From https://www.virusbtn.com/conference/vb2014/abstracts/LM5-MacAulay.xml:
1. MProcDetect:
2. The Memory Cruncher:
From the manual:
Downloads: http://blockwatch.ioactive.com/
Different/longer version of slides: hxxp://www.defcon.org/images/defcon-22/dc-22-presentations/Macaulay/DEFCON-22-Shane-Macaulay-Weird-Machine-Motivated-Practical-Page-Table-Shellcode-UPDATED.pdf .
I tried both of these programs in a virtual machine with a memory dump file produced by the free version of MoonSols Windows Memory Toolkit.

MProcDetect (v1.0.5323.27086) output:

Code:
Possible Directory Base Register Value = [00187000] File Offset = [00127000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [0B35B000] File Offset = [0B2FB000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [0B82F000] File Offset = [0B7CF000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [0CE23000] File Offset = [0CDC3000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [0CEC3000] File Offset = [0CE63000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [0DD30000] File Offset = [0DCD0000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [129BE000] File Offset = [1295E000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [141DD000] File Offset = [1417D000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [14C2D000] File Offset = [14BCD000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [15BF8000] File Offset = [15B98000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [17FEA000] File Offset = [17F8A000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [18754000] File Offset = [186F4000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [18849000] File Offset = [187E9000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [1974D000] File Offset = [196ED000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [1A9FD000] File Offset = [1A99D000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [1AA35000] File Offset = [1A9D5000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [1B764000] File Offset = [1B704000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [1BB7C000] File Offset = [1BB1C000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [1C590000] File Offset = [1C530000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [1C6EF000] File Offset = [1C68F000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [1CDDD000] File Offset = [1CD7D000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [1D0D7000] File Offset = [1D077000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [1D158000] File Offset = [1D0F8000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [1D5B2000] File Offset = [1D552000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [1D7EC000] File Offset = [1D78C000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [20E34000] File Offset = [20DD4000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [25583000] File Offset = [25523000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [28848000] File Offset = [287E8000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [2EB40000] File Offset = [2EAE0000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [309B7000] File Offset = [30957000], Diff = [00060000], mode = [2]
30 candiate process page tables

The Memory Cruncher (v0.9.1.55) crashed a few seconds after I clicked the "Generate Archive" button.
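A quick sanity check for a listing like the MProcDetect output above, added here as an example that is not part of this post or of the blockwatch tools: it parses the candidate lines, verifies that each reported Diff really is DBR minus file offset, and flags any candidate whose Diff deviates from the value the rest of the dump shares (every hit in the listing above sits at a constant 0x60000 from its file offset; the fourth sample line below is a constructed outlier).

```python
import re
from collections import Counter

# One candidate line in the format MProcDetect prints (see the output above).
LINE_RE = re.compile(
    r"Possible Directory Base Register Value = \[([0-9A-Fa-f]+)\]\s+"
    r"File Offset = \[([0-9A-Fa-f]+)\],\s+Diff = \[([0-9A-Fa-f]+)\],\s+mode = \[(\d+)\]"
)

# Three lines copied from the post, plus one constructed outlier (last line)
# whose Diff does not match the rest of the dump.
SAMPLE_OUTPUT = """
Possible Directory Base Register Value = [00187000] File Offset = [00127000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [0B35B000] File Offset = [0B2FB000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [0B82F000] File Offset = [0B7CF000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [12345000] File Offset = [12300000], Diff = [00045000], mode = [2]
"""

def parse_candidates(text):
    """Return (dbr, file_offset, diff, mode) tuples with hex fields parsed as ints."""
    return [
        (int(dbr, 16), int(off, 16), int(diff, 16), int(mode))
        for dbr, off, diff, mode in LINE_RE.findall(text)
    ]

def check_candidates(cands, page_size=0x1000):
    """Sanity-check a candidate list.

    arithmetic_ok: every reported Diff equals DBR - FileOffset.
    dominant_diff: the Diff shared by most candidates; in a dump with one fixed
                   physical-to-file offset, genuine hits should all share it.
    outliers:      DBRs whose Diff deviates from the dominant one (worth a manual look).
    unaligned:     DBRs that are not page aligned (a non-PAE CR3 value should be).
    """
    arithmetic_ok = all(dbr - off == diff for dbr, off, diff, _ in cands)
    counts = Counter(diff for _, _, diff, _ in cands)
    dominant_diff = counts.most_common(1)[0][0] if counts else None
    outliers = [dbr for dbr, _, diff, _ in cands if diff != dominant_diff]
    unaligned = [dbr for dbr, _, _, _ in cands if dbr % page_size]
    return {
        "arithmetic_ok": arithmetic_ok,
        "dominant_diff": dominant_diff,
        "outliers": outliers,
        "unaligned": unaligned,
    }

if __name__ == "__main__":
    print(check_candidates(parse_candidates(SAMPLE_OUTPUT)))
```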