Analyzes Windows memory dumps with Rekall to detect process hollowing, VAD-based code injection, hidden processes and rootkits, using the pslist, psscan, vadinfo, malfind and dlllist plugins. Intended for incident-response memory forensics.
Slash command: /cybersecurity-skills-zh:extracting-memory-artifacts-with-rekall
Use Rekall to analyze memory dumps and look for signs of intrusion, including process injection, hidden processes and suspicious network connections.
from rekall import session
from rekall import plugins  # importing registers the Windows plugins on the session

# Create a Rekall session from the memory image
s = session.Session(
    filename="/path/to/memory.raw",
    autodetect=["rsds"],  # read the kernel's PDB GUID so the matching profile is fetched
    profile_path=["https://github.com/google/rekall-profiles/raw/master"]
)

# List processes
for proc in s.plugins.pslist():
    print(proc)

# Detect injected code (executable+writable private memory, unbacked PE images)
for result in s.plugins.malfind():
    print(result)
Key analysis steps:
from rekall import session

s = session.Session(filename="memory.raw")

# Compare pslist (walks the EPROCESS linked list) with psscan (scans for pool tags)
# to find hidden processes; a PID only psscan finds is either unlinked from the
# list or belongs to a process that has already terminated
pslist_pids = set(p.pid for p in s.plugins.pslist())
psscan_pids = set(p.pid for p in s.plugins.psscan())
hidden = psscan_pids - pslist_pids
print(f"Hidden PIDs: {hidden}")
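The two snippets above hand the decision to Rekall; the example below, which is added here and is not part of the skill or of Rekall, shows the logic behind both checks in plain Python over constructed records so it runs without a memory image. `Proc` and `Vad` are hypothetical stand-ins for the rows pslist, psscan and vadinfo return, and the PIDs, addresses and protections in `PSLIST`, `PSSCAN` and `VADS` are made up. It adds the caveat a practitioner needs for the cross-view check (psscan also finds terminated processes whose EPROCESS is still in pool memory, so an exit time distinguishes "exited" from "hidden") and applies malfind's core heuristic: executable and writable memory that no file backs, ranked higher when it starts with an MZ header.

```python
"""Cross-view hidden-process check and malfind-style VAD triage on constructed data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    """Hypothetical stand-in for a process row from pslist/psscan."""
    pid: int
    name: str
    ppid: int
    exit_time: Optional[str]  # None while the process is still running


@dataclass(frozen=True)
class Vad:
    """Hypothetical stand-in for a vadinfo row plus the first bytes of the region."""
    pid: int
    start: int
    protection: str
    mapped_file: Optional[str]  # None for private (non-image) memory
    header: bytes


# Constructed sample: pslist walks the linked list, psscan scans pool memory,
# so psscan can also see unlinked and already-terminated processes.
PSLIST = [
    Proc(4, "System", 0, None),
    Proc(612, "svchost.exe", 584, None),
    Proc(2044, "explorer.exe", 1980, None),
]
PSSCAN = PSLIST + [
    Proc(3320, "notepad.exe", 2044, "2024-01-01 10:05:00"),  # exited, stale EPROCESS
    Proc(4412, "svchost.exe", 1, None),                      # running but not linked
]

# Constructed VADs: a legitimate image section is EXECUTE_WRITECOPY and file-backed;
# an unbacked RWX region holding a PE header is the classic injection signature.
VADS = [
    Vad(612, 0x7FF600000000, "EXECUTE_WRITECOPY", r"\Windows\System32\svchost.exe", b"MZ\x90\x00"),
    Vad(612, 0x02A40000, "EXECUTE_READWRITE", None, b"MZ\x90\x00"),
    Vad(2044, 0x01F00000, "READWRITE", None, b"\x00\x00\x00\x00"),
    Vad(2044, 0x03100000, "EXECUTE_READWRITE", None, b"\x00\x00\x00\x00"),
]


def cross_view_hidden(pslist, psscan):
    """Return (hidden, exited): processes psscan sees that pslist does not,
    split by whether they carry an exit time (terminated, not hidden)."""
    listed = {p.pid for p in pslist}
    hidden, exited = [], []
    for p in psscan:
        if p.pid in listed:
            continue
        (exited if p.exit_time else hidden).append(p)
    return hidden, exited


def suspicious_vads(vads):
    """Flag executable+writable private memory (no backing file), as malfind does,
    and rank regions that begin with an MZ header above empty or shellcode-only ones.
    Returns (pid, start, score) tuples, highest score first."""
    findings = []
    for v in vads:
        if "EXECUTE" in v.protection and "WRITE" in v.protection and v.mapped_file is None:
            score = 2 if v.header.startswith(b"MZ") else 1
            findings.append((v.pid, v.start, score))
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    hidden, exited = cross_view_hidden(PSLIST, PSSCAN)
    print("hidden :", [(p.pid, p.name) for p in hidden])
    print("exited :", [(p.pid, p.name) for p in exited])
    for pid, start, score in suspicious_vads(VADS):
        print(f"pid {pid} vad {start:#x} score {score}")
```

When adapting this to real Rekall output, feed `cross_view_hidden` the process objects from both plugins and `suspicious_vads` the per-process VAD list together with the first bytes of each region; the score is only a triage order, so follow every hit with dlllist and a dump of the region rather than treating the score as a verdict.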
Install: npx claudepluginhub killvxk/cybersecurity-skills-zh