Heap spray detection with Heap Inspector

Black Hat USA 2011

Presented by: Aaron LeMasters
Date: Wednesday August 03, 2011
Time: 10:30 - 11:00
Location: Florentine
Track: Turbo Talks

HeapInspector is a heap visualization and analysis tool. It has the ability to collect a process's heaps using both API and raw methods. Features include searching heaps for string or byte patterns (including regex), dumping heap chunks to a file, and viewing chunks in a hex editor pane. Heaps are displayed visually in a bar chart format known as the heap hash map, allowing the user to view allocations spatially. A similar chart called the heap data map overlays regular expression matches for useful patterns on top of the heap bars.

This visualization allows an investigator to quickly discover evidence of a heap spray attack and other useful information stored in an application's heap memory. This presentation will demonstrate how the utility can be used to visualize a heap spray in arbitrary applications and retrieve the shellcode. It will also cover relevant Windows internals and some of the challenges involved in writing this type of utility. Future direction and uses for the tool will be covered. This free tool will be released on the day of the presentation.
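As an added illustration of the heap data map idea described above (a Python sketch written for this page, not HeapInspector's own code, run over constructed chunk contents rather than a real process): each chunk is scanned for a regex that matches one 4-byte word repeated many times, scored by how much of the chunk those matches cover, and drawn as a text bar chart with the regex overlay marking filler-like chunks.

```python
import re

# Constructed sample heap chunks (address, contents); not data from a real process.
SAMPLE_CHUNKS = [
    (0x00A10000, b"Hello, world! " * 3),                     # ordinary string
    (0x00A20000, b"\x0c\x0c\x0c\x0c" * 256),                 # one 4-byte word repeated
    (0x00A30000, bytes(range(256)) * 2),                     # varied binary data
    (0x00A40000, b"\x0d\x0d\x0d\x0d" * 200 + b"\x90" * 16),  # mostly filler, short tail
]

# Data-map pattern: any 4-byte word immediately repeated at least 15 more times.
REPEAT_RE = re.compile(rb"(.{4})\1{15,}", re.DOTALL)
SPRAY_THRESHOLD = 0.9  # fraction of a chunk that must be filler to flag it

def repeat_coverage(data):
    """Fraction of the chunk's bytes that fall inside REPEAT_RE matches."""
    if not data:
        return 0.0
    covered = sum(m.end() - m.start() for m in REPEAT_RE.finditer(data))
    return covered / len(data)

def analyze_chunks(chunks):
    """Return (address, size, coverage) for every chunk, in address order."""
    return [(addr, len(data), repeat_coverage(data))
            for addr, data in sorted(chunks)]

def flag_spray_chunks(rows, threshold=SPRAY_THRESHOLD):
    """Addresses of chunks that look like spray filler (mostly one repeated word)."""
    return [addr for addr, _, cov in rows if cov >= threshold]

def render_heap_map(rows, width=32):
    """Text version of the heap hash map: one bar per chunk scaled by size,
    drawn with '#' where the data-map overlay marks it as filler."""
    biggest = max(size for _, size, _ in rows)
    lines = []
    for addr, size, cov in rows:
        glyph = "#" if cov >= SPRAY_THRESHOLD else "="
        bar = glyph * max(1, size * width // biggest)
        lines.append(f"{addr:08x} {size:5d} |{bar:<{width}}| {cov:4.0%}")
    return "\n".join(lines)

if __name__ == "__main__":
    rows = analyze_chunks(SAMPLE_CHUNKS)
    print(render_heap_map(rows))
    print("spray-like chunks:", [hex(a) for a in flag_spray_chunks(rows)])
```

Several adjacent chunks scoring near 100% is the signal an investigator looks for; a single flagged chunk can just as well be a legitimate zero-filled or padded buffer.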

Aaron LeMasters

Aaron LeMasters is a Senior Software Engineer at MANDIANT. His career has spanned a broad range of cyber security disciplines from computer forensics to vulnerability research and exploitation. Aaron spent five years responding to cyber incidents across global DOD networks at DISA and NSA and fighting to improve our nation's security by educating network defenders on advanced threats such as rootkits and providing tools to counter the threat. He most recently worked at Raytheon SI performing vulnerability research. Aaron's research interests include operating system integrity analysis, malware analysis, and reverse engineering.
