[ mainpage :: register :: training :: conference :: hitb-labs :: the venue ]
[ capture the flag (CTF) :: wireless village :: lock picking village (LPV) :: open-hack ]
[ call for papers (CFP) :: conference agenda :: sponsors :: press/media :: forum ]
[ conference kit (PDF) :: past conferences :: contact us ]

OFFICIAL CONFERENCE VIDEOS HAVE BEEN RELEASED

HITBSecConf2008 - Malaysia (Day 1)

HITBSecConf2008 - Malaysia (Day 2)

Registration for HITBSecConf2009 - Dubai is also now open.

Peter Silberman (Engineer, Mandiant Inc)

Filed under: Main Page — Administrator @ 10:55 am

Jamie Butler who was originally slated to present this paper will unfortunately not be able to make it to HITB in October. Peter Silberman who works with Jamie at Mandiant and who was also involved in the research for this paper will be presenting instead.

Presentation Title: Full Process Reconstitution from Memory
Presentation Details:

Recently there has been a lot of discussion about using memory forensics during incident response as part of an investigation; however, memory forensics can also be leveraged when doing malware analysis in a lab. The only difference between the two use cases is how the binary is acquired. Using memory forensics a malicious process or the malicious portions of a process can be captured from memory without using a debugger; injecting into the process; or relying on any APIs to enumerate, address, and acquire the address space.

This talk will focus on the these forensic techniques and a demonstration of pulling a malicious process or portions of a process from both live memory and previously acquired memory images. The benefits of this approach are numerous but include

a.) the ability to analyze binaries after unpacking (assuming the binary is unpacked at initial runtime and not on a functional basis)
b.) the ability to analyze binaries that exist only in memory and not on disk
c.) the ability to get a full process view of malware including all subsequent binaries loaded and
d.) the ability to leverage other process metadata obtained from memory to include environment, user/owner of the process, start time, and all handles. It is important to realize that all parsing of memory, virtual to physical address translation, and pagefile translation is being done using “raw”, non-API based methods.

About Peter

Peter Silberman works at MANDIANT as an engineer on the agent team. For a number of years, Peter has specialized in offensive and defensive kernel technologies, reverse engineering, and vulnerability discovery. He enjoys automating solutions to problems both in the domain of reverse engineering and rootkit analysis. Peter now spends most of his time researching solutions to memory forensic problems. Peter is the co-author and teacher of “Advanced Memory Forensics in Incident Response”. Although he is college educated, Peter does not believe formal education should interfere with learning.


Event Organizer


Hack In The Box (M) Sdn. Bhd.

Supported & Endorsed By




Malaysian National Computer Confederation


Multimedia Development Corporation


Platinum Sponsors

Titanium Sponsor (Post Conference Reception)

Gold Sponsors

CTF Sponsor

CTF Prize Sponsor

Open-Hack Sponsor

Metro-e and Official Bandwidth Sponsor


Network Equipment Sponsor

Our Speakers are Supported By


Supporting Media:

Virus Bulletin

InfoSec News

InfoSec News

XAKEP (Russia)

Supporting Organizations


Professional Information Security Association - Hong Kong









Special Interest Group in Security & Information InteGrity Singapore


Copyright 2008 Hack In The Box (M) Sdn. Bhd.