
Cool New Tool: Memoryze - What’s in YOUR memory?!

Posted by Paul Roberts on October 29th, 2008 under Breaches, Malware, Penetration Testing.

A reporter sent us a note the other day looking for insight on some of the free vulnerability assessment tools that were available. As I searched around to make sure I’d accounted for all (or most) of what was freely available, I was struck by how many good security and forensic tools and utilities are offered for free online, or at least as limited trial editions. Everybody knows about big projects like Metasploit and Snort, or Microsoft’s Baseline Security Analyzer, but there’s much more out there if you just dig around, especially if you’re willing to entertain “try then buy” offers rather than limiting yourself to flat-out free stuff.

With that in mind, we were contacted by none other than Jamie Butler, an esteemed security expert who now works for security consulting firm Mandiant. Jamie, along with his friend and sometimes co-author Greg Hoglund, is an Obi-Wan Kenobi of rootkits and other stealthy malware. Jamie wanted to tell us about a new tool, dubbed Memoryze, that Mandiant has released in a free version. What does it do? At a high level, Memoryze is a forensic memory analysis tool that allows users to interrogate live system memory on a host, or a saved memory image, to determine exactly what is running in memory, including processes that might be hidden by rootkit technology, as well as DLLs, executable files, registry keys, and so on. The program can list the network sockets that a process running in memory has open — again, including those hidden by rootkits — as well as the modules loaded in the OS kernel.

“This tool is extremely powerful,” Butler said.

What are the applications? Where to start — the most obvious application for Memoryze is as a strict forensic analysis tool: you can use it to pick over a saved image of physical memory. But Mandiant points out that it’s also useful as an incident response tool, to help understand what processes and drivers are (or are not) running on a host that may have been compromised. As an example, Memoryze’s forensic capabilities have uncovered the shellcode that Metasploit and Immunity’s Canvas inject into processes, Butler said. It can also be used as a reverse engineering tool — defeating anti-reverse-engineering techniques to capture and reconstitute an image of a process or driver from physical memory that can then be plugged into IDA Pro or whatever happens to be the researcher’s favorite disassembler/debugger.

Yes, yes. This is a freebie that’s designed to steer you towards a premium product — in this case, Mandiant’s Intelligent Response product, which encapsulates almost all of the Memoryze functionality. But Butler said it’s a robust product in its own right, with the ability to write custom filters that look for evidence of compromise using XPath filters. Check it out!
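To make the XPath-filter idea concrete, here is an added example (not Memoryze’s or Mandiant’s code) that runs two filters over a constructed process audit in XML and flags the process that matches both: hidden from the OS process list and holding an open socket. The element names (ProcessItem, hidden, PortList/PortItem) are an assumption for this example, not Memoryze’s real output schema, and the filters use the XPath subset that Python’s ElementTree supports.

```python
# Added example, not Memoryze's own code. The XML schema below is an
# assumption constructed for this illustration, not Memoryze's real format.
import xml.etree.ElementTree as ET

# Constructed sample audit: three processes, one of which the OS process
# list did not show (hidden=true) and which holds an open TCP socket.
SAMPLE_AUDIT = """<?xml version="1.0"?>
<ProcessList>
  <ProcessItem>
    <name>explorer.exe</name><pid>1204</pid><hidden>false</hidden>
    <PortList/>
  </ProcessItem>
  <ProcessItem>
    <name>svchost.exe</name><pid>860</pid><hidden>false</hidden>
    <PortList><PortItem><localPort>135</localPort><protocol>TCP</protocol></PortItem></PortList>
  </ProcessItem>
  <ProcessItem>
    <name>svch0st.exe</name><pid>2316</pid><hidden>true</hidden>
    <PortList><PortItem><localPort>4444</localPort><protocol>TCP</protocol></PortItem></PortList>
  </ProcessItem>
</ProcessList>
"""

# Evidence-of-compromise filters, written in the XPath subset ElementTree
# understands ([tag='text'] and [tag] predicates, '..' for the parent).
FILTERS = {
    # process carved from memory but absent from the OS's own process list
    "hidden_process": ".//ProcessItem[hidden='true']",
    # process with at least one open port; '..' steps back up to ProcessItem
    "has_open_port": ".//ProcessItem/PortList[PortItem]/..",
}

def run_filters(xml_text, filters=FILTERS):
    """Return {filter_name: [(name, pid), ...]} in document order."""
    root = ET.fromstring(xml_text)
    hits = {}
    for fname, xpath in filters.items():
        hits[fname] = [(p.findtext("name"), int(p.findtext("pid")))
                       for p in root.findall(xpath)]
    return hits

def suspicious(xml_text):
    """Processes matching every filter: hidden AND holding a socket."""
    sets = [set(v) for v in run_filters(xml_text).values()]
    return sorted(set.intersection(*sets)) if sets else []

if __name__ == "__main__":
    for fname, procs in run_filters(SAMPLE_AUDIT).items():
        print(fname, procs)
    print("suspicious:", suspicious(SAMPLE_AUDIT))
```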

Comments

Pingback from Zero Day mobile edition
Time: 10 November 2008, 1:58 pm

[...] 2 and Service Pack 3 (32-bit), and Windows 2003 Service Pack 2 (32-bit). See more on the tool from Paul Roberts and John Sawyer. posted by Ryan Naraine November 10, 2008 @ 10:58 [...]
