trolldbois / python-haystack

Process heap analysis framework - Windows/Linux - record type inference and forensics
http://trolldbois.blogspot.com/search?q=python-haystack
GNU General Public License v3.0
94 stars 33 forks

Locate discarded memory mapping in windows dumps #34

Open trolldbois opened 7 years ago

trolldbois commented 7 years ago

List HEAP structures found in memdump that do not pass validation and/or that are not listed in PEB. These heaps are probably "deleted" memory. If the mapping is rebased to its address space, a valid memory graph could probably be extracted. Not necessarily from the same source binary.
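An added example of the enumeration the issue asks for, written for this page and not code from python-haystack: it scans a constructed mapping for HEAP signatures, validates each hit and checks it against a PEB heap list, so that hits which fail either test come out as the "deleted" candidates. The 32-byte record layout, the validation rules, the addresses and the PEB set are simplified assumptions, not the real Windows `_HEAP` layout; passing a different `map_base` is how the example models rebasing the mapping into the address space its pointers were written for.

```python
import struct
from dataclasses import dataclass
# Constructed, simplified HEAP record (NOT the real Windows _HEAP or a haystack record):
# signature u32, flags u32, self pointer u64, segment base u64, pages u32, pad u32.
HEAP_SIG = 0xEEFFEEFF
REC = struct.Struct("<IIQQII")
PAGE = 0x1000

@dataclass
class Candidate:
    address: int   # where the record sits once the mapping is placed at map_base
    valid: bool    # structural validation passed
    in_peb: bool   # address appears in the PEB's heap list

def make_record(addr, seg_base, pages, self_ptr=None):
    """Serialize a record; self_ptr lets the sample plant a stale pointer."""
    return REC.pack(HEAP_SIG, 0, addr if self_ptr is None else self_ptr, seg_base, pages, 0)

def validate(rec, addr, map_base, map_size):
    """A live heap points at itself and its segment lies inside the mapping."""
    sig, _flags, self_ptr, seg_base, pages, _pad = REC.unpack(rec)
    if sig != HEAP_SIG or self_ptr != addr:
        return False
    return map_base <= seg_base and seg_base + pages * PAGE <= map_base + map_size

def find_heaps(dump, map_base, peb_heaps, align=16):
    """Scan a mapping assumed to live at map_base for HEAP signatures and classify each
    hit; rebasing a dump means calling this with the address the pointers expect."""
    hits = []
    for off in range(0, len(dump) - REC.size + 1, align):
        if struct.unpack_from("<I", dump, off)[0] != HEAP_SIG:
            continue
        addr = map_base + off
        ok = validate(dump[off:off + REC.size], addr, map_base, len(dump))
        hits.append(Candidate(addr, ok, addr in peb_heaps))
    return hits

def discarded_heaps(dump, map_base, peb_heaps):
    """Heaps that fail validation or are missing from the PEB: the 'deleted' candidates."""
    return [h for h in find_heaps(dump, map_base, peb_heaps) if not (h.valid and h.in_peb)]

def sample_dump():
    """Constructed 4 KiB mapping at 0x500000: a live PEB-listed heap at +0x000, a heap with
    a stale self pointer at +0x100, and a structurally valid but unlisted heap at +0x200."""
    base = 0x500000
    dump = bytearray(PAGE)
    dump[0x000:0x020] = make_record(base + 0x000, base, 1)
    dump[0x100:0x120] = make_record(base + 0x100, base, 1, self_ptr=0xDEAD0000)
    dump[0x200:0x220] = make_record(base + 0x200, base, 1)
    return bytes(dump), base, {base}
```

On the sample, `discarded_heaps(*sample_dump())` reports the records at +0x100 and +0x200; scanning the same bytes with a wrong `map_base` makes every self pointer miss, which is the symptom a rebase is meant to cure.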