# Memory Forensics

### Memory Structure:

{% embed url="<https://imphash.medium.com/windows-process-internals-a-few-concepts-to-know-before-jumping-on-memory-forensics-part-4-16c47b89e826>" %}

| Name | Purpose | Evil |
| --- | --- | --- |
| KDBG | Points to the EPROCESS block. | |
| EPROCESS | Executive Process block.<br>Each process has its own EPROCESS, which points to the objects loaded via the PEB. | |
| PEB | Process Environment Block. | |
| VAD Tree | Kernel level. Contains the DLLs mapped into the process. | |
| Private Memory | Sole memory domain of the target process. Only READWRITE privs should be in here, which makes sense for items being read and written into the stack, heap, and data files. | No executables like EXEs or DLLs should be in here, nor should EXECUTE privileges. |
| Sharable Memory | Also known as mapped memory; responsible for mapping all or part of shared files for use by the process. Files like .dat and .mui are usually present here.<br>Expected privs: READONLY | Unexpected: EXECUTE privs |
| Image Mapped Memory | Part of sharable memory. Expected to see DLLs, EXEs, and drivers mapped here.<br>Expected privs: EXECUTE\_WRITECOPY, EXECUTE\_READ | Unexpected privs: EXECUTE\_READWRITE |

| Name | Contains |
| --- | --- |
| EPROCESS | <ul><li>Name of process executable (image file name)</li><li>PID</li><li>PPID</li><li>Location in mem (offset)</li><li>Creation time</li><li>Termination time (exit)</li><li>Threads assigned to process</li><li>Handles to other OS artifacts</li><li>Link to the VAD tree</li><li>Link to the PEB block</li></ul> |

<figure><img src="/files/3QWYtfnuImfwVTXbl2XO" alt=""><figcaption></figcaption></figure>

**Considerations:**

* **.24%** of private memory, **.014%** of sharable memory, and **.01%** of image memory contain **RWX** memory pages.
* **.62%** of private, **.036%** of sharable, and **17.5%** of image memory contain **RX** memory pages.
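Added example (not from the page or from Volatility): the "expected privs" rules from the table above applied to a VAD listing. The tab-separated column layout and the sample rows are constructed for the example, so adapt `find_unexpected` to the real `windows.vadinfo` columns before use.

```python
import re

# Rules taken from the table above: protection strings that are unexpected
# for each region type.
UNEXPECTED = {
    "private": re.compile(r"EXECUTE"),          # private memory should be READWRITE only
    "mapped": re.compile(r"EXECUTE"),           # shared file mappings should be READONLY
    "image": re.compile(r"EXECUTE_READWRITE"),  # images: EXECUTE_WRITECOPY / EXECUTE_READ
}
IMAGE_EXT = (".exe", ".dll", ".sys", ".drv", ".ocx")

# Constructed sample in an assumed tab-separated layout (not real vadinfo output):
# PID  Process  Start  End  Tag  Protection  PrivateMemory  File
SAMPLE = (
    "5848\tspoolsv.exe\t0x7ff6a8f90000\t0x7ff6a8fd5fff\tVad\tPAGE_EXECUTE_WRITECOPY\t0\t\\Windows\\System32\\spoolsv.exe\n"
    "5848\tspoolsv.exe\t0x1a2b3c40000\t0x1a2b3c5ffff\tVadS\tPAGE_READWRITE\t1\t\n"
    "5848\tspoolsv.exe\t0x1a2b3e00000\t0x1a2b3e0ffff\tVadS\tPAGE_EXECUTE_READWRITE\t1\t\n"
    "5848\tspoolsv.exe\t0x7ffc11230000\t0x7ffc1145afff\tVad\tPAGE_EXECUTE_READWRITE\t0\t\\Windows\\System32\\ntdll.dll\n"
    "5848\tspoolsv.exe\t0x7ffc0f800000\t0x7ffc0f81ffff\tVad\tPAGE_READONLY\t0\t\\Windows\\System32\\locale.nls\n"
    "5848\tspoolsv.exe\t0x7ffc0f900000\t0x7ffc0f91ffff\tVad\tPAGE_EXECUTE_READ\t0\t\\Windows\\System32\\en-US\\spoolsv.exe.mui\n"
)

def classify(private_memory, file_path):
    """Map one VAD to the table's region types: private, image, or mapped (sharable)."""
    if private_memory == "1" or not file_path:
        return "private"
    if file_path.lower().endswith(IMAGE_EXT):
        return "image"
    return "mapped"

def find_unexpected(text):
    """Return (start, region, protection, file) for each VAD whose protection
    the table calls unexpected for its region type."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _pid, _proc, start, _end, _tag, prot, priv, file_path = line.split("\t")
        region = classify(priv, file_path)
        if UNEXPECTED[region].search(prot):
            hits.append((start, region, prot, file_path))
    return hits

if __name__ == "__main__":
    for start, region, prot, file_path in find_unexpected(SAMPLE):
        print("suspicious %s VAD at %s: %s %s" % (region, start, prot, file_path))
```

On the sample, the private RWX region, the EXECUTE_READWRITE ntdll.dll image and the EXECUTE_READ .mui mapping are flagged; the rest match the expected privileges.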

<figure><img src="/files/mAk2Y511ZjvucdJqmS0d" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/4jo7dkZ2emWkvsjBLISq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/stIl2m6IqFKyutmcM4lz" alt=""><figcaption></figcaption></figure>

## Volatility Enumeration

{% embed url="<https://imphash.medium.com/windows-process-internals-a-few-concepts-to-know-before-jumping-on-memory-forensics-823d72d4d7b8>" %}

<figure><img src="/files/Hmcsi2bz9ZJTZRrNHeNq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/g1N2tmsvcCYJpky8eDW0" alt=""><figcaption></figcaption></figure>

### Vol.py Cheatsheet:

```bash
# Enumerate active and closed network sockets (Volatility 2 form needs --profile; Volatility 3 form does not)
vol2.py -f base-rd01-memory.img --profile=Win10x64_16299 netscan | egrep -i 'CLOSE|ESTABLISHED|Offset'
vol.py -f base-rd01-memory.img windows.netscan

# List handles of one process, keeping only file and registry key handles
vol.py -f base-rd01-memory.img windows.handles --pid 5848 | egrep 'File|Key'

# Get the SIDs of a specific user
vol.py -f base-rd01-memory.img windows.getsids | grep -i spsql

# List the command line of every process
vol.py -f base-rd01-memory.img windows.cmdline

# Save the pstree output to a file (pretty renderer)
vol.py -f base-rd01-memory.img -r pretty windows.pstree > pstree.txt
```

### Ldrmodules:

{% embed url="<https://imphash.medium.com/windows-process-internals-a-few-concepts-to-know-before-jumping-on-memory-forensics-part-2-4f45022fb1f8>" %}

<figure><img src="/files/7lVkff1epUq6mKt1y61c" alt=""><figcaption></figcaption></figure>

Note: The base 0x100000 with InInit being "False" is present in all memory dumps. That is the process executable: it will not be present in the InInit list, but it should be present in the MappedPath list. The absence of the image path in MappedPath is suspicious.
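Added example (not from the page or from Volatility) that applies the note above to ldrmodules-style rows: InInit False is tolerated only for the process executable and only when it still has a MappedPath, a mapped file absent from all three PEB lists is flagged, and so is any module without a MappedPath. The column layout, PIDs, bases and paths are constructed.

```python
# Columns assumed (not real ldrmodules output): pid, process, base, InLoad, InInit, InMem, MappedPath
SAMPLE = [
    ("5848", "spoolsv.exe", 0x100000,       True,  False, True,  r"\Windows\System32\spoolsv.exe"),
    ("5848", "spoolsv.exe", 0x7ffc11230000, True,  True,  True,  r"\Windows\System32\ntdll.dll"),
    ("5848", "spoolsv.exe", 0x1a2b3e00000,  False, False, False, r"\Users\Public\payload.dll"),
    ("5848", "spoolsv.exe", 0x7ffc0a000000, True,  True,  True,  ""),
    ("4412", "svchost.exe", 0x400000,       True,  False, True,  ""),
]

def assess(row):
    """Return the findings for one ldrmodules row; [] means nothing odd."""
    _pid, _proc, _base, in_load, in_init, in_mem, mapped = row
    findings = []
    if not (in_load or in_init or in_mem):
        # A file is mapped into the process but none of the PEB lists knows it.
        findings.append("absent from all three PEB lists (unlinked module)")
    if not mapped:
        # The case the note above calls suspicious: no image path backing the module.
        findings.append("no MappedPath (no file backing the image)")
    elif in_load and in_mem and not in_init and not mapped.lower().endswith(".exe"):
        # InInit False is normal only for the process executable itself.
        findings.append("InInit False but MappedPath is not the process .exe")
    return findings

def triage(rows):
    """Keep only rows with findings, as (pid, process, hex base, findings)."""
    out = []
    for row in rows:
        findings = assess(row)
        if findings:
            out.append((row[0], row[1], hex(row[2]), findings))
    return out

if __name__ == "__main__":
    for pid, proc, base, findings in triage(SAMPLE):
        print(pid, proc, base, "; ".join(findings))
```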

### Hide Processes:

{% embed url="<https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/manipulating-activeprocesslinks-to-unlink-processes-in-userland>" %}

<figure><img src="/files/OEtp8IBDATbenkBQf9Gs" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/BcahqFWvk3GHcKBQ7uti" alt=""><figcaption></figcaption></figure>

### Hunting for Handles:

{% embed url="<https://imphash.medium.com/windows-process-internals-a-few-concepts-to-know-before-jumping-on-memory-forensics-part-5-a-2368187685e>" %}

## MemProcFS

{% embed url="<https://github.com/ufrisk/MemProcFS/wiki>" %}
Directory Explanations
{% endembed %}

### Hunting for injection/FindEvil:

<figure><img src="/files/4vSYBpZNZbUg8NH1tHzk" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/xsktqUNhKkEtxxmFZZZC" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/qDswVEFfvZ4e6yNatp7y" alt=""><figcaption></figcaption></figure>

The PE\_PATCHED hit here is a false positive: it comes from the normal in-memory modifications made when 32-bit (SysWOW64) code executes.

<figure><img src="/files/hnPO0m2sNXV1lp5rVnjh" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NoruZmfGEw6S4vvDYsyG" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/f9g61U8mrKAHsTFWAoPU" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Kp37Al1gz03ZiZvApcWU" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/b6AVeHsQgycFYfTaMrM7" alt=""><figcaption></figcaption></figure>

### Rootkits:

<figure><img src="/files/fWjCO99bDwXaKQKDE539" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/8gJrCyTEOmKt5UqAT9TY" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/xHj3m6VVY0poufolt6uP" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ZoJeczI2YPUKclBjoFHt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/GE1kMzIhiDUT1J4VDDjB" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/bZJjDNzqTD0oF7M44pv9" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/PabLyV9UWEekHZUyUgHU" alt=""><figcaption></figcaption></figure>

### Extract Memory Objects with Volatility:

<figure><img src="/files/g20EsL3AfSuKZ0PRCj6u" alt=""><figcaption></figcaption></figure>

### Labs:

{% embed url="<https://moyix.blogspot.com/2008/02/enumerating-registry-hives.html>" %}

{% embed url="<https://medium.com/@andrewss112/cyberdefenders-injector-6984df1e5d79>" %}

{% embed url="<https://medium.com/@andrewss112/windows-memory-forensics-dumpme-cyberdefenders-47b7bb3614b6>" %}

{% embed url="<https://github.com/evild3ad/MemProcFS-Analyzer>" %}

{% embed url="<https://www.slideshare.net/IIJ_PR/super-easy-memory-forensics>" %}

