A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #9035  by SUPERIOR
 Sat Oct 08, 2011 12:08 pm
Redline is a free utility from MANDIANT that accelerates the process of triaging hosts suspected of being compromised or infected, while supporting in-depth live memory analysis. It has been designed to help find even the best-hidden malware; it analyzes and rates every running process on a system according to risk, combining Memoryze's live memory analysis with MRI (Malware Risk Index) scoring.
http://www.mandiant.com/products/free_software/redline/
 #9495  by robertdana
 Tue Nov 01, 2011 12:50 pm
Hey, I work for Mandiant. Thanks for taking a look at Redline! Sorry I didn't see your post until now.

Dunno if it makes you feel any better, but only the UI is .Net. The memory forensics stuff definitely isn't. :-)

The rating / scoring in Redline (MRI) might not key off of things like IRP and SSDT hooks, but if you go to the right views you should be able to see all of them. If you've got a sample where we're missing IRP hooks (as you suggest), I'd really like to have it so we can understand what's going on. Drop me an email or PM, or stop by the Redline forum at https://forums.mandiant.com/forum/redline.
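The reply above mentions the SSDT and IRP hook views. As an added illustration (not Redline's or Mandiant's code, and not its actual implementation), the following Python snippet shows the basic check such views are built on: every entry in a dispatch table should resolve to the module that legitimately owns it (the kernel image for the SSDT, the driver image for a driver's IRP dispatch table), so entries that resolve elsewhere, or to memory backed by no loaded module, are flagged for an analyst. The module list, table contents and addresses are constructed sample data, not values taken from any real system.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Module:
    """A loaded kernel module: image name plus its address range (constructed data)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed sample of loaded modules; the addresses are illustrative only.
MODULES: List[Module] = [
    Module("ntoskrnl.exe", 0x8040_0000, 0x0020_0000),
    Module("ndis.sys", 0x80A0_0000, 0x0008_0000),
    Module("unknown_driver.sys", 0x8100_0000, 0x0001_0000),
]

# Constructed SSDT sample: service name -> handler address.
# Two entries point outside the kernel image; one of those points into
# memory that no loaded module backs at all.
SSDT_SAMPLE: Dict[str, int] = {
    "NtCreateFile": 0x8041_2340,
    "NtQuerySystemInformation": 0x8100_1000,
    "NtOpenProcess": 0x8A00_0000,
}

# Constructed IRP dispatch table sample for ndis.sys: major function -> handler.
IRP_SAMPLE: Dict[str, int] = {
    "IRP_MJ_DEVICE_CONTROL": 0x80A0_1234,
    "IRP_MJ_READ": 0x8100_2000,
}


def owner_of(addr: int, modules: List[Module]) -> Optional[str]:
    """Name of the loaded module whose range contains addr, or None if unbacked."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def check_table(entries: Dict[str, int], expected_owner: str,
                modules: List[Module]) -> List[Tuple[str, int, str]]:
    """Return (entry, address, resolved owner) for every entry whose handler
    does not live inside the module expected to own the table."""
    findings = []
    for name, addr in sorted(entries.items()):
        owner = owner_of(addr, modules)
        if owner != expected_owner:
            findings.append((name, addr, owner or "<unbacked memory>"))
    return findings


def ssdt_findings() -> List[Tuple[str, int, str]]:
    # The SSDT is owned by the kernel image.
    return check_table(SSDT_SAMPLE, "ntoskrnl.exe", MODULES)


def irp_findings() -> List[Tuple[str, int, str]]:
    # A driver's IRP dispatch table should point into that driver's own image.
    return check_table(IRP_SAMPLE, "ndis.sys", MODULES)


if __name__ == "__main__":
    for label, findings in (("SSDT", ssdt_findings()), ("IRP (ndis.sys)", irp_findings())):
        for name, addr, owner in findings:
            print(f"{label}: {name} -> {addr:#010x} resolves to {owner}")
```

The ownership check catches pointer-replacement hooks only; an entry can still point into the right module while the first instructions of the handler have been overwritten with a jump elsewhere, which is why memory-analysis tools additionally compare the handler bytes against the on-disk image.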