Find Evil in Live Memory
Mandiant’s Memoryze™ is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and on live systems can include the paging file in its analysis.
- Image the full range of system memory (no reliance on API calls).
- Image a process' entire address space to disk, including a process' loaded DLLs, EXEs, heaps and stacks.
- Image a specified driver or all drivers loaded in memory to disk.
- Enumerate all running processes (including
those hidden by rootkits), including:
- Report all open handles in a process (including all files, registry keys, etc.)
- List the virtual address space of a given process including all loaded DLLs and all allocated portions of the heap and stack
- List all network sockets that the process has open, including any hidden by rootkits.
- Specify the functions imported and exported by the EXE and DLLs.
- Hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256. This is disk based).
- Verify the digital signatures of the EXEs and DLLs (disk-based).
- Output all strings in memory on a per-process basis.
- Identify all drivers loaded in memory, including those hidden by
rootkits. For each driver, Memoryze can:
- Specify the functions the driver imports and exports.
- Hash the driver (MD5, SHA1, and SHA256. disk-based).
- Verify the digital signature of the driver (disk-based).
- Output all strings in memory on a per driver basis.
- Report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
- Identify all loaded kernel modules by walking a linked list. Identify hooks (often used by rootkits) in system call table, the interrupt descriptor tables (IDTs) and driver function tables.
Mandiant’s Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.
Memoryze officially supports:
- Windows 2000 Service Pack 4 (32-bit)
- Windows XP Service Pack 2 and Service Pack 3 (32-bit)
- Windows Vista Service Pack 1 and Service Pack 2 (32-bit)
- Windows Vista Service Pack 2 (64-bit)*
- Windows 2003 Service Pack 2 (32-bit and 64-bit)
- Windows 7 Service Pack 0 (32-bit and 64-bit)
- Windows 2008 Service Pack 1 and Service Pack 2 (32-bit)*
- Windows 2008 R2 Service Pack 0 (64-bit)
- Windows 8 Service Pack 0 (32-bit and 64-bit)*
- Windows Server 2012 Service Pack 0 (64-bit)*
* means support for a new operating system without experience on millions of hostIn order to visualize Memoryze’s output, please download Redline or use an XML viewer. Redline is Mandiant’s premier free tool for investigating hosts for signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.
Current Version: Memoryze 3.0
Release Date: July 23, 2013
Memoryze 3.0 introduces:
Forensic reporting of all 12 TCP states
The ability to import Memoryze 3.0 output into Redline for viewing
Support for the following operating systems:
Windows 8 x86 and x64, Windows Server 2012 x64
Support for IPv6
Several bug fixes
File Size: 8.21 MB