I do malware analysis by using memory forensics to gather more useful information but as far as I know, the result of memory acquisition is just one memory dumped for a specific time (snapshot). So, is there anyway or solution to acquire or analyze memory dynamically that including changes?
Viewed 119 times
2 Answers
1
If you happen to use a tool like IDAPro, you can debug your malware and check the content of the memory and registers:
- When reaching any pre-selected debug breakpoint
- Instruction per instruction
As mentioned here (https://www.hex-rays.com/products/ida/support/idadoc/1470.shtml), you can use IDAPro to take snapshots while you are in a suspended state (waiting in a breakpoint).
So basically you will dynamically see the content of the memory change after each instruction
niilzon
I think this is the way to go, I am not aware of any other possibility than debugging, setting breakpoints and then dumping memory content at those breakpoints. – Draugr Apr 27 '16 at 08:59
0
I just came across a DARPA project that appears to be what you're looking for. In particular the python based tool Differential Analysis of Malware in Memory (DAMM) by 504ENSICS Labs
Disclaimer, I haven't used it.
user2320464
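Both answers come down to the same workflow: take more than one snapshot (at debugger breakpoints, or as successive full memory images) and compare the artifacts extracted from them. The following is an added example of that differential step, written for this thread; it is not code from IDA, DAMM or 504ENSICS Labs. It assumes the process list, loaded modules, network connections and memory-region contents have already been pulled out of two images (for instance with a memory-forensics framework) into plain Python structures; the two sample snapshots in `build_sample_snapshots` are constructed for illustration and do not come from a real dump.

```python
"""Differential analysis of two memory-snapshot artifact sets (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass
class Snapshot:
    """Artifacts extracted from one memory image at one point in time."""
    processes: dict   # pid -> {"name": str, "ppid": int, "threads": int}
    modules: dict     # pid -> set of loaded module names
    connections: set  # (pid, proto, remote) tuples
    regions: dict     # (pid, base, size) -> (protection, bytes)


def region_digest(data: bytes) -> str:
    """Hash a region's bytes so content changes can be spotted without storing both copies."""
    return hashlib.sha256(data).hexdigest()


def diff_snapshots(old: Snapshot, new: Snapshot) -> dict:
    """Report what appeared, disappeared or changed between two snapshots."""
    old_pids, new_pids = set(old.processes), set(new.processes)
    report = {
        "new_processes": sorted(new_pids - old_pids),
        "exited_processes": sorted(old_pids - new_pids),
        "changed_processes": [],
        "new_modules": [],
        "new_connections": sorted(new.connections - old.connections),
        "changed_regions": [],
        "new_executable_regions": [],
    }
    # Processes present in both: compare their attributes and module lists.
    for pid in sorted(old_pids & new_pids):
        o, n = old.processes[pid], new.processes[pid]
        changed = {k: (o[k], n[k]) for k in o if o[k] != n.get(k)}
        if changed:
            report["changed_processes"].append((pid, changed))
        added = new.modules.get(pid, set()) - old.modules.get(pid, set())
        for mod in sorted(added):
            report["new_modules"].append((pid, mod))
    # Memory regions: flag new executable mappings and regions whose
    # protection or contents differ from the earlier snapshot.
    for key, (prot, data) in new.regions.items():
        if key not in old.regions:
            if "x" in prot:
                report["new_executable_regions"].append((key, prot))
            continue
        old_prot, old_data = old.regions[key]
        if old_prot != prot or region_digest(old_data) != region_digest(data):
            report["changed_regions"].append((key, old_prot, prot))
    return report


def build_sample_snapshots():
    """Two constructed snapshots of the same (fictional) system, a few seconds apart."""
    t0 = Snapshot(
        processes={4: {"name": "System", "ppid": 0, "threads": 100},
                   1234: {"name": "explorer.exe", "ppid": 800, "threads": 20},
                   2000: {"name": "sample.exe", "ppid": 1234, "threads": 1}},
        modules={2000: {"ntdll.dll", "kernel32.dll"}},
        connections=set(),
        regions={(2000, 0x400000, 0x1000): ("r-x", b"MZ" + b"\x00" * 14),
                 (2000, 0x600000, 0x1000): ("rw-", b"\x00" * 16)},
    )
    t1 = Snapshot(
        processes={4: {"name": "System", "ppid": 0, "threads": 100},
                   1234: {"name": "explorer.exe", "ppid": 800, "threads": 20},
                   2000: {"name": "sample.exe", "ppid": 1234, "threads": 3},
                   3100: {"name": "svchost.exe", "ppid": 2000, "threads": 2}},
        modules={2000: {"ntdll.dll", "kernel32.dll", "ws2_32.dll"}},
        connections={(2000, "tcp", "203.0.113.5:443")},  # RFC 5737 test address
        regions={(2000, 0x400000, 0x1000): ("r-x", b"MZ" + b"\x00" * 14),
                 (2000, 0x600000, 0x1000): ("rwx", b"\x90" * 16),
                 (2000, 0x700000, 0x2000): ("rwx", b"\xcc" * 8)},
    )
    return t0, t1


def sample_report() -> dict:
    """Run the diff over the constructed snapshots."""
    t0, t1 = build_sample_snapshots()
    return diff_snapshots(t0, t1)


if __name__ == "__main__":
    for section, items in sample_report().items():
        print(f"{section}: {items}")
```

Each breakpoint-time snapshot (or each full dump) becomes one `Snapshot`; diffing consecutive pairs gives the "memory over time" view the question asks for, and the things that change (new children, new modules, regions that became executable, new connections) are exactly the artifacts worth inspecting first.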