memtriage v0.3-alpha: quickly query a Windows machine for RAM artifacts
Allows you to quickly query a live Windows machine for RAM artifacts
- Doesn’t work with Device Guard enabled.
- Should be tested on machines before deploying.
The following are currently supported:
Changelog v0.3 alpha
- minor bug fixes
- updated Windows 10 profiles
- support for Windows 10 memory compression
No Need to Specify Profiles
Memtriage will attempt to figure out the profile automatically and run with the appropriate settings. If there is not an exact match, Memtriage will attempt to use the closest named profile available. Therefore, there is a possibility that object definitions won't line up exactly (process names, etc.), which you may also see when running Volatility with an incorrect profile. Profiles can be added to the Volatility code, and the executable can be recompiled with pyinstaller.
Loading and Unloading the Driver
memtriage.exe will attempt to load the driver when it first runs, and unload it when it exits. You may however load and unload the driver manually with the --load and --unload options. You may also request that the driver remain loaded after plugins have finished running with the --leave option.
> memtriage.exe --leave --plugins=dumpfiles --dumpdir=outdir --physoffset=1066160184 --keepname
The default service name that is created is pmem. You may specify a different service name with the --service= option. You must then use this same --service= option for future invocations if you leave the driver loaded. Example:
> memtriage.exe --leave --service=somename --plugins=dlllist --pid=2924
[snip]
> memtriage.exe --unload --service=somename
You may run several plugins at a time by specifying them as a comma-delimited list with the --plugins= option. Example:
> memtriage.exe --plugins=pslist,handles,dlllist
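The leave/unload workflow above, as an added PowerShell wrapper that is not part of memtriage itself: it runs several plugin sets under one driver service name, writes each run to a timestamped file, and unloads the driver in a finally block so a failed plugin run does not leave it resident. The service name, output directory and plugin sets are assumptions chosen for the example.

```powershell
# Added example, not memtriage's own code. Runs memtriage plugin sets on the
# live host with a custom driver service name, keeping the driver loaded
# between runs (--leave) and always unloading it at the end.
param(
    [string]$MemtriageExe = ".\memtriage.exe",      # assumed location
    [string]$ServiceName  = "triage$PID",           # assumed: unique per run
    [string]$OutDir       = ".\memtriage-out",      # assumed output directory
    [string[]]$PluginSets = @("pslist,psscan", "handles", "dlllist")
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"

try {
    foreach ($set in $PluginSets) {
        $name    = $set -replace ',', '_'
        $outFile = Join-Path $OutDir "$stamp-$name.txt"

        # The first run loads the driver under $ServiceName; because --leave is
        # given, every later run must pass the same --service= value.
        & $MemtriageExe --leave --service=$ServiceName --plugins=$set 2>&1 |
            Out-File -FilePath $outFile -Encoding utf8

        if ($LASTEXITCODE -ne 0) {
            Write-Warning "plugin set '$set' exited with $LASTEXITCODE; continuing"
        }
    }
}
finally {
    # Without this the driver stays resident under $ServiceName and has to be
    # removed by hand with: memtriage.exe --unload --service=<name>
    & $MemtriageExe --unload --service=$ServiceName
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "driver unload failed (exit $LASTEXITCODE); check service '$ServiceName'"
    }

    # Hash manifest of the collected output, so the evidence can be verified later.
    Get-ChildItem $OutDir -Filter "$stamp-*.txt" | ForEach-Object {
        "{0}  {1}" -f (Get-FileHash $_.FullName -Algorithm SHA256).Hash, $_.Name
    } | Set-Content (Join-Path $OutDir "$stamp-SHA256SUMS.txt")
}
```

Run it from an elevated PowerShell prompt on a machine where memtriage has already been tested, since the driver load requires administrative rights.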
Other options will be used for the appropriate plugin. Example: