{"id":13612456,"url":"https://github.com/gleeda/memtriage","last_synced_at":"2025-03-17T11:30:32.821Z","repository":{"id":138038849,"uuid":"122637933","full_name":"gleeda/memtriage","owner":"gleeda","description":"Allows you to quickly query a Windows machine for RAM artifacts","archived":false,"fork":false,"pushed_at":"2020-07-17T21:56:19.000Z","size":17179,"stargazers_count":220,"open_issues_count":1,"forks_count":22,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-03-16T11:11:22.908Z","etag":null,"topics":["live-analysis","malware","memory","memory-analysis","memory-forensics","ram","volatility","windows-machine","winpmem"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gleeda.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-02-23T15:23:39.000Z","updated_at":"2025-03-12T23:29:44.000Z","dependencies_parsed_at":"2023-07-16T06:15:23.365Z","dependency_job_id":null,"html_url":"https://github.com/gleeda/memtriage","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gleeda%2Fmemtriage","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gleeda%2Fmemtriage/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gleeda%2Fmemtriage/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gleeda%2Fmemtriage/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gleeda","download_url":"https
://codeload.github.com/gleeda/memtriage/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244025172,"owners_count":20385529,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["live-analysis","malware","memory","memory-analysis","memory-forensics","ram","volatility","windows-machine","winpmem"],"created_at":"2024-08-01T20:00:30.167Z","updated_at":"2025-03-17T11:30:30.044Z","avatar_url":"https://github.com/gleeda.png","language":"Python","funding_links":[],"categories":["Analysis Tools","\u003ca id=\"4d2a33083a894d6e6ef01b360929f30a\"\u003e\u003c/a\u003eVolatility"],"sub_categories":[],"readme":"# memtriage (previously lmem)\nAllows you to quickly query a live Windows machine for RAM artifacts\n\nThis tool utilizes the [Winpmem](https://github.com/google/rekall/tree/master/tools/pmem/resources/winpmem) drivers to access physical memory, and [Volatility](https://github.com/volatilityfoundation/volatility) for analysis.\n\n**Caveats:**\n* Drivers updated to work with Device Guard\n  * http://blog.rekall-forensic.com/2018/09/virtual-secure-mode-and-memory.html\n* Should be tested on machines before deploying as some Windows 10 builds may BSOD.\n  * Builds that may BSOD: 1607 and 1709\n\n## Volatility Plugins\n\nThe following are currently supported:\n\n* apihooks \n* atoms\n* cmdline \n* dlldump \n* dlllist \n* driverirp \n* dumpfiles \n* envars\n* getsids \n* handles \n* ldrmodules \n* malfind \n* moddump \n* modules\n* netscan \n* privs \n* procdump \n* pslist \n* psxview \n* shimcachemem\n* svcscan \n* vaddump \n* 
vadinfo \n* verinfo \n* volshell \n* yarascan\n\n## Example Usage\n\n```\nusage: memtriage.exe [-h] [--unload] [--load] [--debug] [--service SERVICE]\n                     [--output OUTPUT] [--dumpdir DUMPDIR] [--base BASE]\n                     [--offset OFFSET] [--memory MEMORY] [--pid PID] [--leave]\n                     [--plugins PLUGINS] [--physoffset PHYSOFFSET]\n                     [--physical] [--ignore] [--regex REGEX] [--name NAME]\n                     [--keepname] [--outfile OUTFILE] [--yararules YARARULES]\n                     [--yarafile YARAFILE] [--kernel] [--all] [--case]\n                     [--wide] [--size SIZE] [--reverse REVERSE]\n\nMemtriage options:\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --unload              Unload the driver and exit\n  --load                Load the driver and exit\n  --debug               Output debug messages while running\n  --service SERVICE     Change the service name (default: pmem)\n  --output OUTPUT       Output type: json/text/csv\n  --dumpdir DUMPDIR     Directory to dump files to\n                        (dlldump,procdump,moddump,vaddump,dumpfiles)\n  --base BASE           Base of PE file to dump (dlldump,procdump,moddump)\n  --offset OFFSET       Physical offset of process to act on\n                        (dlldump,procdump,moddump,vaddump,dumpfiles)\n  --memory MEMORY       Carve as a memory sample rather than exe/disk\n                        (dlldump,procdump,moddump)\n  --pid PID             Operate on this process ID\n  --leave               Leave pmem service running with driver\n  --plugins PLUGINS     Comma delimited list of plugins to run: apihooks atoms\n                        cmdline dlldump dlllist driverirp dumpfiles envars\n                        getsids handles ldrmodules malfind moddump modules\n                        netscan privs procdump pslist psxview shimcachemem\n                        svcscan vaddump vadinfo verinfo volshell yarascan\n 
