### Create Scanner Context for IOC Detection Source: https://context7.com/forrest-orr/moneta/llms.txt Example of creating a scanner context for IOC detection, specifying options, memory selection mode, and filter flags. ```cpp ScannerContext ScannerCtx( PROCESS_ENUM_FLAG_STATISTICS, // Options: statistics, memdump, from-base ScannerContext::MemorySelection_t::Ioc, // Only suspicious regions nullptr, // Address (optional, for region/referenced modes) 0, // Region size FILTER_FLAG_CLR_PRVX | FILTER_FLAG_CLR_HEAP // Filter flags ); ``` -------------------------------- ### Scan IOCs in a specific process from allocation base Source: https://context7.com/forrest-orr/moneta/llms.txt Scan for IOCs in a specific process, starting the scan from the allocation base of memory regions. Replace '1234' with the target process ID. ```bash Moneta64.exe -m ioc -p 1234 --option from-base ``` -------------------------------- ### Get human-readable description for IOC type Source: https://context7.com/forrest-orr/moneta/llms.txt Retrieves a human-readable string description for a given Indicator of Compromise (IOC) type. ```cpp wstring description = Ioc::GetDescription(Ioc::Type::MODIFIED_CODE); // Returns: L"Modified code" ``` ```cpp wstring description = Ioc::GetDescription(Ioc::Type::PHANTOM_IMAGE); // Returns: L"Phantom image" ``` -------------------------------- ### Apply specific filters to IOC map Source: https://context7.com/forrest-orr/moneta/llms.txt Example of applying specific filter flags to an IOC map to hide benign false positives. Combine flags using the bitwise OR operator. ```cpp uint64_t qwFilterFlags = FILTER_FLAG_CLR_PRVX | FILTER_FLAG_CLR_HEAP; // Filter IOC map after scan IocMap iocMap; iocMap.Filter(qwFilterFlags); ``` -------------------------------- ### Scan referenced memory regions from a specific address Source: https://context7.com/forrest-orr/moneta/llms.txt Scan referenced memory regions starting from a specific address within a process. Replace '1234' with the target process ID and the address/size accordingly. ```bash Moneta64.exe -m referenced -p 1234 --address 0x00007FF600000000 --region-size 4096 ``` -------------------------------- ### Process Enumeration and Scanning Source: https://context7.com/forrest-orr/moneta/llms.txt Demonstrates how to scan a specific process by PID or iterate through all system processes to enumerate memory and detect IOCs. ```cpp // Scan a specific process by PID try { Process TargetProc(1234); // Initialize with PID vector SelectedIocs; vector SelectedSbrs; // Enumerate process memory and detect IOCs TargetProc.Enumerate(ScannerCtx, &SelectedIocs, &SelectedSbrs); // Access process information uint32_t pid = TargetProc.GetPid(); wstring name = TargetProc.GetName(); wstring path = TargetProc.GetImageFilePath(); BOOL isWow64 = TargetProc.IsWow64(); uint32_t clrVersion = TargetProc.GetClrVersion(); // 0, 2, or 4 // Get all memory entities (regions) map entities = TargetProc.GetEntities(); // Get loaded module by name PeVm::Body* ntdll = TargetProc.GetLoadedModule(L"ntdll.dll"); } catch (int32_t nError) { printf("Failed to access process (error %d)\n", nError); } // Scan all processes on the system PROCESSENTRY32W ProcEntry = { 0 }; HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); ProcEntry.dwSize = sizeof(PROCESSENTRY32W); if (Process32FirstW(hSnapshot, &ProcEntry)) { do { if (ProcEntry.th32ProcessID != GetCurrentProcessId()) { try { Process TargetProc(ProcEntry.th32ProcessID); TargetProc.Enumerate(ScannerCtx, &SelectedIocs, &SelectedSbrs); } catch (int32_t nError) { continue; // Skip inaccessible processes } } } while (Process32NextW(hSnapshot, &ProcEntry)); } CloseHandle(hSnapshot); ``` -------------------------------- ### Scan all processes for IOCs with memory statistics Source: https://context7.com/forrest-orr/moneta/llms.txt Scan all processes for IOCs and display memory statistics. Use '*' for all processes. ```bash Moneta64.exe -m ioc -p * --option statistics ``` -------------------------------- ### Scan IOCs excluding unsigned and metadata modules Source: https://context7.com/forrest-orr/moneta/llms.txt Scan all processes for IOCs while excluding unsigned modules and Windows metadata modules. Use '*' for all processes. ```bash Moneta64.exe -m ioc -p * --filter unsigned-modules metadata-modules ``` -------------------------------- ### Configure