Memoryze is free memory-forensics software that helps incident
responders find evil in live memory. Memoryze can acquire and/or
analyze memory images, and on live systems it can include the paging file
in its analysis. MANDIANT Memoryze can:
- image the full range of system memory (without relying on Windows API calls, which a rootkit can subvert).
- image a process’ entire address space to disk, including the process’ loaded DLLs, EXEs, heaps, and stacks.
- image a specified driver, or all drivers loaded in memory, to disk.
- enumerate all running processes (including those hidden by
rootkits). For each process, Memoryze can:
  - report all open handles in the process (for example, files, registry keys, etc.).
  - list the virtual address space of the process, including:
    - all loaded DLLs.
    - all allocated portions of the heap and execution stack.
  - list all network sockets that the process has open, including any hidden by rootkits.
  - output all strings in memory on a per-process basis.
- identify all drivers loaded in memory, including those hidden by rootkits.
- report device and driver layering, which rootkits can use to intercept network packets, keystrokes, and file activity.
- identify all loaded kernel modules by walking the kernel's linked list of modules.
- identify hooks (often used by rootkits) in the System Call Table,
the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP
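The "hidden by rootkits" and "hooks in the System Call Table" items above both rest on cross-view detection: a rootkit that unlinks its process from the kernel's list (DKOM) still leaves the process structure in physical memory, and a rootkit that hooks a call-table entry leaves that entry pointing outside the module that should own it. The Python below is an added illustration of those two checks, not code from Memoryze or MANDIANT. It constructs a toy memory image with an invented 32-byte process record (pool tag, pid, name, flink/blink), unlinks one record the way DKOM would, and then compares a list walk against a pool-tag carve; it also checks a constructed call table against assumed module address ranges. The record layout, offsets, module ranges and addresses are all assumptions for the example and do not match real Windows structures.

```python
"""Cross-view detection over a constructed toy memory image (illustrative only)."""
import struct

# Assumed toy record layout (little-endian), not a real Windows EPROCESS:
#   0:4   pool tag b"Proc"
#   4:4   pid (u32)
#   8:24  image name, NUL-padded
#  24:4   flink -> offset of the NEXT record's link field
#  28:4   blink -> offset of the PREVIOUS record's link field
REC_SIZE = 32
LINK_OFF = 24
TAG = b"Proc"


def build_image():
    """Construct a fake image whose 'evil.exe' record exists but is unlinked (DKOM)."""
    img = bytearray(0x400)
    head = 0x10  # list head, playing the role of the kernel's active-process list head
    procs = [(4, b"System"), (612, b"lsass.exe"), (1337, b"evil.exe"), (2048, b"explorer.exe")]
    offsets = [0x40 + i * 0x60 for i in range(len(procs))]  # scattered records, not contiguous
    for off, (pid, name) in zip(offsets, procs):
        img[off:off + REC_SIZE] = TAG + struct.pack("<I", pid) + name.ljust(16, b"\x00") + b"\x00" * 8
    # Link only the visible records into a circular doubly linked list:
    # head <-> System <-> lsass.exe <-> explorer.exe <-> head. evil.exe is skipped.
    visible = [offsets[0], offsets[1], offsets[3]]
    chain = [head] + [o + LINK_OFF for o in visible]
    for i, link in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]
        prv = chain[(i - 1) % len(chain)]
        img[link:link + 8] = struct.pack("<II", nxt, prv)
    return bytes(img), head


def walk_active_list(img, head):
    """View 1: follow flink from the head, as an API-based process listing effectively does."""
    pids = {}
    link = struct.unpack_from("<I", img, head)[0]
    steps = 0
    while link != head and steps < 1000:  # guard against a corrupted or looping list
        rec = link - LINK_OFF
        pid = struct.unpack_from("<I", img, rec + 4)[0]
        pids[pid] = img[rec + 8:rec + 24].rstrip(b"\x00").decode()
        link = struct.unpack_from("<I", img, link)[0]
        steps += 1
    return pids


def scan_pool_tags(img):
    """View 2: carve every record carrying the pool tag, ignoring list membership."""
    pids = {}
    pos = img.find(TAG)
    while pos != -1:
        pid = struct.unpack_from("<I", img, pos + 4)[0]
        pids[pid] = img[pos + 8:pos + 24].rstrip(b"\x00").decode()
        pos = img.find(TAG, pos + 1)
    return pids


def hidden_processes(img, head):
    """Records present in raw memory but absent from the linked list."""
    listed = walk_active_list(img, head)
    carved = scan_pool_tags(img)
    return {pid: name for pid, name in carved.items() if pid not in listed}


def find_hooked_entries(table, module_ranges, owner):
    """Call-table entries whose target lies outside the module expected to own them.

    table: list of (index, target_address); module_ranges: {name: (base, end)}.
    Returns (index, target, module_containing_target_or_'unknown') per hooked entry.
    """
    lo, hi = module_ranges[owner]
    hooked = []
    for idx, target in table:
        if not lo <= target < hi:
            culprit = next((m for m, (b, e) in module_ranges.items() if b <= target < e), "unknown")
            hooked.append((idx, target, culprit))
    return hooked


# Constructed sample: assumed module ranges and a three-entry call table where
# entry 0x42 has been redirected into a hypothetical rootkit driver.
MODULES = {"ntoskrnl.exe": (0x80400000, 0x80600000), "rootkit.sys": (0xF8A00000, 0xF8A10000)}
SSDT = [(0x41, 0x80412340), (0x42, 0xF8A01000), (0x43, 0x80415678)]

if __name__ == "__main__":
    image, list_head = build_image()
    print("listed processes:", walk_active_list(image, list_head))
    print("hidden processes:", hidden_processes(image, list_head))
    print("hooked entries:", find_hooked_entries(SSDT, MODULES, "ntoskrnl.exe"))
```

The list walk sees only the three linked records while the tag carve also recovers pid 1337, so the difference is the hidden process; the call-table check flags entry 0x42 because its target falls in the rootkit driver's range rather than the kernel's. Real tools replace the toy carve with signature scanning of genuine kernel structures and take module ranges from the loaded-module list, but the comparison logic is the same.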
[Reposted from antisec]