github.com/CptOfEvilMinions/osquery-memory-forensics
module
Version:
v0.0.0-...-0b02afc
Published: May 13, 2020
License: Apache-2.0
# Osquery-memory-forensics

For several years I have wanted to write an Osquery extension to perform memory dumps and analysis. I never found the time to do a deep dive into the idea, but since I have been writing some osquery-go extensions lately I decided to take a whack at it. This blog post provides a high-level overview of the architecture of this Osquery extension, how to generate memory dumps with Osquery, and how to remotely analyze those memory dumps with Osquery. Follow me on another threat detection engineering experience with osquery-go.
## Setup dev env

```bash
go mod init github.com/CptOfEvilMinions/osquery-memory-forensics
go get
```
## Compile osquery_dump table

### Download bins and make

1. Download ProcDump
2. Download DumpIt
3. Copy the binaries to `bins/dump` as `procdump.exe` and `dumpit.exe`

### Make go-bindata

```bash
go get -u github.com/go-bindata/go-bindata/...
go install github.com/go-bindata/go-bindata/...
~/go/bin/go-bindata -o assets/dump/bindata.go -pkg dump bins/dump/...
ls -lh assets/dump/bindata.go
```

### Compile

```bash
GOOS=windows go build -o osquery_memory_forensic_dump.exe cmd/dump/osquery-memory-forensics-dump.go
```
## Compile osquery_analyze table

### Download bins

1. Download Volatility v3
2. Copy the binary to `bins/analyze` as `volatility.exe`

### Make go-bindata
```bash
~/go/bin/go-bindata -o assets/analyze/bindata.go -pkg analyze bins/analyze/...
ls -lh assets/analyze/bindata.go
```

### Compile

```bash
GOOS=windows go build -o osquery_memory_forensic_analyze.exe cmd/osquery-memory-forensics-analysis/osquery-memory-forensics-analyze.go
```
## Using a different memory dumper (osquery_memory_forensics_dump)

Modify `pkg/dumpers/dumpers.go`.

## Using a different memory analysis framework (osquery_memory_forensic_analyze)

1. Copy the new binary to `bins/analyze`
2. Follow the instructions above to make a new go-bindata
3. Modify `pkg/volatility/volatility.go` to support your tool with the proper commands
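As an added example (not the project's code), here is the shape a pluggable dumper registry might take, with the untrusted query constraints validated before the embedded `procdump.exe` is ever invoked. The `Dumper` interface, `BuildDumpCommand` and the single-output-directory policy are assumptions; the ProcDump flags `-accepteula` and `-ma` are real, and DumpIt is left out because its command line is not covered here.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
)

// Dumper describes one embedded memory-dump tool (hypothetical interface,
// not the project's pkg/dumpers API). Name is the file stored under
// bins/dump/, Args builds its command line for a target pid and output file.
type Dumper interface {
	Name() string
	Args(pid int, out string) []string
}

// ProcDump writes a full process dump; -accepteula keeps it non-interactive.
type ProcDump struct{}

func (ProcDump) Name() string { return "procdump.exe" }
func (ProcDump) Args(pid int, out string) []string {
	return []string{"-accepteula", "-ma", strconv.Itoa(pid), out}
}

// dumpers is the registry a table would consult by name; supporting a new
// tool means adding an entry here (the README's "modify dumpers.go").
var dumpers = map[string]Dumper{"procdump": ProcDump{}}

// BuildDumpCommand validates the values an osquery query supplied (pid and
// output file come from untrusted constraints) and returns the argv to run.
// outDir is the only directory the extension is allowed to write dumps into.
func BuildDumpCommand(tool, pidStr, outFile, outDir string) ([]string, error) {
	d, ok := dumpers[strings.ToLower(tool)]
	if !ok {
		return nil, fmt.Errorf("unknown dumper %q", tool)
	}
	pid, err := strconv.Atoi(pidStr)
	if err != nil || pid <= 0 {
		return nil, fmt.Errorf("invalid pid %q", pidStr)
	}
	// Join cleans ".." segments; Rel then shows whether the result still
	// lies inside outDir, so "../x.dmp" cannot redirect the dump elsewhere.
	dir := filepath.Clean(outDir)
	out := filepath.Join(dir, outFile)
	rel, err := filepath.Rel(dir, out)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, errors.New("output path escapes dump directory")
	}
	return append([]string{d.Name()}, d.Args(pid, out)...), nil
}

func main() {
	argv, err := BuildDumpCommand("procdump", "1234", "proc-1234.dmp", "/var/osquery/dumps")
	fmt.Println(argv, err)
}
```

On Windows `filepath` also treats `\` as a separator, so the same check covers backslash traversal there.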
## References