Memory Analysis Agent
Forensic analysis of memory dumps for incident investigation and malware detection.
Overview
Agent Name: MemoryAnalysisAgent
Scan Type: memory-analysis
Credit Cost: 2 credits
Target Types: Memory dumps (.dmp, .raw, .mem)
Capabilities
- Process and thread analysis
- DLL injection detection
- Rootkit identification
- Network connection extraction
- Hidden process detection
- Malware signature matching
- Credential extraction
- Code injection detection
Usage
# Analyze memory dump
alprina scan ./memory.dmp --type memory-analysis
# Comprehensive analysis
alprina scan ./crash.dmp --type memory-analysis --profile comprehensive
What It Analyzes
- Running processes
- Loaded modules and DLLs
- Network connections
- Registry hives
- File handles
- Mutex objects
- Command history
- Injected code
Example Output
{
"scan_id": "scan_mem404",
"findings": [
{
"severity": "critical",
"title": "Suspicious Process with Code Injection",
"description": "Process 'svchost.exe' (PID 1234) has injected code into explorer.exe",
"pid": 1234,
"parent_pid": 5678,
"technique": "Process hollowing",
"recommendation": "Investigate process for malware, check parent process legitimacy"
}
],
"processes": [
{
"name": "svchost.exe",
"pid": 1234,
"suspicious": true,
"indicators": ["code_injection", "hidden_threads"]
}
]
}
Common Findings
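The output above is meant to be consumed by a responder or a pipeline, not read once. The following is an added example, not Alprina code: it post-processes JSON in the shape shown on this page ("scan_id", "findings", "processes"), ranks findings by severity, and acts on the "check parent process legitimacy" recommendation by comparing each flagged process's parent against an expected-parent table. The sample scan output and the EXPECTED_PARENT table are constructed for illustration; the table reflects common Windows parent/child relationships and should be adjusted for the build being examined.

```python
"""Triage helper for Alprina memory-analysis output.

Added example for this page, not part of Alprina. It assumes the JSON shape
shown above: top-level "scan_id", "findings" and "processes" keys.
"""
import json
from collections import Counter

# Expected parent image for common Windows system processes. This table is an
# assumption for illustration and varies by Windows version; review it before
# relying on it.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "explorer.exe": {"userinit.exe"},
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed sample in the page's schema. The cmd.exe entry (pid 5678) and the
# explorer.exe entry (pid 2100) are added so the parent check has data to use.
SAMPLE_OUTPUT = json.dumps({
    "scan_id": "scan_mem404",
    "findings": [
        {"severity": "medium", "title": "Unbacked executable memory region",
         "description": "explorer.exe maps RWX memory not backed by a file",
         "pid": 2100, "parent_pid": 1900, "technique": "Reflective injection",
         "recommendation": "Dump the region and scan it"},
        {"severity": "critical", "title": "Suspicious Process with Code Injection",
         "description": "Process 'svchost.exe' (PID 1234) has injected code into explorer.exe",
         "pid": 1234, "parent_pid": 5678, "technique": "Process hollowing",
         "recommendation": "Investigate process for malware, check parent process legitimacy"},
    ],
    "processes": [
        {"name": "svchost.exe", "pid": 1234, "suspicious": True,
         "indicators": ["code_injection", "hidden_threads"]},
        {"name": "cmd.exe", "pid": 5678, "suspicious": False, "indicators": []},
        {"name": "explorer.exe", "pid": 2100, "suspicious": True,
         "indicators": ["rwx_private_memory"]},
    ],
})


def load_scan(text):
    """Parse scan output and verify the keys this helper depends on."""
    scan = json.loads(text)
    for key in ("scan_id", "findings", "processes"):
        if key not in scan:
            raise ValueError(f"scan output missing {key!r}")
    return scan


def findings_by_severity(scan):
    """Findings ordered critical first; unknown severities sort last."""
    return sorted(scan["findings"],
                  key=lambda f: SEVERITY_RANK.get(f.get("severity", ""), 99))


def parent_check(scan):
    """Apply the parent-legitimacy check to every finding that names a process.

    Returns (anomalies, unresolved). An anomaly is (child, pid, parent) where
    the parent is present in the dump and is not an expected parent for that
    image. A finding whose parent pid is absent from the process list goes to
    unresolved instead: parents such as userinit.exe exit normally, so a
    missing parent is common for legitimate processes and needs manual review.
    """
    by_pid = {p["pid"]: p for p in scan["processes"]}
    anomalies, unresolved = [], []
    for f in scan["findings"]:
        pid, ppid = f.get("pid"), f.get("parent_pid")
        if pid not in by_pid or ppid is None:
            continue
        child = by_pid[pid]["name"].lower()
        parent = by_pid.get(ppid)
        if parent is None:
            unresolved.append((child, pid, ppid))
            continue
        expected = EXPECTED_PARENT.get(child)
        if expected and parent["name"].lower() not in expected:
            anomalies.append((child, pid, parent["name"].lower()))
    return anomalies, unresolved


def triage(scan):
    """Summarise a scan: severity counts, suspicious pids, parent check results."""
    anomalies, unresolved = parent_check(scan)
    return {
        "scan_id": scan["scan_id"],
        "severity_counts": dict(Counter(f.get("severity", "unknown")
                                        for f in scan["findings"])),
        "top_finding": (findings_by_severity(scan)[0]["title"]
                        if scan["findings"] else None),
        "suspicious_pids": sorted(p["pid"] for p in scan["processes"]
                                  if p.get("suspicious")),
        "parent_anomalies": anomalies,
        "unresolved_parents": unresolved,
    }


if __name__ == "__main__":
    print(json.dumps(triage(load_scan(SAMPLE_OUTPUT)), indent=2))
```

On the constructed sample, the critical finding's svchost.exe (PID 1234) resolves to a cmd.exe parent, which is flagged as an anomaly because svchost.exe is expected under services.exe; the explorer.exe finding is reported as unresolved rather than anomalous because its parent is not in the dump. Keeping those two outcomes separate avoids turning every exited parent into a false positive.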
- Process injection
- Rootkit activity
- Hidden network connections
- Credential theft
- Persistence mechanisms
- Anti-forensic techniques