Home

Welcome to the inVtero.net wiki!

Binary Setup

• Download / run setup from publish.zip ⇒ https://github.com/ShaneK2/inVtero.net/blob/master/quickdumps/publish.zip

  • MSDIA registered "regsvr32 msdia140.dll" (can skip on dev boxes usually already registered)

Setting up agentless integrity monitoring

Monitor a snapshot

Where to start?

• Memory integrity monitoring with secure hash

• Forensics/DFIR

• Reversing/Active-Passive debugging

  • Edit a suspended VM and then resume it. No debugger in the guest needed.

Source

• Clone & build quickdumps.

  • Nuget used for protobuf-net and other packages may need an update

The embedded shell is an IronPython x64 instance and is now the only supported mechanism for CLI use.

https://github.com/ShaneK2/inVtero.net/blob/master/Scripts/Analyze.py

Analyze.py is a great set of examples

Analyze.py is run by default on startup.

It also matches the logical and physical process lists to ensure that there does not exist a hidden process. Please extend it but in the future will be higher order analytics, pointer/structure type information and integrity checks.

General usages (TYPE SYSTEM)

Usage examples

Workarounds

vmss2core — also; how to override RUN memory descriptor

Why do we need integrity in the computer memory forensic analysis field?

Integrity gives us confidence that we know what were talking about and not just guessing and looking at strings *|grep