Malware authors constantly search for new ways of hiding their activity/content from the eyes of the analysts. In order to help the malware authors in their constant struggle ;-), we introduce three novel methods that prevent malicious user space memory from appearing in analysis tools and additionally making the memory inaccessible from a security analysts perspective on both, Windows and Linux. We are, however, also covering different approaches for detecting the hidden memory and releasing various Volatility 3 and Rekall plugins. The last piece of our release are PoC implementations for all subversion techniques for Windows and Linux, and an upgraded version for one of the subversion techniques, which is controllable with a C&C server. Visit to view the Live Stream and previously recorded micro-interviews.

Chat live with the Security Weekly Staff, Hosts, and Guests in our Discord Server:

Full Episode Show Notes

Hiding Process Memory Via Anti-Forensic Techniques

Segment Resources:


[caption id="attachment_210" align="alignleft" width="120"]Paul Asadoorian Paul Asadoorian - Founder & CTO[/caption]


[caption id="attachment_210" align="alignleft" width="120"]Frank Block Frank Block - Security Researcher [/caption]
[audio src=""]