Friday, March 23, 2012

MESMER -- MEmoryze String MappER

What a way to start a blog, with a tool ...

Working in incident response, there are a lot of tools and resources at your disposal. One of the tools I rely heavily on is Memoryze by Mandiant. Memoryze is a free tool that allows an investigator to quickly analyze memory in search of evil. You can download it here. There is also a visual wrapper, AuditViewer, that displays the output in a GUI; it is also from Mandiant, also free, and can be downloaded here.

Both Memoryze and AuditViewer do an awesome job at parsing and displaying memory for analysis. One of the things Memoryze allows you to do is pull all the strings it finds. This is excellent if you have a certain evil bread crumb you're following. However, the AuditViewer GUI isn't too user friendly and is missing some major functionality, such as sorting and searching. I tried searching the .xml file, and while I did find my evil bread crumb, there wasn't much I could do with it, nor was there a way to reliably map it to a PID (Process Identifier, a unique tag for each process running).

There was also an av.db file generated that contained hits for my evil bread crumb. av.db is actually a SQLite database file that Memoryze creates. As I searched through the database, I noticed that it dynamically made multiple tables that started with 'strings_'; when I looked at the schema of one of these tables, I found it actually had a mapping of PID to string.

I decided this would be an awesome way to correlate evil bread crumbs with processes running in live memory, so I decided to make a Python script.

The script is called MESMER (MEmoryze String MappER) and takes two arguments:

  • -f    This is the path to the av.db file that Memoryze creates.
  • -s    This is the string you want to search the file for; enclose it in double quotes (" "). The string is NOT case sensitive.

In the sample below I am searching for devil1, something McAfee has by default.
Below is a screenshot of my findings:

[Screenshot: MESMER.py searching for string devil1]

So the results show the PID the string belonged to, based on the database that Memoryze produced, and the FULL string it matched on.
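A sketch of the lookup described above, added here as an illustration and not MESMER's own code: it enumerates the 'strings_' tables in the SQLite file and returns the PID and full string for each case-insensitive match. The column names pid and string, the helper names, and the sample rows are assumptions; check the real av.db schema before relying on them.

```python
import sqlite3

def quote_ident(name):
    """Quote a table/column name; identifiers cannot be bound as ? parameters."""
    return '"' + name.replace('"', '""') + '"'

def find_string_tables(conn):
    """Names of the dynamically created tables that start with 'strings_'."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table' "
                        "AND name LIKE 'strings\\_%' ESCAPE '\\'")
    return sorted(r[0] for r in rows)

def search_strings(conn, needle, pid_col="pid", str_col="string"):
    """Return (table, pid, full string) for each case-insensitive substring hit.
    pid_col and str_col are ASSUMED column names; check the real schema first."""
    # Escape LIKE wildcards so the needle is matched literally.
    esc = needle.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    hits = []
    for table in find_string_tables(conn):
        info = conn.execute(f"PRAGMA table_info({quote_ident(table)})")
        cols = {row[1] for row in info}
        if pid_col not in cols or str_col not in cols:
            continue  # table does not have the assumed layout; skip it
        sql = (f"SELECT {quote_ident(pid_col)}, {quote_ident(str_col)} "
               f"FROM {quote_ident(table)} "
               f"WHERE {quote_ident(str_col)} LIKE ? ESCAPE '\\'")
        hits.extend((table, pid, s) for pid, s in conn.execute(sql, (f"%{esc}%",)))
    return hits

def build_sample_db():
    """Constructed stand-in for av.db; rows are invented, not Memoryze output."""
    conn = sqlite3.connect(":memory:")
    for name in ("strings_1", "strings_2", "stringstore"):
        conn.execute(f"CREATE TABLE {name} (pid INTEGER, string TEXT)")
    conn.executemany("INSERT INTO strings_1 VALUES (?, ?)",
                     [(1184, "load DEVIL1 signature"), (1184, "cpu 100% busy")])
    conn.executemany("INSERT INTO strings_2 VALUES (?, ?)",
                     [(2960, "path\\devil1.dat"), (2960, "cpu 1000 busy")])
    conn.execute("INSERT INTO stringstore VALUES (4, 'devil1 in unrelated table')")
    return conn

if __name__ == "__main__":
    for table, pid, full in search_strings(build_sample_db(), "devil1"):
        print(f"{table}\tPID {pid}\t{full}")
```

Against a real file, pass a connection opened with sqlite3.connect on the av.db path in place of build_sample_db().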

Last but not least, I have uploaded the Python script on my GitHub page at: https://github.com/JC-SoCal/MESMER  -- Special thanks to Xavier for peer reviewing my code.

If you use the tool and find it useful, or more importantly find a flaw, please let me know here -- or on Twitter @JC_SoCal