Blog

MoonSols Advanced Incident Response Memory Forensics Training - Dubai, UAE

MoonSols is delivering a 5-day advanced incident response and memory forensics training course in Dubai, UAE on 11-15 May. You can already pre-book your seat for the class or inquire by contacting the Training is based on MoonSols...

MoonSols’s Digital Forensics, Incident Response & Memory Forensics Mailing-List

MoonSols is launching a mailing-list to discuss Digital Forensics, Incident Response and Memory Forensics and to increase security awareness. Subscription can be done at the following address:...

MWMT 2.0 - Some of the new features

DumpIt: Many of you are probably familiar with win32dd and win64dd; those applications belong to the past, and only DumpIt remains, to avoid any confusion. As part of MoonSols Windows Memory Toolkit 2.0, DumpIt is now a merged version of win32dd...

MoonSols 2.0

MoonSols Ltd is a privately held information security company specialized in passive and active protective intelligence, using tailored technologies and services to deliver a range of products and services to businesses, organisations and individuals...

New commands in WinDbg 6.2.219.0

The Windows Developer Preview WDK contains the new version of WinDbg, 6.2.219.0 (the previous version was 6.12.220; it seems that Microsoft decided to align the version number with the corresponding NTOS kernel version). Two interesting commands...

NEW UTILITY: MoonSols HyperTaskMgr v1.0

Today, I finally decided to release the first public version of MoonSols HyperTaskMgr. What is MoonSols HyperTaskMgr? It’s a new generation Task Manager for IT Professionals to manage Windows Virtual Machines running under Microsoft Hyper-V R2...

MoonSols DumpIt goes mainstream!

After talking with a few people who expressed their frustration with the limitations of current Windows memory dumpers, I decided to release MoonSols DumpIt publicly. MoonSols DumpIt is a fusion of win32dd and win64dd in one executable; no options are asked of the end-user....

Are ASLR or DEP flags enabled?

A few days ago, Peter Vreugdenhil tweeted a one-line WinDbg command to detect whether ASLR (Address Space Layout Randomization) is used by the current process and its DLLs: !for_each_module ".if(not(wo(dwo(${@#Base}+0x3c)+${@#Base}+46+18)&0x40)){.echo...
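
As an added, worked example (not code from the MoonSols post or from Peter Vreugdenhil's tweet), the Python script below performs the same check offline on a PE image instead of inside the debugger. It follows e_lfanew from DOS-header offset 0x3c, skips the 4-byte PE signature and the 20-byte IMAGE_FILE_HEADER (0x18 bytes, the `+18` of the WinDbg expression, which is evaluated in hex because that is WinDbg's default radix), and reads the 16-bit DllCharacteristics field at offset 0x46 of the optional header. Bit 0x40 is IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR), exactly what the one-liner tests; going one step beyond the tweet, the script also reports bit 0x100 (IMAGE_DLLCHARACTERISTICS_NX_COMPAT, DEP) and bit 0x20 (HIGH_ENTROPY_VA, 64-bit only). The `build_test_image` helper is a constructed, non-loadable header used only so the script runs without a real binary; `check_file` and the function names are this example's own, not a MoonSols API.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (values from winnt.h)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high entropy
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image is DEP-compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image (file bytes or dumped module).

    Same walk as the WinDbg expression wo(dwo(Base+0x3c)+Base+0x18+0x46):
    e_lfanew is at 0x3c in the DOS header, the optional header begins 0x18 bytes
    after e_lfanew (4-byte "PE\0\0" + 20-byte IMAGE_FILE_HEADER), and
    DllCharacteristics is at 0x46 into the optional header for PE32 and PE32+ alike.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad e_lfanew or missing PE signature")
    opt = e_lfanew + 0x18
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    return struct.unpack_from("<H", image, opt + 0x46)[0]


def mitigations(image: bytes) -> dict:
    """Decode the three mitigation opt-in bits into a small report."""
    dc = dll_characteristics(image)
    return {
        "aslr": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dc & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def check_file(path: str) -> dict:
    """Report ASLR/DEP opt-in flags for a PE file on disk."""
    with open(path, "rb") as f:
        return mitigations(f.read())


def build_test_image(dllchars: int, pe64: bool = False) -> bytes:
    """Constructed minimal PE header (not loadable) carrying the given DllCharacteristics."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    machine = 0x8664 if pe64 else 0x14C
    opt_size = 0xF0 if pe64 else 0xE0
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe64 else PE32_MAGIC)
    struct.pack_into("<H", opt, 0x46, dllchars)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, check_file(path))
    else:
        print("constructed, ASLR+DEP:", mitigations(build_test_image(0x0140)))
        print("constructed, no flags:", mitigations(build_test_image(0)))
```

Run it with one or more PE paths (`python pecheck.py C:\Windows\System32\ntdll.dll`) or with no arguments to exercise the constructed headers. Two caveats a practitioner should keep in mind: the flags only record what the image opted into at link time, so a single non-DYNAMIC_BASE module mapped at its preferred base still gives an attacker a fixed address in an otherwise randomized process (which is why the tweet iterates over every module); and the NX_COMPAT bit is not the last word on DEP, since the system-wide DEP policy (AlwaysOn/AlwaysOff) overrides the per-image opt-in.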

WMI, VMs, LiveCloudKd, MoonSols Analyst & CVE-2011-0611 - Part 1

Some people have already analyzed the latest Flash 0day itself, so this blog post is not going to cover the attack itself but only a specific part: what happens when Microsoft Word is re-opened from a command-line shell created by the exploit....