NoVirusThanks WriteProcessMemory Monitor is a Windows OS utility designed solely to monitor processes in the system that write to other process’ virtual address spaces. Malware often uses such techniques in order to write payload stubs to a foreign process to hook an API, load a malware DLL etc. ntdll!NtWriteVirtualMemory is hooked in order to achieve the desired logging functionality in usermode.
NoVirusThanks WriteProcessMemory Monitor displays the caller process and target process filenames as well as their respective process identifiers are shown along with the size of the buffer written to the process and the actual contents represented in hexadecimal of the buffer. The location of the written memory is also listed in hex for run-time reverse engineering convenience.
WriteProcessMemory Monitor can easily be integrated into malware or rootkit test environments to help the security researcher reverse analyze a piece of malware alongside other powerful tools, such as NoVirusThanks Ring3 API Hook Scanner, NoVirusThanks Stream Detector and NoVirusThanks DLL UnInjector.
|Last Updated||23 December 2015|
|Operating System||Windows All (32-bit / 64-bit)|
Recent Changes and Fixes
[23-12-2015] - v126.96.36.199 + Improved logging of API call events [21-11-2015] - v188.8.131.52 + Improved support for Windows 10 + Improved the main program interface + Added session end handling when rebooting or powering off the PC + Added option to save events to a custom log folder + Added command-line parameter to hide the main program's interface (-hidegui) + Minor fixes and optimizations [27-05-2014] - v184.108.40.206 + Fully support unicode + Added support for Windows 8 + Added support for 64-bit operating systems + Optimized the main application window + Minor fixes and optimizations [29-11-2011] - v220.127.116.11 + Added Unicode support (injection) [29-10-2011] - v18.104.22.168 + Added "Save Logs To..." Form + Optimized monitoring [09-05-2011] - v22.214.171.124 + Initial release