[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-892c0820-3692-4a69-800c-a6d29bd6c07c":3,"$feahgF9MuTGyRNA2cRiagpK1IJfuo8ymzFwo6aYsgai4":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"892c0820-3692-4a69-800c-a6d29bd6c07c","memory-forensics","Comprehensive techniques for acquiring, analyzing, and extracting evidence from memory dumps, for incident response and malware analysis.","cat_life_career","mod_other","sickn33,other","---\nname: memory-forensics\ndescription: \"Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.\"\nrisk: unknown\nsource: community\ndate_added: \"2026-02-27\"\n---\n\n# Memory Forensics\n\nComprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.\n\n## Use this skill when\n\n- Working on memory forensics tasks or workflows\n- Needing guidance, best practices, or checklists for memory forensics\n\n## Do not use this skill when\n\n- The task is unrelated to memory forensics\n- You need a different domain or tool outside this scope\n\n## Instructions\n\n- Clarify goals, constraints, and required inputs.\n- Apply relevant best practices and validate outcomes.\n- Provide actionable steps and verification.\n- If detailed examples are required, open `resources\u002Fimplementation-playbook.md`.\n\n## Memory Acquisition\n\n### Live Acquisition Tools\n\n#### Windows\n```powershell\n# WinPmem (Recommended)\nwinpmem_mini_x64.exe memory.raw\n\n# DumpIt\nDumpIt.exe\n\n# Belkasoft RAM Capturer\n# GUI-based, outputs raw format\n\n# Magnet RAM Capture\n# GUI-based, outputs raw format\n```\n\n#### Linux\n```bash\n# LiME (Linux Memory Extractor)\nsudo insmod lime.ko \"path=\u002Ftmp\u002Fmemory.lime format=lime\"\n\n# \u002Fdev\u002Fmem (limited, requires permissions)\nsudo dd 
if=\u002Fdev\u002Fmem of=memory.raw bs=1M\n\n# \u002Fproc\u002Fkcore (ELF format)\nsudo cp \u002Fproc\u002Fkcore memory.elf\n```\n\n#### macOS\n```bash\n# osxpmem\nsudo .\u002Fosxpmem -o memory.raw\n\n# MacQuisition (commercial)\n```\n\n### Virtual Machine Memory\n\n```bash\n# VMware: .vmem file is raw memory\ncp vm.vmem memory.raw\n\n# VirtualBox: Use debug console\nvboxmanage debugvm \"VMName\" dumpvmcore --filename memory.elf\n\n# QEMU\nvirsh dump \u003Cdomain> memory.raw --memory-only\n\n# Hyper-V\n# Checkpoint contains memory state\n```\n\n## Volatility 3 Framework\n\n### Installation and Setup\n\n```bash\n# Install Volatility 3\npip install volatility3\n\n# Install symbol tables (Windows)\n# Download from https:\u002F\u002Fdownloads.volatilityfoundation.org\u002Fvolatility3\u002Fsymbols\u002F\n\n# Basic usage\nvol -f memory.raw \u003Cplugin>\n\n# With symbol path\nvol -f memory.raw -s \u002Fpath\u002Fto\u002Fsymbols windows.pslist\n```\n\n### Essential Plugins\n\n#### Process Analysis\n```bash\n# List processes\nvol -f memory.raw windows.pslist\n\n# Process tree (parent-child relationships)\nvol -f memory.raw windows.pstree\n\n# Hidden process detection\nvol -f memory.raw windows.psscan\n\n# Process memory dumps\nvol -f memory.raw windows.memmap --pid \u003CPID> --dump\n\n# Process environment variables\nvol -f memory.raw windows.envars --pid \u003CPID>\n\n# Command line arguments\nvol -f memory.raw windows.cmdline\n```\n\n#### Network Analysis\n```bash\n# Network connections\nvol -f memory.raw windows.netscan\n\n# Network connection state\nvol -f memory.raw windows.netstat\n```\n\n#### DLL and Module Analysis\n```bash\n# Loaded DLLs per process\nvol -f memory.raw windows.dlllist --pid \u003CPID>\n\n# Find hidden\u002Finjected DLLs\nvol -f memory.raw windows.ldrmodules\n\n# Kernel modules\nvol -f memory.raw windows.modules\n\n# Module dumps\nvol -f memory.raw windows.moddump --pid \u003CPID>\n```\n\n#### Memory Injection Detection\n```bash\n# Detect code 