 --physoffset PHYSOFFSET\n                        Dump File Object at physical address PHYSOFFSET\n                        (dumpfiles)\n  --physical            Display the physical address of object\n                        (pslist,handles,modules)\n  --ignore              Ignore case in pattern match (dumpfiles,verinfo)\n  --regex REGEX         Dump files matching REGEX (dumpfiles,driverirp,privs)\n  --name NAME           Name of process/object to operate on\n  --keepname            Keep original file name (dumpfiles)\n  --outfile OUTFILE     Combined output file (default: stdout)\n  --yararules YARARULES\n                        Yara rule given on the commandline (yarascan)\n  --yarafile YARAFILE   Yara rules given as a file (yarascan)\n  --kernel              Scan kernel memory (yarascan)\n  --all                 Scan both process and kernel memory (yarascan)\n  --case                Make the search case insensitive (yarascan)\n  --wide                Match wide (unicode) strings (yarascan)\n  --size SIZE           Size of preview hexdump in bytes (default: 256)\n                        (yarascan)\n  --reverse REVERSE     Reverse [REVERSE] number of bytes (default: 0)\n                        (yarascan)\n```\n\n### No Need to Specify Profiles\n\nMemtriage will attempt to figure out the profile automatically and run with the appropriate settings.  If there is not an exact match, Memtriage will attempt to use the closest named profile available.  Therefore, there is a possibility that object definitions won't line up exactly (like process names etc.), which you may also see when running Volatility with an incorrect profile.  Profiles can be added to the Volatility code, and the executable can be recompiled with `pyinstaller`.\n  \n### Loading and Unloading the Driver\n  \nBy default, `memtriage.exe` will attempt to load the driver when it first runs, and unload it when it exits.  
You may however load and unload the driver manually with the `--load` and `--unload` options.  You may also request that the driver remain loaded after plugins have finished running with the `--leave` option.\n  \n```\n\u003e memtriage.exe --leave --plugins=dumpfiles --dumpdir=outdir --physoffset=1066160184 --keepname \n```\n\n#### Service Name\n\nThe default service name that is created is `pmem`.  You may specify a different service name with the `--service=` option.  You must then use this `--service=` option for future invocations if you leave the driver loaded.  Example:\n\n```\n\u003e memtriage.exe --leave --service=somename --plugins=dlllist --pid=2924\n[snip]\n\u003e memtriage.exe --unload --service=somename \n```\n\n### Running Plugins\n\nYou may run several plugins at a time by specifying them with comma delimitation with the `--plugins=` option.  Example:\n\n```\n\u003e memtriage.exe --plugins=pslist,handles,dlllist \n```\n![Multiple Plugins](https://github.com/gleeda/memtriage/blob/master/volatility/gifs/Multiple1.gif)\n\nOther options will be used for the appropriate plugin.  Example:\n\n```\n\u003e memtriage.exe --plugins=pslist,handles,dlllist,dlldump,dumpfiles,shimcachemem,volshell --outfile=outfile.txt --pid=2924 --dumpdir=outdir --leave --keepname --physoffset=1066160184\n```\n\n## Releases\n\nYou can find releases, including a `pyinstaller` standalone executable here: [https://github.com/gleeda/memtriage/releases](https://github.com/gleeda/memtriage/releases)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgleeda%2Fmemtriage","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgleeda%2Fmemtriage","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgleeda%2Fmemtriage/lists"}