Difference between revisions of "Memory analysis"
Joachim Metz (Talk | contribs) |
Joachim Metz (Talk | contribs) (→Volatility Labs) |
||
| Line 27: | Line 27: | ||
* [http://volatility-labs.blogspot.ch/2012/09/movp-14-average-coder-rootkit-bash.html MoVP 1.4 Average Coder Rootkit, Bash History, and Elevated Processes] | * [http://volatility-labs.blogspot.ch/2012/09/movp-14-average-coder-rootkit-bash.html MoVP 1.4 Average Coder Rootkit, Bash History, and Elevated Processes] | ||
* [http://volatility-labs.blogspot.ch/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html MoVP 1.5 KBeast Rootkit, Detecting Hidden Modules, and sysfs] | * [http://volatility-labs.blogspot.ch/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html MoVP 1.5 KBeast Rootkit, Detecting Hidden Modules, and sysfs] | ||
| + | * [http://volatility-labs.blogspot.ch/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html MoVP 2.1 Atoms (The New Mutex), Classes and DLL Injection] | ||
| + | * [http://volatility-labs.blogspot.ch/2012/09/movp-22-malware-in-your-windows.html MoVP 2.2 Malware In Your Windows] | ||
[[Category:Memory Analysis]] | [[Category:Memory Analysis]] | ||
Revision as of 23:52, 18 September 2012
Memory Analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:
Contents |
OS-Independent Analysis
At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, Virtuoso, that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.
Encryption Keys
Various types of encryption keys can be extracted during memory analysis.
- AESKeyFinder extracts 128-bit and 256-bit AES keys and RSAKeyFinder and private and public RSA keys from a memory dump [1].
- cryptoscan.py, which is a plugin for the Volatility framework, scans a memory image for TrueCrypt passphrases
See Also
External Links
Volatility Labs
- MoVP 1.1 Logon Sessions, Processes, and Images
- MoVP 1.2 Window Stations and Clipboard Malware
- MoVP 1.3 Desktops, Heaps, and Ransomware
- MoVP 1.4 Average Coder Rootkit, Bash History, and Elevated Processes
- MoVP 1.5 KBeast Rootkit, Detecting Hidden Modules, and sysfs
- MoVP 2.1 Atoms (The New Mutex), Classes and DLL Injection
- MoVP 2.2 Malware In Your Windows
