Threat Research Blog

Memory forensics on Windows 7 (x86 and x64) and Windows 2008 x64

Next month Memoryze will be two years old and a lot has changed over that time. There has been a lot of interesting research in the field of memory forensics, and responders are finding value in the analysis.

Platform Support

From a tool perspective, other than the addition of a GUI called Audit Viewer and the added usability that the Malware Rating Index (MRI) provides, the most noticeable change is the expanding platform support. Today, we are announcing the release of Memoryze 1.4.2900 which has added support for:

  • Windows 7 64-bit
  • Windows 7 32-bit*
  • Windows 2008 64-bit*

This is in addition to the platforms Memoryze already supported:

  • Windows 2000 Service Pack 4 (32-bit)
  • Windows XP Service Pack 2 and Service Pack 3 (32-bit)
  • Windows Vista Service Pack 1 and Service Pack 2 (32-bit)
  • Windows 2003 Service Pack 2 (32-bit)
  • Windows 2003 Service Pack 2 (64-bit)

Attacks Against Memory Forensic Tools

Brendan Dolan-Gavitt et. al. published a great article in the Proceedings of the ACM Conference on Computer and Communications Security (CCS) [1]. In it, they discuss an attack against memory forensic tools that would cause the tools to be blind to the existence of specially modified processes. As Brendan states in his blog, this attack has been known about for some time and requires a rootkit on the part of the intruder in order to modify the desired process(es). Memoryze has expanded upon their research by modifying the detection algorithm slightly and adding support for all the operating systems Memoryze supports. This work by Dolan-Gavitt, Srivastava, Traynor, and Griffin is sure to motivate change. If you would like to test your existing tools or validate that Memoryze is now resilient, Brendan has made a memory image available for download from his blog.

Speed Improvements

In addition to platform support and resilience to recent DKOM attacks, Memoryze is now as much as 40% faster depending on memory size and configuration parameters. This and some of the other improvements made should make string enumeration a lot better.

Portable Installation

Peter Villadsen fixed a bug in the way Memoryze used to install that required the user to use "-portable" at the command line when running Memoryze. Obviously, this broke Audit Viewer because of the way it invokes Memoryze. Now that has been fixed. When you are installing Memoryze to be used portably, you must use special options to msiexec.

msiexec /a MemoryzeSetup.msi /qb TARGETDIR=portable_drive_and_folder

The portable_drive_and_folder should be the drive letter of the USB key and the folder you want to install Memoryze into such as H:Memoryze

Now, the first time you run portable Memoryze it will create several files; therefore, you cannot make the media read-only yet. After that, you should be set to run Memoryze off a USB key or CD-Rom. You can have Audit Viewer invoke Memoryze or use the *.bat files that are included.

It has been fun over the past two years working with our user base and our consultants as they have ran this code over literally hundreds of thousands of hosts. I am looking forward to what the next two years bring.

Download Memoryze NOW

[1] Dolan-Gavitt, B., Srivastava, A., Traynor, P., and Giffin, J., "Robust signatures for kernel data structures," in Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2009.

The "*" means that complete regression testing on those platforms has not been completed, but we felt the feature was important enough to users to get the feature out as soon as it was available.