inVtero.net: A high-speed (Gbps) forensics, memory integrity & assurance tool. Includes offensive & defensive memory capabilities. Find/extract processes and hypervisors (including nested) in memory dumps using microarchitecture-independent Virtual Machine Introspection techniques.
Since we have OSX/Linux/*BSD with CoreCLR, it would have been a shame not to port a symbol server into Azure to let us run on those platforms without a legacy dependency on DIA2SDK. The PDB2JSON server will also provide some additional services in the future, stay tuned. There is also currently a hosted bitmap loaded with hashes from the Microsoft demo VMs available here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ If you want to use inVtero without setting up a white list, you can use that VM image and connect to the cloud services.
CORECLR2 is a dependency of inVtero and PS, so that's all good.
inVtero.ps1 is a set of functions that demonstrate the new cmdlets. (They're pretty basic but evolving.)
ktwo@inVtero:~$ powershell
PowerShell v6.0.0-beta.5-76-g1b23a62ae177f189057fc034ba5a11adbf2cdaea
Copyright (C) Microsoft Corporation. All rights reserved.
Linux inVtero 4.10.0-32-generic #36~16.04.1-Ubuntu SMP Wed Aug 9 09:19:02 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Enhancements to the ROP detection & symbol handling to make it easier to understand what you're looking at.
https://github.com/ShaneK2/inVtero.net/blob/master/quickdumps/publish.zip
Very close to the version I will be presenting at Black Hat Arsenal USA 2017 (publish.zip).
Bitmap acceleration tested out, working well for Win10 / integrity checks on kernel 15063, backported to Win7. Validates 8GB of memory in about 30 seconds on my laptop. :)
New hash DB functionality for integrity validation of physical memory; the rate is good for Win10, and I'm working on some additional fixes to keep it at 100% for downlevel OSes.
Dump 8GB in 10 seconds to disk... or hash out to a hash file for a white-list comparison.
Hash.py is the main place to review the tests for these updates.
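To make the white-list integrity check concrete, here is an added Python example (not inVtero's code and not its Hash.py tests) that hashes a memory image page by page, builds a white list from a known-good image, and reports the pages of a second image whose hash is not on the list. It assumes 4 KiB pages and SHA-256; inVtero's actual page size, hash algorithm and hash-file format are not given on this page, and the sample images are constructed inline.

```python
import hashlib

PAGE_SIZE = 4096  # assumption: 4 KiB pages, the usual x86-64 small-page size


def page_hashes(image: bytes, page_size: int = PAGE_SIZE):
    """Yield (page_index, sha256 hex digest) for every full page of an image."""
    for idx in range(len(image) // page_size):
        page = image[idx * page_size:(idx + 1) * page_size]
        yield idx, hashlib.sha256(page).hexdigest()


def build_whitelist(golden_images) -> set:
    """The 'hash file': every page hash observed in known-good images.

    In practice this would be built from clean installs (e.g. the demo VMs
    mentioned above) and would cover code and other immutable pages only."""
    whitelist = set()
    for img in golden_images:
        whitelist.update(h for _, h in page_hashes(img))
    return whitelist


def validate(image: bytes, whitelist: set):
    """Compare a dump against the white list.

    Returns (percent_validated, [indices of pages not on the white list]).
    An unknown page is not proof of tampering, only a page that needs a
    closer look (a real tool would first exclude legitimately writable pages)."""
    unknown = []
    total = 0
    for idx, digest in page_hashes(image):
        total += 1
        if digest not in whitelist:
            unknown.append(idx)
    percent = 100.0 * (total - len(unknown)) / total if total else 0.0
    return percent, unknown


def demo_images():
    """Constructed sample: a 4-page 'golden' image and a copy with one byte
    flipped in page 2, standing in for a modified code page."""
    golden = b"".join(bytes([b]) * PAGE_SIZE for b in (0x41, 0x42, 0x43, 0x00))
    tampered = bytearray(golden)
    tampered[2 * PAGE_SIZE + 7] ^= 0xFF
    return golden, bytes(tampered)


if __name__ == "__main__":
    golden, tampered = demo_images()
    wl = build_whitelist([golden])
    print(validate(golden, wl))    # (100.0, [])
    print(validate(tampered, wl))  # (75.0, [2])
```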
Added new PT bits for supporting Win10 15063
Reworked the awkward CLI into a PowerArgs-based one. Going to see about providing the memory as a LINQ query source in a minor update.
After that I will be hosting IronPython (IPY) and possibly C# (CSI/Script#) Interactive and also Cling (native C REPL), maybe all of the above, since it'd be sort of nice to have a Swiss forensics memory army knife. I'll have it finished right after the 25 hour day!