DiscordSign up
SKILLS.SH

memory-forensics

Acquire, analyze, and extract artifacts from memory dumps for incident response and malware analysis. Supports live memory acquisition across Windows (WinPmem, DumpIt), Linux (LiME, /dev/mem), and macOS (osxpmem), plus virtual machine memory from VMware, VirtualBox, QEMU, and Hyper-V Volatility 3 framework with 30+ plugins covering process analysis, network connections, DLL inspection, code injection detection, registry analysis, and file system artifacts Includes malware analysis and incident response workflows with process tree visualization, hidden process detection, persistence mechanism discovery, and YARA integration for pattern matching Detects injection techniques, rootkits, and credential artifacts; supports string extraction and cross-referencing across multiple data sources for timeline correlation

INSTALLATION
npx skills add https://github.com/wshobson/agents --skill memory-forensics
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

Memory Forensics

Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.

Memory Acquisition

Live Acquisition Tools

#### Windows

# WinPmem (Recommended)

winpmem_mini_x64.exe memory.raw

# DumpIt

DumpIt.exe

# Belkasoft RAM Capturer

# GUI-based, outputs raw format

Magnet RAM Capture

GUI-based, outputs raw format

#### Linux

LiME (Linux Memory Extractor)

sudo insmod lime.ko "path=/tmp/memory.lime format=lime"

/dev/mem (limited, requires permissions)

sudo dd if=/dev/mem of=memory.raw bs=1M

/proc/kcore (ELF format)

sudo cp /proc/kcore memory.elf


#### macOS

osxpmem

sudo ./osxpmem -o memory.raw

MacQuisition (commercial)


### Virtual Machine Memory

VMware: .vmem file is raw memory

cp vm.vmem memory.raw

VirtualBox: Use debug console

vboxmanage debugvm "VMName" dumpvmcore --filename memory.elf

QEMU

virsh dump <domain> memory.raw --memory-only

Hyper-V

Checkpoint contains memory state


## Volatility 3 Framework

### Installation and Setup

Install Volatility 3

pip install volatility3

Install symbol tables (Windows)

Download from https://downloads.volatilityfoundation.org/volatility3/symbols/

Basic usage

vol -f memory.raw <plugin>

With symbol path

vol -f memory.raw -s /path/to/symbols windows.pslist


### Essential Plugins

#### Process Analysis

List processes

vol -f memory.raw windows.pslist

Process tree (parent-child relationships)

