analyst security skill risk: medium
Heap Spray Exploitation Memory Dump Analyzer
Provides an overview, prerequisites, and four-step procedure for detecting heap spray attacks in memory dumps via Volatility3's malfind, vadinfo, and related plugins, including NOP…
SKILL 4 files · 2 folders
SKILL.md
--- name: analyzing-heap-spray-exploitation description: "Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns," --- # Analyzing Heap Spray Exploitation ## Overview Heap spraying is an exploitation technique that fills large regions of a process's heap with attacker-controlled data (typically NOP sleds followed by shellcode) to increase the reliability of code execution exploits. This skill covers detecting heap spray artifacts in memory dumps using Volatility3's malfind, vadinfo, and memmap plugins, identifying suspicious contiguous memory allocations, scanning for NOP sled patterns (0x90, 0x0c0c0c0c), and extracting embedded shellcode for analysis. ## When to Use - When investigating security incidents that require analyzing heap spray exploitation - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Python 3.9+ with `volatility3` framework installed - Memory dump file (.raw, .vmem, .dmp format) - Understanding of virtual memory layout and VAD (Virtual Address Descriptor) trees - Familiarity with common shellcode patterns and NOP sled encodings ## Steps ### Step 1: Identify Suspicious Processes Use Volatility3 windows.malfind to scan for processes with executable injected memory regions. ### Step 2: Analyze VAD Entries Examine VAD tree entries using windows.vadinfo for large contiguous allocations with RWX permissions. ### Step 3: Scan for NOP Sled Patterns Search suspicious memory regions for NOP sled signatures (0x90 sequences, 0x0c0c0c0c patterns). ### Step 4: Extract and Analyze Shellcode Dump suspicious memory regions and identify shellcode using byte pattern analysis. ## Expected Output JSON report with suspicious processes, heap spray indicators, NOP sled locations, memory region sizes, and extracted shellcode hashes.
REQUIRED CONTEXT
- memory dump file
- volatility3 framework
EXPECTED OUTPUT
- Format
- json
- Schema
- json_schema · suspicious processes, heap spray indicators, NOP sled locations, memory region sizes, extracted shellcode hashes
- Constraints
- include suspicious processes
- include heap spray indicators
- include NOP sled locations
- include memory region sizes
- include extracted shellcode hashes
SUCCESS CRITERIA
- Detect and analyze heap spray attacks in memory dumps
- Identify suspicious contiguous memory allocations
- Scan for NOP sled patterns
- Extract embedded shellcode for analysis
CAVEATS
- Dependencies
- Python 3.9+ with `volatility3` framework installed
- Memory dump file (.raw, .vmem, .dmp format)
- Understanding of virtual memory layout and VAD (Virtual Address Descriptor) trees
- Familiarity with common shellcode patterns and NOP sled encodings
- Missing context
- Exact Volatility3 command examples or flags
- Placeholder for memory dump file path
- Detailed JSON schema or example for expected output
- Ambiguities
- Description field is truncated mid-sentence ('identify NOP sled patterns,')
QUALITY
- OVERALL
- 0.70
- CLARITY
- 0.85
- SPECIFICITY
- 0.65
- REUSABILITY
- 0.60
- COMPLETENESS
- 0.70
IMPROVEMENT SUGGESTIONS
- Add concrete command-line examples for each Volatility3 plugin in the Steps section
- Include a sample JSON output structure under Expected Output
- Add a placeholder variable for the memory dump filename to improve reusability
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
MORE FOR ANALYST
- CTI Analyst for Cybersecurity Project Revisionsanalystsecurity
- Malware Sandbox Evasion Techniques Analyzeranalystsecurity
- NetFlow Pandas Traffic Baselininganalystsecurity
- Data Staging Exfiltration Threat Hunteranalystsecurity
- NetFlow Security Anomaly Analyzeranalystsecurity
- PowerShell EVTX Script Block Analyzeranalystsecurity
- Domain Fronting C2 Traffic Detectoranalystsecurity
- DNS-Based Persistence Hunting Proceduresanalystsecurity
- PowerShell Empire Event Log Analyzeranalystsecurity
- Anomalous PowerShell Execution Hunting Guideanalystsecurity
- Zeek Conn.log Beaconing Pattern Detectoranalystsecurity
- API Gateway Access Log Attack Analyzeranalystsecurity
- Android APK Malware Static Analysisanalystsecurity
- Kubernetes Audit Log Security Analyzeranalystsecurity
- Cloud Storage Access Anomaly Detectoranalystsecurity
- Office 365 Audit Log Compromise Analyzeranalystsecurity
- Academic Research Brainstorm and Improvement Analyzeranalystresearch
- ML Missing Values Treatment Pipelineanalystanalysis
- Quantitative Sports Betting Edge Evaluatoranalystanalysis
- B2B Manufacturing Homepage Tech-SEO Diagnosticanalystanalysis
- OSINT US Surveillance Source Investigatoranalystresearch
- Curated Compendium of Cuckold BNWO Websitesanalystresearch
- US Indices Market News and Sentiment Reporteranalystfinance
- Technical Academic Paper Revieweranalystanalysis
- UX Landing Page Conversion Analyzeranalystanalysis