登录
下载
技能 编程开发 Rekall内存工件提取

Rekall内存工件提取

v20260317
extracting-memory-artifacts-with-rekall
借助 Rekall 对 Windows 内存镜像进行分析,发现进程注入、隐藏进程、异常 VAD、可疑 DLL 和驱动等内存工件,支持响应阶段的威胁诊断。
Rekall 内存取证 Windows 事件响应 代码注入 隐藏进程 可疑模块
获取技能
118 次下载
概览

Extracting Memory Artifacts with Rekall

Instructions

Use Rekall to analyze memory dumps for signs of compromise including process injection, hidden processes, and suspicious network connections.

from rekall import session
from rekall import plugins

# Create a Rekall session with a memory image
s = session.Session(
    filename="/path/to/memory.raw",
    autodetect=["rsds"],
    profile_path=["https://github.com/google/rekall-profiles/raw/master"]
)

# List processes
for proc in s.plugins.pslist():
    print(proc)

# Detect injected code
for result in s.plugins.malfind():
    print(result)

Key analysis steps:

  1. Load memory image and auto-detect profile
  2. Run pslist and psscan to find hidden processes
  3. Use malfind to detect injected/hollowed code in process VADs
  4. Examine network connections with netscan
  5. Extract suspicious DLLs and drivers with dlllist/modules

Examples

from rekall import session
s = session.Session(filename="memory.raw")
# Compare pslist vs psscan for hidden processes
pslist_pids = set(p.pid for p in s.plugins.pslist())
psscan_pids = set(p.pid for p in s.plugins.psscan())
hidden = psscan_pids - pslist_pids
print(f"Hidden PIDs: {hidden}")
信息
Category 编程开发
Name extracting-memory-artifacts-with-rekall
版本 v20260317
大小 7.66KB
Source mukul975/Anthropic-Cybersecurity-Skills
更新时间 2026-03-18
语言
简体中文
English