Tool for analyzing the physical runtime memory of a system

Discussion in 'other anti-malware software' started by Cerxes, Sep 28, 2008.

Thread Status:
Not open for further replies.
  1. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I wonder if some knowledgeable members could advise on some behavior-blocker kind of tool that is specifically designed for monitoring and analyzing the physical runtime memory of a system. Please note, I'm not referring to the kind of behavior blockers such as ThreatFire, Mamutu, AntiBot etc., that monitor critical key areas of the filesystem/disk. So I hope you foremost understand the difference, and the intention of my request.

    The only web site I could find regarding this kind of tool was this one:

    http://www.hbgary.com

    Thanks in advance :).

    /C.
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you haven't already done so, try a web search for memory forensics.
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    http://mh-nexus.de/en/hxd/
    Would you address the process, could you?

    This will give you access to your ram. Do you speak Hex?
     
  4. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    @MrBrian: I've already used those search words in my search for some sort of security monitor/tool and also found some, but they are very "raw" and not easy to manage.

    @Searching: Even if learning hex and assembler was a part of my education, I can't say I'm especially good at it :). No, I'm looking for an easy-to-manage security tool/application such as ThreatFire, but designed for just monitoring the physical memory and nothing else (no filesystem/disk). HxD is a great hex editor, I've used it before, but it doesn't fit, and was never intended as, an easily managed security tool that alerts only on suspicious behavior.

    I know now that the title of this thread is maybe a little bit misleading. It's not a "raw" analysis tool I'm after, it's more of a security monitor/guard, watching for malicious behavior in the physical memory.

    /C.
     
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    First of all I thought you wanted a memory dumper, which is a very good idea when analysing and looking for malware; there are many - you have already mentioned HBGary. Now I'm a bit unsure what you're looking for, maybe overruns?
     
  6. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    @Meriadoc: No, it's something like Responder Pro (HBGary) or similar that covers what I'm looking for. Have you tested Responder Pro yourself? How do you rate it? (That is, if you tested it.)

    /C.
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Not yet, but hopefully in the near future; I've just got to get back to 'em - but I've been extremely busy at work with a major transformation.
    I have an in-house tool, but here are some others I've used and looked at: Windows Memory Forensic Toolkit, KNTTools, IDetect, amongst others. Debugging tools I use are Syser, Olly, and I still use SoftICE and DriverStudio.
     
  8. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    RootRepeal. Though it isn't real-time.
     
  9. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    @Meriadoc: Thanks, I will check out both Windows Memory Forensic Toolkit and KNTTools, even if they are basically forensic analysis tools and therefore don't quite fit what I'm looking for.

    @Searching: One can never have enough ARKs... :D. Since I'm already using both RKU and OSAM I feel content with those ones, even if I've heard positive reviews about RootRepeal, and it also seems well regarded by EP.

    /C.
     
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Responder videos

    I couldn't post here so...

    Molebox vs Responder(rootkitdotcom)
     
  11. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
  14. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    Hmm...This product is slightly on the expensive side :doubt:

    $9,000 seems a little much to me.

    Oh, and if I remember right there was something similar called Mandiant Red Curtain. Search the forums for it; there was a discussion on it a while back. I think it's only on demand, though.
     
  15. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Just a note to say the site's been updated. $9,000 is expensive individually but not so much for a lab or organisation (take off a 0 for the field version).
    - Some nice stuff on there; I already use their free tools :thumb:. Mandiant Red Curtain, yes, I've used that also.
     
  16. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Attention Meriadoc: your Post #10 with dangerous link: rootkitdotcom!

    'Certificate error: the security certificate of this Website has a problem. ... We recommend ... close this webpage and leave this site.'

    Hmmm, Meriadoc ...
     
  17. BrendanK.

    BrendanK. Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    520
    Location:
    Australia
    It's safe :)
     
  18. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Well.

    If I click on this link from post 10: rootkitdotcom, I get this page in IE:

    'Certificate error: the security certificate of this website has a problem.
    The security certificate presented by this website was NOT issued by a certification authority approved.
    The problems of safety certificate may indicate an attempt at deception of interception of data you send to the server.
    We recommend you close this webpage and leave this site.
    Click here to close this page.' ...


    Look also: https://www.wilderssecurity.com/showthread.php?t=221027

    Hmmm, Meriadoc, 333halfevil ... :blink:
     
  19. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Right, it's safe.

    Pro, you are probably getting the message because Greg Hoglund - rootkitdotcom, (HBGary and author of ROOTKITS: Subverting the Windows Kernel, with Jamie Butler) hasn't purchased one, or there's a problem with the authority, or it's a self-signed certificate.

    ________________________________

    Note on the above site: rootkitdotcom is a clearing house for everything to do with the subject, rootkits... for example, you will find discussions and articles, PoCs and anti-rootkits.
     
    Last edited: Apr 6, 2009
  20. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,979
    Location:
    U.S.A.
  21. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I was logged in when I took the link.
     
  22. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,979
    Location:
    U.S.A.
    Ah, that explains the https. Thanks!
     
  23. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Yes JRViejo, your link 'Molebox vs Responder' works well, Thank You!

    And I have nothing against :thumb: Rootkit.com; this site I see very often, and it is safe and very interesting, yes!

    So, I have the problem of connecting to HTTPS sites.

    Is it a problem with my Windows Services or IE Options? Perhaps the 'HTTP SSL' service, which I turned off long ago? Now I have put it in Manual (or Automatic), but there is no change with the link from Post 10 ... this service does not want to start when I click on this link.

    In 'Seconfig XP' - I checked all.

    In IE Options/Content/Certificates/Editor approval - I have nothing in the window. In IE Options/Advanced/HTTP 1.1 settings is checked twice. Lately I have reset IE settings.

    Your suggestions are welcome. :thumb:
     
  24. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    ... and HTTP links from the GUI of software do not work. o_O
     
  25. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    ... but if I start an instance of IE before pressing the GUI link, it works!

    Very strange for me.

    Help! SOS!

    save our souls ...


    *puppy* :shifty:
     