vol -f memory.raw windows.pstree

Hidden process detection

vol -f memory.raw windows.psscan

Process memory dumps

vol -f memory.raw windows.memmap --pid <PID> --dump

Process environment variables

vol -f memory.raw windows.envars --pid <PID>

Command line arguments

vol -f memory.raw windows.cmdline


#### Network Analysis

Network connections

vol -f memory.raw windows.netscan

Network connection state

vol -f memory.raw windows.netstat


#### DLL and Module Analysis

Loaded DLLs per process

vol -f memory.raw windows.dlllist --pid <PID>

Find hidden/injected DLLs

vol -f memory.raw windows.ldrmodules

Kernel modules

vol -f memory.raw windows.modules

Module dumps

vol -f memory.raw windows.moddump --pid <PID>


#### Memory Injection Detection

Detect code injection

vol -f memory.raw windows.malfind

VAD (Virtual Address Descriptor) analysis

vol -f memory.raw windows.vadinfo --pid <PID>

Dump suspicious memory regions

vol -f memory.raw windows.vadyarascan --yara-rules rules.yar


#### Registry Analysis

List registry hives

vol -f memory.raw windows.registry.hivelist

Print registry key

vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

Dump registry hive

vol -f memory.raw windows.registry.hivescan --dump


#### File System Artifacts

Scan for file objects

vol -f memory.raw windows.filescan

Dump files from memory

vol -f memory.raw windows.dumpfiles --pid <PID>

MFT analysis

vol -f memory.raw windows.mftscan


### Linux Analysis

Process listing

vol -f memory.raw linux.pslist

Process tree

vol -f memory.raw linux.pstree

Bash history

vol -f memory.raw linux.bash

Network connections

vol -f memory.raw linux.sockstat

Loaded kernel modules

vol -f memory.raw linux.lsmod

Mount points

vol -f memory.raw linux.mount

Environment variables

vol -f memory.raw linux.envars


### macOS Analysis

Process listing

vol -f memory.raw mac.pslist

Process tree

vol -f memory.raw mac.pstree

Network connections

vol -f memory.raw mac.netstat

Kernel extensions

vol -f memory.raw mac.lsmod


## Analysis Workflows

### Malware Analysis Workflow

1. Initial process survey

vol -f memory.raw windows.pstree > processes.txt

vol -f memory.raw windows.pslist > pslist.txt

2. Network connections

vol -f memory.raw windows.netscan > network.txt

3. Detect injection

vol -f memory.raw windows.malfind > malfind.txt

4. Analyze suspicious processes

vol -f memory.raw windows.dlllist --pid <PID>

vol -f memory.raw windows.handles --pid <PID>

5. Dump suspicious executables

vol -f memory.raw windows.pslist --pid <PID> --dump

6. Extract strings from dumps

strings -a pid.<PID>.exe > strings.txt

7. YARA scanning

vol -f memory.raw windows.yarascan --yara-rules malware.yar


### Incident Response Workflow

1. Timeline of events

vol -f memory.raw windows.timeliner > timeline.csv

2. User activity

vol -f memory.raw windows.cmdline

vol -f memory.raw windows.consoles

3. Persistence mechanisms

vol -f memory.raw windows.registry.printkey \

--key "Software\Microsoft\Windows\CurrentVersion\Run"

4. Services

vol -f memory.raw windows.svcscan

5. Scheduled tasks

vol -f memory.raw windows.scheduled_tasks

6. Recent files

vol -f memory.raw windows.filescan | grep -i "recent"


## Data Structures

### Windows Process Structures

// EPROCESS (Executive Process)

typedef struct _EPROCESS {

KPROCESS Pcb; // Kernel process block

EX_PUSH_LOCK ProcessLock;

LARGE_INTEGER CreateTime;

LARGE_INTEGER ExitTime;

// ...

LIST_ENTRY ActiveProcessLinks; // Doubly-linked list

ULONG_PTR UniqueProcessId; // PID

// ...

PEB* Peb; // Process Environment Block

// ...

} EPROCESS;

// PEB (Process Environment Block)

typedef struct _PEB {

BOOLEAN InheritedAddressSpace;

BOOLEAN ReadImageFileExecOptions;

BOOLEAN BeingDebugged; // Anti-debug check

// ...

PVOID ImageBaseAddress; // Base address of executable

PPEB_LDR_DATA Ldr; // Loader data (DLL list)

PRTL_USER_PROCESS_PARAMETERS ProcessParameters;

// ...

} PEB;


### VAD (Virtual Address Descriptor)

typedef struct _MMVAD {

MMVAD_SHORT Core;

union {

ULONG LongFlags;

MMVAD_FLAGS VadFlags;

} u;

// ...

PVOID FirstPrototypePte;

PVOID LastContiguousPte;

// ...

PFILE_OBJECT FileObject;

} MMVAD;

// Memory protection flags

#define PAGE_EXECUTE 0x10

#define PAGE_EXECUTE_READ 0x20

#define PAGE_EXECUTE_READWRITE 0x40

#define PAGE_EXECUTE_WRITECOPY 0x80


## Detection Patterns

### Process Injection Indicators

Malfind indicators

- PAGE_EXECUTE_READWRITE protection (suspicious)

