Memory Forensics

Memory Structure:

LogoWindows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 4] —…Medium

Name
Purpose
Evil

KDBG

Points to EPROCESS block.

EPROCESS:

Executive Block Process.

Each process has their own EPROCESS and it points to objects that were loaded by the PEB.

PEB:

VAD Tree

Kernel level. Contains DLLs mapped.

Private Memory

Sole memory domain of the target process. Only READWRITE privs should be in here, which makes sense for items being read and written into the stack, heap, and data files.

No executables like EXEs or DLLs should be in here. Nor should EXECUTE privileges.

Sharable Memory

Also known as mapped memory and is responsible for mapping all or part of shared files for use by process. Files like .dat and .mui are usually present here.

Expected privs: READONLY

Unexpected: EXECUTE privs

Image Mapped Memory

Part of sharable memory. Expected to see DLLs, EXEs, and drivers mapped here. Expected Privs: EXECUTE_WRITECOPY EXECUTE_READ

Unexpected Privs: EXECUTE_READWRITE

Name
Contains

EPROCESS:

  • Name of process executable (image file name)

  • PID

  • PPID

  • Location in mem (offset)

  • Creation time

  • Termination time (exit)

  • Threads assigned to process

  • Handles to other OS artifacts

  • Link to the VAD tree

  • Link to the PEB block

Considerations:

  • .24% of Priviate Memory, .014% of sharable memory, and .01% of image memory contain RWX memory pages.

  • .62% Priviate, .036% sharable, 17.5% image contain RX memory pages.

Volatility Enumeration

LogoWindows Process Internals : A few Concepts to know before jumping on Memory ForensicsMedium

Vol.py Cheatsheet:

#Enumerate active and closed network sockets
vol2.py -f base-rd01-memory.img --profile=Win10x64_16299 netscan | egrep -i 'CLOSE|ESTABLISHED|Offset'
vol.py -f base-rd01-memory.img windows.netscan

#List handles with files and keys
vol.py -f base-rd01-memory.img windows.handles --pid 5848 | egrep 'File|Key'

#Get sids of specific user
vol.py -f base-rd01-memory.img windows.getsids | grep -i spsql

#List command line
vol.py -f base-rd01-memory.img windows.cmdline

#Psscan output to file
vol.py -f base-rd01-memory.img -r pretty windows.pstree > pstree.txt

Idrmodules:

LogoWindows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 2] —…Medium

Note: The base 0x100000 with InInit being "Flase" is present in all memory dumps. That is the process executable and it will not be present in the InInit list, but it should be present in the MapepdPath list. The absence of the image path in MappedPath is suspicious.

Hide Processes:

LogoManipulating ActiveProcessLinks to Hide Processes in UserlandRed Team Notes

Hunting for Handles:

LogoWindows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 5] — A…Medium

MemProc_FS

LogoHomeGitHub
Directory Explanations

Hunting for injection/FindEvil:

The PE_PATCHED is a false positive due to normal memory modifications caused by 32-bit code (SysWOW64) execution.

RootKits:

Extract Memory Objects Volatility

Labs:

LogoEnumerating Registry Hives
LogoCyberDefenders: InjectorMedium
LogoWindows Memory Forensics: DumpMe (CyberDefenders)Medium
LogoGitHub - evild3ad/MemProcFS-Analyzer: MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIRGitHub
PreviousPowerShell DumpNextNetwork Logs

Last updated