Verbosity Levels Source: https://context7.com/forrest-orr/moneta/llms.txt Control output detail using command-line flags or the programmatic Interface API. ```bash # Surface level - only IOCs and essential information (default) Moneta64.exe -m ioc -p * # Detail level - includes memory region information Moneta64.exe -m ioc -p * -v detail # Debug level - includes internal diagnostic messages Moneta64.exe -m ioc -p * -v debug ``` ```cpp // Programmatic verbosity control Interface::SetVerbosity(Interface::VerbosityLevel::Surface); Interface::SetVerbosity(Interface::VerbosityLevel::Detail); Interface::SetVerbosity(Interface::VerbosityLevel::Debug); // Log at specific verbosity levels Interface::Log(Interface::VerbosityLevel::Surface, "Always shown\r\n"); Interface::Log(Interface::VerbosityLevel::Detail, "Shown with -v detail\r\n"); Interface::Log(Interface::VerbosityLevel::Debug, "Shown with -v debug\r\n"); ``` -------------------------------- ### Collect Memory and IOC Statistics Source: https://context7.com/forrest-orr/moneta/llms.txt Manage and display memory permission breakdowns and IOC statistics using the PermissionRecord and IocRecord classes. ```cpp // Collect permission statistics from subregions vector allSubregions; PermissionRecord permStats(allSubregions); // Update with additional scan results permStats.UpdateMap(moreSubregions); // Display permission breakdown by memory type permStats.ShowRecords(); // Output: // Memory statistics // MEM_IMAGE [1500 total] // |__ PAGE_READONLY: 800 (53.33%) // | PAGE_EXECUTE_READ: 500 (33.33%) // | PAGE_READWRITE: 200 (13.33%) // MEM_PRIVATE [2000 total] // |__ PAGE_READWRITE: 1800 (90.00%) // | PAGE_EXECUTE_READWRITE: 50 (2.50%) // Collect IOC statistics vector allIocs; IocRecord iocStats(&allIocs); // Update with additional IOCs iocStats.UpdateMap(&moreIocs); // Display IOC breakdown iocStats.ShowRecords(); // Output: // IOC statistics [25 total] // |__ Unsigned module: 15 (60.00%) // | Modified code: 5 (20.00%) // | Abnormal private executable memory: 5 (20.00%) ``` -------------------------------- ### Enumerate committed memory in all processes Source: https://context7.com/forrest-orr/moneta/llms.txt Use this command to enumerate all committed memory in all processes with detailed output. Specify '*' for all processes and all memory. ```bash Moneta64.exe -m * -p * -v detail ``` -------------------------------- ### Verify Code Signatures in C++ Source: https://context7.com/forrest-orr/moneta/llms.txt Use these functions to check file signing status, verify embedded or catalog signatures, and retrieve certificate issuer information. ```cpp // Check signing status of a file Signing_t signingType = CheckSigning(L"C:\\Windows\\System32\\ntdll.dll"); switch (signingType) { case Signing_t::Embedded: // File has embedded Authenticode signature break; case Signing_t::Catalog: // File is signed via Windows catalog break; case Signing_t::Unsigned: // File is not signed break; } // Get human-readable signing type const wchar_t* sigStr = TranslateSigningType(signingType); // Translate kernel signing level const wchar_t* levelStr = TranslateSigningLevel(8); // "Microsoft" // Verify embedded signature directly bool hasEmbedded = VerifyEmbeddedSignature(L"C:\\path\\file.exe"); // Verify catalog signature bool hasCatalog = VerifyCatalogSignature(L"C:\\path\\file.dll"); // Get certificate issuer from catalog wchar_t* issuer = GetPeCatalogIssuer(L"C:\\Windows\\System32\\kernel32.dll"); if (issuer) { wprintf(L"Issuer: %s\n", issuer); delete[] issuer; } ``` -------------------------------- ### Scan a specific process for suspicious memory (IOCs) Source: https://context7.com/forrest-orr/moneta/llms.txt Scan a specific process for Indicators of Compromise (IOCs). Replace '1234' with the target process ID. ```bash Moneta64.exe -m ioc -p 1234 ``` -------------------------------- ### Define Memory Selection Types Source: https://context7.com/forrest-orr/moneta/llms.txt Defines the types of memory regions that can be selected for analysis. Use 'Ioc' to select only suspicious regions. ```cpp enum class MemorySelection_t { Invalid, // Invalid selection Block, // Select only region(s) overlapping with --address All, // Select all committed memory regions (*) Ioc, // Select only regions with suspicions Referenced // Select regions referenced by --address range }; ``` -------------------------------- ### Dump