injection\nvol -f memory.raw windows.malfind\n\n# VAD (Virtual Address Descriptor) analysis\nvol -f memory.raw windows.vadinfo --pid \u003CPID>\n\n# Dump suspicious memory regions\nvol -f memory.raw windows.vadyarascan --yara-rules rules.yar\n```\n\n#### Registry Analysis\n```bash\n# List registry hives\nvol -f memory.raw windows.registry.hivelist\n\n# Print registry key\nvol -f memory.raw windows.registry.printkey --key \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\n\n# Dump registry hive\nvol -f memory.raw windows.registry.hivescan --dump\n```\n\n#### File System Artifacts\n```bash\n# Scan for file objects\nvol -f memory.raw windows.filescan\n\n# Dump files from memory\nvol -f memory.raw windows.dumpfiles --pid \u003CPID>\n\n# MFT analysis\nvol -f memory.raw windows.mftscan\n```\n\n### Linux Analysis\n\n```bash\n# Process listing\nvol -f memory.raw linux.pslist\n\n# Process tree\nvol -f memory.raw linux.pstree\n\n# Bash history\nvol -f memory.raw linux.bash\n\n# Network connections\nvol -f memory.raw linux.sockstat\n\n# Loaded kernel modules\nvol -f memory.raw linux.lsmod\n\n# Mount points\nvol -f memory.raw linux.mount\n\n# Environment variables\nvol -f memory.raw linux.envars\n```\n\n### macOS Analysis\n\n```bash\n# Process listing\nvol -f memory.raw mac.pslist\n\n# Process tree\nvol -f memory.raw mac.pstree\n\n# Network connections\nvol -f memory.raw mac.netstat\n\n# Kernel extensions\nvol -f memory.raw mac.lsmod\n```\n\n## Analysis Workflows\n\n### Malware Analysis Workflow\n\n```bash\n# 1. Initial process survey\nvol -f memory.raw windows.pstree > processes.txt\nvol -f memory.raw windows.pslist > pslist.txt\n\n# 2. Network connections\nvol -f memory.raw windows.netscan > network.txt\n\n# 3. Detect injection\nvol -f memory.raw windows.malfind > malfind.txt\n\n# 4. Analyze suspicious processes\nvol -f memory.raw windows.dlllist --pid \u003CPID>\nvol -f memory.raw windows.handles --pid \u003CPID>\n\n# 5. 
Dump suspicious executables\nvol -f memory.raw windows.pslist --pid \u003CPID> --dump\n\n# 6. Extract strings from dumps\nstrings -a pid.\u003CPID>.exe > strings.txt\n\n# 7. YARA scanning\nvol -f memory.raw windows.yarascan --yara-rules malware.yar\n```\n\n### Incident Response Workflow\n\n```bash\n# 1. Timeline of events\nvol -f memory.raw windows.timeliner > timeline.csv\n\n# 2. User activity\nvol -f memory.raw windows.cmdline\nvol -f memory.raw windows.consoles\n\n# 3. Persistence mechanisms\nvol -f memory.raw windows.registry.printkey \\\n    --key \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\n\n# 4. Services\nvol -f memory.raw windows.svcscan\n\n# 5. Scheduled tasks\nvol -f memory.raw windows.scheduled_tasks\n\n# 6. Recent files\nvol -f memory.raw windows.filescan | grep -i \"recent\"\n```\n\n## Data Structures\n\n### Windows Process Structures\n\n```c\n\u002F\u002F EPROCESS (Executive Process)\ntypedef struct _EPROCESS {\n    KPROCESS Pcb;                    \u002F\u002F Kernel process block\n    EX_PUSH_LOCK ProcessLock;\n    LARGE_INTEGER CreateTime;\n    LARGE_INTEGER ExitTime;\n    \u002F\u002F ...\n    LIST_ENTRY ActiveProcessLinks;   \u002F\u002F Doubly-linked list\n    ULONG_PTR UniqueProcessId;       \u002F\u002F PID\n    \u002F\u002F ...\n    PEB* Peb;                        \u002F\u002F Process Environment Block\n    \u002F\u002F ...\n} EPROCESS;\n\n\u002F\u002F PEB (Process Environment Block)\ntypedef struct _PEB {\n    BOOLEAN InheritedAddressSpace;\n    BOOLEAN ReadImageFileExecOptions;\n    BOOLEAN BeingDebugged;           \u002F\u002F Anti-debug check\n    \u002F\u002F ...\n    PVOID ImageBaseAddress;          \u002F\u002F Base address of executable\n    PPEB_LDR_DATA Ldr;              \u002F\u002F Loader data (DLL list)\n    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;\n    \u002F\u002F ...\n} PEB;\n```\n\n### VAD (Virtual Address Descriptor)\n\n```c\ntypedef struct _MMVAD {\n    MMVAD_SHORT Core;\n    union {\n        ULONG 
LongFlags;\n        MMVAD_FLAGS VadFlags;\n    } u;\n    \u002F\u002F ...\n    PVOID FirstPrototypePte;\n    PVOID LastContiguousPte;\n    \u002F\u002F ...\n    PFILE_OBJECT FileObject;\n} MMVAD;\n\n\u002F\u002F Memory protection flags\n#define PAGE_EXECUTE           0x10\n#define PAGE_EXECUTE_READ      0x20\n#define PAGE_EXECUTE_READWRITE 0x40\n#define PAGE_EXECUTE_WRITECOPY 0x80\n```\n\n## Detection Patterns\n\n### Process Injection Indicators\n\n```python\n# Malfind indicators\n# - PAGE_EXECUTE_READWRITE protection (suspicious)\n# - MZ header in non-image VAD region\n# - Shellcode patterns at allocation start\n\n# Common injection techniques\n# 1. Classic DLL Injection\n#    - VirtualAllocEx + WriteProcessMemory + CreateRemoteThread\n\n# 2. Process Hollowing\n#    - CreateProcess (SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory\n\n# 3. APC Injection\n#    - QueueUserAPC targeting alertable threads\n\n# 4. Thread Execution Hijacking\n#    - SuspendThread + SetThreadContext + ResumeThread\n```\n\n### Rootkit Detection\n\n```bash\n# Compare