WriteProcessMemory Monitor

Product Overview

NoVirusThanks WriteProcessMemory Monitor is a Windows OS utility designed solely to monitor processes in the system that write to other processes' virtual address spaces. Malware often uses this technique to write payload stubs into a foreign process, for example to hook an API or to load a malicious DLL. To provide the logging, ntdll!NtWriteVirtualMemory is hooked in user mode.


NoVirusThanks WriteProcessMemory Monitor displays the caller and target process filenames together with their respective process identifiers, along with the size of the buffer written to the target process and the buffer's actual contents in hexadecimal. The address of the written memory is also listed in hex, which is convenient for run-time reverse engineering.
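The fields listed above (caller and target image names, both PIDs, target address, buffer size and hex contents) are enough to triage cross-process writes automatically. The following is an added example, not code from the WriteProcessMemory Monitor tool or from NoVirusThanks: it parses a small set of constructed event records in a made-up key=value layout (the tool's own log format is not documented on this page), tags each foreign write by what the buffer looks like, and summarizes per calling process. All field names and sample values are assumptions made for the example.

```python
"""Triage of cross-process memory-write events.

Added example, not part of the WriteProcessMemory Monitor product.
The record layout (caller=... cpid=... target=... tpid=... addr=... size=... data=...)
is constructed for this example and is an assumption, not the tool's log format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One event per line; hex digits in data= are the bytes the tool shows in hexadecimal.
LINE_RE = re.compile(
    r"caller=(?P<caller>\S+) cpid=(?P<cpid>\d+) target=(?P<target>\S+) "
    r"tpid=(?P<tpid>\d+) addr=0x(?P<addr>[0-9A-Fa-f]+) size=(?P<size>\d+) "
    r"data=(?P<data>[0-9A-Fa-f]*)"
)

# Constructed sample records: a self-write (not interesting), a foreign write of a
# PE header, a foreign write of a UTF-16LE DLL path, and a foreign write of opaque bytes.
DLL_PATH_HEX = "C:\\t.dll".encode("utf-16-le").hex()
SAMPLE_LOG = f"""\
caller=explorer.exe cpid=1234 target=explorer.exe tpid=1234 addr=0x00400000 size=4 data=41424344
caller=dropper.exe cpid=4321 target=notepad.exe tpid=2468 addr=0x7FF612340000 size=4 data=4D5A9000
caller=dropper.exe cpid=4321 target=notepad.exe tpid=2468 addr=0x1D2A0000000 size={len(DLL_PATH_HEX) // 2} data={DLL_PATH_HEX}
caller=updater.exe cpid=800 target=svchost.exe tpid=700 addr=0x7FF700001000 size=8 data=CCCCCCCCCCCCCCCC
"""


@dataclass(frozen=True)
class WriteEvent:
    caller: str
    caller_pid: int
    target: str
    target_pid: int
    address: int
    size: int
    data: bytes


def parse_events(text):
    """Parse the constructed key=value records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(WriteEvent(
            caller=m["caller"], caller_pid=int(m["cpid"]),
            target=m["target"], target_pid=int(m["tpid"]),
            address=int(m["addr"], 16), size=int(m["size"]),
            data=bytes.fromhex(m["data"]),
        ))
    return events


def classify(ev):
    """Return finding tags for one event; an empty list means nothing to report."""
    tags = []
    if ev.caller_pid == ev.target_pid:
        return tags  # a process writing its own memory is not a foreign write
    tags.append("cross-process-write")
    if ev.data[:2] == b"MZ":
        tags.append("pe-header-written")  # an image is being placed in the target
    # A DLL path staged in the target, in ASCII or UTF-16LE, is the classic
    # precursor to making the target load a library.
    for enc in ("ascii", "utf-16-le"):
        try:
            text = ev.data.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.rstrip("\x00").lower().endswith(".dll"):
            tags.append("dll-path-written")
            break
    if len(ev.data) != ev.size:
        tags.append("size-mismatch")  # captured hex does not cover the whole buffer
    return tags


def summarize(events):
    """Per caller: distinct foreign targets, bytes written into them, and the union of tags."""
    acc = defaultdict(lambda: {"targets": set(), "bytes": 0, "tags": set()})
    for ev in events:
        tags = classify(ev)
        if not tags:
            continue
        entry = acc[(ev.caller, ev.caller_pid)]
        entry["targets"].add((ev.target, ev.target_pid))
        entry["bytes"] += len(ev.data)
        entry["tags"].update(tags)
    return {
        key: {"targets": len(v["targets"]), "bytes": v["bytes"], "tags": sorted(v["tags"])}
        for key, v in acc.items()
    }


if __name__ == "__main__":
    for caller, info in summarize(parse_events(SAMPLE_LOG)).items():
        print(caller, info)
```

Running the block prints one line per calling process that touched another process's memory; the self-write by explorer.exe produces no line, while the two writes by dropper.exe into notepad.exe collapse into a single entry carrying both the PE-header and DLL-path tags.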

WriteProcessMemory Monitor can easily be integrated into malware or rootkit test environments to help the security researcher reverse engineer a piece of malware alongside other powerful tools, such as NoVirusThanks Ring3 API Hook Scanner, NoVirusThanks Stream Detector and NoVirusThanks DLL UnInjector.

Additional Details

File Version: 1.5.0.0
Last Updated: 23 December 2015
Category: Malware Analysis
License Type: Freeware
Operating System: Windows All (32-bit / 64-bit)

Recent Changes and Fixes

[23-12-2015] - v1.5.0.0

+ Improved logging of API call events

[21-11-2015] - v1.4.0.0

+ Improved support for Windows 10
+ Improved the main program interface
+ Added session end handling when rebooting or powering off the PC
+ Added option to save events to a custom log folder
+ Added command-line parameter to hide the main program's interface (-hidegui)
+ Minor fixes and optimizations

[27-05-2014] - v1.3.0.0

+ Full Unicode support
+ Added support for Windows 8
+ Added support for 64-bit operating systems
+ Optimized the main application window
+ Minor fixes and optimizations

[29-11-2011] - v1.2.0.0

+ Added Unicode support (injection)

[29-10-2011] - v1.1.0.0

+ Added "Save Logs To..." Form
+ Optimized monitoring

[09-05-2011] - v1.0.0.0

+ Initial release