PowerShell module for comprehensive memory threat analysis of process memory regions: scan a process for suspicious patterns, map memory regions to threads, then analyze the results for threats and produce a detailed report.
Consists of 2 scripts:
- Get-RWXAndMapThreads.ps1
Scans a process for suspicious executable memory (exec+write and exec-only) and maps the detected memory regions to threads whose start address lies inside them.
- Invoke-MemoryThreatAnalysis.ps1
Takes the output JSON file from 'Get-RWXAndMapThreads.ps1' and analyzes it for thread injection, NOP sleds, syscall stubs, trampoline regions, RWX regions, high-entropy payloads, suspicious strings and more. Output goes to the console plus a dark-themed, detailed HTML report. (Note: requires Python 3.x for JSON parsing of large/concatenated JSON arrays.)
The workflow has four steps. Step 1: malicious bytes may reside in thread memory. Step 2: the first script, 'Get-RWXAndMapThreads.ps1', scans one or more processes and produces a JSON file. Steps 3 and 4: the second script, 'Invoke-MemoryThreatAnalysis.ps1', analyzes that JSON file for multiple threat patterns and produces a detailed HTML report:
.SYNOPSIS
Scan a process for suspicious executable memory (exec+write and exec-only) and map detected memory regions to threads whose start address lies inside them.
The results can later be leveraged for memory threat analysis of thread injection, NOP sleds, syscall stubs, trampoline regions, RWX regions, high-entropy payloads, suspicious strings and more.
The output JSON file can later be loaded into 'Invoke-MemoryThreatAnalysis.ps1' for a comprehensive memory threat analysis and a detailed HTML report.
.NOTES
- Run elevated (Administrator).
- Use matching bitness (64-bit PowerShell for 64-bit target).
- This script reads memory (safe). It does not write or inject.
.EXAMPLE
Scan a process for the default string ('MZ'), reading 4096 bytes (the byte count can be set lower or higher)
& C:\temp\Get-RWXAndMapThreads.ps1 -ProcessID 11804 -ExportJson C:\temp\ProcMemory.json
Scan all processes and save the results into a JSON file
Get-Process | ForEach-Object { & C:\temp\Get-RWXAndMapThreads.ps1 -ProcessID $_.id -ExportJson C:\temp\memory.json -StringToLookFor 'MZ' }
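As an added example (not the module's own code) of the region-to-thread mapping the synopsis describes: the function walks a process's address space with VirtualQueryEx, keeps committed regions whose page protection is executable, then resolves each thread's Win32 start address with NtQueryInformationThread (information class ThreadQuerySetWin32StartAddress, value 9) and attaches the thread to the region that contains it. The class name MemScanDemo, the function name and the output columns are this example's own choices; it assumes an elevated 64-bit PowerShell 5.1 or later session and a 64-bit target, as the notes above require, and it only reads memory information.

```powershell
# Added example (not the module's own code): map executable regions to threads.
# Assumes elevated 64-bit PowerShell and a 64-bit target; MemScanDemo is a local name.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class MemScanDemo {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress; public IntPtr AllocationBase;
        public uint AllocationProtect; public IntPtr RegionSize;
        public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(uint access, bool inherit, int tid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")]
    public static extern IntPtr VirtualQueryEx(IntPtr hProc, IntPtr addr,
        out MEMORY_BASIC_INFORMATION mbi, IntPtr len);
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationThread(IntPtr hThread, int cls,
        out IntPtr info, int len, IntPtr retLen);
}
"@

function Get-ExecRegionThreadMap {
    param([Parameter(Mandatory)][int]$ProcessID)
    $MEM_COMMIT = 0x1000; $MEM_IMAGE = 0x1000000
    # Executable page protections; 0x40 (RWX) and 0x80 (WCX) are exec+write.
    $ExecProtects = @{ 0x10 = 'X'; 0x20 = 'RX'; 0x40 = 'RWX'; 0x80 = 'WCX' }
    # PROCESS_QUERY_INFORMATION (0x400) | PROCESS_VM_READ (0x10)
    $hProc = [MemScanDemo]::OpenProcess(0x0410, $false, $ProcessID)
    if ($hProc.ToInt64() -eq 0) { throw "OpenProcess failed for PID $ProcessID (run elevated?)" }
    try {
        # Walk the user address space one region at a time.
        $regions = @(); $addr = [IntPtr]::Zero
        $mbi = [MemScanDemo+MEMORY_BASIC_INFORMATION]::new()
        $size = [IntPtr][System.Runtime.InteropServices.Marshal]::SizeOf([type][MemScanDemo+MEMORY_BASIC_INFORMATION])
        while ([MemScanDemo]::VirtualQueryEx($hProc, $addr, [ref]$mbi, $size).ToInt64() -ne 0) {
            $base = $mbi.BaseAddress.ToInt64(); $len = $mbi.RegionSize.ToInt64()
            if ($mbi.State -eq $MEM_COMMIT -and $ExecProtects.ContainsKey([int]$mbi.Protect)) {
                $regions += [pscustomobject]@{
                    Base = $base; End = $base + $len; Size = $len
                    Protect = $ExecProtects[[int]$mbi.Protect]
                    ImageBacked = (($mbi.Type -band $MEM_IMAGE) -ne 0)
                    Threads = New-Object System.Collections.Generic.List[int]
                }
            }
            $next = $base + $len
            if ($next -le $base -or $next -ge 0x7FFFFFFFFFFF) { break }   # end of user space
            $addr = [IntPtr]$next
        }
        # Resolve each thread's Win32 start address (class 9) and attach it to its region.
        foreach ($t in (Get-Process -Id $ProcessID).Threads) {
            $hT = [MemScanDemo]::OpenThread(0x40, $false, $t.Id)   # THREAD_QUERY_INFORMATION
            if ($hT.ToInt64() -eq 0) { continue }
            try {
                $start = [IntPtr]::Zero
                if ([MemScanDemo]::NtQueryInformationThread($hT, 9, [ref]$start, [IntPtr]::Size, [IntPtr]::Zero) -ne 0) { continue }
                $s = $start.ToInt64()
                foreach ($r in $regions) { if ($s -ge $r.Base -and $s -lt $r.End) { $r.Threads.Add($t.Id) } }
            } finally { [void][MemScanDemo]::CloseHandle($hT) }
        }
    } finally { [void][MemScanDemo]::CloseHandle($hProc) }
    # A thread starting in executable memory that no image backs is the case to examine first.
    $regions | ForEach-Object {
        [pscustomobject]@{
            Base = ('0x{0:X}' -f $_.Base); Size = $_.Size; Protect = $_.Protect
            ImageBacked = $_.ImageBacked; Threads = ($_.Threads -join ',')
            Suspicious = ($_.Threads.Count -gt 0 -and -not $_.ImageBacked)
        }
    }
}

# Usage (constructed): inspect the current PowerShell process.
Get-ExecRegionThreadMap -ProcessID $PID | Format-Table -AutoSize
```

The Suspicious column is set for regions that are not image-backed (MEM_IMAGE) yet host a thread start address; image-backed regions with threads are the normal case for module entry points. Piping the result through ConvertTo-Json gives a file of the same general kind the analysis script consumes, though its field names are this example's, not the module's.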
.SYNOPSIS
Comprehensive memory threat analysis script for process memory region JSON data.
Use 'Get-RWXAndMapThreads.ps1' to generate the input json file.
.DESCRIPTION
Analyzes JSON output from memory scanning tools (e.g., Get-RWXAndMapThreads) to detect
suspicious patterns including: RWX regions, MZ/PE headers, NOP sleds, syscall stubs, trampolines, INT3 patterns, high-entropy regions, suspicious strings and active threads.
Generates a per-process risk assessment and outputs an HTML report.
Uses an input json file generated by 'Get-RWXAndMapThreads.ps1' script.
.PARAMETER JsonFilePath
Path to the memory.json file to analyze. Defaults to memory.json in the script directory.
.PARAMETER HtmlReportPath
Path for the HTML report output. Defaults to findings.htm in the script directory.
.PARAMETER RiskThreshold
Minimum risk score to flag a process as high-risk. Default: 500.
.NOTES
Requires Python 3.x for JSON parsing of large/concatenated JSON arrays.
Author: Claude Opus 4.6 - Memory Threat Analyzer
Prompt design & AI implementation plan: Yossi Sassi
.EXAMPLE
Run with defaults
.\Invoke-MemoryThreatAnalysis.ps1
Run with an explicit input JSON file path and output HTML report path
.\Invoke-MemoryThreatAnalysis.ps1 -JsonFilePath C:\data\memory.json -HtmlReportPath C:\reports\findings.htm
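An added example (not the module's own analysis code) of several heuristics the description lists, run over a constructed byte sample rather than a real region dump: Shannon entropy, NOP-sled detection, x64 syscall-stub detection, an MZ-header check, and an additive per-region risk score. The function names, weights and thresholds (including the syscall number 0x18 in the sample) are this example's own choices, not those of Invoke-MemoryThreatAnalysis.ps1; it runs on any PowerShell 5.1 or later host without Python.

```powershell
# Added example (not the module's own analysis code): region heuristics over constructed bytes.

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    # Bits of entropy per byte (0..8); packed or encrypted payloads approach 8.
    if ($Bytes.Count -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Count; $h -= $p * [Math]::Log($p, 2) }
    }
    return $h
}

function Find-NopSled {
    param([byte[]]$Bytes, [int]$MinLength = 32)
    # Longest run of 0x90 (NOP); reported only when it reaches the threshold.
    $best = 0; $bestOffset = -1; $run = 0
    for ($i = 0; $i -lt $Bytes.Count; $i++) {
        if ($Bytes[$i] -eq 0x90) {
            $run++
            if ($run -gt $best) { $best = $run; $bestOffset = $i - $run + 1 }
        } else { $run = 0 }
    }
    if ($best -ge $MinLength) { [pscustomobject]@{ Offset = $bestOffset; Length = $best } }
}

function Find-SyscallStub {
    param([byte[]]$Bytes)
    # x64 Nt* prologue: mov r10,rcx (4C 8B D1); mov eax,imm32 (B8 xx xx xx xx); then
    # syscall (0F 05) within a few bytes. Normal inside ntdll's image; in private
    # executable memory it indicates a hand-rolled direct-syscall stub.
    for ($i = 0; $i -lt ($Bytes.Count - 10); $i++) {
        if ($Bytes[$i] -eq 0x4C -and $Bytes[$i+1] -eq 0x8B -and $Bytes[$i+2] -eq 0xD1 -and $Bytes[$i+3] -eq 0xB8) {
            $ssn = [BitConverter]::ToUInt32($Bytes, $i + 4)
            $limit = [Math]::Min($i + 24, $Bytes.Count - 1)
            for ($j = $i + 8; $j -lt $limit; $j++) {
                if ($Bytes[$j] -eq 0x0F -and $Bytes[$j+1] -eq 0x05) {
                    [pscustomobject]@{ Offset = $i; SyscallNumber = $ssn }
                    break
                }
            }
        }
    }
}

function Get-RegionRiskScore {
    param([byte[]]$Bytes, [string]$Protect, [bool]$ImageBacked, [int]$ThreadCount)
    # Additive score; the weights below are this example's, not the module's.
    $score = 0; $reasons = @()
    if ($Protect -eq 'RWX') { $score += 200; $reasons += 'exec+write region' }
    if ($ThreadCount -gt 0 -and -not $ImageBacked) { $score += 300; $reasons += "$ThreadCount thread(s) start in non-image memory" }
    if ($Bytes.Count -ge 2 -and $Bytes[0] -eq 0x4D -and $Bytes[1] -eq 0x5A -and -not $ImageBacked) { $score += 250; $reasons += 'MZ header in private memory' }
    $sled = Find-NopSled $Bytes
    if ($sled) { $score += 100; $reasons += "NOP sled of $($sled.Length) bytes at +0x$('{0:X}' -f $sled.Offset)" }
    $stubs = @(Find-SyscallStub $Bytes)
    if ($stubs.Count -gt 0 -and -not $ImageBacked) { $score += 150; $reasons += "$($stubs.Count) syscall stub(s), first SSN 0x$('{0:X}' -f $stubs[0].SyscallNumber)" }
    $h = Get-ShannonEntropy $Bytes
    if ($h -gt 7.2) { $score += 100; $reasons += ('entropy {0:N2} bits/byte' -f $h) }
    [pscustomobject]@{ Score = $score; Entropy = [Math]::Round($h, 2); Reasons = $reasons }
}

# Constructed sample region: a 40-byte NOP sled, a direct-syscall stub using the
# made-up syscall number 0x18, then 2048 pseudo-random bytes standing in for an
# encrypted payload (seeded so the run is repeatable).
$rand = New-Object byte[] 2048
(New-Object System.Random 42).NextBytes($rand)
$sample = [byte[]]((@(0x90) * 40) + @(0x4C,0x8B,0xD1,0xB8,0x18,0x00,0x00,0x00,0x0F,0x05,0xC3) + $rand)

Get-RegionRiskScore -Bytes $sample -Protect 'RWX' -ImageBacked $false -ThreadCount 1 | Format-List
```

With every heuristic firing the sample scores well above the 500 default RiskThreshold; dropping the thread and the RWX protection shows how much of the score rests on the region-to-thread mapping rather than on byte patterns alone, which is why the module performs the mapping before the analysis.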
Screenshots in the repository: high-risk analysis (post-scan) detecting injected mimikatz that bypassed EDR; a low-risk scan of PowerShell and PWSH with its analysis (parts 1 and 2); a scan with suspicious bytes in memory and the resulting medium-risk analysis (see also the sample HTML report).
A sample HTML findings report is linked from the repository ('View Report').
Suggestions & comments are welcome to yossis@protonmail.com