a specific memory region by address Source: https://context7.com/forrest-orr/moneta/llms.txt Dump a specific memory region identified by its address. Use '-d' to enable dumping. Replace '1234' with the target process ID and the address accordingly. ```bash Moneta64.exe -m region -p 1234 --option from-base --address 0x0000000077DD0000 -d ``` -------------------------------- ### PE File Analysis Source: https://context7.com/forrest-orr/moneta/llms.txt Analyzes loaded PE images for anomalies such as unsigned modules or modified executable sections. ```cpp // PeVm::Body represents a loaded PE image in memory class PeVm::Body { public: // Get underlying PE file parser PeFile* GetPeFile() const; // Signing verification bool IsSigned() const; uint32_t GetSigningLevel() const; // Image characteristics bool IsNonExecutableImage() const; bool IsPartiallyMapped() const; uint32_t GetImageSize() const; // Section access vector GetSections() const; Section* GetSection(string name) const; // PEB module information PebModule& GetPebModule(); }; // Example: Analyze a loaded module PeVm::Body* module = TargetProc.GetLoadedModule(L"suspicious.dll"); if (module) { if (!module->IsSigned()) { printf("WARNING: Module is unsigned\n"); } // Check for modified code sections vector sections = module->GetSections(); for (auto& section : sections) { vector subregions = section->GetSubregions(); for (auto& sbr : subregions) { if (Subregion::PageExecutable(sbr->GetBasic()->Protect) && sbr->GetPrivateSize() > 0) { printf("Modified executable section: %s\n", section->GetHeader()->Name); } } } } ``` -------------------------------- ### Define Filter Flags for IOCs Source: https://context7.com/forrest-orr/moneta/llms.txt Defines bit flags used to filter out known benign suspicious patterns, reducing false positives. Use '-1' to enable all flags. ```cpp #define FILTER_FLAG_UNSIGNED_MODULES 0x1 // Exclude unsigned module IOCs #define FILTER_FLAG_METADATA_MODULES 0x2 // Exclude Windows metadata modules #define FILTER_FLAG_CLR_PRVX 0x4 // Exclude .NET CLR JIT executable memory #define FILTER_FLAG_CLR_HEAP 0x8 // Exclude .NET CLR native heaps #define FILTER_FLAG_WOW64_INIT 0x10 // Exclude WoW64 initialization artifacts ``` -------------------------------- ### Memory Dumping Source: https://context7.com/forrest-orr/moneta/llms.txt Dumps memory regions to disk or into a buffer for offline or in-memory analysis. ```cpp // Initialize memory dump folder (creates timestamped directory) MemDump::Initialize(); // Creates: memdmp-M-D-Y~H.M.S/ // Dump a memory region to file MemDump dumpCtx(hProcess, dwPid); MEMORY_BASIC_INFORMATION mbi; wchar_t dumpPath[MAX_PATH]; // Dump to default folder bool success = dumpCtx.Create(&mbi, dumpPath, MAX_PATH); // Creates: memdmp-*/1234_0x00007FF600000000_RX_IMG.dat // Dump to subfolder success = dumpCtx.Create(L"Suspicious", &mbi, dumpPath, MAX_PATH); // Dump to buffer (for in-memory analysis) uint8_t* pDumpBuf = nullptr; uint32_t dwDumpSize = 0; if (dumpCtx.Create(&mbi, &pDumpBuf, &dwDumpSize)) { // Analyze buffer... delete[] pDumpBuf; } ``` -------------------------------- ### Memory Subregion Analysis Source: https://context7.com/forrest-orr/moneta/llms.txt Provides access to memory attributes and protection flags for specific memory blocks within a process. ```cpp // Subregion provides memory attribute access class Subregion { public: // Get Windows MEMORY_BASIC_INFORMATION structure const MEMORY_BASIC_INFORMATION* GetBasic() const; // Get private (modified) page count in bytes uint32_t GetPrivateSize() const; // Get special flags uint64_t GetFlags() const; // Flags: MEMORY_SUBREGION_FLAG_HEAP, MEMORY_SUBREGION_FLAG_STACK, // MEMORY_SUBREGION_FLAG_TEB, MEMORY_SUBREGION_FLAG_DOTNET, // MEMORY_SUBREGION_FLAG_BASE_IMAGE // Static helpers for memory attributes static bool PageExecutable(uint32_t dwProtect); static const wchar_t* ProtectSymbol(uint32_t dwProtect); static const wchar_t* TypeSymbol(uint32_t dwType); static const wchar_t* StateSymbol(uint32_t dwState); }; // Example: Check memory protection MEMORY_BASIC_INFORMATION mbi; if (Subregion::PageExecutable(mbi.Protect)) { // Memory is executable (PAGE_EXECUTE_*) wprintf(L"Protection: %s\n", Subregion::ProtectSymbol(mbi.Protect)); wprintf(L"Type: %s\n", Subregion::TypeSymbol(mbi.Type)); } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.