Exploring Artifacts in Heap Memory with Heap Inspector
Please welcome the latest addition to Mandiant's free forensic gadget grab bag: Heap Inspector. This tool is the manifestation of a very simple idea a colleague and I came up with several months ago when discussing the prevalence of heap sprays as a staging mechanism for most exploits in the wild today (and why anti-virus/HIPS products did not recognize and block heap sprays in progress). The idea was simple: a heap spray stores identical copies of the same block of data hundreds of times on the heap, so why not hash each chunk in an application's heap space and report the patterns that repeat? The idea grew into a full-featured tool for visualizing and searching an application's heap space in near real time. I presented Heap Inspector at a <a title="turbo talk" href="http://blackhat.com/html/bh-us-11/bh-us-11-briefings.html#LeMasters" target="_blank">turbo talk</a> this year at Black Hat USA 2011.
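The hash-and-count idea behind the tool, as an added illustration that is not Heap Inspector's own code: every chunk is hashed, chunks are grouped by (hash, size), and any group larger than a threshold is reported. The heap here is constructed in-process (400 separately allocated copies of one 4 KiB sled-plus-marker block mixed with 60 differing blocks) rather than read out of another process, and the chunk list, FNV-1a hash and threshold of 16 are this example's assumptions, not the tool's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A heap chunk as an inspector would enumerate it: base address and size. */
struct chunk { const unsigned char *addr; size_t size; };
/* A group of chunks with identical contents (same size, same hash). */
struct cluster { uint64_t hash; size_t size; size_t count; };
struct keyed { uint64_t hash; size_t size; };

/* 64-bit FNV-1a (assumed here; non-cryptographic but cheap). A collision
 * only yields a false repeat that a byte compare of the group would reject. */
static uint64_t fnv1a64(const unsigned char *b, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

static int cmp_keyed(const void *a, const void *b)
{
    const struct keyed *x = a, *y = b;
    if (x->hash != y->hash) return x->hash < y->hash ? -1 : 1;
    if (x->size != y->size) return x->size < y->size ? -1 : 1;
    return 0;
}

/* Hash every chunk, sort by (hash, size), count runs. Groups of at least
 * `threshold` chunks go to out[] (up to out_cap); returns how many there were. */
size_t find_repeats(const struct chunk *chunks, size_t n, size_t threshold,
                    struct cluster *out, size_t out_cap)
{
    struct keyed *keys = malloc(n * sizeof *keys);
    size_t found = 0;
    if (!keys) return 0;
    for (size_t i = 0; i < n; i++) {
        keys[i].hash = fnv1a64(chunks[i].addr, chunks[i].size);
        keys[i].size = chunks[i].size;
    }
    qsort(keys, n, sizeof *keys, cmp_keyed);
    for (size_t i = 0; i < n;) {
        size_t j = i + 1;
        while (j < n && cmp_keyed(&keys[i], &keys[j]) == 0) j++;
        if (j - i >= threshold) {
            if (found < out_cap) {
                out[found].hash = keys[i].hash;
                out[found].size = keys[i].size;
                out[found].count = j - i;
            }
            found++;
        }
        i = j;
    }
    free(keys);
    return found;
}

/* Constructed sample heap, not a real process: SPRAY_CHUNKS malloc'd copies
 * of one 0x90 sled ending in a 0xCC marker, plus NOISE_CHUNKS unique blocks. */
#define SPRAY_CHUNKS 400
#define NOISE_CHUNKS 60
#define SPRAY_SIZE   4096
#define NOISE_SIZE   256
#define THRESHOLD    16

static size_t build_simulated_heap(struct chunk *heap)
{
    unsigned char spray[SPRAY_SIZE];
    size_t n = 0;
    memset(spray, 0x90, SPRAY_SIZE);
    memset(spray + SPRAY_SIZE - 8, 0xcc, 8);
    for (size_t i = 0; i < SPRAY_CHUNKS; i++) {
        unsigned char *p = malloc(SPRAY_SIZE);
        if (!p) exit(1);
        memcpy(p, spray, SPRAY_SIZE);
        heap[n].addr = p; heap[n].size = SPRAY_SIZE; n++;
    }
    for (size_t i = 0; i < NOISE_CHUNKS; i++) {
        unsigned char *p = malloc(NOISE_SIZE);
        if (!p) exit(1);
        memset(p, (int)(i * 7 + 1), NOISE_SIZE);
        p[0] = (unsigned char)i;            /* every noise block differs */
        heap[n].addr = p; heap[n].size = NOISE_SIZE; n++;
    }
    return n;
}

/* Build the sample heap, report repeating groups, free the chunks.
 * Returns the largest group's size; *n_groups gets the number of groups. */
size_t demo_spray_detect(size_t *n_groups)
{
    static struct chunk heap[SPRAY_CHUNKS + NOISE_CHUNKS];
    struct cluster hits[8];
    size_t n = build_simulated_heap(heap);
    size_t found = find_repeats(heap, n, THRESHOLD, hits, 8);
    size_t largest = 0;
    for (size_t i = 0; i < found && i < 8; i++) {
        printf("%zu chunks of %zu bytes share hash %016llx\n", hits[i].count,
               hits[i].size, (unsigned long long)hits[i].hash);
        if (hits[i].count > largest) largest = hits[i].count;
    }
    for (size_t i = 0; i < n; i++) free((void *)heap[i].addr);
    if (n_groups) *n_groups = found;
    return largest;
}

size_t demo_group_count(void) { size_t g = 0; demo_spray_detect(&g); return g; }
```

Against the constructed heap this reports one group of 400 identical 4096-byte chunks and nothing else. On a real process the same logic needs two practical adjustments: chunks are enumerated from the target (on Windows, through the heap-walking APIs rather than by allocating them yourself), and all-zero or otherwise common filler blocks should be excluded or given a much higher threshold, since legitimate caches and zeroed buffers also repeat.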