a process including:
      • loaded libraries
      • allocated portions of heap and execution stack
      • network connections
      • all loaded kernel extensions, including those hidden by rootkits
      • system call table and mach trap table
      • all running mach tasks
      • ASLR support
It can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.

Advertisements

Leave a Reply

Your email address will not be published. Required fields are marked *

Advertisements
Advertisements
Advertisements
Advertisements
%d bloggers like this: