Skill

extracting-memory-artifacts-with-rekall

From asi

Analyzes Windows memory dumps with Rekall for process hollowing, injected code via VADs, hidden processes, rootkits using pslist, psscan, malfind, dlllist plugins. For incident response forensics.

Python

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When performing authorized security testing that involves extracting memory artifacts with rekall

SKILL.md

Similar Skills

extracting-memory-artifacts-with-rekall

5.9k

Analyzes Windows memory dumps with Rekall plugins (pslist, psscan, malfind, dlllist) to detect process hollowing, injected code, hidden processes, and rootkits in incident response.

3 files

cybersecurity-skills

extracting-memory-artifacts-with-rekall

Analyzes Windows memory dumps with Rekall to detect process hollowing, VAD code injection, hidden processes, rootkits using pslist, psscan, vadinfo, malfind, dlllist plugins. For incident response forensics.

3 files

cybersecurity-skills-zh

performing-memory-forensics-with-volatility3-plugins

Analyzes memory dumps using Volatility3 plugins to detect injected code, rootkits, credential theft, and malware artifacts in Windows, Linux, macOS images. For incident response and DFIR workflows.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Extracting Memory Artifacts with Rekall

When to Use

When performing authorized security testing that involves extracting memory artifacts with rekall

When analyzing malware samples or attack artifacts in a controlled environment

When conducting red team exercises or penetration testing engagements

When building detection capabilities based on offensive technique understanding

Prerequisites

Familiarity with security operations concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Use Rekall to analyze memory dumps for signs of compromise including process injection, hidden processes, and suspicious network connections.

from rekall import session from rekall import plugins # Create a Rekall session with a memory image s = session.Session( filename="/path/to/memory.raw", autodetect=["rsds"], profile_path=["https://github.com/google/rekall-profiles/raw/master"] ) # List processes for proc in s.plugins.pslist(): print(proc) # Detect injected code for result in s.plugins.malfind(): print(result)

Key analysis steps:

Load memory image and auto-detect profile

Run pslist and psscan to find hidden processes

Use malfind to detect injected/hollowed code in process VADs

Examine network connections with netscan

Extract suspicious DLLs and drivers with dlllist/modules

Examples

from rekall import session s = session.Session(filename="memory.raw") # Compare pslist vs psscan for hidden processes pslist_pids = set(p.pid for p in s.plugins.pslist()) psscan_pids = set(p.pid for p in s.plugins.psscan()) hidden = psscan_pids - pslist_pids print(f"Hidden PIDs: {hidden}")