
Rekall Memory Artifact Extraction

v20260317
extracting-memory-artifacts-with-rekall
Uses the Rekall forensic framework to scan Windows memory dumps for hidden or hollowed processes, anomalous VAD entries, suspicious DLLs and injected code during incident response.
Overview

Extracting Memory Artifacts with Rekall

Instructions

Use Rekall to analyze Windows memory dumps for signs of compromise, including process injection, hidden processes and suspicious network connections. Note that Google has archived the Rekall repository and no longer maintains it: profile coverage ends at the kernel builds present in rekall-profiles, and the "rsds" autodetection below fetches profiles over the network, so keep a local clone of that repository in profile_path when the analysis host is offline.

from rekall import session
from rekall import plugins  # importing this module registers the plugin classes

# Create a Rekall session with a memory image. autodetect=["rsds"] reads the
# kernel's PDB GUID out of the image and fetches the matching profile from
# the repositories listed in profile_path (URLs or local directories).
s = session.Session(
    filename="/path/to/memory.raw",
    autodetect=["rsds"],
    profile_path=["https://github.com/google/rekall-profiles/raw/master"]
)

# List processes. s.plugins.<name>() instantiates a plugin; collect() yields one
# row per result, keyed by column name, with the _EPROCESS object under "_EPROCESS".
for row in s.plugins.pslist().collect():
    proc = row["_EPROCESS"]
    print(int(proc.pid), str(proc.name))

# Detect injected code. RunPlugin renders the plugin's table to stdout; malfind
# flags private VAD regions that are executable and writable and disassembles
# their first bytes.
s.RunPlugin("malfind")

Key analysis steps:

  1. Load the memory image and let Rekall autodetect the profile ("rsds" matches the kernel's PDB GUID against the profile repository)
  2. Run pslist and psscan; a process that psscan finds but pslist does not is either unlinked from the active process list (DKOM) or simply exited, so check its ExitTime before calling it hidden
  3. Use malfind to find private VAD regions that are executable and writable, and read the disassembly it prints to distinguish injected PE images and shellcode from benign JIT regions
  4. Examine network connections with netscan and tie each socket or connection back to its owning PID
  5. List DLLs with dlllist (and ldrmodules, which also catches DLLs unlinked from the loader lists) and drivers with modules/modscan; dump candidates with dlldump and moddump for static analysis
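The triage behind steps 2 and 3, as an added example that is not code from the skill or from Rekall. The detection functions work on plain records so they run offline against constructed pslist, psscan and VAD samples; rows_from_rekall() shows how the same records would be built from a live session and is not called by the sample run. It assumes that pslist/psscan rows from collect() are dicts keyed by column name with the process under "_EPROCESS", and that VAD protection strings use the Windows PAGE_* names without the prefix (e.g. "EXECUTE_READWRITE"); both are assumptions about Rekall's output shape, not documented guarantees.

```python
"""Offline triage for hidden processes and malfind-style VAD hits.

Added example, not part of the skill or of Rekall. Row layout and
protection strings are assumptions (see the lead-in).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """Stand-in for the _EPROCESS fields this triage needs."""
    pid: int
    ppid: int
    name: str
    exit_time: int = 0  # 0 means ExitTime was never set (still running)


@dataclass(frozen=True)
class Vad:
    """One VAD entry plus the first bytes of the region it describes."""
    pid: int
    start: int
    end: int
    protection: str  # assumed form: "EXECUTE_READWRITE", "READWRITE", ...
    filename: str    # "" when the region is private (not file-backed)
    head: bytes      # first bytes read from the region


def hidden_processes(pslist, psscan):
    """Split psscan-only hits into unlinked (suspicious) and merely exited.

    psscan pool-scans for _EPROCESS blocks, so besides DKOM-unlinked
    processes it also recovers terminated ones whose pool memory has not
    been reused yet. A raw psscan - pslist set difference mixes the two.
    """
    listed = {p.pid for p in pslist}
    unlinked, exited = [], []
    for p in psscan:
        if p.pid in listed:
            continue
        (exited if p.exit_time else unlinked).append(p)
    return unlinked, exited


def suspicious_vads(vads):
    """malfind-style heuristic on VAD entries.

    Flags regions that are executable and writable, not backed by a file,
    and not entirely zero (a reserved but never written region is noise).
    The returned flag says whether the region starts with an MZ header,
    i.e. looks like a manually mapped PE rather than raw shellcode.
    """
    hits = []
    for v in vads:
        if "EXECUTE" not in v.protection or "WRITE" not in v.protection:
            continue
        if v.filename or not any(v.head):
            continue
        hits.append((v, v.head[:2] == b"MZ"))
    return hits


def rows_from_rekall(image_path):
    """Build Proc records from a live Rekall session (assumed row layout)."""
    from rekall import session, plugins  # noqa: F401  plugins registers the plugin classes
    s = session.Session(filename=image_path, autodetect=["rsds"])

    def to_proc(row):
        e = row["_EPROCESS"]
        return Proc(int(e.pid), int(e.InheritedFromUniqueProcessId),
                    str(e.name), int(e.ExitTime.v()))

    return ([to_proc(r) for r in s.plugins.pslist().collect()],
            [to_proc(r) for r in s.plugins.psscan().collect()])


# Constructed sample: what pslist and psscan might report for one image.
SAMPLE_PSLIST = [Proc(4, 0, "System"), Proc(500, 4, "smss.exe"), Proc(900, 500, "csrss.exe")]
SAMPLE_PSSCAN = SAMPLE_PSLIST + [
    Proc(1337, 900, "svch0st.exe"),                        # unlinked, never exited
    Proc(2222, 900, "notepad.exe", exit_time=1700000000),  # exited normally
]
# Constructed VAD sample: file-backed image, zeroed reservation, injected PE,
# shellcode-like bytes, and a plain read/write data region.
SAMPLE_VADS = [
    Vad(1337, 0x400000, 0x420000, "EXECUTE_WRITECOPY", r"\Windows\svch0st.exe", b"MZ\x90\x00"),
    Vad(900, 0x7ff0000, 0x7ff1000, "EXECUTE_READWRITE", "", bytes(16)),
    Vad(900, 0x1a0000, 0x1b0000, "EXECUTE_READWRITE", "", b"MZ\x90\x00\x03\x00\x00\x00"),
    Vad(900, 0x2c0000, 0x2c1000, "EXECUTE_READWRITE", "", b"\xfc\x48\x83\xe4\xf0\xe8"),
    Vad(500, 0x300000, 0x310000, "READWRITE", "", b"A" * 8),
]

if __name__ == "__main__":
    unlinked, exited = hidden_processes(SAMPLE_PSLIST, SAMPLE_PSSCAN)
    print("unlinked:", [(p.pid, p.name) for p in unlinked])
    print("exited:", [(p.pid, p.name) for p in exited])
    for v, is_pe in suspicious_vads(SAMPLE_VADS):
        print(f"pid {v.pid} {v.start:#x}-{v.end:#x} {v.protection} {'PE image' if is_pe else 'shellcode?'}")
```

On the sample data this reports PID 1337 as unlinked and PID 2222 as merely exited, and flags two VAD regions in PID 900: one carrying an MZ header and one with raw code. The zeroed EXECUTE_READWRITE region and the file-backed image are skipped, which is the same noise reduction malfind's own output relies on.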

Examples

from rekall import session
from rekall import plugins  # registers the plugin classes

s = session.Session(filename="memory.raw")
# Compare pslist (walks the active process list) with psscan (pool-scans for
# _EPROCESS blocks). psscan also recovers exited processes, so report those
# separately from processes that are genuinely unlinked.
listed = {int(row["_EPROCESS"].pid) for row in s.plugins.pslist().collect()}
for row in s.plugins.psscan().collect():
    proc = row["_EPROCESS"]
    if int(proc.pid) not in listed:
        state = "exited" if proc.ExitTime.v() else "HIDDEN"
        print(f"{state}: pid={int(proc.pid)} name={proc.name}")
Info
Category Development
Size 7.66KB
Updated At 2026-03-18