Article on how to use Memoryze and Audit Viewer for malware analysis
Written by Peter Silberman
I know not everyone reads OpenRCE, but it has been a favorite haunt of mine since Pedram launched it. Over the holiday, I posted an article there about how to use Memoryze and Audit Viewer to do malware analysis since that has always been one of my hobbies.
See Memoryze Memory Forensics Tool at OpenRCE.
NOTE: John O. pointed out that having spaces in your path where Memoryze was installed may prevent Audit Viewer from launching Memoryze because of how batch scripts’ input is interpreted. If you install Memoryze in a path with no spaces you should be fine.
Thanks to Pedram for helping with the post to OpenRCE and to Danny Quist at Offensive Computing for his blog entry.
Tags: Audit Viewer, malware analysis, Memoryze, offensive computing, openrce
New Audit Viewer for Memoryze
Written by Jamie Butler

If you are tired of trying to load Memoryze’s results into Internet Explorer or into an Excel spreadsheet, check out the new viewer from Peter Silberman. The Audit Viewer is written in Python and comes with the BSD license because you know best how you want to view your data.
Audit Viewer allows the incident responder or forensic analyst to quickly view complex XML output in an easily readable format. Using familiar grouping of data and search capabilities, Audit Viewer makes memory analysis quicker and more intuitive.
Check out these features:
- Process data can be viewed on a per-process basis or in its entirety by double clicking the root node, “Processes”. For example, when you double click on “Processes” and then click on the Files tab, all the file handles open on the host are displayed from least frequently to most frequently occurring.
- Ability to search Files, Processes, Mutants, Events, Registry Keys, and Strings using plain text or regex.
- Ability to load multiple Memoryze result sets contained in the same directory.
- Handle types are separated out into more abstract types representing the logical type of the handle such as Files, Directories (part of the Object Manager’s namespace), Processes, Keys, Mutants, and Events.
- Memory sections with names are displayed under the DLLs tab.
- Layered drivers are displayed in a tree view. This is useful for finding certain types of keyboard sniffers, network sniffers, and file filtering drivers.
- Integrated with Memoryze to seamlessly acquire drivers and processes from live memory and images.
- Ability to scan all processes for “questionable” executable sections. These sections have the EXECUTE_READWRITE flag but no name.
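As an added example (not Audit Viewer’s own code, which this post does not reproduce), the Python below runs two of the scans listed above over a constructed Memoryze-style result set: the host-wide file handle frequency view and the “questionable” section check for EXECUTE_READWRITE sections with no name. The XML element and attribute names are assumptions for illustration, not Memoryze’s actual schema.

```python
"""Two Audit Viewer heuristics re-implemented over Memoryze-style XML.
Element/attribute names are a constructed approximation, not Memoryze's real schema."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample result set (assumed layout): two processes with handles and sections.
SAMPLE_XML = r"""<ProcessList>
  <Process pid="512" name="explorer.exe">
    <Handle type="File" name="\Device\HarddiskVolume1\Windows\System32\ntdll.dll"/>
    <Handle type="File" name="\Device\HarddiskVolume1\Users\alice\report.docx"/>
    <Handle type="Mutant" name="ShimCacheMutex"/>
    <Section name="\Windows\System32\ntdll.dll" base="0x7C900000" protection="EXECUTE_READ"/>
    <Section name="" base="0x02A10000" protection="EXECUTE_READWRITE"/>
  </Process>
  <Process pid="1044" name="svchost.exe">
    <Handle type="File" name="\Device\HarddiskVolume1\Windows\System32\ntdll.dll"/>
    <Section name="" base="0x00150000" protection="READWRITE"/>
    <Section name="\Windows\System32\rpcss.dll" base="0x76B00000" protection="EXECUTE_READWRITE"/>
  </Process>
</ProcessList>"""

def file_handle_frequency(root):
    """Count every File handle host-wide, least frequent first: the ordering Audit
    Viewer shows on the Files tab when the root 'Processes' node is double-clicked."""
    names = (h.get("name") for h in root.iter("Handle") if h.get("type") == "File")
    return sorted(Counter(names).items(), key=lambda kv: (kv[1], kv[0]))

def questionable_sections(root):
    """Return (pid, process, base) for sections that are EXECUTE_READWRITE and have
    no backing name; a named, file-backed image or a plain READWRITE heap is skipped."""
    hits = []
    for proc in root.iter("Process"):
        for sec in proc.iter("Section"):
            if sec.get("protection") == "EXECUTE_READWRITE" and not sec.get("name"):
                hits.append((int(proc.get("pid")), proc.get("name"), sec.get("base")))
    return hits

def analyze(xml_text):
    """Parse one result set and run both scans."""
    root = ET.fromstring(xml_text)
    return {"file_handles": file_handle_frequency(root),
            "questionable": questionable_sections(root)}

if __name__ == "__main__":
    result = analyze(SAMPLE_XML)
    for name, count in result["file_handles"]:
        print(f"{count:3d}  {name}")
    for pid, proc, base in result["questionable"]:
        print(f"questionable section in {proc} ({pid}) at {base}")
```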
Get the goods, Audit Viewer 1.0.0.7! Want to learn how to harness this power? Check out Audit Viewer PDF.
Special thanks to Peter for spending his nights and weekends to make this available.
Tags: Memory analysis, memory forensics, Memoryze, Memoryze GUI, open source