This project forked from forrest-orr/moneta
Moneta is a live usermode memory analysis tool for Windows with the capability to detect malware IOCs
Home Page: https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta
License: GNU General Public License v3.0
_____ __
/ \ ____ ____ _____/ |______
/ \ / \ / _ \ / \_/ __ \ __\__ \
/ Y ( <_> ) | \ ___/| | / __ \_
\____|__ /\____/|___| /\___ >__| (____ /
\/ \/ \/ \/
Moneta v1.0 | Forrest Orr | 2020
REQUIRED
-m {*|region|referenced|ioc}
-p {*|PID}
OPTIONAL
-v {detail|debug|surface}
-d
--option {from-base|statistics}
--filter {unsigned-module|clr-prvx|clr-heap|metadata-modules}
--address <memory address>
--region-size <memory region size>
-m The memory to select and apply scanner settings to.
* Select all regions of committed memory.
ioc Select only regions which have suspicions associated with them.
region Select only the region(s) which overlap with the region provided
through the --address and --region-size arguments.
referenced Select only regions which are referenced within the region(s)
associated with the provided --address and --region-size arguments
-p The process(es) to scan. In the event that * is used, all accessible processes will
be enumerated and scanned.
--option Additional actions to optionally apply to the memory selected from the scan.
from-base All subregions associated with the allocation bases of all
selected memory will also be selected.
statistics Calculate permission statistics on the selected memory after a
scan has completed.
-d Dump all selected memory to the local file system after each process scan is complete.
--address A memory address in 0x* format to be used in conjunction with either the "region" or
"referenced" selection types.
--region-size Optionally specify the size of the region of the provided "--address." The default is
a region size of 0.
-v The verbosity level with which to print information related to the selected memory.
The default is "surface"
--filter The filters to apply when eliminating suspicions associated with selected memory.
* Apply all filters. Only malware and unknown false positives shown.
unsigned-module Regions of image memory associated with unsigned PE files.
metadata-modules Regions of image memory stemming from signed Windows metadata PE
files on disk.
clr-heap Native executable heaps created during CLR initialization.
clr-prvx Managed heaps associated with active CLR heaps and JIT code.
wow64-init IOCs resulting from Wow64 process initialization such as certain
modified system library code sections
EXAMPLES
Enumerate a detailed log of all committed memory in all processes on the OS:
Moneta64.exe -m * -p * -v detail
Enumerate surface level information related to suspicious memory in a specific process:
Moneta64.exe -m ioc -p 1234
Enumerate surface level information related to suspicious memory in a specific process from its allocation
base:
Moneta64.exe -m ioc -p 1234 --option from-base
Dump a specific memory region by address within a specific process from its allocation base:
Moneta64.exe -m region -p 1234 --option from-base --address 0x0000000077DD0000 -d
Enumerate surface level information related to suspicious memory in all processes and show memory
statistics on IOCs and region types when the scan is complete:
Moneta64.exe -m ioc -p * --option statistics
Enumerate surface level information related to suspicious memory in all processes but exclude IOCs
stemming from unsigned modules and metadata modules:
Moneta64.exe -m ioc -p * --filter unsigned-modules metadata-modules
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.