MANDIANT Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.
MANDIANT Memoryze features:
image the full range of system memory (not reliant on API calls).
image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps and stacks.
image a specified driver or all drivers loaded in memory to disk.
enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
report all open handles in a process (for example, all files, registry keys, etc.).
list the virtual address space of a given process including:
displaying all loaded DLLs.
displaying all allocated portions of the heap and execution stack.
list all network sockets that the process has open, including any hidden by rootkits.
specify the functions imported by the EXE and DLLs.
specify the functions exported by the EXE and DLLs.
hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256. This is disk based.)
verify the digital signatures of the EXE and DLLs. (This is disk based.)
output all strings in memory on a per process basis.
identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:
specify the functions the driver imports.
specify the functions the driver exports.
hash the driver (MD5, SHA1, SHA256. This is disk based.)
verify the digital signature of the driver (This is disk based.)
output all strings in memory on a per driver basis.
report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
identify all loaded kernel modules by walking a linked list.
identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs) and driver function tables (IRP tables).
MANDIANT Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.
Memoryze officially supports:
Windows 2000 Service Pack 4 (32-bit)
Windows XP Service Pack 2 and Service Pack 3 (32-bit)
Windows Vista Service Pack 1 and Service Pack 2 (32-bit)
Windows 2003 Service Pack 2 (32-bit)
Windows 2003 Service Pack 2 (64-bit)
Windows 7 Service Pack 0 (32-bit)
Windows 7 Service Pack 0 (64-bit)
*Windows 2008 Service Pack 1 and Service Pack 2 (32-bit)
Windows 2008 R2 Service Pack 0 (64-bit)
Memoryze provides a simple to use batch script to acquire physical memory. After installing Memoryze:
Open a command shell (cmd.exe)
Change directories to where you installed Memoryze. The default is C:\Program Files\Mandiant\Memoryze\
Type MemoryDD.bat
To write the image to a specific directory, type MemoryDD.bat –output followed by the target directory
Incident Response and Malware Analysis
Memoryze allows the analyst to perform a broad survey of what is running on a system when executing against an image. For the broad survey, Memoryze can identify all running processes and loaded drivers. In the case of processes, the analyst can delve deeper to find all ports open by a process, all strings used by a process, and all open handles of a process – to include filenames, Registry Keys, and many more.
To identify all the running processes, type “Process.bat”.
To identify all open ports, type “Process.bat –ports true”.
To identify all open handles, type “Process.bat -handles true”. Warning: The output may be large if run against every process. To specify a particular process, type “Process.bat –pid” followed by the process ID.
To identify all processes with their associated memory sections, type “Process.bat –sections true”. This could be used to find all loaded DLLs.
To identify all processes with their associated strings, type “Process.bat –strings true”. Warning: The output is very large and the audit may take tens of minutes if run against every process. To specify a particular process, type “Process.bat –pid” followed by the process ID.
To really delve deep into an individual process, you can specify the PID and include all of the parameters listed.
To identify all drivers loaded, type “DriverSearch.bat”.
To identify all modules loaded – to include drivers and kernel level executables such as NTOSKRNL.EXE and HAL.DLL – type “DriverWalkList.bat”. This list could be compared to the list of drivers reported by DriverSearch.bat to find hidden drivers.
The reverse engineer can now acquire an image of a process or driver with all its binary sections from physical memory. This allows the researcher to avoid anti-debugging techniques employed by malware and reconstitute the process or driver from memory to disk to be used in the researcher’s favorite disassembler.
To create an image of a process:
“ProcessDD.bat -pid” followed by the process ID, to acquire a process from a running system
“ProcessDD.bat -pid” followed by the process ID, to acquire a process from an image file rather than the running system
Creating an image of a driver is very similar:
“DriverDD.bat -driver” followed by the driver name, to acquire a driver from a running system
“DriverDD.bat -driver” followed by the driver name, to acquire a driver from an image file rather than the running system
Rootkit and hook detection
Rootkits often cloak themselves by hooking vital portions of the operating system. Memoryze can detect these hooks; however, the presence of a hook is not always malicious. Many security products also hook the operating system to enforce stricter security policies. Memoryze can identify hooked kernel components such as the System Call Table, the System Call functions themselves, and portions of all the Interrupt Descriptor Tables (IDTs) on the system. Device drivers also expose several functions that Memoryze checks.
To check for hooks:
“HookDetection.bat” to check the running system
“HookDetection.bat -input” followed by the image file, to check an image
To check for hidden processes, you could compare the output from Process.bat to other process listing tools such as Task Manager and look for differences.
Memoryze can also do rootkit detection by looking for the presence of hidden drivers. By comparing the output of drivers from DriverSearch.bat and DriverWalkList.bat, you can identify drivers that were hidden. Note: Some entries that are in DriverWalkList’s output will not exist in DriverSearch’s output. This is not evidence of something hidden. Kernel level DLLs and EXEs like HAL.DLL and NTOSKRNL.EXE will not be displayed by DriverSearch.bat.
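The two cross-checks described above (Process.bat against Task Manager for hidden processes, and DriverWalkList.bat against DriverSearch.bat for hidden drivers) are the same set comparison, with the caveat that NTOSKRNL.EXE and HAL.DLL are expected to appear only in the linked-list walk. The script below is an added example, not part of Memoryze; it assumes the analyst has already extracted the module or process names from each output into plain lists, and the sample lists are constructed.

```python
# Added example (not Memoryze code): cross-check a linked-list walk
# against an independent memory scan and report the discrepancies.
from typing import Iterable

# Kernel-level executables that DriverWalkList.bat lists but
# DriverSearch.bat does not; their absence from the scan is expected.
EXPECTED_SEARCH_GAPS = {"ntoskrnl.exe", "hal.dll"}

# Constructed sample outputs, not real Memoryze results.
SAMPLE_WALKLIST = ["ntoskrnl.exe", "hal.dll", "ntfs.sys", "tcpip.sys", "disk.sys"]
SAMPLE_SEARCH = ["NTFS.SYS", "tcpip.sys", "disk.sys", "hidden.sys"]


def normalize(names: Iterable[str]) -> set:
    """Case-fold and strip names so 'NTFS.SYS' and 'ntfs.sys' compare equal."""
    return {n.strip().lower() for n in names if n.strip()}


def cross_check(walked: Iterable[str], searched: Iterable[str],
                expected_gaps: Iterable[str] = EXPECTED_SEARCH_GAPS) -> dict:
    """Compare the linked-list view (walked) with the scan view (searched).

    hidden_from_walk:   present in the scan but unlinked from the list,
                        the classic sign of a rootkit hiding a driver/process
    missing_from_scan:  listed by the walk but not found by the scan, after
                        discounting the expected kernel-image gaps
    expected_gaps_seen: walk entries whose absence from the scan is normal
    """
    w, s, gaps = normalize(walked), normalize(searched), normalize(expected_gaps)
    return {
        "hidden_from_walk": s - w,
        "missing_from_scan": (w - s) - gaps,
        "expected_gaps_seen": (w - s) & gaps,
    }


if __name__ == "__main__":
    # For processes, pass the Task Manager list as `walked` and the
    # Process.bat list as `searched`, with an empty expected_gaps set.
    for key, names in cross_check(SAMPLE_WALKLIST, SAMPLE_SEARCH).items():
        print(f"{key}: {sorted(names) or '-'}")
```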