Tag: memory

Malware Analysis

Malware Memory Footprint Analysis

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images. VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis. VolDiff can also …

General, Protection, Security

Memory Protection Feature

Data Execution Prevention (DEP) is a memory protection feature available in modern operating systems, including Linux, Mac OS X, iOS, Microsoft Windows and Android. DEP allows memory pages to be marked as non-executable. Its purpose is to prevent the contents of a region of memory from being executed as instructions by a program, service, device driver, …

Auditing, Penetration Testing

Forensic Toolkit for Memory Capturing & Analysis

To analyze a compromised computer or the behavior of malware you will need tools like FTK Imager. You can take a memory dump of the compromised machine, export it to an external storage device, and extract process-related information from the memory snapshot: threads, strings, dependencies and communications. You can also examine Windows operating system files such …

Passwords, Penetration Testing

Dump credentials stored in Memory

The Windows authentication system stores user credentials in memory. Windows caches a user's credentials so she can access, for example, network resources without having to enter her password constantly. There is a tool named Windows Credentials Editor (WCE) from the company Amplia Security that can be used to list logon sessions and add, change, list and delete …

C#

Get total amount of RAM in C#

To get total RAM in C# we are going to use classes from the System.Management namespace and WMI classes.

    // Requires a reference to System.Management.dll and "using System.Management;"
    public static String GetTotalPhysicalMemory()
    {
        ManagementScope ms = new ManagementScope();
        // Capacity is reported in bytes for each installed memory module
        ObjectQuery oq = new ObjectQuery("SELECT Capacity FROM Win32_PhysicalMemory");
        ManagementObjectSearcher mos = new ManagementObjectSearcher(ms, oq);
        ManagementObjectCollection moc = mos.Get();
        // Capacity is a 64-bit value; an int would overflow for modules of 2 GB or more
        ulong amount = 0;
        foreach (ManagementObject mo in moc)
        {
            …