Your comprehensive guide to memory integrity validation workflows

```mermaid
%%{init: {'theme':'dark', 'themeVariables': { 'primaryColor':'#667eea','primaryTextColor':'#fff','primaryBorderColor':'#764ba2','lineColor':'#4ecdc4','secondaryColor':'#45b7d1','tertiaryColor':'#96ceb4'}}}%%
graph TB
    START([Start Here]) --> DECISION{What's your<br/>use case?}
    DECISION -->|Live System<br/>Investigation| LIVE[Live Memory<br/>Analysis]
    DECISION -->|Forensic<br/>Analysis| FORENSIC[Memory Dump<br/>Analysis]
    DECISION -->|Development<br/>Debugging| DEBUG[Symbol<br/>Lookup]
    LIVE --> LIVEGUIDE[Go to:<br/>Live System Workflow]
    FORENSIC --> FORENSICGUIDE[Go to:<br/>Forensic Workflow]
    DEBUG --> DEBUGGUIDE[Go to:<br/>Symbol Workflow]
    style START fill:#667eea,stroke:#764ba2,color:#fff,stroke-width:3px
    style DECISION fill:#f093fb,stroke:#f5576c,color:#fff
    style LIVE fill:#4facfe,stroke:#00f2fe,color:#fff
    style FORENSIC fill:#fa709a,stroke:#fee140,color:#fff
    style DEBUG fill:#30cfd0,stroke:#330867,color:#fff
    style LIVEGUIDE fill:#96ceb4,stroke:#618833,color:#fff
    style FORENSICGUIDE fill:#ffd93d,stroke:#f4b41a,color:#333
    style DEBUGGUIDE fill:#ff6b6b,stroke:#c92a2a,color:#fff
```

- Live Memory Analysis Workflow
- Forensic Memory Dump Workflow
- Symbol Lookup Workflow
- Incident Response Workflow
- Threat Hunting Workflow
- Integration Workflows
## Live Memory Analysis Workflow

```mermaid
%%{init: {'theme':'dark', 'themeVariables': { 'primaryColor':'#4facfe','primaryTextColor':'#fff','primaryBorderColor':'#00f2fe','lineColor':'#f093fb','secondaryColor':'#30cfd0','tertiaryColor':'#96ceb4'}}}%%
stateDiagram-v2
    [*] --> Preparation: Start Live Analysis
    state Preparation {
        [*] --> VerifyAccess: Check Credentials
        VerifyAccess --> TestConnection: Verify Network
        TestConnection --> InstallModules: Setup PowerShell
        InstallModules --> [*]: Ready
    }
    Preparation --> Configuration: Environment Ready
    state Configuration {
        [*] --> SetTarget: Define Target Host
        SetTarget --> SetCreds: Configure Credentials
        SetCreds --> SetThreads: Tune Performance
        SetThreads --> SelectProcesses: Optional: Filter Processes
        SelectProcesses --> [*]: Configured
    }
    Configuration --> Execution: Launch Scan
    state Execution {
        [*] --> Connect: Establish Session
        Connect --> Elevate: Get SYSTEM Token
        Elevate --> EnumProcesses: List All Processes
        EnumProcesses --> ReadMemory: Read Virtual Pages
        ReadMemory --> HashPages: Calculate SHA256
        HashPages --> SendHashes: Transmit to Server
        SendHashes --> ReceiveResults: Get Validation
        ReceiveResults --> [*]: Scan Complete
    }
    Execution --> Analysis: Process Results
    state Analysis {
        [*] --> ParseResults: Load JSON Data
        ParseResults --> BuildTreeMap: Create Visualization
        BuildTreeMap --> IdentifyAnomalies: Find Issues
        IdentifyAnomalies --> PrioritizeFindings: Rank by Severity
        PrioritizeFindings --> [*]: Analysis Complete
    }
    Analysis --> Response: Take Action
    state Response {
        [*] --> GenerateReport: Document Findings
        GenerateReport --> InvestigateProcess: Deep Dive Suspicious
        InvestigateProcess --> DumpMemory: Extract Modified Pages
        DumpMemory --> DiffAnalysis: Binary Comparison
        DiffAnalysis --> Remediate: Apply Fixes
        Remediate --> [*]: Resolved
    }
    Response --> [*]: Case Closed
    note right of Preparation
        Est. Time: 5 minutes
        Tools: PowerShell, ShowUI
        Permissions: Admin
    end note
    note right of Execution
        Est. Time: 10-30 minutes
        Depends on: System size
        Parallel: Up to 512 threads
    end note
    note right of Analysis
        Est. Time: 5-10 minutes
        Output: Interactive TreeMap
        Focus: Low validation %
    end note
```
### Preparation

```powershell
# Verify PowerShell version (need 5.0+)
$PSVersionTable.PSVersion
# Install required modules
Install-Module ShowUI -Scope CurrentUser
# Verify remote access
Test-WSMan -ComputerName target-host
```

### Configuration

```powershell
# Set target parameters
$Target = "192.168.1.100"
$User = "Administrator"
$Pass = "SecurePassword123!"
# Optional: Filter to specific processes
$ProcessFilter = @("chrome.exe", "firefox.exe", "powershell.exe")
```

### Execution

```powershell
# Run the scan
$Results = .\Test-AllVirtualMemory.ps1 `
    -TargetHost $Target `
    -aUserName $User `
    -aPassWord $Pass `
    -MaxThreads 512 `
    -ElevatePastAdmin `
    -ProcNameGlob $ProcessFilter `
    -GUIOutput
```

### Analysis

```powershell
# Review suspicious processes (validation < 90%)
$Results.ResultDictionary.Values |
    Where-Object { $_.PercentValid -lt 90 } |
    Sort-Object PercentValid |
    Format-Table Name, PercentValid, Id
# Examine specific process details
$SuspiciousPID = 1234
$Results.ResultDictionary[$SuspiciousPID].Children |
    Where-Object { $_.PercentValid -lt 100 } |
    Select-Object ModuleName, PercentValid, BaseAddress
```

### Response

```powershell
# Generate detailed report
$Results | ConvertTo-Json -Depth 10 |
    Out-File "incident-$(Get-Date -Format 'yyyyMMdd-HHmmss').json"
# Extract modified memory regions for analysis
# (Details in TreeMap GUI right-click menu)
```

## Forensic Memory Dump Workflow

```mermaid
%%{init: {'theme':'dark', 'themeVariables': { 'primaryColor':'#fa709a','primaryTextColor':'#fff','primaryBorderColor':'#fee140','lineColor':'#4facfe','secondaryColor':'#30cfd0'}}}%%
journey
    title Forensic Memory Dump Analysis Journey
    section Acquire Image
        Capture memory: 5: Forensic Tool
        Verify integrity: 5: Hash validation
        Transfer to lab: 4: Secure channel
    section Setup Analysis
        Install Volatility: 5: Python pip
        Install plugin: 5: Copy to plugins
        Identify profile: 3: imageinfo
        Verify profile: 4: Run test command
    section Execute Scan
        Load dump: 5: Volatility
        Enumerate processes: 5: Plugin
        Hash memory pages: 4: SHA256
        Send to server: 4: HTTPS
        Receive validation: 5: JSON response
    section Analyze Results
        Review metrics: 5: Terminal output
        Check failures: 4: Log file
        Dump suspicious: 3: Export blocks
        Compare binaries: 4: Diff viewer
    section Report Findings
        Document IOCs: 5: Report tool
        Timeline events: 4: Analysis
        Recommend actions: 5: Security team
```
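Both the live Execution state ("Read Virtual Pages", "Calculate SHA256") and the forensic journey ("Hash memory pages: SHA256") rest on one idea: a code page hashed out of memory should match a hash taken from the known-good image. The following is an added illustration, not PDB2JSON's own code, and it does not reproduce the project's matching algorithm or wire format. It shows why a loader's relocation fix-ups make a raw page hash disagree with the known-good value even when nothing was tampered with, why zeroing the relocation slots (using relocation data of the kind `dt.sh -r` exports) gives a base-independent hash, and that a genuinely patched byte still fails. The page size, bases, relocation offsets and filler bytes are all constructed for the example.

```python
"""Simplified page-hash model: relocation-normalised SHA-256 over 4 KiB pages.
Added illustration, not PDB2JSON code; every constant below is constructed."""
import hashlib
import struct

PAGE_SIZE = 4096
NUM_PAGES = 3
PREFERRED_BASE = 0x140000000      # constructed: base the known-good hashes were taken at
ASLR_BASE = 0x7FF612340000        # constructed: base the loader actually picked
# Constructed relocation table: image offsets of 64-bit absolute pointers.
# Two slots land in page 0, none in page 1, one in page 2.
RELOC_OFFSETS = [0x0100, 0x0FF0, 0x2040]


def build_image(load_base):
    """Construct a 3-page fake image: deterministic filler bytes (varied per page)
    plus absolute pointers written into the relocation slots, as a loader
    rebasing the image to load_base would."""
    img = bytearray(((i * 7 + 3) ^ (i >> 12)) & 0xFF for i in range(NUM_PAGES * PAGE_SIZE))
    for n, off in enumerate(RELOC_OFFSETS):
        struct.pack_into("<Q", img, off, load_base + 0x1000 + n * 0x40)
    return bytes(img)


def slots_in_page(page_no):
    """Relocation slots that fall inside one page, as page-relative offsets."""
    lo, hi = page_no * PAGE_SIZE, (page_no + 1) * PAGE_SIZE
    return [off - lo for off in RELOC_OFFSETS if lo <= off < hi]


def page_hash(page, slots, normalize):
    """SHA-256 of one page; with normalize=True the 8-byte relocation slots are
    zeroed first so the digest does not depend on where the image was loaded."""
    buf = bytearray(page)
    if normalize:
        for off in slots:
            buf[off:off + 8] = bytes(8)
    return hashlib.sha256(buf).hexdigest()


def hash_pages(image, normalize):
    return [page_hash(image[p * PAGE_SIZE:(p + 1) * PAGE_SIZE], slots_in_page(p), normalize)
            for p in range(NUM_PAGES)]


def validate(image, known_good, normalize):
    """Compare each in-memory page against its known-good hash.
    Returns (percent_valid, failing_page_numbers): the same kind of summary the
    scanner reports as PercentValid."""
    observed = hash_pages(image, normalize)
    failing = [p for p, (h, g) in enumerate(zip(observed, known_good)) if h != g]
    return 100.0 * (NUM_PAGES - len(failing)) / NUM_PAGES, failing


def demo():
    pristine = build_image(PREFERRED_BASE)        # source of the known-good hashes
    relocated = build_image(ASLR_BASE)            # identical code, different load base
    tampered = bytearray(relocated)
    tampered[0x1800] ^= 0xFF                      # one patched byte in page 1, away from any slot
    naive = validate(relocated, hash_pages(pristine, normalize=False), normalize=False)
    normalized = validate(relocated, hash_pages(pristine, normalize=True), normalize=True)
    patched = validate(bytes(tampered), hash_pages(pristine, normalize=True), normalize=True)
    return {"naive": naive, "normalized": normalized, "tampered": patched}


if __name__ == "__main__":
    for label, (pct, failing) in demo().items():
        print(f"{label:<11} {pct:6.2f}% valid, failing pages: {failing}")
```

Run as a script it prints three lines: the naive comparison fails pages 0 and 2 (the ones holding relocated pointers) and reports 33.33% valid, the normalised comparison reports 100%, and the tampered image reports 66.67% with page 1 failing. That is the reasoning behind the "Check Relocations" triage step: a mid-range PercentValid on a legitimately rebased module is explainable, while a failing page with no relocation slot in it is not.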
### Acquire Image

```bash
# Using common acquisition tools
# DumpIt, FTK Imager, WinPMEM, etc.
# Verify image integrity
sha256sum memory.raw > memory.raw.sha256
```

### Setup Analysis

```bash
# Install Volatility and dependencies
pip install -r requirements.txt
# Copy plugin to Volatility plugins directory
cp inVteroJitHash.py /path/to/volatility/plugins/
# Identify memory profile
python vol.py -f memory.raw imageinfo
# Example output:
# Suggested Profile(s): Win10x64_14393, Win10x64_15063
```

### Execute Scan

```bash
# Basic scan
python vol.py \
    --plugins=/path/to/plugins \
    -f memory.raw \
    --profile=Win10x64_14393 \
    invterojithash

# Advanced scan with extras:
#   -x  extra totals per module
#   -s  super verbose
#   -D  dump failed validations to this directory
#   -F  failure log file
# (a comment after a trailing backslash would break the line continuation,
#  so the flag descriptions live above the command)
python vol.py \
    --plugins=/path/to/plugins \
    -f memory.raw \
    --profile=Win10x64_14393 \
    invterojithash \
    -x \
    -s \
    -D /output/failed-blocks \
    -F incident-failures.txt
```

### Analyze Results

```mermaid
%%{init: {'theme':'dark', 'themeVariables': { 'primaryColor':'#30cfd0','primaryTextColor':'#fff','primaryBorderColor':'#330867','lineColor':'#ffd93d','secondaryColor':'#ff6b6b'}}}%%
graph TD
    A[Results Output] --> B{Validation<br/>Percentage}
    B -->|100%| C[Clean<br/>No Issues]
    B -->|90-99%| D[Minor<br/>Investigate Headers]
    B -->|70-89%| E[Moderate<br/>Check Relocations]
    B -->|50-69%| F[Suspicious<br/>Likely Modified]
    B -->|<50%| G[Critical<br/>Definite Tampering]
    C --> H[Document Clean State]
    D --> I[Review PE Headers]
    E --> J[Check Import Tables]
    F --> K[Dump for Analysis]
    G --> K
    I --> L{Valid<br/>Reason?}
    J --> L
    L -->|Yes| M[Note in Report]
    L -->|No| K
    K --> N[Binary Diff Analysis]
    N --> O[Document IOCs]
    O --> P[Alert Response Team]
    style C fill:#96ceb4,stroke:#618833,color:#fff
    style D fill:#ffd93d,stroke:#f4b41a,color:#333
    style E fill:#ffd93d,stroke:#f4b41a,color:#333
    style F fill:#ff6b6b,stroke:#c92a2a,color:#fff
    style G fill:#c92a2a,stroke:#5c0002,color:#fff
    style K fill:#fa709a,stroke:#fee140,color:#fff
    style P fill:#667eea,stroke:#764ba2,color:#fff
```
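The triage chart above is easy to apply by hand to one process and tedious for a whole host. As an added example (not part of PDB2JSON), the script below reads a result file of the kind the Response step writes with `ConvertTo-Json` and ranks every process by its tier and next action. The field names `ResultDictionary`, `Name`, `Id`, `PercentValid`, `Children`, `ModuleName` and `BaseAddress` are taken from the PowerShell snippets on this page; the exact JSON layout around them and the sample values are constructed assumptions. It also handles a process whose `PercentValid` is missing (a region the scanner could not read), which the chart does not cover and which should never be silently counted as clean.

```python
"""Rank scanned processes by validation tier. Added example, not project code;
the JSON layout and sample data are constructed around the page's field names."""
import json

# Tier floors and next action, as in the results triage flowchart.
TIERS = [
    (100.0, "Clean",      "Document clean state"),
    (90.0,  "Minor",      "Review PE headers"),
    (70.0,  "Moderate",   "Check relocations / import tables"),
    (50.0,  "Suspicious", "Dump for analysis"),
    (0.0,   "Critical",   "Dump for analysis, alert response team"),
]


def tier_for(percent_valid):
    """Map a validation percentage to (tier, next action).
    A missing value means the region could not be scanned; it is surfaced
    as its own tier rather than treated as 0% or 100%."""
    if percent_valid is None:
        return "Unscanned", "Re-run scan; region could not be read"
    for floor, name, action in TIERS:
        if percent_valid >= floor:
            return name, action
    return "Critical", TIERS[-1][2]


def failing_modules(proc):
    """Modules inside one process that did not fully validate, worst first."""
    mods = [m for m in proc.get("Children", []) if m.get("PercentValid", 100.0) < 100.0]
    return sorted(mods, key=lambda m: m["PercentValid"])


def triage(results):
    """Return one row per process, worst PercentValid first, tagged with its tier."""
    rows = []
    for proc in results["ResultDictionary"].values():
        pct = proc.get("PercentValid")
        tier, action = tier_for(pct)
        rows.append({
            "Id": proc["Id"], "Name": proc["Name"], "PercentValid": pct,
            "Tier": tier, "NextAction": action,
            "Modules": [(m["ModuleName"], m["PercentValid"], m["BaseAddress"])
                        for m in failing_modules(proc)],
        })
    # Unscanned rows sort first so they are never overlooked.
    return sorted(rows, key=lambda r: -1.0 if r["PercentValid"] is None else r["PercentValid"])


# Constructed sample in the assumed shape of incident-<timestamp>.json.
SAMPLE_RESULTS = json.loads("""{
  "ResultDictionary": {
    "4":    {"Id": 4,    "Name": "System",         "PercentValid": 100.0, "Children": []},
    "1234": {"Id": 1234, "Name": "chrome.exe",     "PercentValid": 96.5,
             "Children": [{"ModuleName": "chrome.dll", "PercentValid": 95.1, "BaseAddress": "0x7FF6A0000000"}]},
    "2200": {"Id": 2200, "Name": "svchost.exe",    "PercentValid": 82.0,
             "Children": [{"ModuleName": "ntdll.dll",  "PercentValid": 100.0, "BaseAddress": "0x7FFD10000000"},
                          {"ModuleName": "rpcrt4.dll", "PercentValid": 71.4,  "BaseAddress": "0x7FFD0F000000"}]},
    "3100": {"Id": 3100, "Name": "explorer.exe",   "PercentValid": 61.3,
             "Children": [{"ModuleName": "shell32.dll", "PercentValid": 48.0, "BaseAddress": "0x7FFD08000000"}]},
    "4444": {"Id": 4444, "Name": "powershell.exe", "PercentValid": 41.0,
             "Children": [{"ModuleName": "System.Management.Automation.ni.dll", "PercentValid": 12.5, "BaseAddress": "0x7FFCF0000000"}]}
  }
}""")

if __name__ == "__main__":
    for r in triage(SAMPLE_RESULTS):
        print(f"{str(r['PercentValid']):>6}%  {r['Tier']:<10} pid={r['Id']:<6} {r['Name']:<16} -> {r['NextAction']}")
        for name, pct, base in r["Modules"]:
            print(f"          {name} {pct}% @ {base}")
```

Feed it a real file with `triage(json.load(open(path)))`; the per-module list under each row is the same view as the `Children | Where-Object { $_.PercentValid -lt 100 }` query in the Analysis step, just pre-sorted so the worst module is the first thing you read.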
## Symbol Lookup Workflow

```mermaid
%%{init: {'theme':'dark', 'themeVariables': { 'primaryColor':'#30cfd0','primaryTextColor':'#fff','primaryBorderColor':'#330867','lineColor':'#4facfe','secondaryColor':'#f093fb'}}}%%
flowchart LR
    subgraph "Input"
        A[PE Binary<br/>.exe / .dll]
    end
    subgraph "Query Type"
        B[Structure<br/>Definition]
        C[Symbol<br/>Name]
        D[Address<br/>Lookup]
        E[Relocation<br/>Data]
    end
    subgraph "dt.sh Processing"
        F[Parse PE<br/>Headers]
        G[Extract PDB<br/>Debug Info]
        H[Format<br/>Query]
        I[Send HTTPS<br/>Request]
    end
    subgraph "Server Response"
        J[JSON<br/>Structure Data]
        K[JSON<br/>Symbol Info]
        L[JSON<br/>Address Info]
        M[Binary<br/>Reloc Data]
    end
    subgraph "Output"
        N[Display<br/>Results]
        O[Save to<br/>File]
    end
    A --> F
    F --> G
    G --> H
    B --> H
    C --> H
    D --> H
    E --> H
    H --> I
    I --> J
    I --> K
    I --> L
    I --> M
    J --> N
    K --> N
    L --> N
    M --> O
    style A fill:#4facfe,stroke:#00f2fe,color:#fff
    style B fill:#30cfd0,stroke:#330867,color:#fff
    style C fill:#30cfd0,stroke:#330867,color:#fff
    style D fill:#30cfd0,stroke:#330867,color:#fff
    style E fill:#30cfd0,stroke:#330867,color:#fff
    style I fill:#fa709a,stroke:#fee140,color:#fff
    style N fill:#96ceb4,stroke:#618833,color:#fff
    style O fill:#ffd93d,stroke:#f4b41a,color:#333
```
### Structure Definition

```bash
# Get _EPROCESS structure
./dt.sh -i /path/to/ntoskrnl.exe -t _EPROCESS
# Get all structures (warning: large output!)
./dt.sh -i /path/to/ntoskrnl.exe -t "*"
# Get specific pool header
./dt.sh -i /path/to/ntoskrnl.exe -t _POOL_HEADER
# Save to file
./dt.sh -i /path/to/ntoskrnl.exe -t _KTHREAD -o kthread.json
```

### Symbol Name

```bash
# Find all CreateFile variants
./dt.sh -i /path/to/kernel32.dll -X "CreateFile*"
# Find specific symbol
./dt.sh -i /path/to/ntdll.dll -X "NtQuerySystemInformation"
# Wildcard search
./dt.sh -i /path/to/user32.dll -X "*Window*"
```

### Address Lookup

```bash
# Resolve symbol at specific RVA
./dt.sh -i /path/to/ntoskrnl.exe -A 0x140001000
# With custom base address
./dt.sh -i /path/to/module.dll -A 0x1400 -b 0x7FF800000000
```

### Relocation Data

```bash
# Extract relocations for binary reconstruction
./dt.sh -i /path/to/application.exe -r
# Save relocations to file for later use
./dt.sh -i /path/to/library.dll -r -o relocations.bin
```

## Incident Response Workflow

```mermaid
%%{init: {'theme':'dark', 'themeVariables': { 'primaryColor':'#ff6b6b','primaryTextColor':'#fff','primaryBorderColor':'#c92a2a','lineColor':'#4ecdc4','secondaryColor':'#45b7d1'}}}%%
graph TB
    START([Incident Detected]) --> TRIAGE{Severity<br/>Assessment}
    TRIAGE -->|Critical| CRITICAL[CRITICAL PATH]
    TRIAGE -->|High| HIGH[HIGH PATH]
    TRIAGE -->|Medium| MEDIUM[MEDIUM PATH]
    subgraph "Critical Incident Response"
        CRITICAL --> C1[1. Isolate System<br/>Network Disconnect]
        C1 --> C2[2. Memory Capture<br/>Full RAM Dump]
        C2 --> C3[3. Quick Scan<br/>PDB2JSON Triage]
        C3 --> C4[4. Identify IOCs<br/>Extract Artifacts]
        C4 --> C5[5. Contain Threat<br/>Block & Quarantine]
        C5 --> C6[6. Full Analysis<br/>Deep Dive]
        C6 --> REPORT[Incident Report]
    end
    subgraph "High Priority Response"
        HIGH --> H1[1. Monitor Activity<br/>Live Observation]
        H1 --> H2[2. Remote Scan<br/>PDB2JSON Remote]
        H2 --> H3[3. Analyze Results<br/>Review Findings]
        H3 --> H4{Confirmed<br/>Threat?}
        H4 -->|Yes| C1
        H4 -->|No| H5[Continue Monitoring]
        H5 --> REPORT
    end
    subgraph "Medium Priority Response"
        MEDIUM --> M1[1. Schedule Scan<br/>Non-Intrusive]
        M1 --> M2[2. Baseline Check<br/>Compare to Normal]
        M2 --> M3[3. Document Findings<br/>Log Anomalies]
        M3 --> M4{Action<br/>Required?}
        M4 -->|Yes| H1
        M4 -->|No| M5[Close Ticket]
        M5 --> REPORT
    end
    REPORT --> END([Case Closed])
    style START fill:#ff6b6b,stroke:#c92a2a,color:#fff,stroke-width:3px
    style CRITICAL fill:#c92a2a,stroke:#5c0002,color:#fff
    style HIGH fill:#fa709a,stroke:#fee140,color:#fff
    style MEDIUM fill:#ffd93d,stroke:#f4b41a,color:#333
    style C6 fill:#667eea,stroke:#764ba2,color:#fff
    style REPORT fill:#96ceb4,stroke:#618833,color:#fff
    style END fill:#4ecdc4,stroke:#2c7873,color:#fff,stroke-width:3px
```
- Assess incident severity
- Identify affected systems
- Determine business impact
- Activate response team
- Isolate affected systems (if critical)
- Capture volatile memory
- Document system state
- Preserve evidence
- Run PDB2JSON memory scan
- Identify modified processes
- Extract IOCs
- Correlate with threat intel
- Remove malicious code
- Patch vulnerabilities
- Reset credentials
- Restore from backup (if needed)
- Verify system integrity
- Monitor for persistence
- Document lessons learned
- Update defenses
## Threat Hunting Workflow

```mermaid
%%{init: {'theme':'dark', 'themeVariables': { 'primaryColor':'#667eea','primaryTextColor':'#fff','primaryBorderColor':'#764ba2','lineColor':'#f093fb','secondaryColor':'#4facfe'}}}%%
graph LR
    subgraph "1. Hypothesis"
        A[Define<br/>Hypothesis] --> B[Identify<br/>Indicators]
        B --> C[Plan<br/>Hunt]
    end
    subgraph "2. Collection"
        C --> D[Scan<br/>Endpoints]
        D --> E[Gather<br/>Memory Data]
        E --> F[Collect<br/>Artifacts]
    end
    subgraph "3. Analysis"
        F --> G[Validate<br/>Memory]
        G --> H[Find<br/>Anomalies]
        H --> I[Correlate<br/>Data]
    end
    subgraph "4. Investigation"
        I --> J{Findings?}
        J -->|Positive| K[Deep<br/>Analysis]
        J -->|Negative| L[Refine<br/>Hypothesis]
        L --> A
    end
    subgraph "5. Response"
        K --> M[Document<br/>TTPs]
        M --> N[Create<br/>Detections]
        N --> O[Share<br/>Intel]
    end
    O --> P([Hunt Complete])
    style A fill:#667eea,stroke:#764ba2,color:#fff
    style D fill:#f093fb,stroke:#f5576c,color:#fff
    style G fill:#4facfe,stroke:#00f2fe,color:#fff
    style K fill:#fa709a,stroke:#fee140,color:#fff
    style M fill:#30cfd0,stroke:#330867,color:#fff
    style P fill:#96ceb4,stroke:#618833,color:#fff
```
```powershell
# Hypothesis: Malware using process hollowing or DLL injection
# Target: Browser and system processes
$Results = .\Test-AllVirtualMemory.ps1 `
    -TargetHost $Target `
    -ProcNameGlob @("chrome.exe", "firefox.exe", "explorer.exe", "svchost.exe") `
    -MaxThreads 512
# Look for processes with < 95% validation
$Results.ResultDictionary.Values |
    Where-Object { $_.PercentValid -lt 95 } |
    Select-Object Name, PercentValid, Id, ModuleName
```

```bash
# Hypothesis: Fileless malware residing only in memory
# Look for unmapped executable regions
python vol.py -f memory.raw --profile=Win10x64 invterojithash -x
# Review output for "Unable to scan anonymous executable memory"
```

```powershell
# Hypothesis: Kernel-level rootkit modification
# Scan System process (PID 4)
$Results = .\Test-AllVirtualMemory.ps1 -TargetHost $Target
# Examine System process in detail
$Results.ResultDictionary[4].Children |
    Where-Object { $_.PercentValid -lt 100 } |
    Format-Table ModuleName, PercentValid, BaseAddress
```

## Integration Workflows

```mermaid
%%{init: {'theme':'dark', 'themeVariables': { 'primaryColor':'#4ecdc4','primaryTextColor':'#fff','primaryBorderColor':'#2c7873','lineColor':'#ffd93d','secondaryColor':'#ff6b6b'}}}%%
sequenceDiagram
    participant S as Scheduler
    participant P as PDB2JSON
    participant F as File System
    participant SI as SIEM
    participant A as Alerting
    S->>P: Trigger hourly scan
    P->>P: Execute memory validation
    P->>F: Write results.json
    F->>SI: Monitor file changes
    SI->>SI: Parse JSON data
    SI->>SI: Apply correlation rules
    alt Anomaly Detected
        SI->>A: Generate alert
        A->>A: Create incident ticket
        A-->>SI: Acknowledgment
    else No Issues
        SI->>SI: Log for baseline
    end
    Note over S,A: Continuous monitoring cycle
```
```powershell
# Automated daily scan with SIEM integration
$Config = @{
    Targets        = @("server01", "server02", "workstation-*")
    OutputPath     = "C:\SIEM\Intake\PDB2JSON\"
    Schedule       = "0 2 * * *"   # 2 AM daily
    AlertThreshold = 95            # Alert if < 95% validation
}
foreach ($Target in $Config.Targets) {
    $Results = .\Test-AllVirtualMemory.ps1 -TargetHost $Target
    # Generate SIEM-friendly output
    $SIEMEvent = @{
        Timestamp       = Get-Date -Format "o"
        Source          = $env:COMPUTERNAME
        Target          = $Target
        TotalProcesses  = $Results.ResultDictionary.Count
        SuspiciousCount = ($Results.ResultDictionary.Values |
            Where-Object { $_.PercentValid -lt $Config.AlertThreshold }).Count
        Details         = $Results
    }
    # Write to SIEM intake folder
    $OutputFile = Join-Path $Config.OutputPath "scan-$Target-$(Get-Date -Format 'yyyyMMdd-HHmmss').json"
    $SIEMEvent | ConvertTo-Json -Depth 10 | Out-File $OutputFile
}
```

## Best Practices

**Do:**

- **Document Everything** - Keep detailed logs of all scans and findings
- **Baseline First** - Establish normal before hunting for abnormal
- **Automate Routine** - Schedule regular scans for continuous monitoring
- **Validate Findings** - Always investigate anomalies before taking action
- **Share Intelligence** - Contribute findings back to the community

**Don't:**

- **Don't Skip Triage** - Always assess severity before acting
- **Don't Trust 100%** - Even validated systems can have issues
- **Don't Forget Context** - Consider the system's role and normal behavior
- **Don't Ignore Performance** - Monitor system impact during scans
- **Don't Neglect Documentation** - Future you will thank present you
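The integration sequence leaves the "Apply correlation rules" step to the SIEM, and "Baseline First" says what those rules should be anchored to. As an added example (not part of PDB2JSON or any SIEM product), the script below consumes two of the `scan-<target>-<timestamp>.json` events the integration script writes, a stored baseline and the latest scan of the same host, and emits alerts only for what changed: processes that crossed below the threshold, processes that were not in the baseline, and modules whose validation drifted down even while staying above the threshold. Processes that were already low in the baseline are reported separately rather than raising the same alert every day. The event shape follows the `$SIEMEvent` hashtable above (`Timestamp`, `Source`, `Target`, `SuspiciousCount`, `Details.ResultDictionary`); the sample events, the drift tolerance and the choice to correlate on process name are constructed assumptions.

```python
"""Baseline-aware correlation over PDB2JSON scan events. Added example, not
project code; event layout mirrors the page's $SIEMEvent, sample data is constructed."""
import json

ALERT_THRESHOLD = 95.0   # same meaning as AlertThreshold in the integration script
DRIFT_TOLERANCE = 1.0    # constructed: a drop larger than this, even above threshold, is reported


def worst_by_name(event):
    """Collapse one scan to {process name: lowest PercentValid}. PIDs change across
    reboots, so correlation keys on the image name; where several instances run
    (svchost.exe) the worst one represents the name."""
    worst = {}
    for proc in event["Details"]["ResultDictionary"].values():
        pct = proc.get("PercentValid")
        if pct is None:
            continue  # unscanned regions deserve their own rule; skipped here for brevity
        worst[proc["Name"]] = min(pct, worst.get(proc["Name"], 100.0))
    return worst


def correlate(baseline_event, current_event):
    """Return {"alerts": [...], "suspended": [...]} for one target. Rules, first match wins:
      known_low        already below threshold in the baseline -> suppressed, tracked separately
      below_threshold  now below ALERT_THRESHOLD
      new_process      absent from the baseline and not fully validated
      drift            dropped by more than DRIFT_TOLERANCE since the baseline"""
    base, cur = worst_by_name(baseline_event), worst_by_name(current_event)
    alerts, suppressed = [], []
    for name, pct in cur.items():
        prev = base.get(name)
        if prev is not None and prev < ALERT_THRESHOLD:
            suppressed.append(name)
            continue
        if pct < ALERT_THRESHOLD:
            rule = "below_threshold"
        elif prev is None and pct < 100.0:
            rule = "new_process"
        elif prev is not None and prev - pct > DRIFT_TOLERANCE:
            rule = "drift"
        else:
            continue
        alerts.append({"Target": current_event["Target"], "Timestamp": current_event["Timestamp"],
                       "Process": name, "Rule": rule, "PercentValid": pct, "Baseline": prev})
    alerts.sort(key=lambda a: a["PercentValid"])   # worst first for the ticket queue
    return {"alerts": alerts, "suppressed": sorted(suppressed)}


def _event(ts, procs):
    """Construct a scan event in the integration script's shape from (pid, name, pct) tuples."""
    rd = {str(pid): {"Id": pid, "Name": n, "PercentValid": p, "Children": []} for pid, n, p in procs}
    return {"Timestamp": ts, "Source": "SCANNER01", "Target": "server01",
            "TotalProcesses": len(rd),
            "SuspiciousCount": sum(1 for v in rd.values() if v["PercentValid"] < ALERT_THRESHOLD),
            "Details": {"ResultDictionary": rd}}


# Constructed sample events: the stored baseline and the next day's scan of the same host.
BASELINE_EVENT = _event("2024-01-01T02:00:00.0000000+00:00", [
    (900, "svchost.exe", 100.0), (904, "svchost.exe", 100.0), (1200, "explorer.exe", 100.0),
    (1500, "chrome.exe", 99.2), (1700, "legacyapp.exe", 88.0)])
CURRENT_EVENT = _event("2024-01-02T02:00:00.0000000+00:00", [
    (912, "svchost.exe", 100.0), (916, "svchost.exe", 93.0), (1210, "explorer.exe", 100.0),
    (1520, "chrome.exe", 97.5), (1710, "legacyapp.exe", 87.5),
    (2300, "updater.exe", 97.0), (2400, "injected.exe", 70.0)])

if __name__ == "__main__":
    print(json.dumps(correlate(BASELINE_EVENT, CURRENT_EVENT), indent=2))
```

On the sample data the threshold alone would flag three processes; the baseline comparison instead produces four distinct findings (one svchost.exe instance and a new injected.exe below threshold, updater.exe as a new not-fully-validated process, chrome.exe as drift) and parks legacyapp.exe under "suppressed", which is the list to review when you refresh the baseline rather than something to page on nightly.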
## Training Lab

```mermaid
%%{init: {'theme':'dark', 'themeVariables': { 'primaryColor':'#96ceb4','primaryTextColor':'#fff','primaryBorderColor':'#618833','lineColor':'#667eea','secondaryColor':'#f093fb'}}}%%
graph TB
    subgraph "Lab Environment"
        VM1[Clean Windows 10<br/>Baseline System]
        VM2[Infected Sample<br/>Known Malware]
        VM3[Custom Test<br/>Your Code]
    end
    subgraph "Training Exercises"
        E1[Exercise 1<br/>Validate Clean System]
        E2[Exercise 2<br/>Detect Known Malware]
        E3[Exercise 3<br/>Hunt Custom Injections]
        E4[Exercise 4<br/>Analyze Memory Dump]
    end
    VM1 --> E1
    VM2 --> E2
    VM3 --> E3
    VM2 --> E4
    E1 --> SKILL1[Learn: Baseline Validation]
    E2 --> SKILL2[Learn: Threat Detection]
    E3 --> SKILL3[Learn: Custom Analysis]
    E4 --> SKILL4[Learn: Forensic Investigation]
    style VM1 fill:#96ceb4,stroke:#618833,color:#fff
    style VM2 fill:#ff6b6b,stroke:#c92a2a,color:#fff
    style VM3 fill:#667eea,stroke:#764ba2,color:#fff
    style SKILL1 fill:#4facfe,stroke:#00f2fe,color:#fff
    style SKILL2 fill:#fa709a,stroke:#fee140,color:#fff
    style SKILL3 fill:#30cfd0,stroke:#330867,color:#fff
    style SKILL4 fill:#ffd93d,stroke:#f4b41a,color:#333
```
## Related Guides

- Architecture Guide
- Quick Start
- Contributing
- Examples

Workflows that work

"Process makes perfect"