
gleeda / Memtriage

Allows you to quickly query a Windows machine for RAM artifacts

Programming Languages

python
139335 projects - #7 most used programming language

Projects that are alternatives of or similar to Memtriage

Volatility
An advanced memory forensics framework
Stars: ✭ 5,042 (+2421%)
Mutual labels:  memory, malware
Malconfscan
Volatility plugin that extracts configuration data from known malware
Stars: ✭ 327 (+63.5%)
Mutual labels:  memory, malware
moneta
Moneta is a live usermode memory analysis tool for Windows with the capability to detect malware IOCs
Stars: ✭ 384 (+92%)
Mutual labels:  memory, malware
Malconfscan With Cuckoo
Cuckoo Sandbox plugin that extracts configuration data from known malware
Stars: ✭ 110 (-45%)
Mutual labels:  memory, malware
Unified Hosts Autoupdate
Quickly and easily install, uninstall, and set up automatic updates for any of Steven Black's unified hosts files.
Stars: ✭ 185 (-7.5%)
Mutual labels:  malware
Lisa
Sandbox for automated Linux malware analysis.
Stars: ✭ 177 (-11.5%)
Mutual labels:  malware
Anteater
Anteater - CI/CD Gate Check Framework
Stars: ✭ 174 (-13%)
Mutual labels:  malware
Misp Taxonomies
Taxonomies used in the MISP taxonomy system; they can also be used by other information-sharing tools.
Stars: ✭ 168 (-16%)
Mutual labels:  malware
Onewirehub
OneWire slave device emulator
Stars: ✭ 195 (-2.5%)
Mutual labels:  memory
Process Governor
This application allows you to put various limits on a Windows process.
Stars: ✭ 190 (-5%)
Mutual labels:  memory
Mysql Magic
dump mysql client password from memory
Stars: ✭ 183 (-8.5%)
Mutual labels:  memory
Redis Rdb Cli
Redis rdb CLI: a CLI tool that can parse, filter, split and merge rdb files and analyze memory usage offline. It can also sync data between two Redis instances and lets users define their own sink service to migrate Redis data elsewhere.
Stars: ✭ 176 (-12%)
Mutual labels:  memory
Wgcloud
Linux operations monitoring tool; monitors system information, memory, CPU, temperature, disk space and I/O, disk SMART data, system load, network traffic and more, with an API, large-screen dashboards, topology diagrams, process monitoring, port monitoring, Docker monitoring, file tamper protection, log monitoring, data visualization, web SSH, a bastion host, batch command dispatch and execution, a Linux panel, probes and fault alerting.
Stars: ✭ 2,669 (+1234.5%)
Mutual labels:  memory
Energizedprotection
A merged collection of hosts from reputable sources. #StayEnergized!
Stars: ✭ 175 (-12.5%)
Mutual labels:  malware
Blackweb
Domains Blocklist for Squid-Cache
Stars: ✭ 189 (-5.5%)
Mutual labels:  malware
Evasions
Evasions encyclopedia gathers methods used by malware to evade detection when run in virtualized environment. Methods are grouped into categories for ease of searching and understanding. Also provided are code samples, signature recommendations and countermeasures within each category for the described techniques.
Stars: ✭ 173 (-13.5%)
Mutual labels:  malware
Php Antimalware Scanner
AMWScan (PHP Antimalware Scanner) is a free tool that scans PHP files and analyzes your project to find any malicious code inside it.
Stars: ✭ 181 (-9.5%)
Mutual labels:  malware
Ios Monitor Platform
📚 iOS performance-monitoring SDK: research and notes compiled during the development of Wedjat (华狄特)
Stars: ✭ 2,316 (+1058%)
Mutual labels:  memory
Unityheapexplorer
A Memory Profiler, Debugger and Analyzer for Unity 2019.3 and newer.
Stars: ✭ 179 (-10.5%)
Mutual labels:  memory
Cypher
Pythonic ransomware proof of concept.
Stars: ✭ 178 (-11%)
Mutual labels:  malware

memtriage (previously lmem)

Allows you to quickly query a live Windows machine for RAM artifacts

This tool utilizes the Winpmem drivers to access physical memory, and Volatility for analysis.

Caveats:

Volatility Plugins

The following are currently supported:

  • apihooks
  • atoms
  • cmdline
  • dlldump
  • dlllist
  • driverirp
  • dumpfiles
  • envars
  • getsids
  • handles
  • ldrmodules
  • malfind
  • moddump
  • modules
  • netscan
  • privs
  • procdump
  • pslist
  • psxview
  • shimcachemem
  • svcscan
  • vaddump
  • vadinfo
  • verinfo
  • volshell
  • yarascan

Example Usage

usage: memtriage.exe [-h] [--unload] [--load] [--debug] [--service SERVICE]
                     [--output OUTPUT] [--dumpdir DUMPDIR] [--base BASE]
                     [--offset OFFSET] [--memory MEMORY] [--pid PID] [--leave]
                     [--plugins PLUGINS] [--physoffset PHYSOFFSET]
                     [--physical] [--ignore] [--regex REGEX] [--name NAME]
                     [--keepname] [--outfile OUTFILE] [--yararules YARARULES]
                     [--yarafile YARAFILE] [--kernel] [--all] [--case]
                     [--wide] [--size SIZE] [--reverse REVERSE]

Memtriage options:

optional arguments:
  -h, --help            show this help message and exit
  --unload              Unload the driver and exit
  --load                Load the driver and exit
  --debug               Output debug messages while running
  --service SERVICE     Change the service name (default: pmem)
  --output OUTPUT       Output type: json/text/csv
  --dumpdir DUMPDIR     Directory to dump files to
                        (dlldump,procdump,moddump,vaddump,dumpfiles)
  --base BASE           Base of PE file to dump (dlldump,procdump,moddump)
  --offset OFFSET       Physical offset of process to act on
                        (dlldump,procdump,moddump,vaddump,dumpfiles)
  --memory MEMORY       Carve as a memory sample rather than exe/disk
                        (dlldump,procdump,moddump)
  --pid PID             Operate on this process ID
  --leave               Leave pmem service running with driver
  --plugins PLUGINS     Comma delimited list of plugins to run: apihooks atoms
                        cmdline dlldump dlllist driverirp dumpfiles envars
                        getsids handles ldrmodules malfind moddump modules
                        netscan privs procdump pslist psxview shimcachemem
                        svcscan vaddump vadinfo verinfo volshell yarascan
  --physoffset PHYSOFFSET
                        Dump File Object at physical address PHYSOFFSET
                        (dumpfiles)
  --physical            Display the physical address of object
                        (pslist,handles,modules)
  --ignore              Ignore case in pattern match (dumpfiles,verinfo)
  --regex REGEX         Dump files matching REGEX (dumpfiles,driverirp,privs)
  --name NAME           Name of process/object to operate on
  --keepname            Keep original file name (dumpfiles)
  --outfile OUTFILE     Combined output file (default: stdout)
  --yararules YARARULES
                        Yara rule given on the commandline (yarascan)
  --yarafile YARAFILE   Yara rules given as a file (yarascan)
  --kernel              Scan kernel memory (yarascan)
  --all                 Scan both process and kernel memory (yarascan)
  --case                Make the search case insensitive (yarascan)
  --wide                Match wide (unicode) strings (yarascan)
  --size SIZE           Size of preview hexdump in bytes (default: 256)
                        (yarascan)
  --reverse REVERSE     Reverse [REVERSE] number of bytes (default: 0)
                        (yarascan)

No Need to Specify Profiles

Memtriage will attempt to figure out the profile automatically and run with the appropriate settings. If there is not an exact match, Memtriage will attempt to use the closest named profile available. Therefore, there is a possibility that object definitions won't line up exactly (process names, for example), which you may also see when running Volatility with an incorrect profile. Profiles can be added to the Volatility code, and the executable can be recompiled with pyinstaller.

Loading and Unloading the Driver

By default, memtriage.exe will attempt to load the driver when it first runs, and unload it when it exits. You may however load and unload the driver manually with the --load and --unload options. You may also request that the driver remain loaded after plugins have finished running with the --leave option.

> memtriage.exe --leave --plugins=dumpfiles --dumpdir=outdir --physoffset=1066160184 --keepname 

Service Name

The default service name that is created is pmem. You may specify a different service name with the --service= option. You must then use this --service= option for future invocations if you leave the driver loaded. Example:

> memtriage.exe --leave --service=somename --plugins=dlllist --pid=2924
[snip]
> memtriage.exe --unload --service=somename 

Running Plugins

You may run several plugins at a time by passing them as a comma-separated list to the --plugins= option. Example:

> memtriage.exe --plugins=pslist,handles,dlllist 

Multiple Plugins

Any other options given are passed through to whichever of the selected plugins they apply to. Example:

> memtriage.exe --plugins=pslist,handles,dlllist,dlldump,dumpfiles,shimcachemem,volshell --outfile=outfile.txt --pid=2924 --dumpdir=outdir --leave --keepname --physoffset=1066160184
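A batch runner, added here as an example and not code from the memtriage project, that applies the load/leave/unload flow described above: it keeps the driver resident across several plugin runs with --leave under a custom --service name, validates plugin names against the supported list, refuses to run the dumping plugins without --dumpdir, and always issues --unload at the end, even when a run fails. It assumes memtriage.exe is on PATH and is invoked from an elevated prompt.

```python
# Batch runner for memtriage.exe: an example added here, not code from the memtriage project.
# Assumes memtriage.exe is on PATH (or passed as `exe`) and an elevated prompt so the
# Winpmem driver can load. Plugin names and the --dumpdir plugins are taken from --help.
import subprocess
from pathlib import Path

SUPPORTED = {
    "apihooks", "atoms", "cmdline", "dlldump", "dlllist", "driverirp", "dumpfiles",
    "envars", "getsids", "handles", "ldrmodules", "malfind", "moddump", "modules",
    "netscan", "privs", "procdump", "pslist", "psxview", "shimcachemem", "svcscan",
    "vaddump", "vadinfo", "verinfo", "volshell", "yarascan",
}
# Plugins listed under --dumpdir; this wrapper refuses to run them without a dump dir.
DUMPERS = {"dlldump", "procdump", "moddump", "vaddump", "dumpfiles"}


def build_cmd(plugins, service="pmem", pid=None, dumpdir=None, output="json",
              outfile=None, leave=True, exe="memtriage.exe"):
    """Return argv for one memtriage run; raise on unknown or misconfigured plugins."""
    unknown = set(plugins) - SUPPORTED
    if unknown:
        raise ValueError(f"unsupported plugins: {sorted(unknown)}")
    dumpers = set(plugins) & DUMPERS
    if dumpers and dumpdir is None:
        raise ValueError("dumpdir required for: " + ",".join(sorted(dumpers)))
    cmd = [exe, f"--service={service}", f"--plugins={','.join(plugins)}", f"--output={output}"]
    cmd += ["--leave"] if leave else []  # keep the driver loaded for the next batch
    for flag, val in (("pid", pid), ("dumpdir", dumpdir), ("outfile", outfile)):
        if val is not None:
            cmd.append(f"--{flag}={val}")
    return cmd

def unload_cmd(service="pmem", exe="memtriage.exe"):
    """Argv that unloads the driver registered under `service`."""
    return [exe, "--unload", f"--service={service}"]

def run_triage(batches, service="pmem", outdir="triage_out", exe="memtriage.exe"):
    """Run each (plugins, pid) batch under one loaded driver, then always unload it,
    even if a batch fails, so no pmem service lingers. Returns {outfile: returncode}."""
    out = Path(outdir)
    (out / "dumps").mkdir(parents=True, exist_ok=True)
    results = {}
    try:
        for i, (plugins, pid) in enumerate(batches):
            outfile = out / f"{i:02d}_{'_'.join(plugins)}.json"
            cmd = build_cmd(plugins, service, pid, str(out / "dumps"), outfile=str(outfile), exe=exe)
            results[str(outfile)] = subprocess.run(cmd, check=False).returncode
    finally:
        subprocess.run(unload_cmd(service, exe), check=False)
    return results
```

Call `run_triage([(["pslist", "psxview"], None), (["dlllist", "dlldump"], 2924)], service="somename")` to run two batches under one driver load; the first argument to each batch is the plugin list and the second the optional process ID.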

Releases

You can find releases, including a pyinstaller standalone executable here: https://github.com/gleeda/memtriage/releases
