book

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

by AAron Walters, Jamie Levy, Andrew Case, Michael Hale Ligh

July 2014

Intermediate to advanced

912 pages

24h 5m

English

Wiley

Read now

Unlock full access

Digital EnvironmentPC ArchitectureOperating SystemsProcess ManagementMemory ManagementFile SystemI/O SubsystemSummary
Basic Data TypesSummary
Why Volatility?What Volatility Is NotInstallationThe FrameworkUsing VolatilitySummary
Preserving the Digital EnvironmentSoftware ToolsMemory Dump FormatsConverting Memory DumpsVolatile Memory on DiskSummary
Windows Executive ObjectsPool-Tag ScanningLimitations of Pool ScanningBig Page PoolPool-Scanning AlternativesSummary
ProcessesProcess TokensPrivilegesProcess HandlesEnumerating Handles in MemorySummary
What’s in Process Memory?Enumerating Process MemorySummary

Process Environment BlockPE Files in MemoryPacking and CompressionCode InjectionSummary
Event Logs in MemoryReal Case ExamplesSummary
Windows Registry AnalysisVolatility’s Registry APIParsing Userassist KeysDetecting Malware with the ShimcacheReconstructing Activities with ShellbagsDumping Password HashesObtaining LSA SecretsSummary
Network ArtifactsHidden ConnectionsRaw Sockets and SniffersNext Generation TCP/IP StackInternet HistoryDNS Cache RecoverySummary
Service ArchitectureInstalling ServicesTricks and StealthInvestigating Service ActivitySummary
Kernel ModulesModules in Memory DumpsThreads in Kernel ModeDriver Objects and IRPsDevice TreesAuditing the SSDTKernel CallbacksKernel TimersPutting It All TogetherSummary
The GUI LandscapeGUI Memory ForensicsThe Session SpaceWindow StationsDesktopsAtoms and Atom TablesWindowsSummary
Window Message HooksUser HandlesEvent HooksWindows ClipboardCase Study: ACCDFISA RansomwareSummary
Master File TableExtracting FilesDefeating TrueCrypt Disk Encryption Summary
StringsCommand HistorySummary
Finding Time in MemoryGenerating TimelinesGh0st in the EnterpriseSummary
Historical Methods of AcquisitionModern AcquisitionVolatility Linux ProfilesSummary
ELF FilesLinux Data StructuresLinux Address Translationprocfs and sysfsCompressed SwapSummary
Processes in MemoryEnumerating ProcessesProcess Address SpaceProcess Environment VariablesOpen File HandlesSaved Context StateBash Memory AnalysisSummary
Network Socket File DescriptorsNetwork ConnectionsQueued Network PacketsNetwork InterfacesThe Route CacheARP CacheSummary
Physical Memory MapsVirtual Memory MapsKernel Debug BufferLoaded Kernel ModulesSummary
Mounted File SystemsListing Files and DirectoriesExtracting File MetadataRecovering File ContentsSummary
Shellcode InjectionProcess HollowingShared Library InjectionLD_PRELOAD RootkitsGOT/PLT OverwritesInline HookingSummary
Accessing Kernel ModeHidden Kernel ModulesHidden ProcessesElevating PrivilegesSystem Call Handler HooksKeyboard NotifiersTTY HandlersNetwork Protocol StructuresNetfilter HooksFile OperationsInline Code HooksSummary
Phalanx2Phalanx2 Memory AnalysisReverse Engineering Phalanx2Final Thoughts on Phalanx2Summary
Mac DesignMemory AcquisitionMac Volatility ProfilesMach-O Executable FormatSummary
Mac versus Linux AnalysisProcess AnalysisAddress Space MappingsNetworking ArtifactsSLAB AllocatorRecovering File Systems from MemoryLoaded Kernel ExtensionsOther Mac PluginsMac Live ForensicsSummary
Userland Rootkit AnalysisKernel Rootkit AnalysisCommon Mac Malware in MemorySummary
Keychain RecoveryMac Application AnalysisSummary

Content preview from The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

Chapter 8 Hunting Malware in Process Memory

The previous chapter introduced you to process memory internals and set the foundations for you to deep dive into analysis. Now you’ll see some specific examples of how you can detect malware that hides in process memory by unlinking dynamic linked libraries (DLLs) or using one of four different methods of injecting code. You’ll also learn the fundamentals of dumping processes, libraries, and kernel modules (any portable executable [PE] files) from memory, including samples that are initially packed or compressed.

Process Environment Block

Every _EPROCESS structure contains a member called the Process Environment Block (PEB). The PEB contains the full path to the process’ executable, the full command line that starts the process, the current working directory, pointers to the process’ heaps, standard handles, and three doubly linked lists that contain the full path to DLLs loaded by the process.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Learn Computer Forensics - Second Edition

Publisher Resources

ISBN: 9781118824993Purchase book Other

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

by AAron Walters, Jamie Levy, Andrew Case, Michael Hale Ligh

Chapter 8 Hunting Malware in Process Memory

Process Environment Block

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Learn Computer Forensics - Second Edition

Windows Security Internals

Digital Forensics Basics: A Practical Guide Using Windows OS

Mastering Linux Security and Hardening - Second Edition

Publisher Resources

Process Environment Block

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Learn Computer Forensics - Second Edition

Windows Security Internals

Digital Forensics Basics: A Practical Guide Using Windows OS

Mastering Linux Security and Hardening - Second Edition

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.