Skip to content

Commit 0bb85b5

Browse files
evild3adevild3ad
committed
MemProcFS-Analyzer v0.9
1 parent 332e00e commit 0bb85b5

File tree

312 files changed

+20049
-557
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

312 files changed

+20049
-557
lines changed

MemProcFS-Analyzer.ps1

Lines changed: 1751 additions & 381 deletions
Large diffs are not rendered by default.

README.md

Lines changed: 10 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -6,12 +6,13 @@ https://github.com/ufrisk/MemProcFS
66

77
Features:
88
* Fast and easy memory analysis!
9-
* You can mount a Raw Physical Memory Dump like a disk image and handle the memory compression feature on Windows
9+
* You can mount a memory snapshot (Raw Physical Memory Dump or Microsoft Crash Dump) like a disk image and handle the memory compression feature on Windows
1010
* Auto-Install of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd, ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite
1111
* Auto-Update of MemProcFS, AmcacheParser, AppCompatCacheParser, Elasticsearch, entropy, EvtxECmd (incl. Maps), ImportExcel, IPinfo CLI, jq, Kibana, lnk_parser, RECmd, SBECmd, xsv, YARA, and Zircolite
1212
* Update-Info when there's a new version of ClamAV or a new Dokany File System Library Bundle available
1313
* Pagefile Support
1414
* OS Fingerprinting
15+
* Scan w/ Custom YARA rules (incl. 284 rules by e.g. [Chronicle](https://github.com/chronicle/GCTI/tree/main/YARA) and [Elastic Security](https://github.com/elastic/protections-artifacts))
1516
* Multi-Threaded scan w/ ClamAV for Windows
1617
* Collection of infected files detected by ClamAV for further analysis (PW: infected)
1718
* Collection of injected modules detected by MemProcFS PE_INJECT for further analysis (PW: infected)
@@ -50,7 +51,7 @@ Download the latest version of **MemProcFS-Analyzer** from the [Releases](https:
5051
Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PSVersion: 5.1) as Administrator and open/run MemProcFS-Analyzer.ps1.
5152

5253
![File-Browser](https://github.com/evild3ad/MemProcFS-Analyzer/blob/8ff585672b7bbe689ad10080555f62dce2b0c06d/Screenshots/01.png)
53-
**Fig 1:** Select your Raw Physical Memory Dump and select your pagefile.sys (Optional)
54+
**Fig 1:** Select your Memory Snapshot and select your pagefile.sys (Optional)
5455

5556
![Auto-Install](https://github.com/evild3ad/MemProcFS-Analyzer/blob/8ff585672b7bbe689ad10080555f62dce2b0c06d/Screenshots/02.png)
5657
**Fig 2:** MemProcFS-Analyzer auto-installs dependencies (First Run)
@@ -62,7 +63,7 @@ Launch Windows PowerShell (or Windows PowerShell ISE or Visual Studio Code w/ PS
6263
**Fig 4:** If you find MemProcFS useful, please become a sponsor at: https://github.com/sponsors/ufrisk
6364

6465
![Mounted](https://github.com/evild3ad/MemProcFS-Analyzer/blob/8ff585672b7bbe689ad10080555f62dce2b0c06d/Screenshots/05.png)
65-
**Fig 5:** You can investigate the mounted memory dump by exploring drive letter X:
66+
**Fig 5:** You can investigate the mounted memory dump by exploring drive letter
6667

6768
![Auto-Update](https://github.com/evild3ad/MemProcFS-Analyzer/blob/8ff585672b7bbe689ad10080555f62dce2b0c06d/Screenshots/06.png)
6869
**Fig 6:** MemProcFS-Analyzer checks for updates (Second Run)
@@ -181,19 +182,19 @@ https://ericzimmerman.github.io/
181182
AppCompatCacheParser v1.5.0.0 (.NET 6)
182183
https://ericzimmerman.github.io/
183184

184-
ClamAV - Download → Windows → clamav-1.0.0.win.x64.msi (2022-11-23)
185+
ClamAV - Download → Windows → clamav-1.0.1.win.x64.msi (2023-02-14)
185186
https://www.clamav.net/downloads
186187

187188
Dokany Library Bundle v2.0.6.1000 (2022-10-02)
188189
https://github.com/dokan-dev/dokany/releases/latest → DokanSetup.exe
189190

190-
Elasticsearch 8.6.0 (2023-01-10)
191+
Elasticsearch 8.7.1 (2023-05-02)
191192
https://www.elastic.co/downloads/elasticsearch
192193

193194
entropy v1.0 (2022-02-04)
194195
https://github.com/merces/entropy
195196

196-
EvtxECmd v1.0.0.1 (.NET 6)
197+
EvtxECmd v1.5.0.0 (.NET 6)
197198
https://ericzimmerman.github.io/
198199

199200
ImportExcel v7.8.4 (2022-12-11)
@@ -211,7 +212,7 @@ https://www.elastic.co/downloads/kibana
211212
lnk_parser v0.2.0 (2022-08-10)
212213
https://github.com/AbdulRhmanAlfaifi/lnk_parser
213214

214-
MemProcFS v5.3.0 - The Memory Process File System (2023-01-19)
215+
MemProcFS v5.6.4 - The Memory Process File System (2023-05-01)
215216
https://github.com/ufrisk/MemProcFS
216217

217218
RECmd v2.0.0.0 (.NET 6)
@@ -223,10 +224,10 @@ https://ericzimmerman.github.io/
223224
xsv v0.13.0 (2018-05-12)
224225
https://github.com/BurntSushi/xsv
225226

226-
YARA v4.2.3 (2022-08-09)
227+
YARA v4.3.1 (2023-04-21)
227228
https://virustotal.github.io/yara/
228229

229-
Zircolite v2.9.7 (2022-10-08)
230+
Zircolite v2.9.9 (2023-04-16)
230231
https://github.com/wagga40/Zircolite
231232

232233
## Links

Screenshots/01.png

2.01 KB
Loading

Screenshots/02.png

3.66 KB
Loading

Screenshots/03.png

32 Bytes
Loading

Screenshots/04.png

42.6 KB
Loading

Screenshots/05.png

-108 Bytes
Loading

Screenshots/06.png

4.38 KB
Loading

Screenshots/07.png

16.9 KB
Loading

Screenshots/16.png

30.3 KB
Loading

0 commit comments

Comments
 (0)