process lists\nvol -f memory.raw windows.pslist > pslist.txt\nvol -f memory.raw windows.psscan > psscan.txt\ndiff pslist.txt psscan.txt  # Hidden processes\n\n# Check for DKOM (Direct Kernel Object Manipulation)\nvol -f memory.raw windows.callbacks\n\n# Detect hooked functions\nvol -f memory.raw windows.ssdt  # System Service Descriptor Table\n\n# Driver analysis\nvol -f memory.raw windows.driverscan\nvol -f memory.raw windows.driverirp\n```\n\n### Credential Extraction\n\n```bash\n# Dump hashes (requires hivelist first)\nvol -f memory.raw windows.hashdump\n\n# LSA secrets\nvol -f memory.raw windows.lsadump\n\n# Cached domain credentials\nvol -f memory.raw windows.cachedump\n\n# Mimikatz-style extraction\n# Requires specific plugins\u002Ftools\n```\n\n## YARA Integration\n\n### Writing Memory YARA Rules\n\n```yara\nrule Suspicious_Injection\n{\n    meta:\n        description = \"Detects common injection shellcode\"\n\n    
strings:\n        \u002F\u002F Common shellcode patterns\n        $mz = { 4D 5A }\n        $shellcode1 = { 55 8B EC 83 EC }  \u002F\u002F Function prologue\n        $api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }  \u002F\u002F Push hash, call\n\n    condition:\n        \u002F\u002F Every declared string must be referenced here; YARA rejects rules with unreferenced strings\n        $mz at 0 or any of ($shellcode*, $api_hash)\n}\n\nrule Cobalt_Strike_Beacon\n{\n    meta:\n        description = \"Detects Cobalt Strike beacon in memory\"\n\n    strings:\n        $config = { 00 01 00 01 00 02 }\n        $sleep = \"sleeptime\"\n        $beacon = \"%s (admin)\" wide\n\n    condition:\n        2 of them\n}\n```\n\n### Scanning Memory\n\n```bash\n# Scan all process memory\nvol -f memory.raw windows.yarascan --yara-rules rules.yar\n\n# Scan specific process\nvol -f memory.raw windows.yarascan --yara-rules rules.yar --pid 1234\n\n# Scan kernel memory\nvol -f memory.raw windows.yarascan --yara-rules rules.yar --kernel\n```\n\n## String Analysis\n\n### Extracting Strings\n\n```bash\n# Basic string extraction\nstrings -a memory.raw > all_strings.txt\n\n# Unicode strings\nstrings -el memory.raw >> all_strings.txt\n\n# Targeted extraction from process dump\nvol -f memory.raw windows.memmap --pid 1234 --dump\nstrings -a pid.1234.dmp > process_strings.txt\n\n# Pattern matching\ngrep -E \"(https?:\u002F\u002F|[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})\" all_strings.txt\n```\n\n### FLOSS for Obfuscated Strings\n\n```bash\n# FLOSS extracts obfuscated strings\nfloss malware.exe > floss_output.txt\n\n# From memory dump\nfloss pid.1234.dmp\n```\n\n## Best Practices\n\n### Acquisition Best Practices\n\n1. **Minimize footprint**: Use lightweight acquisition tools\n2. **Document everything**: Record time, tool, and hash of capture\n3. **Verify integrity**: Hash memory dump immediately after capture\n4. **Chain of custody**: Maintain proper forensic handling\n\n### Analysis Best Practices\n\n1. **Start broad**: Get overview before deep diving\n2. **Cross-reference**: Use multiple plugins for same data\n3. 
**Timeline correlation**: Correlate memory findings with disk\u002Fnetwork\n4. **Document findings**: Keep detailed notes and screenshots\n5. **Validate results**: Verify findings through multiple methods\n\n### Common Pitfalls\n\n- **Stale data**: Memory is volatile; analyze promptly\n- **Incomplete dumps**: Verify dump size matches expected RAM\n- **Symbol issues**: Ensure correct symbol files for OS version\n- **Smear**: Memory may change during acquisition\n- **Encryption**: Some data may be encrypted in memory\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,57,1007,"2026-05-16 13:28:25",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"Other","other","mdi-page-next-outline","Other types of skills",5,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"Career development","career","mdi-briefcase-outline","Interview preparation, résumé optimization, career planning",4,575,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"235982c3-cca9-437b-92a9-93cde8937365","1.0.0","memory-forensics.zip",4234,"uploads\u002Fskills\u002F892c0820-3692-4a69-800c-a6d29bd6c07c\u002Fmemory-forensics.zip","e0667963d3a8df1833d2ab08cfca099cc6e590594c599cbcf191a412b6c94085","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":11309}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]