MIG Memory Forensic library
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
common
cresponse
examples
listlibs correct error class ordering, fixes build on darwin Aug 31, 2017
memaccess
memsearch
process
test
.gitignore
.travis.yml
LICENSE
Makefile
README.md

README.md

MASCHE

MASCHE image (Javier Mascherano) MIG Memory Forensic library

MASCHE stands for Memory Analysis Suite for Checking the Harmony of Endpoints. It is being developed as a project for the Mozilla Winter of Security program.

It works on Linux, Mac OS and Windows.

These are the current features:

  • listlibs: Searches for processes that have loaded a certain library.
  • pgrep: Has the same functionallity as pgrep on linux.
  • memaccess/memsearch: Allows access and search into a given process memory.

You can find examples under the examples folder.

Compiling

You need golang installed.

Linux

You need glibc for 64 and 32 bits installed. On Fedora, the packages are:

  • glibc-devel.i686
  • glibc-devel.x86_64
  • glibc-headers.i686
  • glibc-headers.x86_64
  • glibc.i686
  • glibc.x86_64

Windows

In order to compile and run masche in windows you will need a gcc compiler. You can use mingw if you are running a 32 bits version of Windows or mingw-64 if you are running a 64 bits one. Just run go build on the package/example that you want.

It's possible to cross-compile from linux. And this is the recommended way.

  • Install a cross compiler (for example, mingw-w64)
  • Enable cross compiling in your go toolchain (run GOOS=windows ./all.bash inside your $GOROOT/src folder)

After that you should be able to cross compile masche without problems, just make sure to export the correct global variables: GOOS=windows CGO_ENABLED=1 CC=<your-cross-compiler> (for example: CC=x86_64-w64-ming32-gcc )