# Memory Forensics

Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.

## Memory Acquisition

### Live Acquisition Tools

#### Windows

```powershell
# WinPmem (Recommended)
winpmem_mini_x64.exe memory.raw

# DumpIt
DumpIt.exe

# Belkasoft RAM Capturer
# GUI-based, outputs raw format

# Magnet RAM Capture
# GUI-based, outputs raw format
```

#### Linux

```bash
# LiME (Linux Memory Extractor)
sudo insmod lime.ko "path=/tmp/memory.lime format=lime"

# /dev/mem (limited, requires permissions)
sudo dd if=/dev/mem of=memory.raw bs=1M

# /proc/kcore (ELF format)
sudo cp /proc/kcore memory.elf
```

#### macOS

```bash
# osxpmem
sudo ./osxpmem -o memory.raw

# MacQuisition (commercial)
```

### Virtual Machine Memory

```bash
# VMware: .vmem file is raw memory
cp vm.vmem memory.raw

# VirtualBox: Use debug console
vboxmanage debugvm "VMName" dumpvmcore --filename memory.elf

# QEMU
virsh dump <domain> memory.raw --memory-only

# Hyper-V
# Checkpoint contains memory state
```

## Volatility 3 Framework

### Installation and Setup

```bash
# Install Volatility 3
pip install volatility3

# Install symbol tables (Windows)

# Basic usage
vol -f memory.raw <plugin>

# With symbol path
vol -f memory.raw -s /path/to/symbols windows.pslist
```

### Essential Plugins

#### Process Analysis

```bash
# List processes
vol -f memory.raw windows.pslist

# Process tree (parent-child relationships)
vol -f memory.raw windows.pstree

# Hidden process detection
vol -f memory.raw windows.psscan

# Process memory dumps
vol -f memory.raw windows.memmap --pid <PID> --dump

# Process environment variables
vol -f memory.raw windows.envars --pid <PID>

# Command line arguments
vol -f memory.raw windows.cmdline
```

#### Network Analysis

```bash
# Network connections
vol -f memory.raw windows.netscan

# Network connection state
vol -f memory.raw windows.netstat
```

#### DLL and Module Analysis

```bash
# Loaded DLLs per process
vol -f memory.raw windows.dlllist --pid <PID>

# Find hidden/injected DLLs
vol -f memory.raw windows.ldrmodules

# Kernel modules
vol -f memory.raw windows.modules

# Module dumps
vol -f memory.raw windows.moddump --pid <PID>
```

#### Memory Injection Detection

```bash
# Detect code injection
vol -f memory.raw windows.malfind

# VAD (Virtual Address Descriptor) analysis
vol -f memory.raw windows.vadinfo --pid <PID>

# Dump suspicious memory regions (Volatility 3 takes a rules file via --yara-file;
# --yara-rules expects the rule text itself)
vol -f memory.raw windows.vadyarascan --yara-file rules.yar
```

#### Registry Analysis

```bash
# List registry hives
vol -f memory.raw windows.registry.hivelist

# Print registry key
vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

# Dump registry hive
vol -f memory.raw windows.registry.hivescan --dump
```

#### File System Artifacts

```bash
# Scan for file objects
vol -f memory.raw windows.filescan

# Dump files from memory
vol -f memory.raw windows.dumpfiles --pid <PID>

# MFT analysis
vol -f memory.raw windows.mftscan
```

#### Linux Analysis

```bash
# Process listing
vol -f memory.raw linux.pslist

# Process tree
vol -f memory.raw linux.pstree

# Bash history
vol -f memory.raw linux.bash

# Network connections
vol -f memory.raw linux.sockstat

# Loaded kernel modules
vol -f memory.raw linux.lsmod

# Mount points
vol -f memory.raw linux.mount

# Environment variables
vol -f memory.raw linux.envars
```

#### macOS Analysis

```bash
# Process listing
vol -f memory.raw mac.pslist

# Process tree
vol -f memory.raw mac.pstree

# Network connections
vol -f memory.raw mac.netstat

# Kernel extensions
vol -f memory.raw mac.lsmod
```

## Analysis Workflows

### Malware Analysis Workflow

```bash
# 1. Initial process survey
vol -f memory.raw windows.pstree > processes.txt
vol -f memory.raw windows.pslist > pslist.txt

# 2. Network connections
vol -f memory.raw windows.netscan > network.txt

# 3. Detect injection
vol -f memory.raw windows.malfind > malfind.txt

# 4. Analyze suspicious processes
vol -f memory.raw windows.dlllist --pid <PID>
vol -f memory.raw windows.handles --pid <PID>

# 5. Dump suspicious executables
vol -f memory.raw windows.pslist --pid <PID> --dump

# 6. Extract strings from dumps
strings -a pid.<PID>.exe > strings.txt

# 7. YARA scanning (rules file is passed with --yara-file)
vol -f memory.raw windows.yarascan --yara-file malware.yar
```

### Incident Response Workflow

```bash
# 1. Timeline of events
vol -f memory.raw windows.timeliner > timeline.csv

# 2. User activity
vol -f memory.raw windows.cmdline
vol -f memory.raw windows.consoles

# 3. Persistence mechanisms
vol -f memory.raw windows.registry.printkey \
    --key "Software\Microsoft\Windows\CurrentVersion\Run"

# 4. Services
vol -f memory.raw windows.svcscan

# 5. Scheduled tasks
vol -f memory.raw windows.scheduled_tasks

# 6. Recent files
vol -f memory.raw windows.filescan | grep -i "recent"
```

## Data Structures

### Windows Process Structures

```c
// EPROCESS (Executive Process)
typedef struct _EPROCESS {
    KPROCESS Pcb;                    // Kernel process block
    EX_PUSH_LOCK ProcessLock;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    // ...
    LIST_ENTRY ActiveProcessLinks;   // Doubly-linked list
    ULONG_PTR UniqueProcessId;       // PID
    // ...
    PEB* Peb;                        // Process Environment Block
    // ...
} EPROCESS;

// PEB (Process Environment Block)
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;           // Anti-debug check
    // ...
    PVOID ImageBaseAddress;          // Base address of executable
    PPEB_LDR_DATA Ldr;               // Loader data (DLL list)
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    // ...
} PEB;
```

### VAD (Virtual Address Descriptor)

```c
typedef struct _MMVAD {
    MMVAD_SHORT Core;
    union {
        ULONG LongFlags;
        MMVAD_FLAGS VadFlags;
    } u;
    // ...
    PVOID FirstPrototypePte;
    PVOID LastContiguousPte;
    // ...
    PFILE_OBJECT FileObject;
} MMVAD;

// Memory protection flags
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
```

## Detection Patterns

### Process Injection Indicators

Malfind indicators:

- PAGE_EXECUTE_READWRITE protection (suspicious)
- MZ header in non-image VAD region
- Shellcode patterns at allocation start

Common injection techniques:

1. Classic DLL Injection: VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
2. Process Hollowing: CreateProcess (SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory
3. APC Injection: QueueUserAPC targeting alertable threads
4. Thread Execution Hijacking: SuspendThread + SetThreadContext + ResumeThread
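The three malfind indicators above can be expressed as a small scoring routine over VAD records. The following is an added example, not code from the original page or from Volatility: it takes constructed VAD-style records (PID, start address, protection, whether the region is image-backed, and the first bytes of the allocation) and reports which indicators each executable region triggers. The `Region` class, its field names and `SAMPLE_REGIONS` are assumptions made for the example; the protection constants are the winnt.h values quoted in the VAD section, plus PAGE_READWRITE for the non-executable case.

```python
"""Score VAD regions against the malfind indicators listed above.
Added example: the Region records and SAMPLE_REGIONS are constructed,
not read from a real dump, and the field names are assumptions."""
import re
from dataclasses import dataclass

# Memory protection constants (winnt.h values, as quoted in the VAD section)
PAGE_READWRITE         = 0x04
PAGE_EXECUTE           = 0x10
PAGE_EXECUTE_READ      = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
ANY_EXECUTE = (PAGE_EXECUTE | PAGE_EXECUTE_READ
               | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

# x86 function prologue (push ebp; mov ebp, esp; sub esp, imm8), the same
# byte sequence the page's YARA rule uses as a shellcode pattern
PROLOGUE = re.compile(rb"\x55\x8b\xec\x83\xec")


@dataclass
class Region:
    pid: int
    start: int
    protection: int
    is_image: bool   # True when the VAD is backed by a mapped image (FileObject set)
    data: bytes      # first bytes of the allocation


def indicators(region):
    """Return the malfind-style indicators a region triggers (empty if benign)."""
    if not region.protection & ANY_EXECUTE:
        return []            # malfind only looks at executable regions
    hits = []
    if region.protection & PAGE_EXECUTE_READWRITE:
        hits.append("RWX")
    if not region.is_image and region.data[:2] == b"MZ":
        hits.append("MZ_in_private_region")
    if PROLOGUE.match(region.data):   # .match() anchors at the allocation start
        hits.append("prologue_at_start")
    return hits


def triage(regions):
    """Map (pid, start) -> indicators for every region that triggered at least one."""
    result = {}
    for r in regions:
        hits = indicators(r)
        if hits:
            result[(r.pid, r.start)] = hits
    return result


# Constructed sample: a legitimate image mapping, an RWX private region carrying a
# PE header, a private RX region starting with a prologue, and a non-executable heap.
SAMPLE_REGIONS = [
    Region(1234, 0x00400000, PAGE_EXECUTE_WRITECOPY, True,  b"MZ\x90\x00\x03\x00"),
    Region(1234, 0x001F0000, PAGE_EXECUTE_READWRITE, False, b"MZ\x90\x00\x03\x00"),
    Region(4321, 0x002A0000, PAGE_EXECUTE_READ,      False, b"\x55\x8b\xec\x83\xec\x10"),
    Region(4321, 0x00300000, PAGE_READWRITE,         False, b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_REGIONS).items():
        print("pid %d region 0x%08x: %s" % (key[0], key[1], ", ".join(hits)))
```

The image-backed region with an MZ header is deliberately left out of the result: a PE header is expected there, and the protection check alone does not distinguish a loaded module from an injected one, which is why malfind keys on private (non-image) memory.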

### Rootkit Detection

```bash
# Compare process lists
vol -f memory.raw windows.pslist > pslist.txt
vol -f memory.raw windows.psscan > psscan.txt
diff pslist.txt psscan.txt  # Hidden processes

# Check for DKOM (Direct Kernel Object Manipulation)
vol -f memory.raw windows.callbacks

# Detect hooked functions
vol -f memory.raw windows.ssdt  # System Service Descriptor Table

# Driver analysis
vol -f memory.raw windows.driverscan
vol -f memory.raw windows.driverirp
```
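The `diff` of pslist against psscan works because the two plugins find processes by different routes: pslist walks the `ActiveProcessLinks` list from the EPROCESS structure in the Data Structures section, while psscan carves process objects out of memory by signature regardless of whether they are linked. The following added example (not code from the page or from Volatility) models both on a constructed 4 KiB buffer with a simplified 32-byte process object, unlinks one object the way a DKOM rootkit would, and shows that only the scan still sees it. The object layout, the `Proc` tag, the list-head address and all sample processes are constructed for the example and do not match the real EPROCESS layout.

```python
"""pslist versus psscan, modelled on a constructed buffer.
Added example: the 32-byte object layout, the "Proc" tag and all addresses are
invented for this illustration and do not match the real EPROCESS layout."""
import struct

TAG = b"Proc"      # stand-in for the pool tag a scanner carves for
OBJ_SIZE = 32      # constructed object: tag(4) pid(4) Flink(4) Blink(4) name(16)
LINKS_OFF = 8      # offset of the LIST_ENTRY (ActiveProcessLinks stand-in) inside the object
HEAD = 0           # the list head (PsActiveProcessHead stand-in) lives at offset 0


def build_memory(procs, unlinked=()):
    """Lay out one object per (pid, name) and thread the circular list through
    every object except those in `unlinked`, which a DKOM rootkit has removed
    from the list while leaving the object itself in memory."""
    mem = bytearray(4096)
    bases = {pid: 64 + i * OBJ_SIZE for i, (pid, _) in enumerate(procs)}
    for pid, name in procs:
        b = bases[pid]
        mem[b:b + 4] = TAG
        struct.pack_into("<I", mem, b + 4, pid)
        mem[b + 16:b + 32] = name.encode().ljust(16, b"\0")
    chain = [HEAD] + [bases[pid] + LINKS_OFF for pid, _ in procs if pid not in unlinked]
    for i, addr in enumerate(chain):
        struct.pack_into("<II", mem, addr, chain[(i + 1) % len(chain)], chain[i - 1])
    for pid in unlinked:              # stale self-pointing links, as a rootkit might leave them
        addr = bases[pid] + LINKS_OFF
        struct.pack_into("<II", mem, addr, addr, addr)
    return mem


def read_object(mem, base):
    pid = struct.unpack_from("<I", mem, base + 4)[0]
    name = bytes(mem[base + 16:base + 32]).rstrip(b"\0").decode()
    return pid, name


def walk_active_list(mem):
    """pslist style: follow Flink from the head until it wraps back to the head."""
    found, seen = [], set()
    flink = struct.unpack_from("<I", mem, HEAD)[0]
    while flink != HEAD and flink not in seen:     # `seen` guards against a corrupted loop
        seen.add(flink)
        found.append(read_object(mem, flink - LINKS_OFF))   # CONTAINING_RECORD step
        flink = struct.unpack_from("<I", mem, flink)[0]
    return found


def scan_for_objects(mem):
    """psscan style: carve every object by its tag, whatever the list says."""
    found, pos = [], mem.find(TAG)
    while pos != -1:
        found.append(read_object(mem, pos))
        pos = mem.find(TAG, pos + 1)
    return found


def hidden_processes(mem):
    """What `diff pslist.txt psscan.txt` is meant to surface: scanned but not listed."""
    listed = {pid for pid, _ in walk_active_list(mem)}
    return [p for p in scan_for_objects(mem) if p[0] not in listed]


SAMPLE = [(4, "System"), (348, "smss.exe"), (912, "svchost.exe"), (1337, "evil.exe")]

def demo():
    mem = build_memory(SAMPLE, unlinked={1337})
    return hidden_processes(mem)

if __name__ == "__main__":
    print(demo())   # the unlinked object is only visible to the scan
```

The `seen` set in the walker matters on real dumps as well: a corrupted or deliberately looped list would otherwise make a list-walking plugin spin forever, whereas the scanner's cost is bounded by the size of the image.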

### Credential Extraction

```bash
# Dump hashes (requires hivelist first)
vol -f memory.raw windows.hashdump

# LSA secrets
vol -f memory.raw windows.lsadump

# Cached domain credentials
vol -f memory.raw windows.cachedump

# Mimikatz-style extraction
# Requires specific plugins/tools
```

## YARA Integration

### Writing Memory YARA Rules

```yara
rule Suspicious_Injection
{
    meta:
        description = "Detects common injection shellcode"

    strings:
        // Common shellcode patterns
        $mz = { 4D 5A }
        $shellcode1 = { 55 8B EC 83 EC }  // Function prologue
        $api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }  // Push hash, call

    condition:
        // $api_hash must be referenced here; YARA rejects a rule with an unused string
        $mz at 0 or any of ($shellcode*, $api_hash)
}

rule Cobalt_Strike_Beacon
{
    meta:
        description = "Detects Cobalt Strike beacon in memory"

    strings:
        $config = { 00 01 00 01 00 02 }
        $sleep = "sleeptime"
        $beacon = "%s (admin)" wide

    condition:
        2 of them
}
```
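YARA's hex strings are what make rules like the ones above usable against raw memory: a `??` matches any single byte and `[n-m]` matches a variable-length jump, so a pattern survives relocations and changing immediates. The added example below is not code from the page and not yara's own matcher; it compiles such hex strings into Python byte regexes and evaluates a condition of the same shape as the Suspicious_Injection rule (`$mz` at offset 0, or any shellcode/API-hash pattern) over a constructed buffer. `hex_pattern_to_regex`, `scan`, `suspicious_injection` and `SAMPLE` are names chosen for the example.

```python
"""Match YARA-style hex strings against raw memory.
Added example: hex_pattern_to_regex, scan, suspicious_injection and SAMPLE are
constructed names; this is a small stand-in for yara's matcher, not yara itself."""
import re


def hex_pattern_to_regex(pattern):
    """Translate a YARA hex string such as '{ 68 ?? ?? ?? ?? E8 }' into a bytes regex.
    Handles literal bytes, '??' wildcards and '[n-m]' jumps."""
    parts = []
    for tok in pattern.strip().strip("{}").split():
        if tok == "??":
            parts.append(b".")                        # any single byte
        elif tok.startswith("["):
            lo, hi = tok.strip("[]").split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))   # variable-length jump
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL so '.' also matches 0x0a


# The three strings of the Suspicious_Injection rule above
RULE_STRINGS = {
    "$mz":         "{ 4D 5A }",
    "$shellcode1": "{ 55 8B EC 83 EC }",
    "$api_hash":   "{ 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }",
}


def scan(buf, strings=RULE_STRINGS):
    """Return {string name: [match offsets]} for every string that matched."""
    hits = {}
    for name, pattern in strings.items():
        offsets = [m.start() for m in hex_pattern_to_regex(pattern).finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def suspicious_injection(buf):
    """Condition of the same shape as the rule: $mz at 0 or any shellcode/API-hash string."""
    hits = scan(buf)
    mz_at_zero = 0 in hits.get("$mz", [])
    others = any(n.startswith("$shellcode") or n == "$api_hash" for n in hits)
    return mz_at_zero or others


# Constructed region: a prologue at offset 0, padding, then push/push/call
SAMPLE = (b"\x55\x8b\xec\x83\xec\x10"
          + b"\x90" * 6
          + b"\x68\x11\x22\x33\x44\x68\x55\x66\x77\x88\xe8\x00\x00\x00\x00"
          + b"\x00" * 16)

if __name__ == "__main__":
    print(scan(SAMPLE), suspicious_injection(SAMPLE))
```

Note how `$mz at 0` is evaluated: the offset is relative to the buffer being scanned, which for `yarascan` is each process region in turn, so the same rule behaves differently against a whole-image scan than against per-VAD scanning.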

### Scanning Memory

```bash
# Scan all process memory (the rules file goes to --yara-file in Volatility 3)
vol -f memory.raw windows.yarascan --yara-file rules.yar

# Scan specific process
vol -f memory.raw windows.yarascan --yara-file rules.yar --pid 1234

# Scan kernel memory
vol -f memory.raw windows.yarascan --yara-file rules.yar --kernel
```

## String Analysis

### Extracting Strings

```bash
# Basic string extraction
strings -a memory.raw > all_strings.txt

# Unicode strings (16-bit little-endian)
strings -el memory.raw >> all_strings.txt

# Targeted extraction from process dump
vol -f memory.raw windows.memmap --pid 1234 --dump
strings -a pid.1234.dmp > process_strings.txt

# Pattern matching (dots escaped so only dotted quads match, not any four digit groups)
grep -E "(https?://|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" all_strings.txt
```
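The `strings` commands above only see 16-bit strings when `-el` is given, and the grep only finds IOC-looking text after extraction. The added example below (not from the page) does both steps in one pass: it carves ASCII and UTF-16LE runs from a constructed buffer, records offset and encoding for each, and applies a URL/IPv4 regex with escaped dots. `extract_strings`, `find_iocs` and the sample bytes are constructed for this example.

```python
"""Carve ASCII and UTF-16LE strings and pick out URL/IPv4-looking values.
Added example: extract_strings, find_iocs and SAMPLE are constructed for this
page; the regexes mirror `strings -a`, `strings -el` and the grep above."""
import re

# Printable ASCII runs (strings -a default minimum of 4) and UTF-16LE runs (strings -el)
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# URL or dotted quad; the dots are escaped so "10a0b0c5" does not match
IOC_RE = re.compile(r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(buf):
    """Return (offset, encoding, text) for every ASCII or UTF-16LE run, in offset order."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(buf)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in UTF16LE_RE.finditer(buf)]
    return sorted(found)


def find_iocs(buf):
    """Apply the URL/IP pattern to each carved string, keeping offset and encoding."""
    iocs = []
    for offset, encoding, text in extract_strings(buf):
        for m in IOC_RE.finditer(text):
            iocs.append((offset, encoding, m.group()))
    return iocs


# Constructed process-dump fragment: PE header text, a UTF-16LE URL, an ASCII IP
SAMPLE = (b"\x00\x01MZ\x90\x00"
          + b"This program cannot be run in DOS mode\x00\x00"
          + "http://203.0.113.7/update.bin".encode("utf-16-le") + b"\x00\x00"
          + b"GET /beacon\x00"
          + b"10.0.0.5\x00"
          + b"\xff\xfeab\x00")

if __name__ == "__main__":
    for offset, encoding, value in find_iocs(SAMPLE):
        print("0x%06x %-8s %s" % (offset, encoding, value))
```

Keeping the offset alongside each hit is what lets a string be traced back to a VAD region or a dumped module later; a flat `all_strings.txt` loses that link.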

### FLOSS for Obfuscated Strings

```bash
# FLOSS extracts obfuscated strings
floss malware.exe > floss_output.txt

# From memory dump
floss pid.1234.dmp
```

## Best Practices

### Acquisition Best Practices

1. Minimize footprint: Use lightweight acquisition tools
2. Document everything: Record time, tool, and hash of capture
3. Verify integrity: Hash memory dump immediately after capture
4. Chain of custody: Maintain proper forensic handling

### Analysis Best Practices

1. Start broad: Get overview before deep diving
2. Cross-reference: Use multiple plugins for same data
3. Timeline correlation: Correlate memory findings with disk/network
4. Document findings: Keep detailed notes and screenshots
5. Validate results: Verify findings through multiple methods

### Common Pitfalls

- Stale data: Memory is volatile, analyze promptly
- Incomplete dumps: Verify dump size matches expected RAM
- Symbol issues: Ensure correct symbol files for OS version
- Smear: Memory may change during acquisition
- Encryption: Some data may be encrypted in memory