Analyzes Windows memory dumps with Rekall to detect process hollowing, VAD code injection, hidden processes, rootkits using pslist, psscan, vadinfo, malfind, dlllist plugins. For incident response forensics.
npx claudepluginhub killvxk/cybersecurity-skills-zh
Use Rekall to analyze memory dumps and look for indicators of compromise, including process injection, hidden processes, and suspicious network connections.
from rekall import session
from rekall import plugins  # importing the plugins package makes the plugins available on the session

# Create a Rekall session on the memory image
s = session.Session(
    filename="/path/to/memory.raw",
    autodetect=["rsds"],
    profile_path=["https://github.com/google/rekall-profiles/raw/master"]
)

# List processes by walking the kernel's active-process list
for proc in s.plugins.pslist().filter_processes():
    print(proc.pid, proc.name)

# Detect injected code (executable, non-file-backed memory regions)
for result in s.plugins.malfind().collect():
    print(result)
Key analysis steps:
from rekall import session

s = session.Session(filename="memory.raw")

# Compare pslist (linked-list walk) with psscan (pool-tag scan) to find hidden processes.
# A PID that psscan finds but pslist does not is either unlinked (hidden) or recently
# terminated; check the process's ExitTime before treating it as hidden.
pslist_pids = set(p.pid for p in s.plugins.pslist().filter_processes())
psscan_pids = set(p.pid for p in s.plugins.psscan().scan_processes())
hidden = psscan_pids - pslist_pids
print(f"Hidden PIDs: {hidden}")
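The two steps above depend on a Rekall session and a memory image, so they cannot be exercised without one. The following is an added example, not part of the original skill, that re-implements the reasoning behind both steps over constructed records: the pslist/psscan cross-view, with the terminated-process caveat handled explicitly, and the malfind-style heuristic for injected regions (private memory that is writable and executable, with or without a PE header). The `Proc` and `Vad` record shapes and all sample values are constructed for illustration and are not Rekall's data structures.

```python
# Added example (not part of the original skill): cross-view process detection and
# malfind-style VAD triage over constructed records, so it runs without Rekall or an image.
from dataclasses import dataclass
from typing import Optional

# Win32 memory protection constants; forensic tools translate the VAD protection index
# into these names.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40


@dataclass(frozen=True)
class Proc:  # constructed stand-in for an _EPROCESS summary
    pid: int
    name: str
    exit_time: Optional[str] = None  # set once the process has terminated


@dataclass(frozen=True)
class Vad:  # constructed stand-in for a VAD entry plus the first bytes of the region
    pid: int
    start: int
    end: int
    protection: int
    mapped_file: Optional[str]  # None means private (not file-backed) memory
    head: bytes


def cross_view_processes(pslist, psscan):
    """Compare the linked-list view (pslist) with the pool-tag scan (psscan).

    Returns (hidden, terminated). PIDs present only in psscan are split into
    processes with an ExitTime (terminated objects still in pool memory, a
    normal source of psscan-only hits) and live ones, which are the suspicious
    unlinked processes the cross-view is meant to surface.
    """
    listed = {p.pid for p in pslist}
    scanned_only = [p for p in psscan if p.pid not in listed]
    terminated = sorted(p.pid for p in scanned_only if p.exit_time is not None)
    hidden = sorted(p.pid for p in scanned_only if p.exit_time is None)
    return hidden, terminated


def suspicious_vads(vads):
    """malfind-style triage.

    Legitimate code is loaded from file-backed image mappings, so a private
    region that is both writable and executable is unusual, and a PE header
    ("MZ") at its start is the classic sign of injected or hollowed code.
    """
    hits = []
    for v in vads:
        if v.mapped_file is not None:
            continue  # file-backed mapping: the normal way code arrives in a process
        if v.protection != PAGE_EXECUTE_READWRITE:
            continue  # read-write heaps and read-execute images are expected
        reason = "RWX private region"
        if v.head.startswith(b"MZ"):
            reason += " with PE header"
        hits.append((v.pid, hex(v.start), reason))
    return hits


# Constructed sample data standing in for plugin output.
SAMPLE_PSLIST = [Proc(4, "System"), Proc(612, "svchost.exe"), Proc(1320, "explorer.exe")]
SAMPLE_PSSCAN = SAMPLE_PSLIST + [
    Proc(2048, "notepad.exe", exit_time="2024-01-01 10:00:00"),  # exited, not hidden
    Proc(3156, "svch0st.exe"),  # live but missing from the list: hidden
]
SAMPLE_VADS = [
    Vad(612, 0x7FF6A0000000, 0x7FF6A00FFFFF, PAGE_EXECUTE_READ, r"\Windows\System32\svchost.exe", b"MZ\x90\x00"),
    Vad(612, 0xF0000, 0xF1FFF, PAGE_EXECUTE_READWRITE, None, b"MZ\x90\x00"),       # injected PE image
    Vad(1320, 0x250000, 0x251FFF, PAGE_EXECUTE_READWRITE, None, b"\x48\x31\xc0"),  # headerless RWX code
    Vad(1320, 0x300000, 0x310FFF, PAGE_READWRITE, None, b"\x00\x00\x00\x00"),      # ordinary heap
]

if __name__ == "__main__":
    hidden, terminated = cross_view_processes(SAMPLE_PSLIST, SAMPLE_PSSCAN)
    print("Hidden PIDs:", hidden, "| psscan-only with ExitTime set:", terminated)
    for hit in suspicious_vads(SAMPLE_VADS):
        print("Suspicious VAD:", hit)
```

Splitting psscan-only PIDs by ExitTime is the part most often skipped in ad-hoc scripts: on a busy host the raw `psscan - pslist` difference is dominated by recently exited processes, and only the live remainder merits investigation.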