Memoryze is a command-line utility that allows advanced memory analysis even while your machine is running.

It is designed to acquire and analyze memory images on live systems efficiently and can include the paging file in its analysis if designated to do so. Memoryze is capable of imaging the full range of system memory (no reliance on API calls), imaging a process' entire address space to disk, including a process' loaded EXEs, DLLs, heaps and stacks as well as imaging a specified driver or all drivers loaded in memory to disk.

Memoryze will also enumerate all running processes (including those hidden by rootkits), including:

-Report all open handles in a process (including all files, registry keys, etc.)
-List the virtual address space of a given process including all loaded DLLs and all allocated portions of the heap and stack
-List all network sockets that the process has open, including any hidden by rootkits.
-Specify the functions imported and exported by the EXE and DLLs.
-Hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256. This is disk-based).
-Verify the digital signatures of the EXEs and DLLs (disk-based).
-Output all strings in memory on a per-process basis.

You can also identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:

-Specify the functions the driver imports and exports.
-Hash the driver (MD5, SHA1, and SHA256. disk-based).
-Verify the digital signature of the driver (disk-based).
-Output all strings in memory on a per driver basis.

Memoryze will report device and driver layering, which can be used to intercept network packets, keystrokes, and file activity. It will additionally identify all loaded kernel modules by walking a linked list. Identify hooks (often used by rootkits) in system call table, the interrupt descriptor tables (IDTs) and driver function tables.