Tool for analyzing the physical runtime memory of a system
Cerxes
September 28th, 2008, 04:50 AM
I wonder if some knowledgeable members could advise about some behavior-blocker kind of tool that is specifically designed for monitoring and analyzing the physical runtime memory of a system. Please note, I'm not referring to the kind of behavior blockers such as ThreatFire, Mamutu, AntiBot etc. that monitor critical key areas of the filesystem/disk. So I hope you foremost understand the difference, and the intention of my request.
The only web site I could find regarding this kind of tool was this one:
http://www.hbgary.com (http://www.hbgary.com/index.html)
Thanks in advance :).
/C.
MrBrian
September 28th, 2008, 05:24 PM
If you haven't already done so, try a web search for memory forensics.
Searching_ _ _
September 29th, 2008, 01:21 AM
http://mh-nexus.de/en/hxd/
Would you address the process, could you?
This will give you access to your ram. Do you speak Hex?
Cerxes
September 29th, 2008, 06:17 AM
@MrBrian: I've already used those search words in my search for some sort of a security monitor/tool and also found some, but they are very "raw" and not easy to manage.
@Searching: Even if learning hex and assembler was a part of my education, I can't say I'm especially good at it :). No, I'm looking for an easy-to-manage security tool/application such as ThreatFire, but designed for just monitoring the physical memory and nothing else (no filesystem/disk). HxD is a great hex editor, I've used it before, but it doesn't fit, and was never intended as, an easily managed security tool that alerts only on suspicious behavior.
I know now that the title of this thread may be a little bit misleading. It's not a "raw" analysis tool I'm after, it's more of a security monitor/guard, watching for malicious behavior in the physical memory.
/C.
Meriadoc
September 29th, 2008, 06:57 AM
First of all I thought you wanted a memory dumper, which is a very good idea when analysing and looking for malware; there are many - you have already mentioned HBGary. Now I'm a bit unsure what you're looking for, maybe overruns?
Cerxes
September 29th, 2008, 08:04 AM
@Meriadoc: No, it's something like Responder Pro (HBGary) or similar that covers what I'm looking for. Have you tested Responder Pro yourself? How do you rate it? (That is, if you tested it.)
/C.
Meriadoc
September 29th, 2008, 08:55 AM
Not yet but hopefully in the near future I've just got to get back to 'em - but I've been extremely busy at work with a major transformation.
I have an in-house tool but here are some others I've used and looked at, Windows Memory Forensic Toolkit, KNTTools, IDetect amongst others. Debugging tools I use are Syser, Olly and I still use Softice and DriverStudio.
Searching_ _ _
September 29th, 2008, 02:42 PM
Rootrepeal. Though it isn't real-time.
Cerxes
September 29th, 2008, 08:31 PM
@Meriadoc: Thanks, I will check up on both Windows Memory Forensic Toolkit and KNTTools even if they are basically forensic analysis tools and therefore don't quite fit what I'm looking for.
@Searching: One can never have enough ARKs... ;D. Since I'm already using both RKU and OSAM I feel content with those ones, even if I've heard positive reviews about RootRepeal, and it also seems well regarded by EP.
/C.
Meriadoc
February 25th, 2009, 07:31 AM
Responder videos
(http://www.hbgary.com/resources.html)
I couldn't post here (http://www.wilderssecurity.com/showthread.php?t=216295) so...
-{ Quote: "Responder Videos *new*
* Watch: Physical RAM Acquisition and Analysis (watch now)
* Watch: Runtime Analysis of Optix Pro Trojan (watch now)
* Watch: Short demonstration of Responder Field Edition (watch now)
" }-
Molebox vs Responder(rootkitdotcom) (https://www.rootkit.com/blog.php?newsid=946)
PROROOTECT
February 25th, 2009, 09:13 AM
Yes Cerxes, Yes! COMODO MEMORY FIREWALL !
Look: http://www.memoryfirewall.comodo.com/ Very good, but many hooks ... But very good ... but ...:argh:
PROROOTECT
MrBrian
March 3rd, 2009, 09:30 PM
Some tools are mentioned at http://isc.sans.org/diary.html?storyid=5953.
Meriadoc
April 5th, 2009, 06:04 PM
HBGary updated (http://www.hbgary.com/).
BrendanK.
April 5th, 2009, 07:12 PM
Hmm...This product is slightly on the expensive side :-\
$9,000 seems a little much to me.
Oh and if I remember right there was something similar called Mandiant Red Curtain. Search the forums for it there was a discussion on it a while back. I think it's only an on demand though.
Meriadoc
April 6th, 2009, 04:04 AM
-{ Quote: "Hmm...This product is slightly on the expensive side :-\
$9,000 seems a little much to me.
Oh and if I remember right there was something similar called Mandiant Red Curtain. Search the forums for it there was a discussion on it a while back. I think it's only an on demand though." }-
Just a note to say the site's been updated. $9,000 is expensive individually but not so much for a lab or organisation (take off a 0 for the field version.)
- Some nice stuff on there I already use their free tools:thumb: . Mandiant Red Curtain, yes I've used also.
PROROOTECT
April 6th, 2009, 08:39 AM
Attention Meriadoc: your Post #10 with dangerous link: rootkitdotcom!
'Certificate error: the security certificate of this Website has a problem. ... We recommend ... close this webpage and leave this site.'
Hmmm, Meriadoc ...
BrendanK.
April 6th, 2009, 11:09 AM
-{ Quote: "Attention Meriadoc: your Post #10 with dangerous link: rootkitdotcom!
'Certificate error: the security certificate of this Website has a problem. ... We recommend ... close this webpage and leave this site.'
Hmmm, Meriadoc ..." }-
It's safe :)
PROROOTECT
April 6th, 2009, 04:45 PM
Well.
If I click on this link from post 10: rootkitdotcom, I get this IE page:
'Certificate error: the security certificate of this website has a problem.
The security certificate presented by this website was NOT issued by a certification authority approved.
The problems of safety certificate may indicate an attempt at deception of interception of data you send to the server.
We recommend you close this webpage and leave this site.
Click here to close this page.' ...
Look also: http://www.wilderssecurity.com/showthread.php?t=221027
Hmmm, Meriadoc, 333halfevil ... :blink:
Meriadoc
April 6th, 2009, 06:51 PM
Right, it's safe.
Pro, you are probably getting the message because Greg Hoglund - rootkitdotcom, (HBGary and author of ROOTKITS, Subverting the Windows Kernel with Jamie Butler) hasn't purchased one, or there is a problem with the authority, or it is a self-signed certificate.
________________________________
Note on the above site, rootkitdotcom is a clearing house for everything to do with the subject, rootkits...for example you will find discussions and articles, PoC and antirootkits.
JRViejo
April 6th, 2009, 07:10 PM
FYI. You can access that Molebox vs Responder (http://rootkit.com/blog.php?newsid=946) page, plus the aforementioned site, via http.
Meriadoc
April 6th, 2009, 07:18 PM
I was logged in when I took the link.
JRViejo
April 6th, 2009, 08:07 PM
-{ Quote: "I was logged in when I took the link." }-
Ah, that explains the https. Thanks!
PROROOTECT
April 7th, 2009, 06:00 AM
Yes JRViejo, your link 'Molebox vs Responder' works well, Thank You!
And I have nothing against :thumb: Rootkit.com, this site I see very often and it is safe and very interesting, yes!
So, I have the problem of connecting to HTTPS sites.
Is it the problem of my Windows Services or IE Options? Perhaps the 'HTTP SSL' service, which I turned Off long ago? - Now I have put it on Manual (or Automatic) but there is no change with the link from Post 10 ... this service does not want to start when I click on this link.
In 'Seconfig XP' - I checked all.
In IE Options/Content/Certificates/Editor approval - I have nothing in the window. In IE Options/Advanced/HTTP 1.1 settings is checked twice. Lately I have reset IE settings.
Your suggestions are welcome. :thumb:
PROROOTECT
April 7th, 2009, 09:35 AM
... and HTTP links from the GUI of softwares do not work. ???
PROROOTECT
April 7th, 2009, 04:15 PM
... but if I start an instance of IE before pressing the GUI link - it works!
Very strange for me.
Help! SOS!
save our souls ...
*puppy* :shifty:
JRViejo
April 7th, 2009, 04:34 PM
-{ Quote: "So, I have the problem of connecting to HTTPS sites.
Is it the problem of my Windows Services or IE Options? Perhaps the 'HTTP SSL' service, which I turned Off long ago? - Now I have put it on Manual (or Automatic) but there is no change with the link from Post 10 ... this service does not want to start when I click on this link.
In 'Seconfig XP' - I checked all.
In IE Options/Content/Certificates/Editor approval - I have nothing in the window. In IE Options/Advanced/HTTP 1.1 settings is checked twice. Lately I have reset IE settings.
Your suggestions are welcome. :thumb:" }-
PROROOTECT, when I try to access the rootkit.com https link with IE6, I see this:
[attached image 207662]
Do you see that at all? Under Tools > Internet Properties > Advanced tab: under HTTP 1.1 settings, only Use HTTP 1.1 is checked, also under Security, Check for publisher's certificate revocation, Use SSL 2.0 & Use SSL 3.0 and Warn about invalid site certificates are all checked. Perhaps you want to check these settings.
PROROOTECT
April 7th, 2009, 05:23 PM
Hi JRViejo,
Thank you very much for your advice, but the situation has not changed, after checking SSL 2.0 and unchecking TLS 1 ...
The same problems:
Links from GUI = white empty IE page and: 'Connection in progress ...' never stops ...
HTTPS links: 'Certificate error: navigation blocked.' (translation) ...
SOS!
*puppy* ???
JRViejo
April 7th, 2009, 06:26 PM
PROROOTECT, check a couple of things:
Go to My Computer, Tools > Folder Options > File types. Scroll down to the URL:Hypertext Transfer Protocols, click the Advanced button, highlight open in Actions:, click Edit. Make sure the following is in the Application used to perform action box EXACTLY as it appears, including all quote marks and spaces:
"C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe" -nohome
The same applies for URL:Gopher Protocol
DDE should be set to: "%1",,-1,0,,,,
Application should say: IExplore
DDE application not running should be blank
Topic should be: WWW_OpenURL
If that does not do it, what's your IE version?
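The Folder Options walk-through above is a GUI front end for the URL protocol handler keys under HKEY_CLASSES_ROOT. The script below is an added example, not part of the thread or of any product mentioned in it: it reads the http and https handler registrations and compares them with the values JRViejo lists, which is also a quick integrity check because a hijacked URL handler is a classic way for unwanted software to insert itself between the user and the browser. It only reads the registry. The iexplore.exe path is the one from the post and is assumed to match the local install; the ddeexec/Application and ddeexec/Topic subkeys are the registry locations behind the "Application" and "Topic" fields of the dialog.

```powershell
# Added example (not from the thread): compare the http/https URL protocol
# handler registration with the values given in the post above. Read-only.
$expected = @{
    Command     = '"C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe" -nohome'  # assumed install path
    DdeExec     = '"%1",,-1,0,,,,'
    Application = 'IExplore'
    Topic       = 'WWW_OpenURL'
}

function Get-DefaultValue([string]$KeyPath) {
    # Return the (Default) value of a registry key, or $null if the key is missing.
    $item = Get-Item -Path "Registry::$KeyPath" -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.GetValue('')
}

foreach ($proto in 'http', 'https') {
    $base = "HKEY_CLASSES_ROOT\$proto\shell\open"
    $actual = @{
        Command     = Get-DefaultValue "$base\command"
        DdeExec     = Get-DefaultValue "$base\ddeexec"
        Application = Get-DefaultValue "$base\ddeexec\Application"
        Topic       = Get-DefaultValue "$base\ddeexec\Topic"
    }
    foreach ($name in $expected.Keys) {
        # DIFF lines deserve a look: either a non-default but legitimate browser
        # setup, or a handler that has been redirected to something else.
        $status = if ($actual[$name] -eq $expected[$name]) { 'OK  ' } else { 'DIFF' }
        "{0} {1,-5} {2,-11} expected: {3}  actual: {4}" -f $status, $proto, $name, $expected[$name], $actual[$name]
    }
}
```

Run it from an ordinary PowerShell prompt; no elevation is needed to read HKCR. A DIFF on Command that points to an executable outside the browser's install directory is the line worth investigating first.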
PROROOTECT
April 10th, 2009, 12:08 PM
Thank you JRViejo, I have IE7; I do not have this URL option: 'Hypertext Transfer Protocols' - I have: URL: 'Internet short cut'.
In the Registry, I have many IEXPLORE.EXE -nohome:argh: many:argh:
I remember days that a Windows ( or an application like Java?) asked me if I want HTTPS option, and I clicked NO ! But I do not remember, where.:gack:
I must find this in my notebook.
Yes, sure.:dry:
Service: HTTP SSL - does not run if I click on links.
Otherwise, my IE7 is very quick.
Yours PROROOTECT:thumb:
JRViejo
April 10th, 2009, 05:34 PM
PROROOTECT, first, check the Cipher Strength: Help > About Internet Explorer, is it 128-bit? Also, a couple of things to try:
You cannot log in to or connect to secured Web sites in Internet Explorer (http://support.microsoft.com/?kbid=813444) - especially Method 3. If all that fails:
Internet Explorer stops responding, stops working, or restarts (http://support.microsoft.com/gp/pc_ie_intro) - Self Help Guide.
PROROOTECT
April 11th, 2009, 05:20 AM
Hi JRViejo,
I do NOT have the Compatibility button (in the top right corner of the window); but I have the padlock if I click on other HTTPS sites - it's OK! (but the HTTP SSL service does not start automatically ...)
But the link for Molebox ... # Post 10: always this same problem and 3 possibilities:
1. click here to close this Web page,
2. continue ( not recommended),
3. Informations ...
Maybe it's normal ...
I did delete SSL; all .dll successful, OK. (initpki.dll OK after some seconds)
PROROOTECT George. By George!