

Thanks for the Memories: Identifying Malware from a Memory Capture
http://www.contextis.com/resources/blog/thanks-memories-identifying-malware-memory-capture/

======
cdnsteve
Great summary, these types of articles always make me want to learn more about
capturing malware. Could you use something like Yara to then write your own
ruleset to identify this?

~~~
moyix
Yep; indeed, Volatility itself has a plugin called `yarascan` that will tell
you about any hits on Yara signatures inside of a memory image.

[https://code.google.com/p/volatility/wiki/CommandReferenceMal23#yarascan](https://code.google.com/p/volatility/wiki/CommandReferenceMal23#yarascan)

Edit: Also, this approach is basically how the Detekt [1] tool works -- it
loads Volatility and scans process memory using its own set of Yara rules.

[1] [https://resistsurveillance.org/](https://resistsurveillance.org/)
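To make concrete what a `yarascan`-style pass over a memory image does, here is an added, self-contained illustration (not Volatility's, Detekt's or the article's code): a cut-down YARA-like matcher that compiles text and hex-with-wildcard strings, applies an "all of them" condition, and reports rule name, string id and image offset for each hit. The image, rule names and marker string are constructed for the example.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Rule:
    """A cut-down YARA rule: named byte patterns plus an 'all of them' condition."""
    name: str
    patterns: dict = field(default_factory=dict)   # $id -> compiled bytes regex

def hex_to_regex(hex_str: str) -> re.Pattern:
    """Turn a YARA hex string such as "4D 5A ?? ?? 50 45" into a bytes regex;
    "??" is a wildcard for exactly one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_str.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def compile_rule(name: str, strings: dict) -> Rule:
    """strings maps $id -> ("text", str) or ("hex", str), like YARA's strings section."""
    rule = Rule(name)
    for ident, (kind, value) in strings.items():
        if kind == "text":
            rule.patterns[ident] = re.compile(re.escape(value.encode()))
        elif kind == "hex":
            rule.patterns[ident] = hex_to_regex(value)
        else:
            raise ValueError(f"unknown string kind {kind!r}")
    return rule

def scan(image: bytes, rules) -> list:
    """Return (rule, $id, offset, matched bytes) for each rule whose every string
    appears at least once in the image; offsets are image-relative, as in yarascan."""
    hits = []
    for rule in rules:
        found = {ident: list(pat.finditer(image)) for ident, pat in rule.patterns.items()}
        if all(found.values()):              # condition: all of them
            for ident, matches in found.items():
                hits.extend((rule.name, ident, m.start(), m.group(0)) for m in matches)
    return sorted(hits, key=lambda h: h[2])

# Constructed stand-in for a memory capture: filler, a PE header fragment, a
# hard-coded marker string, more filler. Not taken from any real sample.
SAMPLE_IMAGE = (b"\x00" * 64 + b"MZ\x90\x00PE\x00\x00" + b"\x00" * 100
                + b"CONSTRUCTED_C2_MARKER" + b"\x00" * 32)

RULES = [
    compile_rule("Constructed_Implant", {          # hypothetical rule name
        "$mz": ("hex", "4D 5A ?? ?? 50 45"),
        "$c2": ("text", "CONSTRUCTED_C2_MARKER"),
    }),
    compile_rule("Never_Matches", {"$x": ("text", "ABSENT")}),   # condition fails
]

if __name__ == "__main__":
    for rule, ident, off, data in scan(SAMPLE_IMAGE, RULES):
        print(f"Rule: {rule}  String: {ident}  Offset: 0x{off:08x}  {data[:16].hex(' ')}")
```

The real plugin walks each process's address space rather than a flat buffer, so its offsets are virtual addresses inside a process, but the matching and reporting logic is the same idea.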

------
netman21
There are commercial solutions that look at memory constantly to identify
malware. ManTech Cyber Solutions International, Inc. (MCSI) is the division the
defense contractor created to house its HBGary division. Guidance Software,
best known for its forensics software, Encase, also does this. But the
underlying technology is also based on HBGary.

------
etep
Where does the memory capture come from?

~~~
chairmankaga
"...the examiner found a hit in C:\Windows\MEMORY.DMP. This file stores debug
information when a system failure occurs."

Seems to be generated on a previous system failure.

~~~
moyix
More generally, the Forensics Wiki has a list of available memory imaging
tools:

[http://www.forensicswiki.org/wiki/Tools:Memory_Imaging](http://www.forensicswiki.org/wiki/Tools:Memory_Imaging)

Anecdotally, I've heard from forensic practitioners that the KnTTools are very
solid (and, importantly, unlikely to crash a running system during
acquisition), but they're not free.

