'Memoryze' utility pinpoints malware code in live memory
Jamie Butler, a Windows internals expert who co-wrote the definitive book on rootkits, has created a free forensics tool capable of finding malicious code in live memory.The utility, called Mandiant Memoryze, was released at this year's Hack in the Box conference in Kuala Lumpur, Malaysia.
Jamie Butler, a Windows internals expert who co-wrote the definitive book on rootkits, has created a free forensics tool capable of finding malicious code in live memory.
The utility, called Mandiant Memoryze, was released at this year's Hack in the Box conference in Kuala Lumpur, Malaysia.
Memoryze is a free memory analysis tool that can acquire physical memory from a Windows system and can also perform advanced analysis of live memory while a computer is running. It allows incident responders to quickly identify everything that is running on a computer and filter the output looking for evidence of compromise.
In Mandiant's forensics lab, Butler said Memoryze is used to find memory resident-only shellcode, that does not exist on disk. "If the attacker is there, Memoryze can pull the malicious code directly from memory, so our malware analysis team can begin the analysis," he added.
Memoryze features include:
image the full range of system memory (not reliant on API calls).
image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps, and stacks.
image a specified driver or all drivers loaded in memory to disk.
enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
report all open handles in a process (for example, all files, registry keys, etc.).
list the virtual address space of a given process including:
displaying all loaded DLLs.
displaying all allocated portions of the heap and execution stack.
list all network sockets that the process has open, including any hidden by rootkits.
output all strings in memory on a per process basis.
identify all drivers loaded in memory, including those hidden by rootkits.
report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
identify all loaded kernel modules by walking a linked list.
identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).
Mandiant says the tool can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.
Memoryze (free download) supports Windows 2000 Service Pack 4, Windows XP Service Pack 2 and Service Pack 3 (32-bit), and Windows 2003 Service Pack 2 (32-bit).