- MZ header in non-image VAD region

- Shellcode patterns at allocation start

Common injection techniques

1. Classic DLL Injection

- VirtualAllocEx + WriteProcessMemory + CreateRemoteThread

2. Process Hollowing

- CreateProcess (SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory

3. APC Injection

- QueueUserAPC targeting alertable threads

4. Thread Execution Hijacking

- SuspendThread + SetThreadContext + ResumeThread


### Rootkit Detection

Compare process lists

vol -f memory.raw windows.pslist > pslist.txt

vol -f memory.raw windows.psscan > psscan.txt

diff pslist.txt psscan.txt # Hidden processes

Check for DKOM (Direct Kernel Object Manipulation)

vol -f memory.raw windows.callbacks

Detect hooked functions

vol -f memory.raw windows.ssdt # System Service Descriptor Table

Driver analysis

vol -f memory.raw windows.driverscan

vol -f memory.raw windows.driverirp


### Credential Extraction

Dump hashes (requires hivelist first)

vol -f memory.raw windows.hashdump

LSA secrets

vol -f memory.raw windows.lsadump

Cached domain credentials

vol -f memory.raw windows.cachedump

Mimikatz-style extraction

Requires specific plugins/tools


## YARA Integration

### Writing Memory YARA Rules

rule Suspicious_Injection

{

meta:

description = "Detects common injection shellcode"

strings:

// Common shellcode patterns

$mz = { 4D 5A }

$shellcode1 = { 55 8B EC 83 EC } // Function prologue

$api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 } // Push hash, call

condition:

$mz at 0 or any of ($shellcode*)

}

rule Cobalt_Strike_Beacon

{

meta:

description = "Detects Cobalt Strike beacon in memory"

strings:

$config = { 00 01 00 01 00 02 }

$sleep = "sleeptime"

$beacon = "%s (admin)" wide

condition:

2 of them

}


### Scanning Memory

Scan all process memory

vol -f memory.raw windows.yarascan --yara-rules rules.yar

Scan specific process

vol -f memory.raw windows.yarascan --yara-rules rules.yar --pid 1234

Scan kernel memory

vol -f memory.raw windows.yarascan --yara-rules rules.yar --kernel


## String Analysis

### Extracting Strings

Basic string extraction

strings -a memory.raw > all_strings.txt

Unicode strings

strings -el memory.raw >> all_strings.txt

Targeted extraction from process dump

vol -f memory.raw windows.memmap --pid 1234 --dump

strings -a pid.1234.dmp > process_strings.txt

Pattern matching

grep -E "(https?://|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" all_strings.txt


### FLOSS for Obfuscated Strings

FLOSS extracts obfuscated strings

floss malware.exe > floss_output.txt

From memory dump

floss pid.1234.dmp

BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

azure-compliance
3/3

Azure compliance scanning, Key Vault expiration auditing, and resource configuration validation. Runs azqr (Azure Quick Review) for comprehensive compliance assessment against best practices across subscriptions and resource groups Monitors Key Vault keys, secrets, and certificates for expiration dates and identifies items without expiration policies Detects orphaned, misconfigured, and non-compliant resources using Resource Graph queries Classifies findings by priority (Critical, High, Medium, Low) with remediation guidance for each issue

Verified authormicrosoft
SKILLS.SH
293K1.1K
2026-05-22
openclaw-secure-linux-cloud
1/3

Use when self-hosting OpenClaw on a cloud server, hardening a remote OpenClaw gateway, choosing between SSH tunneling, Tailscale, or reverse-proxy exposure, or…

xixu-me
SKILLS.SH
150K53
2026-05-22
entra-agent-id
3/3

Provision Microsoft Entra Agent Identity Blueprints, BlueprintPrincipals, and per-instance Agent Identities via Microsoft Graph, and configure OAuth 2.0 token…

Verified authormicrosoft
SKILLS.SH
59.1K1.1K
2026-05-21
firebase-security-rules-auditor
3/3

A skill to evaluate how secure Firestore security rules are. Use this when Firestore security rules are updated to ensure that the generated rules are…

firebase
SKILLS.SH
23.5K292
2026-05-21

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card