We are excited to announce the release of version 0.3 of our Memory Analysis package, currently in beta. This update introduces two major features: support for prototype Page Table Entries (PTEs) and the ability to enumerate and display Windows services from memory captures.
Prototype PTEs are a crucial aspect of Windows memory management. These entries represent shared memory pages—often from image files or mapped sections—that are referenced by multiple processes. Unlike regular PTEs, prototype PTEs reside in a different part of memory and require special handling to be correctly interpreted during analysis.
By supporting prototype PTEs, our Memory Analysis package can now more accurately resolve virtual memory mappings, especially in cases involving shared memory regions or image-backed memory. This greatly enhances the ability to reconstruct executable images, DLLs, and other shared memory artifacts.
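The special handling described above, sketched as an added example (this is not Cerbero Suite code): classify an invalid x64 PTE and, when it points to a prototype PTE, follow that pointer to find the shared page. The bit positions, the `VAD_PROTO` marker, the `read_qword` callback and the sample values are assumptions for illustration; real layouts differ between Windows builds.

```python
# Added example: simplified x64 Windows PTE decoding. Bit positions are assumed
# from the public _MMPTE_* structures and vary between Windows builds.
VALID, PROTOTYPE, TRANSITION = 1 << 0, 1 << 10, 1 << 11
PFN_MASK = 0x0000FFFFFFFFF000   # bits 12..47: physical address of the page
PROTO_SHIFT = 16                # ProtoAddress occupies bits 16..63
VAD_PROTO = 0xFFFFFFFF0000      # assumed marker: the VAD holds the prototype

def classify_pte(pte, is_prototype_pte=False):
    """Return (state, value) for one 64-bit PTE value."""
    if pte & VALID:
        return ("valid", pte & PFN_MASK)
    if pte & PROTOTYPE:
        if is_prototype_pte:
            # Inside a prototype PTE this bit marks a subsection (file-backed) entry.
            return ("subsection", None)
        addr = pte >> PROTO_SHIFT
        if addr == VAD_PROTO:
            return ("vad_prototype", None)
        # ProtoAddress is a 48-bit kernel address: restore the canonical upper bits.
        return ("proto_pointer", addr | 0xFFFF000000000000)
    if pte & TRANSITION:
        return ("transition", pte & PFN_MASK)  # page still in RAM (standby/modified)
    return ("zero", None) if pte == 0 else ("software", None)

def resolve(pte, read_qword):
    """Physical page address for a process PTE, following one prototype pointer.

    read_qword(kernel_va) is a hypothetical callback that reads 8 bytes of kernel
    virtual memory from the capture. Returns None when the page is not in RAM.
    """
    state, value = classify_pte(pte)
    if state == "proto_pointer":
        state, value = classify_pte(read_qword(value), is_prototype_pte=True)
    return value if state in ("valid", "transition") else None

# Constructed sample: one prototype PTE in transition state at a made-up address.
SAMPLE_KERNEL_MEMORY = {0xFFFFA80001234560: 0x000000001ABCD820}
SAMPLE_PROCESS_PTE = 0xA800012345600400  # invalid, Prototype bit set

if __name__ == "__main__":
    page = resolve(SAMPLE_PROCESS_PTE, SAMPLE_KERNEL_MEMORY.__getitem__)
    print(hex(page))
```

A tool that treats every invalid PTE as "not present" would return nothing for `SAMPLE_PROCESS_PTE`, even though the shared page is still resident in the capture.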
In addition to prototype PTEs, version 0.3 adds support for Windows services visualization. This new capability allows analysts to extract and view the list of services registered on a system directly from a memory dump. The extracted data includes key details such as service names, display names, type, and binary paths.
These additions further strengthen the capabilities of our Memory Analysis package and align with our mission to offer comprehensive and precise tools for memory forensics within Cerbero Suite. While the Memory Analysis package is currently available only to commercial licenses as a beta, it will soon be available to all licenses.