MANDIANT
Memoryze is free memory forensic software that helps incident
responders find evil in live memory. Memoryze can acquire and/or
analyze memory images, and on live systems can include the paging file
in its analysis. MANDIANT Memoryze can:

  • image the full range of system memory (not reliant on API calls).
  • image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps, and stacks.
  • image a specified driver or all drivers loaded in memory to disk.
  • enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:

    • report all open handles in a process (for example, all files, registry keys, etc.).
    • list the virtual address space of a given process including:
      • displaying all loaded DLLs.
      • displaying all allocated portions of the heap and execution stack.
    • list all network sockets that the process has open, including any hidden by rootkits.
    • output all strings in memory on a per process basis.
  • identify all drivers loaded in memory, including those hidden by rootkits.
  • report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
  • identify all loaded kernel modules by walking a linked list.
  • identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).
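
The hook check in the last bullet (a System Call Table, IDT or IRP-table entry that no longer points into the module that should own it) is the kind of cross-check a memory-forensics tool makes against the module list it has walked. The program below is an added illustration in C, not Memoryze's own code; the module ranges and table contents are constructed samples, and the sole check it performs is the table-redirection one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Image range of a loaded module, as recovered by walking the kernel's
 * loaded-module list. Every address in this file is a constructed sample. */
typedef struct { const char *name; uintptr_t base; size_t size; } module_range;

/* Module whose image contains addr, or NULL if no known module does. */
static const module_range *owning_module(const module_range *mods, size_t n,
                                         uintptr_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return &mods[i];
    return NULL;
}

/* Scan a dispatch table (SSDT entries, IDT handlers, or a driver's IRP
 * major-function table) and flag entries that do not point into the module
 * expected to own them (ntoskrnl for the SSDT, the driver for its IRP table).
 * Flagged indices go to `flagged` (up to max_flagged); the return value is the
 * total. Only table redirection is caught, not inline patches in the module. */
size_t find_hooked_entries(const uintptr_t *table, size_t entries,
                           const module_range *mods, size_t nmods,
                           const char *expected_owner, size_t *flagged, size_t max_flagged) {
    size_t count = 0;
    for (size_t i = 0; i < entries; i++) {
        const module_range *m = owning_module(mods, nmods, table[i]);
        if (m && strcmp(m->name, expected_owner) == 0) continue;
        if (count < max_flagged) flagged[count] = i;
        count++;
    }
    return count;
}

/* Constructed sample: two known modules and a five-entry "SSDT" in which
 * entry 1 points into an unrelated driver and entry 3 into memory no listed
 * module maps (how a driver hidden from the module list would show up). */
size_t demo_ssdt_scan(size_t *flagged, size_t max_flagged) {
    static const module_range mods[] = {
        { "ntoskrnl.exe", 0x80400000u, 0x00200000u },
        { "tcpip.sys",    0xf8800000u, 0x00040000u } };
    static const uintptr_t ssdt[] = { 0x80412340u, 0xf8801000u, 0x8051ab00u,
                                      0xfa000200u, 0x804f0010u };
    return find_hooked_entries(ssdt, 5, mods, 2, "ntoskrnl.exe", flagged, max_flagged);
}

int main(void) {
    size_t flagged[8], n = demo_ssdt_scan(flagged, 8);
    for (size_t i = 0; i < n; i++)
        printf("SSDT entry %zu points outside ntoskrnl: possible hook\n", flagged[i]);
    return 0;
}
```

On the sample data the scan reports entries 1 and 3; a real tool would additionally cross-check the module list itself against an independent view of memory, since a hidden driver is exactly what makes entry 3 land in "unlisted" memory.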

http://www.mandiant.com/software/memoryze.htm

[Reposted from antisec]