{"id":17383442,"url":"https://github.com/forrest-orr/moneta","last_synced_at":"2025-04-13T00:47:10.736Z","repository":{"id":43170517,"uuid":"215337110","full_name":"forrest-orr/moneta","owner":"forrest-orr","description":"Moneta is a live usermode memory analysis tool for Windows with the capability to detect malware IOCs","archived":false,"fork":false,"pushed_at":"2024-03-16T22:58:19.000Z","size":5564,"stargazers_count":738,"open_issues_count":2,"forks_count":88,"subscribers_count":14,"default_branch":"master","last_synced_at":"2025-04-13T00:47:01.134Z","etag":null,"topics":["artifact","dump","hollowing","injection","ioc","malware","memory","moneta","pe","process","reflective","scanner","shellcode","usermode","windows"],"latest_commit_sha":null,"homepage":"https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/forrest-orr.png","metadata":{"files":{"readme":"README.txt","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-15T15:47:45.000Z","updated_at":"2025-04-06T05:37:19.000Z","dependencies_parsed_at":"2024-10-16T07:41:49.634Z","dependency_job_id":"99158ed4-62ad-4582-bb66-dde2daad697e","html_url":"https://github.com/forrest-orr/moneta","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forrest-orr%2Fmoneta","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forrest-orr%2Fmoneta/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forrest-orr%2Fmoneta/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forrest-orr%2Fmoneta/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/forrest-orr","download_url":"https://codeload.github.com/forrest-orr/moneta/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248650433,"owners_count":21139672,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["artifact","dump","hollowing","injection","ioc","malware","memory","moneta","pe","process","reflective","scanner","shellcode","usermode","windows"],"created_at":"2024-10-16T07:41:44.132Z","updated_at":"2025-04-13T00:47:10.702Z","avatar_url":"https://github.com/forrest-orr.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"   _____                        __          \n  /     \\   ____   ____   _____/  |______   \n /  \\ /  \\ /  _ \\ /    \\_/ __ \\   __\\__  \\  \n/    Y    (  \u003c_\u003e )   |  \\  ___/|  |  / __ \\_\n\\____|__  /\\____/|___|  /\\___  \u003e__| (____  /\n        \\/            \\/     \\/          \\/ \n\nMoneta v1.0 | Forrest Orr | 2020\n\nREQUIRED\n\n-m {*|region|referenced|ioc}\n-p {*|PID}\n\nOPTIONAL\n\n-v {detail|debug|surface}\n-d\n--option {from-base|statistics}\n--filter {unsigned-module|clr-prvx|clr-heap|metadata-modules}\n--address \u003cmemory address\u003e\n--region-size \u003cmemory region size\u003e\n\n\n-m                  The memory to select and apply scanner settings to.\n\n                    *                   Select all regions of committed memory.\n                    ioc                 Select only regions which have suspicions associated with them.\n                    region              Select only the region(s) which overlap with the region provided\n                                        through the --address and --region-size arguments.\n                    referenced          Select only regions which are referenced within the region(s)\n                                        associated with the provided --address and --region-size arguments.\n-p                  The process(es) to scan. In the event that * is used, all accessible processes will\n                    be enumerated and scanned.\n--option            Additional actions to optionally apply to the memory selected from the scan.\n\n                    from-base           All subregions associated with the allocation bases of all\n                                        selected memory will also be selected.\n                    statistics          Calculate permission statistics on the selected memory after a\n                                        scan has completed.\n-d                  Dump all selected memory to the local file system after each process scan is complete.\n--address           A memory address in 0x* format to be used in conjunction with either the \"region\" or\n                    \"referenced\" selection types.\n--region-size       Optionally specify the size of the region of the provided \"--address.\" The default is\n                    a region size of 0.\n-v                  The verbosity level with which to print information related to the selected memory.\n                    The default is \"surface\".\n--filter            The filters to apply when eliminating suspicions associated with selected memory.\n\n                    *                   Apply all filters. Only malware and unknown false positives shown.\n                    unsigned-module     Regions of image memory associated with unsigned PE files.\n                    metadata-modules    Regions of image memory stemming from signed Windows metadata PE\n                                        files on disk.\n                    clr-heap            Native executable heaps created during CLR initialization.\n                    clr-prvx            Managed heaps associated with active CLR heaps and JIT code.\n                    wow64-init          IOCs resulting from Wow64 process initialization such as certain\n                                        modified system library code sections.\n\nEXAMPLES\n\nEnumerate a detailed log of all committed memory in all processes on the OS:\n\n    Moneta64.exe -m * -p * -v detail\n\nEnumerate surface level information related to suspicious memory in a specific process:\n\n    Moneta64.exe -m ioc -p 1234\n\nEnumerate surface level information related to suspicious memory in a specific process from its allocation\nbase:\n\n    Moneta64.exe -m ioc -p 1234 --option from-base\n\nDump a specific memory region by address within a specific process from its allocation base:\n\n    Moneta64.exe -m region -p 1234 --option from-base --address 0x0000000077DD0000 -d\n\nEnumerate surface level information related to suspicious memory in all processes and show memory\nstatistics on IOCs and region types when the scan is complete:\n\n    Moneta64.exe -m ioc -p * --option statistics\n\nEnumerate surface level information related to suspicious memory in all processes but exclude IOCs\nstemming from unsigned modules and metadata modules:\n\n    Moneta64.exe -m ioc -p * --filter unsigned-modules metadata-modules\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fforrest-orr%2Fmoneta","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fforrest-orr%2Fmoneta","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fforrest-orr%2Fmoneta/lists"}