Threat Research Blog

Memoryze now supports Vista SP1 and F-response


If you ever tried to run Memoryze on Vista, you may have been pleasantly surprised to find it already supported memory acquisition on this platform. It was designed with that in mind from the start, but it was still kind of cool when I tested it and it worked. Now, I am happy to report that Memoryze 1.3.0 has beta support for memory analysis on Vista SP1.

What does beta support mean? Well since Memoryze has moved ahead of the roadmap for MANDIANT Intelligent Response with this Vista rollout, we have not had the months of testing on this platform or at an enterprise level with all the possible configurations. That said, we do have two known issues:

  • Memoryze 1.3.0 does not yet support port enumeration on Vista.
  • When enumerating sections, Memoryze may find process sections that are invalid (they have been freed and are no longer in use). These invalid sections may have incorrect start addresses or a size that is too large because the kernel has overwritten part of the section data. This only becomes an issue if you are enumerating strings and Memoryze hits an invalid section range. This will result in extremely long run times for the audit (imagine trying to find all the strings in a 600 MB section).

Should I download Memoryze 1.3.0 if I am not concerned with analyzing Vista memory? Yes, we have made many improvements in this release related to sanitizing the dataset.


While testing this release, we thought it would be cool to try Memoryze in conjunction with F-response. F-response can expose a remote host's memory as a physical drive and Memoryze can open that physical drive just like a saved memory image and analyze it. When running against an image, Memoryze always checks the size of the file so it does not seek past the end of the file during analysis. The only tweak we had to make was to make that check a disk size check as opposed to a file size check.

How do you use Memoryze with F-response? Simply setup F-response according to the directions and set your input file in Memoryze's batch scripts to \.PhysicalDrive2 or whatever drive F-response exposes as the target's memory.

I would like to thank Matthew Shannon for providing me with an evaluation license of F-response.

Download Memoryze 1.3.0 now!