Analysis of malware in memory with Mandiant Audit Viewer and Memoryze

Discussion in 'other anti-malware software' started by MrBrian, Mar 3, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Mandiant Audit Viewer and Memoryze can be used to help an analyst find malware in memory, including rootkits. Signatures are not used. An article detailing use of Audit Viewer can be found at http://computer-forensics.sans.org/...sics-howto-memory-analysis-mandiant-memoryze/.

    A nice feature of Audit Viewer is Malware Rating Index, which gives a numerical score to each process based on how suspicious it is.

    Using the option "extract strings" may take a great deal of time, and thus shouldn't be used if not needed.

    These programs work on x64 too, including Windows 7 x64 :).
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I should also mention that Audit Viewer highlights any process in red that has an injected DLL.

    Another nice feature of Audit Viewer is the ability to identify DLL load order attacks.
     
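One way to apply the DLL load order check described above to a per-process module listing of the kind a memory-analysis tool produces, as an added example (Python, not Mandiant's own code); the System32 inventory and the two process listings are constructed for the demonstration:

```python
"""Flag DLL search-order hijack traces in a per-process loaded-module list."""
import ntpath
from typing import Dict, List, Set, Tuple

SYSTEM_DIR = r"C:\Windows\System32"

# Constructed inventory of DLL names that live in System32 on the hypothetical host.
# A real check would build this set from the system directory of the machine examined.
KNOWN_SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "version.dll", "cryptbase.dll", "dwmapi.dll"}


def _under(path: str, directory: str) -> bool:
    """True if path lies inside directory (case-insensitive, Windows path rules)."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory)) + "\\"
    return p.startswith(d)


def find_load_order_anomalies(modules: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """modules: process name -> module paths as the memory tool lists them.
    Returns (process, module, reason) for two traces a search-order hijack leaves:
    a system DLL name resolved outside System32, and one DLL name mapped from
    two different directories inside the same process."""
    findings = []
    for proc, paths in modules.items():
        dirs_by_name: Dict[str, Set[str]] = {}
        for p in paths:
            name = ntpath.basename(p).lower()
            dirs_by_name.setdefault(name, set()).add(ntpath.normcase(ntpath.dirname(p)))
            if name in KNOWN_SYSTEM_DLLS and not _under(p, SYSTEM_DIR):
                findings.append((proc, p, "system DLL name loaded outside System32"))
        for name, dirs in dirs_by_name.items():
            if len(dirs) > 1:
                findings.append((proc, name, "same DLL name loaded from %d directories" % len(dirs)))
    return findings


# Constructed sample listing for two processes; updater.exe picked up a local version.dll.
SAMPLE_MODULES = {
    "explorer.exe": [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\dwmapi.dll"],
    "updater.exe": [r"C:\Windows\System32\ntdll.dll", r"C:\Program Files\Updater\version.dll"],
}

if __name__ == "__main__":
    for finding in find_load_order_anomalies(SAMPLE_MODULES):
        print(*finding)
```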
  3. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    Thanks @MrBrian ... I have been using it for 3 months and it's a really awesome tool, though it sometimes causes my PC to hang :(
     
  4. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet