Mandiant lists all open network sockets, including those hidden by rootkits

Mandiant’s Memoryze™ is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and on live systems can include the paging file in its analysis.

Memoryze can:

  • Image the full range of system memory (no reliance on API calls).
  • Image a process' entire address space to disk, including a process' loaded DLLs, EXEs, heaps and stacks.
  • Image a specified driver or all drivers loaded in memory to disk.
  • Enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
    • Report all open handles in a process (including all files, registry keys, etc.).
    • List the virtual address space of a given process, including all loaded DLLs and all allocated portions of the heap and stack.
    • List all network sockets that the process has open, including any hidden by rootkits.
    • Specify the functions imported and exported by the EXE and DLLs.
    • Hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256; disk-based).
    • Verify the digital signatures of the EXEs and DLLs (disk-based).
    • Output all strings in memory on a per-process basis.
  • Identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:
    • Specify the functions the driver imports and exports.
    • Hash the driver (MD5, SHA1, and SHA256; disk-based).
    • Verify the digital signature of the driver (disk-based).
    • Output all strings in memory on a per-driver basis.
  • Report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
  • Identify all loaded kernel modules by walking a linked list. Identify hooks (often used by rootkits) in the system call table, the interrupt descriptor tables (IDTs) and driver function tables.

Memoryze for the Mac can:

  • Image the full range of system memory.
  • Acquire individual process memory regions.
  • Enumerate all running processes (including those hidden by rootkits). For each process, Memoryze for the Mac can:
    • Report all open file handles in a process (including all files, sockets, pipes, etc.).
    • List the virtual address space of a process, including:
      • loaded libraries
      • allocated portions of heap and execution stack
    • List the process' network connections.
  • Enumerate all loaded kernel extensions, including those hidden by rootkits.
  • Enumerate the system call table and mach trap table.
  • Enumerate all running mach tasks.
  • Support ASLR.

Mandiant’s Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.

The utility, called Mandiant Memoryze, was released at this year's Hack in the Box conference in Kuala Lumpur, Malaysia.

Memoryze is a free memory analysis tool that can acquire physical memory from a Windows system and can also perform advanced analysis of live memory while a computer is running. It allows incident responders to quickly identify everything that is running on a computer and filter the output looking for evidence of compromise.

In Mandiant's forensics lab, Butler said, Memoryze is used to find memory-resident-only shellcode that does not exist on disk. "If the attacker is there, Memoryze can pull the malicious code directly from memory, so our malware analysis team can begin the analysis," he added.

Memoryze features include:

  • image the full range of system memory (not reliant on API calls).
  • image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps, and stacks.
  • image a specified driver or all drivers loaded in memory to disk.
  • enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
    • report all open handles in a process (for example, all files, registry keys, etc.).
    • list the virtual address space of a given process including:
      • displaying all loaded DLLs.
      • displaying all allocated portions of the heap and execution stack.
    • list all network sockets that the process has open, including any hidden by rootkits.
    • output all strings in memory on a per process basis.
  • identify all drivers loaded in memory, including those hidden by rootkits.
  • report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
  • identify all loaded kernel modules by walking a linked list.
  • identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).

Mandiant says the tool can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.

Memoryze (free download) supports Windows 2000 Service Pack 4, Windows XP Service Pack 2 and Service Pack 3 (32-bit), and Windows 2003 Service Pack 2 (32-bit).

Which type of strategy hides the most valuable data at the innermost part of the network?

A layered network defense strategy, which sets up layers of protection to hide the most valuable data at the innermost part of the network.

Which one of the following is defined as hiding messages in such a way that only the intended recipient knows the message is there?

Steganography is the technique of hiding secret data within an ordinary, non-secret, file or message in order to avoid detection; the secret data is then extracted at its destination. The use of steganography can be combined with encryption as an extra step for hiding or protecting data.

What is the biggest problem with live acquisitions?

The biggest problem with live acquisitions is the order of volatility: how long a piece of information lasts on a system before it is overwritten or lost, which dictates the sequence in which evidence must be collected during a live acquisition.

What type of attack uses every possible letter, number, and character found on a keyboard when cracking a password?

Brute-force attacks are carried out by hackers who try to crack a password by simply trying out different combinations of characters in quick succession. The algorithm is very simple and is limited to trying out as many character combinations as possible, which is why it is also called "exhaustive search".