https://github.com/forrest-orr/moneta

Moneta is a live usermode memory analysis tool for Windows with the capability to detect malware IOCs
https://github.com/forrest-orr/moneta

artifact dump hollowing injection ioc malware memory moneta pe process reflective scanner shellcode usermode windows

Last synced: 8 days ago
JSON representation

Moneta is a live usermode memory analysis tool for Windows with the capability to detect malware IOCs

• Host: GitHub
• URL: https://github.com/forrest-orr/moneta
• Owner: forrest-orr
• License: gpl-3.0
• Created: 2019-10-15T15:47:45.000Z (about 5 years ago)
• Default Branch: master
• Last Pushed: 2024-03-16T22:58:19.000Z (8 months ago)
• Last Synced: 2024-10-16T07:41:48.900Z (22 days ago)
• Topics: artifact, dump, hollowing, injection, ioc, malware, memory, moneta, pe, process, reflective, scanner, shellcode, usermode, windows
• Language: C++
• Homepage: https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta
• Size: 5.31 MB
• Stars: 673
• Watchers: 13
• Forks: 82
• Open Issues: 1
• Metadata Files:
  • Readme: README.txt
  • License: LICENSE

Awesome Lists containing this project

README

        
   _____                        __          

  /     \   ____   ____   _____/  |______   

 /  \ /  \ /  _ \ /    \_/ __ \   __\__  \  

/    Y    (  <_> )   |  \  ___/|  |  / __ \_

\____|__  /\____/|___|  /\___  >__| (____  /

        \/            \/     \/          \/ 

Moneta v1.0 | Forrest Orr | 2020

REQUIRED

-m {*|region|referenced|ioc}

-p {*|PID}

OPTIONAL

-v {detail|debug|surface}

-d

--option {from-base|statistics}

--filter {unsigned-module|clr-prvx|clr-heap|metadata-modules}

--address 

--region-size 

-m                  The memory to select and apply scanner settings to.

                    *                   Select all regions of committed memory.

                    ioc                 Select only regions which have suspicions associated with them.

                    region              Select only the region(s) which overlap with the region provided

                                        through the --address and --region-size arguments.

                    referenced          Select only regions which are referenced within the region(s)

                                        associated with the provided --address and --region-size arguments

-p                  The process(es) to scan. In the event that * is used, all accessible processes will

                    be enumerated and scanned.

--option            Additional actions to optionally apply to the memory selected from the scan.

                    from-base           All subregions associated with the allocation bases of all

                                        selected memory will also be selected.

                    statistics          Calculate permission statistics on the selected memory after a

                                        scan has completed.

-d                  Dump all selected memory to the local file system after each process scan is complete.

--address           A memory address in 0x* format to be used in conjunction with either the "region" or

                    "referenced" selection types.

--region-size       Optionally specify the size of the region of the provided "--address." The default is

                    a region size of 0.

-v                  The verbosity level with which to print information related to the selected memory.

                    The default is "surface"

--filter            The filters to apply when eliminating suspicions associated with selected memory.

                    

                    *                   Apply all filters. Only malware and unknown false positives shown.

                    unsigned-module     Regions of image memory associated with unsigned PE files.

                    metadata-modules    Regions of image memory stemming from signed Windows metadata PE

                                        files on disk.

                    clr-heap            Native executable heaps created during CLR initialization.

                    clr-prvx            Managed heaps associated with active CLR heaps and JIT code.

                    wow64-init          IOCs resulting from Wow64 process initialization such as certain

                                        modified system library code sections

										

EXAMPLES

Enumerate a detailed log of all committed memory in all processes on the OS:

    Moneta64.exe -m * -p * -v detail

Enumerate surface level information related to suspicious memory in a specific process:

    Moneta64.exe -m ioc -p 1234

	

Enumerate surface level information related to suspicious memory in a specific process from its allocation

base:

    Moneta64.exe -m ioc -p 1234 --option from-base

Dump a specific memory region by address within a specific process from its allocation base:

    Moneta64.exe -m region -p 1234 --option from-base --address 0x0000000077DD0000 -d

    

Enumerate surface level information related to suspicious memory in all processes and show memory

statistics on IOCs and region types when the scan is complete:

    Moneta64.exe -m ioc -p * --option statistics

	

Enumerate surface level information related to suspicious memory in all processes but exclude IOCs

stemming from unsigned modules and metadata modules:

    Moneta64.exe -m ioc -p * --filter unsigned-modules metadata-modules