Contents x
    Memory
    • 14 Feb 2024
    • 1 Minute to read
    • Contributors
    • Print
    • Dark
      Light
    Contents

    Memory

    • Updated on 14 Feb 2024
    • 1 Minute to read
    • Contributors
    • Print
    • Dark
      Light
    Article summary

    This page contains details for response events generated by Memory sensor commands.

    DEBUG_DATA_REP

    Response from a get_debug_data request.

    MEM_FIND_HANDLES_REP

    Response event for the mem_find_handle sensor command.

    Platforms:

    MEM_FIND_STRING_REP

    Response event for the mem_find_string sensor command.

    Platforms:

    MEM_HANDLES_REP

    Response event for the mem_handles sensor command. This event will contain an array of handles identified in memory.

    Platforms:

    Sample Event:

    {
    "HANDLES": [
      {
        "HANDLE_NAME": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
        "HANDLE_TYPE": "Key",
        "HANDLE_VALUE": 4,
        "PROCESS_ID": 908
      },
      {
        "HANDLE_NAME": "\\KnownDlls",
        "HANDLE_TYPE": "Directory",
        "HANDLE_VALUE": 48,
        "PROCESS_ID": 908
      },
      "..."
    ],
    "PROCESS_ID": 908
  }

    MEM_MAP_REP

    Response event for the mem_map sensor command. This event will contain an array of arrays, representing processes and their associated memory data. If viewing the event in the LimaCharlie web UI, the results will be collapsed for easier viewing.

    Platforms:

    Sample Event:

    {
    "MEMORY_MAP": [
      {
        "BASE_ADDRESS": 94100802174976,
        "MEMORY_ACCESS": 6,
        "MEMORY_SIZE": 4096,
        "MEMORY_TYPE": 3
      },
      {
        "BASE_ADDRESS": 94100802179072,
        "FILE_PATH": "/usr/bin/python3.9",
        "MEMORY_ACCESS": 2,
        "MEMORY_SIZE": 4096,
        "MEMORY_TYPE": 3
      },
      [...],
      [...],
    ],
    "PROCESS_ID": 745
  }

    MEM_READ_REP

    Response event for the mem_read sensor command. This event will contain a Base64-encoded chunk of memory, as requested by the command.

    Platforms:

    Sample Event:

    {
  "MEMORY_DUMP": "TGltYU...<removed for brevity>...NoYXJsaWU=",
  "PROCESS_ID": 745
}

    MEM_STRINGS_REP

    Response event for the mem_strings sensor command. The response will contain two arrays of arrays, STRINGSA AND STRINGSW, represented ASCII and wide character strings, respectively. If viewing the event in the LimaCharlie web UI, the results will be collapsed for easier viewing.

    Platforms:

    Sample Event:

    {
    "PROCESS_ID" : 745,
    "STRINGSA" : [
        [
            0 : "/lib64/ld-linux-x86-64.so.2",
            1 : "__gmon_start__"
        ],
        [...]
    ],
    "STRINGSW" : [
        [
            0 : "/usr/bin/python3",
            1 :"/usr/sbin/firewalld"
        ],
        [...]
    ]
}
    Was this article helpful?
    What's Next