memtriage (previously lmem)

Allows you to quickly query a live Windows machine for RAM artifacts

This tool utilizes the Winpmem drivers to access physical memory, and Volatility for analysis.

Caveats:

  • Doesn't work with Device Guard enabled.
  • Should be tested on machines before deploying.

Volatility Plugins

The following are currently supported:

  • pslist
  • dlllist
  • ldrmodules
  • modules
  • handles
  • malfind
  • driverirp
  • psxview
  • privs
  • svcscan
  • getsids
  • vadinfo
  • netscan
  • cmdline
  • envars
  • verinfo
  • atoms
  • shimcachemem
  • apihooks
  • procdump
  • dlldump
  • moddump
  • dumpfiles
  • volshell

Example Usage

usage: memtriage.exe [-h] [--unload] [--load] [--debug] [--service SERVICE]
                     [--output OUTPUT] [--dumpdir DUMPDIR] [--base BASE]
                     [--offset OFFSET] [--memory MEMORY] [--pid PID] [--leave]
                     [--plugins PLUGINS] [--physoffset PHYSOFFSET]
                     [--physical] [--ignore] [--regex REGEX] [--name NAME]
                     [--keepname]

Memtriage options:

optional arguments:
  -h, --help            show this help message and exit
  --unload              Unload the driver and exit
  --load                Load the driver and exit
  --debug               Output debug messages while running
  --service SERVICE     Change the service name (default: pmem)
  --output OUTPUT       Output type: json/text/csv
  --dumpdir DUMPDIR     Directory to dump files to
                        (dlldump,procdump,moddump,vaddump,dumpfiles)
  --base BASE           Base of PE file to dump (dlldump,procdump,moddump)
  --offset OFFSET       Physical offset of process to act on
                        (dlldump,procdump,moddump,vaddump,dumpfiles)
  --memory MEMORY       Carve as a memory sample rather than exe/disk
                        (dlldump,procdump,moddump)
  --pid PID             Operate on this process ID
  --leave               Leave pmem service running with driver
  --plugins PLUGINS     Comma delimited list of plugins to run: dlldump
                        netscan cmdline procdump envars moddump handles
                        dlllist psxview vadinfo dumpfiles svcscan malfind
                        atoms apihooks volshell vaddump privs driverirp
                        shimcachemem ldrmodules modules verinfo pslist getsids
  --physoffset PHYSOFFSET
                        Dump File Object at physical address PHYSOFFSET
                        (dumpfiles)
  --physical            Display the physical address of object
                        (pslist,handles,modules)
  --ignore              Ignore case in pattern match (dumpfiles,verinfo)
  --regex REGEX         Dump files matching REGEX (dumpfiles,driverirp,privs)
  --name NAME           Name of process/object to operate on
  --keepname            Keep original file name (dumpfiles)
  --outfile OUTFILE     Combined output file (default: stdout)

No Need to Specify Profiles

Memtriage will attempt to determine the profile automatically and run with the appropriate settings. If there is no exact match, Memtriage will attempt to use the closest named profile available. Consequently, some object definitions may not line up exactly (process names, for example), which is the same effect you may see when running Volatility with an incorrect profile. Profiles can be added to the Volatility code, and the executable can be recompiled with pyinstaller.

Loading and Unloading the Driver

By default, memtriage.exe will attempt to load the driver when it first runs, and unload it when it exits. You may however load and unload the driver manually with the --load and --unload options. You may also request that the driver remain loaded after plugins have finished running with the --leave option.

> memtriage.exe --leave --plugins=dumpfiles --dumpdir=outdir --physoffset=1066160184 --keepname 

Service Name

The default service name that is created is pmem. You may specify a different service name with the --service= option. You must then use this --service= option for future invocations if you leave the driver loaded. Example:

> memtriage.exe --leave --service=somename --plugins=dlllist --pid=2924
[snip]
> memtriage.exe --unload --service=somename 

Running Plugins

You may run several plugins at a time by specifying them with comma delimitation with the --plugins= option. Example:

> memtriage.exe --plugins=pslist,handles,dlllist 

Multiple Plugins

Other options given on the command line are applied to whichever of the listed plugins accept them (the plugin names in parentheses in the help output above). Example:

> memtriage.exe --plugins=pslist,handles,dlllist,dlldump,dumpfiles,shimcachemem,volshell --outfile=outfile.txt --pid=2924 --dumpdir=outdir --leave --keepname --physoffset=1066160184
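The load/--leave/--unload workflow above is easy to get wrong when a plugin run fails and the driver is left resident. The following PowerShell script is an added example (not part of the memtriage project) that collects a fixed triage set with one driver load, a custom --service name, and an unload that runs even on failure; the binary path, output directory, plugin grouping and the assumption that memtriage.exe returns a non-zero exit code on failure are all this example's own.

```powershell
# Added example, not memtriage's own code. Assumes memtriage.exe is at $Memtriage,
# that it exits non-zero on failure, and that the account running this is an
# administrator (the driver cannot load otherwise, nor with Device Guard enabled).
param(
    [string]$Memtriage = 'C:\tools\memtriage.exe',                       # assumed path to the release binary
    [string]$OutDir    = "C:\triage\$($env:COMPUTERNAME)_$(Get-Date -Format 'yyyyMMdd_HHmmss')",
    [string]$Service   = 'pmem_triage'                                   # custom name, so it never collides with a stale default 'pmem'
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Plugin groups and the --output format each group is written in.
$runs = @(
    @{ Plugins = 'pslist,psxview,cmdline,netscan,svcscan'; Format = 'csv'  },
    @{ Plugins = 'malfind,ldrmodules,apihooks';            Format = 'text' },
    @{ Plugins = 'shimcachemem,modules,driverirp';         Format = 'csv'  }
)

# Load the driver once. Every later invocation must pass the same --service name.
& $Memtriage --load --service=$Service
if ($LASTEXITCODE -ne 0) {
    throw "driver load failed (exit $LASTEXITCODE); check admin rights and whether Device Guard is enabled"
}

try {
    foreach ($r in $runs) {
        $plugins = $r.Plugins
        $format  = $r.Format
        $outFile = Join-Path $OutDir (($plugins -replace ',', '_') + '.' + $format)
        # --leave keeps the driver loaded so the next group does not reload it.
        & $Memtriage --leave --service=$Service --plugins=$plugins --output=$format --outfile=$outFile
        if ($LASTEXITCODE -ne 0) { Write-Warning "plugins '$plugins' exited with $LASTEXITCODE" }
    }
}
finally {
    # Always unload, so a failed plugin group never leaves the pmem driver resident.
    & $Memtriage --unload --service=$Service
}

# Record SHA-256 hashes of everything collected so the artifacts can be verified later.
Get-ChildItem -Path $OutDir -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
```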

Releases

You can find releases, including a pyinstaller standalone executable here: https://github.com/gleeda/memtriage/releases
