Find evil in live memory

Mandiant’s Memoryze™ is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and, on live systems, can include the paging file in its analysis.

Memoryze can:
- Image the full range of system memory (no reliance on API
- Image a process' entire address space to disk, including a process' loaded DLLs, EXEs, heaps and stacks.
- Image a specified driver or all drivers loaded in memory to disk.
- Enumerate all running processes (including those hidden by rootkits), including:
  - Report all open handles in a process (including all files, registry keys, etc.).
  - List the virtual address space of a given process, including all loaded DLLs and all allocated portions of the heap and execution stack.
  - List all network sockets that the process has open, including any hidden by rootkits.
  - Specify the functions imported and exported by the EXE and DLLs.
  - Hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256; this is disk-based).
  - Verify the digital signatures of the EXEs and DLLs (disk-based).
  - Output all strings in memory on a per-process basis.
- Identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:
  - Specify the functions the driver imports and exports.
  - Hash the driver (MD5, SHA1, and SHA256).
  - Verify the digital signature of the driver (disk-based).
  - Output all strings in memory on a per-driver basis.
  - Report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
- Identify all loaded kernel modules by walking a linked list. Identify hooks (often used by rootkits) in the system call table, the interrupt descriptor tables (IDTs) and driver function tables.
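As an added illustration (not Memoryze's code, and not a description of its internals), the following Python script shows the cross-view idea behind finding processes "hidden by rootkits" in a memory image: walk the kernel's doubly linked process list the way a normal listing does, scan the same memory for process records by their pool tag the way a carving scan does, and report anything the scan finds that the list walk misses. A rootkit that unlinks its process from the list hides it from the first view but not from the second. The record layout, the pool tag, the image contents and the process names are all constructed for this example.

```python
import struct

# Constructed toy "memory image": fixed-size process records, little-endian.
# Layout: flink:u32, blink:u32, pid:i32, tag:4 bytes, name:16 bytes (NUL padded).
# Real kernel process structures are far larger; only the idea is kept here.
REC_FMT = "<IIi4s16s"
REC_SIZE = struct.calcsize(REC_FMT)   # 32 bytes per record
TAG = b"Proc"                         # constructed pool tag for this example

def build_record(flink, blink, pid, name):
    """Pack one process record at the toy layout above."""
    return struct.pack(REC_FMT, flink, blink, pid, TAG, name)

def _decode(pid, name):
    return pid, name.rstrip(b"\0").decode("ascii")

def walk_process_list(image, head_off, max_steps=1024):
    """View 1: follow the forward links from the list head back to itself,
    exactly as a normal process listing would. Unlinked records are invisible."""
    seen = []
    off = struct.unpack_from("<I", image, head_off)[0]   # head.flink
    for _ in range(max_steps):
        if off == head_off:                               # back at the head: done
            break
        if off + REC_SIZE > len(image) or off % REC_SIZE:
            raise ValueError(f"bad flink 0x{off:x}")       # pointer outside the image
        flink, _blink, pid, _tag, name = struct.unpack_from(REC_FMT, image, off)
        seen.append(_decode(pid, name))
        off = flink
    else:
        raise ValueError("process list does not terminate (cycle?)")
    return seen

def scan_process_records(image):
    """View 2: carve every record-aligned offset that carries the process tag,
    regardless of whether anything still links to it. The list head (pid 0) is skipped."""
    found = []
    for off in range(0, len(image) - REC_SIZE + 1, REC_SIZE):
        _flink, _blink, pid, tag, name = struct.unpack_from(REC_FMT, image, off)
        if tag != TAG or pid <= 0:
            continue
        found.append(_decode(pid, name))
    return found

def find_hidden_processes(image, head_off=0):
    """Cross-view: records the carving scan finds but the list walk does not."""
    listed = set(walk_process_list(image, head_off))
    return [rec for rec in scan_process_records(image) if rec not in listed]

# Constructed image: head -> explorer -> svchost -> notepad -> head.
# The record at offset 128 keeps stale link values but nothing points at it,
# which is what an unlinked (rootkit-hidden) process looks like.
IMAGE = b"".join([
    build_record(32, 96, 0, b"head"),            # offset 0, list head
    build_record(64, 0, 1234, b"explorer.exe"),  # offset 32
    build_record(96, 32, 2000, b"svchost.exe"),  # offset 64
    build_record(0, 64, 3100, b"notepad.exe"),   # offset 96
    build_record(0, 96, 6660, b"unlinked.exe"),  # offset 128, not reachable from the list
    bytes(REC_SIZE),                             # offset 160, zeroed slack, no tag
])

if __name__ == "__main__":
    print("list walk :", walk_process_list(IMAGE, 0))
    print("tag scan  :", scan_process_records(IMAGE))
    print("hidden    :", find_hidden_processes(IMAGE))
```

The point of keeping the two views separate is that each one fails differently: a list walk is precise but trusts the kernel's links, a tag scan is resilient to unlinking but can also surface records of processes that have already exited. Disagreement between the views is the signal to investigate, not proof on its own.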
Memoryze for the Mac can:
- Image the full range of system memory.
- Image individual process memory regions.
- Enumerate all running processes (including those hidden by rootkits). For each process Memoryze for the Mac can:
  - Report all open file handles in a process (including all files, sockets, pipes, etc.).
  - List the virtual address space of a process:
    - loaded libraries
    - portions of heap and execution stack
- All loaded kernel extensions, including those hidden by rootkits.
- System call table and mach
- All running mach tasks.

Mandiant’s Memoryze can perform all these functions on live system memory or memory image files, whether they were acquired by Memoryze or by other memory acquisition tools.