Memory Forensics

The document discusses memory forensic analysis, focusing on techniques for examining RAM to detect malware and suspicious processes using tools like Volatility. It explains the structures involved in memory analysis, such as KDBG and EPROCESS, and details various plugins that help identify rogue processes, DLLs, and console activity. The article emphasizes the importance of analyzing volatile data for effective malware detection and provides insights into the memory analysis process and relevant tools.

Investigating Memory Forensic -Processes, DLLs, Consoles, Process Memory and Networking... https://alpbatursahin.medium.com/investigating-memory-forensic-processes-dlls-consoles-pro...

Investigating Memory Forensic - Processes, DLLs, Consoles, Process Memory and Networking

Alp Batur
15 min read · Jun 11, 2023

Memory analysis is a useful technique in malware analysis. The process of examining the affected computer with various tools after an image of the current RAM contents has been taken is called memory analysis. The obtained memory image can be analyzed using tools such as Memoryze and Volatility. The analyses in this article will be performed using the Volatility tool, which is written in Python.


RAM, Volatile Data and Advantages of Memory Analysis

RAM is the component that takes on the role of short-term memory in the computer; it is usually the main memory or primary storage. It serves as the workspace for loading, displaying and routing applications and data. Everything from files to network connections to registry hives to running malware is available there for analysis.

Data stored in cache or RAM is called volatile data. Volatile data is not permanent and is lost when power is lost, so it should be collected immediately. Compared with other analysis methods, memory analysis has several advantages: it is the most appropriate technique for detecting harmful activity on the system, for analyzing and tracking the system's current activity, and for collecting evidence that cannot be obtained with other analysis methods. In addition, it is the most suitable method for examining advanced (fileless) malware that executes without writing to disk.


Structure of KDBG

The KDBG is a structure maintained by the Windows kernel for debugging purposes. It contains a list of the running processes and loaded kernel modules. The KDBG structure holds a pointer to the EPROCESS list. Each Windows process is represented by an executive process structure called _EPROCESS. The pointer to the EPROCESS structure of the System process is stored in nt!PsInitialSystemProcess, and that of the System Idle process is stored in nt!PsIdleProcess.

The Process Environment Block (PEB) is one of the structures that EPROCESS points to. The PEB contains much process-related information, such as the image name, loaded modules (DLLs), image file path and the command line parameters passed to the process. Besides the PEB, the EPROCESS structure also contains handles, access tokens, threads and the VAD tree.

Another structure in the EPROCESS data structure that we frequently use in our analyses to examine active processes is ActiveProcessLinks. ActiveProcessLinks is a LIST_ENTRY structure forming a circular doubly linked list, each node pointing to the ActiveProcessLinks entry in the EPROCESS of another process. This structure connects all processes running in memory. The pslist plugin we use to list the processes in memory walks the list linked by ActiveProcessLinks and pointed to by PsActiveProcessHead. If attackers unlink their malicious processes from this doubly linked list, those processes cannot be seen via the pslist plugin.

Memory Analysis Process

In this article, memory analysis was performed using Volatility.

Where do I start?

In order to detect the first anomaly in the image, we can start by analyzing the processes, which are the most important objects in memory. Once a suspicious process is detected, we can determine our analysis plan and look for other suspicious artifacts.

Identify the Context of an Image using KDBG

In order to make the memory image we have meaningful, we need to define its context. Many tools use KDBG structures to identify the context of Windows memory images. The imageinfo plugin in Volatility searches the memory image for the KDBG signature. The signature found may not be specific to a single OS version, in which case we see several profiles in the output. If there are many profiles compatible with our image after the KDBG scan, we should focus on the profile that gives meaningful output when the pslist plugin is run with each profile in the list. If the KDBG hit is a false positive, the number of processes and modules will be zero, compared to a reasonable number for a true KDBG.

Usage of imageinfo Plugin

In addition to the imageinfo plugin, there is another plugin called kdbgscan that we will use. The kdbgscan plugin gives sharper results than imageinfo. It scans for the KDBGHeader signatures linked to Volatility profiles and applies sanity checks to reduce false positives.

In cases where pslist shows no processes on a memory image that we believe comes from a specific operating system (pslist walks the process list header of the first KDBG found in memory), the profile obtained with the imageinfo plugin can be cross-checked using the kdbgscan plugin.

After choosing the most suitable profile for the image we have, we can start
the analysis.

Ways to find Rogue/Suspicious Processes and DLLs in Memory

We can use the pslist, psscan, pstree and psxview plugins in Volatility to list the processes in the image. We may observe differences between the outputs, as each plugin analyzes different structures.

pslist : It is used to list the processes in the image we have obtained. This plugin walks the linked list that is pointed to by PsActiveProcessHead and linked by ActiveProcessLinks. It shows the offset of each process structure, the process name, the process ID, the parent process ID, the thread count, the handle count, and the start and exit date/time.


Usage of pslist Plugin

As mentioned above, Windows uses the doubly linked list in the EPROCESS structure to track all active processes. This field, called ActiveProcessLinks, contains the flink and blink pointers. The Flink (forward link) points to the _LIST_ENTRY of the next _EPROCESS structure, and the Blink (backward link) points to the _LIST_ENTRY of the previous _EPROCESS structure.

Attackers can remove running processes from the ActiveProcessLinks list in order to hide malicious processes. For example, rootkits often monitor new processes created on the system using the PsSetCreateProcessNotifyRoutine API. When a new process is created, the rootkit checks whether its path is included in its list, then points the neighbouring entries' flink and blink past the process and removes it from ActiveProcessLinks. Once removed from ActiveProcessLinks, the process is not shown in programs such as Task Manager, and it is not included in the output of the pslist plugin in Volatility.

Structure of Flink/Blink

pstree : It is used to visualize processes in tree form. Because it uses the same technique as pslist, it does not show hidden or unlinked processes.


Usage of pstree Plugin

psscan : The psscan plugin does not trust the linked list (ActiveProcessLinks) of processes. Instead, it searches memory heuristically for EPROCESS structures that represent processes. Using pool tag scanning, psscan can find processes that are hidden by malware as well as terminated processes. Pool tag scanning was originally used for discovering structures associated with processes and threads, but is now widely used to target many kinds of data structures. It is particularly effective in detecting direct kernel object manipulation (DKOM), which is commonly used by malware to hide processes by removing references to the _EPROCESS allocation from other data structures.


psxview : The EPROCESS kernel structure is not the only (kernel) object that holds information about processes running on the system. By the nature of the Windows OS, this information is maintained in several other locations. Psxview is a plugin designed for this reason and provides detailed information about running processes. In addition to listing running processes, it collects data from the following structures.

• PspCid is a special table in memory that stores references to all active process and thread objects. This table can be manipulated to remove any process or thread reference.

• Csrss plays a critical role in the creation of processes and threads.

• Session and Desktop : Session attaches every process to a particular user session, and Desktop finds each thread attached to a desktop, which can be mapped to its owning process.
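The ActiveProcessLinks walk that pslist performs and the cross-view comparison that psxview performs, as an added example that is not the article's or Volatility's code. It models _EPROCESS and _LIST_ENTRY with small Python classes over constructed process records (names and PIDs are made up), unlinks one record the way the article describes, and shows that a pool-scan view still reports it.

```python
"""Added example, not code from the article or from Volatility: a toy model of
the ActiveProcessLinks walk (pslist view), a pool-scan view (psscan) and the
cross-view table (psxview). Every process record here is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(eq=False, repr=False)
class ListEntry:
    """Models _LIST_ENTRY: forward and backward pointers."""
    flink: Optional["EProcess"] = None
    blink: Optional["EProcess"] = None


@dataclass(eq=False, repr=False)
class EProcess:
    """Minimal stand-in for _EPROCESS with only the fields this example needs."""
    pid: int
    name: str
    links: ListEntry = field(default_factory=ListEntry)


class ActiveProcessList:
    """Circular doubly linked list anchored at a head node (PsActiveProcessHead)."""

    def __init__(self) -> None:
        self.head = EProcess(pid=-1, name="PsActiveProcessHead")
        self.head.links.flink = self.head
        self.head.links.blink = self.head

    def append(self, proc: EProcess) -> None:
        last = self.head.links.blink
        proc.links.flink = self.head
        proc.links.blink = last
        last.links.flink = proc
        self.head.links.blink = proc

    def unlink(self, proc: EProcess) -> None:
        """The list surgery the article describes: the neighbours are pointed
        past the entry, so a head-to-head walk no longer reaches it. The object
        itself stays allocated, which is exactly what pool scanning relies on."""
        prev, nxt = proc.links.blink, proc.links.flink
        prev.links.flink = nxt
        nxt.links.blink = prev


def walk_active_process_links(head: EProcess) -> List[int]:
    """pslist view: follow flink from the head until it comes back around.
    A visited set guards against a corrupted or deliberately looped list."""
    pids: List[int] = []
    seen = set()
    node = head.links.flink
    while node is not None and node is not head and id(node) not in seen:
        seen.add(id(node))
        pids.append(node.pid)
        node = node.links.flink
    return pids


def pool_scan(allocations: List[EProcess]) -> List[int]:
    """psscan view: every EProcess still present in the pool, whether or not
    the list still points at it. Here the 'pool' is just a Python list."""
    return sorted(p.pid for p in allocations)


def cross_view(head: EProcess, allocations: List[EProcess]) -> Dict[int, Dict[str, bool]]:
    """psxview-style table: one row per pid, one column per source."""
    in_list = set(walk_active_process_links(head))
    in_pool = set(pool_scan(allocations))
    return {pid: {"pslist": pid in in_list, "psscan": pid in in_pool}
            for pid in sorted(in_list | in_pool)}


def find_hidden(view: Dict[int, Dict[str, bool]]) -> List[int]:
    """A pid the scanner sees but the list walk does not is the DKOM signature
    the article describes. Exited processes show the same pattern, so the
    analyst still confirms with exit times and the other psxview columns."""
    return [pid for pid, cols in view.items() if cols["psscan"] and not cols["pslist"]]


def build_demo() -> Dict[int, Dict[str, bool]]:
    """Constructed scenario: four processes, one of which has been unlinked."""
    plist = ActiveProcessList()
    procs = [EProcess(4, "System"), EProcess(480, "csrss.exe"),
             EProcess(1337, "unlinked.exe"), EProcess(2040, "explorer.exe")]
    for p in procs:
        plist.append(p)
    plist.unlink(procs[2])          # pid 1337 vanishes from any list walk
    return cross_view(plist.head, procs)


if __name__ == "__main__":
    table = build_demo()
    print(f"{'PID':>6} {'pslist':>7} {'psscan':>7}")
    for pid, cols in table.items():
        print(f"{pid:>6} {str(cols['pslist']):>7} {str(cols['psscan']):>7}")
    print("hidden:", find_hidden(table))
```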


Usage of psxview Plugin

For detecting hidden processes in the image we analyze below, the plugins mentioned above will suffice. Another point that we need to analyze is the thread and handle counts that we see in the pslist output. A thread is a subset of a process; a process may have more than one thread. A process can exist on its own, as it owns its memory and other resources, whereas a thread cannot exist independently.

If a process needs to access any object such as a file, registry key, process or thread, it must first create a handle. The process can then access the object referenced by that handle. Using these outputs, other objects that the suspected process interacts with can be detected.

dlllist : It is used to view the DLLs loaded by a process. It walks the doubly-linked list of _LDR_DATA_TABLE_ENTRY structures which is pointed to by the PEB's InLoadOrderModuleList. When a process loads a DLL, it is automatically added to this list. In the load count column, we can see whether a DLL was loaded statically or dynamically. To view the DLLs of a hidden or unlinked process, we use the physical offset obtained from the psscan output.

Usage of dllist Plugin

Wow64 processes have a limited list of DLLs in the PEB lists, but that doesn't mean those are the only DLLs loaded in the process address space. Thus Volatility will remind you to use ldrmodules instead for these processes.


Usage of ldrmodules Plugin

ldrmodules : It is one of the trusted plugins of the Volatility suite for detecting DLL hiding or injection activity in process memory. Ldrmodules fetches the information about loaded DLLs from 3 lists: InLoadOrderModuleList, InMemoryOrderModuleList and InInitializationOrderModuleList. These 3 lists track the DLLs loaded by a specific process based on their loading method and location in memory.

dlldump : This plugin is used with the pid parameter to export the DLL files of a specific process, and with the offset parameter to export the DLL files of a hidden or unlinked process. Since an injected or maliciously unlinked module may not appear in the DLL list, we prefer to use the base parameter to examine it.

handles : It is used to list the handles in a process. The handles for a particular process are displayed with the pid parameter. The output includes the handle value and granted access for each object.

Usage of handles Plugin

verinfo : It is used to display the version information of the PE files in the image. It should not be forgotten during the analysis that not all PE files have version information, and that many attackers imitate the version information of legitimate processes in their malicious PE files.

Usage of verinfo Plugin

enumfunc : It is used to enumerate imported and exported functions from processes and DLLs. This can be useful if we are trying to enumerate functions in hidden processes or drivers.

envars : This plugin displays a process's environment variables.


Usage of envars Plugin

getsids : This plugin displays the SIDs associated with a process. It can help us identify processes which have maliciously escalated privileges, and which processes belong to specific users.

Analysis of Console Activity

cmdscan : I mentioned that there is a csrss column in the psxview output we use to obtain information about processes. We can obtain more information if the attacker used cmd.exe in the actions of the malicious process. The csrss.exe process on Windows XP/2003/Vista/2008, or the conhost.exe process on Windows 7 systems, stores information about the command history. The cmdscan plugin can provide information about the activities performed on the console by scanning for the COMMAND_HISTORY structure in the image. Apart from the commands run, we can also access the name of the process using cmd.exe, the location of the command history buffer, and the application process handle.

We often see conhost.exe launching together with command line tools like cmd and powershell. Conhost.exe acts as a buffer for command line commands, similar to bash history on Unix systems. Command line history can be accessed by examining the memory space of the conhost.exe process.

Usage of getsids Plugin

consoles : In addition to the information about the commands run that the cmdscan plugin provides, the consoles plugin also gives us the output of those commands, via the CONSOLE_INFORMATION structure in the image. This structure stores the entire screen buffer, both input and output.

Analysis of Process Memory

memmap : This plugin displays exactly which pages are memory resident,
given a specific process DTB. It shows the virtual address of the page, the
corresponding physical offset of the page, and the size of the page.


Usage of memmap Plugin

memdump : This plugin extracts all memory resident pages of a process into a single file.

procdump : This plugin dumps a process's executable. Some malware intentionally corrupts size fields in the PE header so that memory dump tools fail. Therefore we generally use the -u flag to bypass certain robustness checks used when parsing the PE header.

The VAD is a structure that we often need during process memory analysis. The Virtual Address Descriptor (VAD) tree is used by the Windows memory manager to describe the memory ranges used by a process as they are allocated. When a process allocates memory with VirtualAlloc, the memory manager creates an entry in the VAD tree. The corresponding page directory and page table entries are not created until the process tries to reference that memory page, which can provide significant memory savings for processes that allocate a large amount of memory but access it sparsely. For example, one user-mode rootkit is capable of injecting libraries into processes and then hiding the injected DLLs by unlinking them from the module list stored in the PEB. Such a modification of the PEB does not affect the VAD tree, and the loaded DLL can still be seen as a mapped file in the address space of the affected process using vadinfo; such evidence cannot be found with tools that simply walk the PEB's module list. By looking at the VAD tree, an examiner can also say whether a given string occurred in a loaded DLL, a dynamically allocated memory region, or the process executable itself.

vadinfo : This plugin displays extended information about a process's VAD nodes. It shows:

• The address of the VAD structure in kernel memory

• The starting and ending virtual addresses in process memory

• The VAD tag and the VAD flags

• The name of the memory mapped file

• The memory protection constant

Usage of vadinfo Plugin

vadwalk : This plugin inspects a process's VAD nodes in table form.

Usage of vadwalk Plugin


vadtree : This plugin is used to display the VAD nodes in a visual tree form.

Usage of vadtree Plugin

vaddump : This plugin is used to extract the range of pages described by a VAD node. This is similar to memdump, except that the pages belonging to each VAD node are placed in separate files (named according to the starting and ending addresses) instead of one large conglomerate file.

Analysis of Network Activities

connections : This plugin is used to view TCP connections that were active at the time of the memory acquisition. It is for x86 and x64 Windows XP and Windows 2003 Server only.


connscan : This plugin can find artifacts from previous connections that
have since been terminated, in addition to the active ones. It is for x86 and
x64 Windows XP and Windows 2003 Server only.

sockets : This plugin is used to detect listening sockets for any protocol. It is for x86 and x64 Windows XP and Windows 2003 Server only.

netscan : This plugin is used to scan for network artifacts in 32- and 64-bit Windows Vista, Windows 2008 Server and Windows 7 memory dumps. It finds TCP endpoints, TCP listeners, UDP endpoints, and UDP listeners. The output also includes local and remote IP addresses, the status of the socket, and the time the connection was established.


Usage of netscan Plugin

Usage of VolShell

If we want to analyze a memory image interactively, we can use the volshell module. We can list processes, display the types of structures/objects and more information about a process, disassemble code at a given address, and walk linked lists.

After specifying the physical offset with the cc command (the offset can be obtained from the psxview output), we can access the information about the process in the EPROCESS structure.


Usage of Volshell Module

We can determine the next process by obtaining the flink and blink offset values of processes that have unlinked themselves from the ActiveProcessLinks list.

Blink/Flink Analysis

Another analysis for which I frequently use the volshell module is retrieving the command lines of processes that cannot be detected by AV/EDR. After we find the PEB address of the process we are analyzing in the EPROCESS structure, we need to convert it to a hexadecimal value.

Identifying Value of PEB

We obtain the ProcessParameters value by examining the PEB address that we obtained and converted to hexadecimal in the _PEB structure with the dt command.


Identifying Value of ProcessParameters

We need to convert this value to hexadecimal again. After doing so, we access the command line information in the _RTL_USER_PROCESS_PARAMETERS structure with the dt command.
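The pointer chain walked by hand above (EPROCESS.Peb -> _PEB.ProcessParameters -> _RTL_USER_PROCESS_PARAMETERS.CommandLine), as an added example that is not the article's or Volatility's code. It reads the chain from a constructed 64-bit image held in a bytearray; the structure offsets in PROFILE, the addresses and the command line are made up for the demonstration and are not the real Windows values, which a real analysis takes from the Volatility profile.

```python
"""Added example, not code from the article or from Volatility: follow
EPROCESS.Peb -> _PEB.ProcessParameters -> _RTL_USER_PROCESS_PARAMETERS.CommandLine
in a constructed 64-bit memory image. The offsets in PROFILE and every address
below are invented for this toy; real ones come from the Volatility profile."""
import struct
from typing import Dict, Optional

# Hypothetical structure offsets standing in for a Volatility profile.
PROFILE: Dict[str, int] = {
    "EPROCESS.Peb": 0x40,
    "PEB.ProcessParameters": 0x20,
    "RTL_USER_PROCESS_PARAMETERS.CommandLine": 0x70,
}
POINTER_SIZE = 8  # 64-bit image


def read_ptr(mem: bytes, off: int) -> int:
    """Read a little-endian 64-bit pointer; an out-of-range read yields 0."""
    if off < 0 or off + POINTER_SIZE > len(mem):
        return 0
    return struct.unpack_from("<Q", mem, off)[0]


def read_unicode_string(mem: bytes, off: int) -> Optional[str]:
    """Decode a _UNICODE_STRING: Length (bytes), MaximumLength, 4 bytes of
    padding, then the Buffer pointer. None means the fields are inconsistent,
    which is what a paged-out or overwritten structure looks like."""
    if off < 0 or off + 16 > len(mem):
        return None
    length, max_length = struct.unpack_from("<HH", mem, off)
    buffer = read_ptr(mem, off + 8)
    if length == 0 or length > max_length or length % 2:
        return None
    if buffer == 0 or buffer + length > len(mem):
        return None
    return mem[buffer:buffer + length].decode("utf-16-le", errors="replace")


def command_line_for(mem: bytes, eprocess: int) -> Optional[str]:
    """The chain the article walks with volshell's dt command. dt prints
    pointer fields in decimal, which is why the article converts each value
    to hexadecimal before the next dt; in code the integer is used directly."""
    peb = read_ptr(mem, eprocess + PROFILE["EPROCESS.Peb"])
    if peb == 0:              # System and Idle have no PEB
        return None
    params = read_ptr(mem, peb + PROFILE["PEB.ProcessParameters"])
    if params == 0:
        return None
    return read_unicode_string(
        mem, params + PROFILE["RTL_USER_PROCESS_PARAMETERS.CommandLine"])


# Constructed command line for the demo image.
DEMO_CMDLINE = "C:\\Users\\analyst\\sample.exe --config C:\\Users\\analyst\\run.cfg"


def build_image() -> bytes:
    """Constructed image: EPROCESS at 0x1000 pointing to a PEB at 0x2000,
    ProcessParameters at 0x3000 and the command-line buffer at 0x4000.
    A second EPROCESS at 0x1800 has Peb == 0, like the System process."""
    mem = bytearray(0x5000)
    cmd = DEMO_CMDLINE.encode("utf-16-le")
    struct.pack_into("<Q", mem, 0x1000 + PROFILE["EPROCESS.Peb"], 0x2000)
    struct.pack_into("<Q", mem, 0x2000 + PROFILE["PEB.ProcessParameters"], 0x3000)
    ustr = 0x3000 + PROFILE["RTL_USER_PROCESS_PARAMETERS.CommandLine"]
    struct.pack_into("<HH4xQ", mem, ustr, len(cmd), len(cmd) + 2, 0x4000)
    mem[0x4000:0x4000 + len(cmd)] = cmd
    return bytes(mem)


if __name__ == "__main__":
    image = build_image()
    for eproc in (0x1000, 0x1800):
        peb = read_ptr(image, eproc + PROFILE["EPROCESS.Peb"])
        print(f"EPROCESS {eproc:#x}: Peb {peb} ({peb:#x}) ->",
              command_line_for(image, eproc))
```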

Case Study

Firstly, the appropriate profile for the image file was determined with the imageinfo and kdbgscan plugins. When the processes in the image were listed via the pslist, psscan and psxview plugins, it was determined from the psxview output that the vds_ps.exe process hides itself by removing itself from the ActiveProcessLinks list.

Identifying Hidden Process

Output of Process Command Line

ProcessParameters is a pointer to an RTL_USER_PROCESS_PARAMETERS structure that contains process parameter information such as the command line.

The network connections of the suspicious process were examined with netscan and no active connection was detected. The full path of the file was determined via the filescan plugin.

Identifying Full Path of Hidden Suspicious Process

After exporting the suspicious file with the procdump plugin, its hash was checked on VirusTotal (VT) and found to be associated with Emotet by many vendors.


Dumping Suspicious PE File

VT Report of Malicious PE File

Emotet-related IoCs were also detected when a string search was performed on the file.


Output of String Search

The dlllist plugin was used to list the DLL files related to the file we are
reviewing. Then, using the malfind plugin, it was determined whether there
are hidden DLL files.

Output of dlllist Plugin


The malfind command aims to find hidden or injected code/DLL files based on the
VAD tag and page permissions. However, the malfind plugin cannot list DLLs
added to the process using the CreateRemoteThread and LoadLibrary functions.
We can display the DLLs added with this method using the dlllist plugin.

We see one function and two executable files in the output of the malfind plugin. We could also display what malfind shows via the vadinfo plugin, but the large number of VAD nodes to examine makes the analysis difficult. We can say that the malfind plugin brings us the objects in the VAD that it considers suspicious. At this point, we detect that 2 PE files have been injected into the malicious process.


Output of malfind Plugin

The protection field in the VAD specifies the type of access allowed to the memory region. The following are the memory protection options:

PAGE_NOACCESS specifies no access to this memory region.

PAGE_READONLY specifies only read access to the memory region.

PAGE_EXECUTE specifies memory can be executed but cannot be written to.

PAGE_READWRITE specifies read and write access to the memory but no permission to execute.

PAGE_EXECUTE_READ specifies memory can be executed or read but cannot be written to.

PAGE_EXECUTE_WRITECOPY specifies read-only and copy-on-write access to executable memory.

PAGE_EXECUTE_READWRITE specifies memory can be executed, read and written.

Analyzing Memory Protection Flags of Malicious PE File

PAGE_EXECUTE_READWRITE is suspicious because it may be an indicator that the memory contains dynamically allocated code, i.e. shellcode, an unpacked PE image, etc. This is the typical memory protection used for the memory ranges where exe/dll (binary) files are mapped. Memory regions should not be both executable and writable. If a suspicious process has both, then it may have code that alters parts of itself while executing.

As a result of our analysis, we can clearly detect that 2 PE files were injected into the memory of the malicious process.
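A malfind-style screen over VAD records, as an added example that is not the article's or Volatility's code. It uses the protection constants listed above, flags private regions that are both executable and writable, and looks for an MZ header in memory that no file backs; the VAD records, addresses and file name are constructed for the demonstration.

```python
"""Added example, not code from the article or from Volatility: a malfind-style
screen over constructed VAD records. Region data and the file name are made up."""
from dataclasses import dataclass
from typing import List

# Memory protection constants (values from winnt.h).
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

PROTECTION_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
              PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
WRITABLE = {PAGE_READWRITE, PAGE_WRITECOPY,
            PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass
class VadNode:
    start: int
    end: int
    tag: str            # e.g. "Vad", "VadS", "VadF", as shown by vadinfo
    protection: int     # one of the PAGE_* constants
    mapped_file: str    # "" for private (not file-backed) memory
    head: bytes         # first bytes of the region, as vaddump would give them


@dataclass
class Finding:
    node: VadNode
    reasons: List[str]


def screen_node(node: VadNode) -> List[str]:
    """Reasons a region deserves a closer look. Copy-on-write executable
    images (PAGE_EXECUTE_WRITECOPY on a mapped file) are normal: not flagged."""
    reasons: List[str] = []
    private = node.mapped_file == "" and node.tag in ("VadS", "VadF")
    if private and node.protection in EXECUTABLE and node.protection in WRITABLE:
        reasons.append("private memory is executable and writable")
    if node.mapped_file == "" and node.head.startswith(b"MZ"):
        reasons.append("PE header in memory not backed by a file")
    return reasons


def screen(nodes: List[VadNode]) -> List[Finding]:
    """Run the screen over a process's VAD nodes, keeping only hits."""
    findings: List[Finding] = []
    for node in nodes:
        reasons = screen_node(node)
        if reasons:
            findings.append(Finding(node, reasons))
    return findings


def build_demo() -> List[VadNode]:
    """Constructed VAD nodes for one process; every region is invented."""
    return [
        VadNode(0x400000, 0x4fffff, "Vad", PAGE_EXECUTE_WRITECOPY,
                "\\Windows\\explorer.exe", b"MZ\x90\x00"),
        VadNode(0x600000, 0x60ffff, "VadS", PAGE_READWRITE, "", b"\x00" * 4),
        VadNode(0x2a0000, 0x2affff, "VadS", PAGE_EXECUTE_READWRITE, "", b"MZ\x90\x00"),
        VadNode(0x3c0000, 0x3c0fff, "VadS", PAGE_EXECUTE_READWRITE, "", b"\x00" * 4),
    ]


def report(findings: List[Finding]) -> str:
    """One line per finding, in the spirit of malfind's per-region header."""
    lines = []
    for f in findings:
        n = f.node
        lines.append(f"{n.start:#010x}-{n.end:#010x} {n.tag:<5} "
                     f"{PROTECTION_NAMES[n.protection]}: " + "; ".join(f.reasons))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(screen(build_demo())))
```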
Happy hunting


Written by Alp Batur

www.linkedin.com/in/alpbatursahin/
