
I do malware analysis using memory forensics to gather more useful information, but as far as I know, the result of memory acquisition is just one memory dump for a specific point in time (a snapshot). So, is there any way or solution to acquire or analyze memory dynamically, including the changes?

Pandora

2 Answers


If you happen to use a tool like IDA Pro, you can debug your malware and check the content of the memory and registers

  • When reaching any pre-selected debug breakpoint
  • Instruction by instruction

As mentioned here (https://www.hex-rays.com/products/ida/support/idadoc/1470.shtml), you can use IDA Pro to take snapshots while you are in a suspended state (waiting at a breakpoint).

So basically you will dynamically see the content of the memory change after each instruction.

niilzon
    I think this is the way to go, I am not aware of any other possibility than debugging, setting breakpoints and then dumping memory content at those breakpoints. – Draugr Apr 27 '16 at 08:59

I just came across a DARPA project that appears to be what you're looking for. In particular, the Python-based tool Differential Analysis of Malware in Memory (DAMM) by 504ENSICS Labs.

Disclaimer, I haven't used it.

user2320464
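Both answers come down to the same workflow: capture the region you care about at successive breakpoints (or successive acquisitions) and diff consecutive captures, rather than looking at one dump in isolation. The following is an added example, not code from the page, from IDA Pro or from DAMM: a small Python differential analyser run over three constructed snapshots of a three-page region (a loader stub, an empty destination buffer, a packed blob). The load address, the breakpoint labels and the payload bytes are all assumptions made for the illustration.

```python
import hashlib
import math
from dataclasses import dataclass
from typing import List, Tuple

PAGE = 0x1000
BASE = 0x00400000          # assumed load address of the watched region


@dataclass(frozen=True)
class Snapshot:
    label: str             # e.g. the breakpoint at which the bytes were dumped
    data: bytes            # raw bytes of the region, starting at BASE


@dataclass(frozen=True)
class Change:
    start: int             # first changed address
    end: int               # one past the last changed address
    kind: str              # "filled" | "zeroed" | "modified"
    entropy: float         # Shannon entropy (bits/byte) of the new contents


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: close to 8.0 for packed/encrypted data, 0.0 for an all-zero buffer."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def changed_ranges(old: bytes, new: bytes, gap: int = 16) -> List[Tuple[int, int]]:
    """Byte-compare two equal-size images; return coalesced [start, end) address
    ranges. An unchanged run of at most `gap` bytes does not split a range."""
    if len(old) != len(new):
        raise ValueError("snapshots must cover the same region")
    ranges: List[Tuple[int, int]] = []
    start = last = None
    for i, (a, b) in enumerate(zip(old, new)):
        if a == b:
            continue
        if start is None:
            start = i
        elif i - last > gap:
            ranges.append((BASE + start, BASE + last + 1))
            start = i
        last = i
    if start is not None:
        ranges.append((BASE + start, BASE + last + 1))
    return ranges


def classify(old: bytes, new: bytes, start: int, end: int) -> Change:
    o, n = old[start - BASE:end - BASE], new[start - BASE:end - BASE]
    if not any(n):
        kind = "zeroed"        # buffer wiped, e.g. packed payload discarded after use
    elif not any(o):
        kind = "filled"        # previously empty buffer now populated (unpacking)
    else:
        kind = "modified"      # in-place write (patched code, updated state)
    return Change(start, end, kind, shannon_entropy(n))


def diff_snapshots(snaps: List[Snapshot]) -> List[Tuple[str, str, List[Change]]]:
    """Diff each snapshot against its predecessor, as you would after each breakpoint."""
    report = []
    for prev, cur in zip(snaps, snaps[1:]):
        changes = [classify(prev.data, cur.data, s, e)
                   for s, e in changed_ranges(prev.data, cur.data)]
        report.append((prev.label, cur.label, changes))
    return report


# --- constructed sample data (not real malware) ---
def _blob(n: int, seed: str) -> bytes:
    """Deterministic high-entropy bytes standing in for a packed payload;
    NUL bytes are replaced so the region diffs as one contiguous range."""
    out, h = bytearray(), seed.encode()
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(b or 1 for b in out[:n])


STUB = b"\x55\x48\x89\xe5" + bytes(PAGE - 4)                        # page 0: loader stub
EMPTY = bytes(PAGE)                                                 # page 1: destination buffer
PACKED = _blob(PAGE, "packed-payload")                              # page 2: packed payload
UNPACKED = b"MZ\x90\x00" + (bytes(range(1, 256)) * 17)[:PAGE - 4]  # what the stub writes out
PATCHED_STUB = STUB[:1] + b"\x90\x90" + STUB[3:]                   # two stub bytes NOPed out

SNAPSHOTS = [
    Snapshot("bp0 entry", STUB + EMPTY + PACKED),
    Snapshot("bp1 after unpack loop", STUB + UNPACKED + PACKED),
    Snapshot("bp2 before jump to OEP", PATCHED_STUB + UNPACKED + EMPTY),
]


def sample_report():
    return diff_snapshots(SNAPSHOTS)


if __name__ == "__main__":
    for a, b, changes in sample_report():
        print(f"{a} -> {b}")
        for c in changes:
            print(f"  {c.start:#010x}-{c.end:#010x} {c.kind:8} entropy={c.entropy:.2f}")
```

In use, each `Snapshot` would hold the bytes dumped from the debugger at a breakpoint (or a region carved from each full acquisition); the byte-level diff then shows the unpacked buffer appearing, the stub being patched and the packed blob being wiped, which a single dump cannot show. DAMM performs the same kind of differential comparison at the level of Volatility plugin output across memory samples rather than on raw bytes.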