Home > Digital Forensics

Detecting Malware in Memory

Detecting malware in memory is one of the most powerful capabilities of memory forensics. Modern malware often avoids writing files to disk, instead injecting itself directly into RAM, running scripts in memory, or modifying legitimate processes to stay hidden. Because RAM contains a live snapshot of system activity, investigators can identify malware that is invisible to traditional disk-based analysis or antivirus tools.

This chapter explains how malware behaves in memory, the forensic techniques used to detect it, and the indicators that reveal stealthy or fileless threats.

How Malware Hides in Memory

Malware commonly uses memory-based techniques to avoid detection:

1. Reflective DLL Injection

Loads malicious DLLs directly into memory without writing to disk.

2. Code Injection

Injects shellcode or payloads into legitimate processes.

Examples:

  • explorer.exe

  • lsass.exe

  • svchost.exe

3. Hollowing

Replaces the memory of a legitimate process with malicious code.

Example:

  • Launch svchost.exe

  • Unmap its memory

  • Load malware in its place

4. Fileless Malware

Uses:

  • PowerShell

  • WMI

  • Python

  • .NET assemblies

  • macOS Objective-C runtime

Executed directly in memory.

5. Encrypted or Packed Payloads

Malware unpacks itself in RAM, leaving no readable version on disk.

6. Memory-Resident C2 Beacons

Tools like:

  • Cobalt Strike

  • Brute Ratel

  • Sliver

  • Metasploit

run entirely in memory.

7. Kernel Rootkits

Load malicious kernel modules or modify kernel structures.

Memory forensics is the only reliable method to detect many of these techniques.

Indicators of Malware in Memory

Malware rarely behaves perfectly. It leaves behind subtle red flags in RAM.

1. Suspicious or Unknown Processes

Indicators include:

  • Executables with random names

  • Processes running from unusual directories

  • Processes with no command-line arguments

  • Processes missing parent processes

  • Processes not visible in normal OS tools

  • Processes seen in psscan but not in pslist (hidden)

2. Memory-Only Processes

Detected when:

  • The process has no associated file on disk

  • Its executable path is empty

  • Only memory-resident PE headers exist

Volatility plugins like malfind reveal hidden code segments.

3. Suspicious DLLs or Injected Modules

Look for:

  • DLLs loaded from Temp, AppData, Downloads

  • DLLs without file paths

  • DLLs with mismatched signatures

  • Executable + writable (RWX) memory regions

Injected DLLs often appear in:

  • explorer.exe

  • chrome.exe

  • svchost.exe

  • lsass.exe

4. RWX (Read-Write-Execute) Memory Regions

Legitimate processes almost never need RWX pages.

Malfind output example:

  • Memory with executable code

  • Not backed by any file

  • Filled with shellcode or obfuscated instructions

This is a classic sign of:

  • Shellcode injection

  • Meterpreter

  • Cobalt Strike beacon

  • Reflective DLL loading

5. Unusual Network Connections

Memory reveals both active and recently closed connections.

Indicators:

  • Connections to rare or foreign IPs

  • PowerShell or bash spawning network connections

  • Suspicious ports like 4444, 9001, 1337, 8081

  • LISTEN ports created by unknown processes

Reverse shells are easily spotted in memory.

6. Evidence of Process Hollowing

Signs include:

  • Mismatch between process name and loaded modules

  • Executable path does not match memory contents

  • No standard DLLs loaded

  • Parent process anomalies

Example:

  • Process claims to be svchost.exe, but memory contains a PE header for a malware sample.

7. Suspicious Strings in Memory

Memory dumps contain:

  • URLs

  • IP addresses

  • Encryption keys

  • C2 domains

  • Base64 payloads

  • Commands used by attackers

Extracting strings with Volatility or external tools often reveals malicious indicators.

8. Modified Kernel Structures (Rootkits)

Kernel rootkits attempt to:

  • Hook system calls

  • Hide processes

  • Hide modules

  • Manipulate network tables

Volatility’s kernel scanning reveals:

  • Unlinked processes

  • Hidden modules

  • Unexpected SSDT hooks

Detecting Malware Using Volatility (Practical Examples)

Find injected code

windows.malfind

Find hidden processes

windows.psscan

Detect hollowed processes

windows.cmdline
windows.vadinfo

List suspicious DLLs

windows.dlllist

Analyze network activity

windows.netscan

Dump suspicious processes

windows.dumpfiles

Detecting Malware in Linux Memory

Linux indicators:

  • Malicious ELF binaries loaded into memory

  • Rogue kernel modules (linux.lsmod)

  • Suspicious bash history in memory (linux.bash)

  • Reverse shells

  • Processes with deleted executables ((deleted) flag)

Detecting Malware in macOS Memory

Indicators:

  • Suspicious Mach-O binaries

  • In-memory Objective-C payloads

  • Malicious LaunchAgents

  • Malware-injected apps (Safari, Chrome, Finder)

Tools:

  • mac.pslist

  • mac.malfind

  • mac.netstat

Intel Dump

  • Malware commonly hides in memory using techniques like code injection, process hollowing, reflective DLL loading, and fileless execution.

  • Memory-only processes, suspicious parent chains, RWX memory pages, and unknown DLLs are core indicators of compromise.

  • Network artifacts in RAM reveal active C2 connections, reverse shells, and lateral movement.

  • Volatility plugins like malfind, psscan, dlllist, cmdline, and netscan are essential for spotting injected code, hidden processes, and malicious network behavior.

  • Memory forensics detects threats invisible to disk forensics, including fileless malware, in-memory implants, and modern APT tooling.

HOME COMMUNITY CAREERS DASHBOARD