{"id":10463,"date":"2022-08-11T12:00:00","date_gmt":"2022-08-11T11:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/garbageman\/"},"modified":"2026-05-25T10:14:41","modified_gmt":"2026-05-25T09:14:41","slug":"garbageman","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/garbageman\/","title":{"rendered":"GarbageMan: Dumpster-diving the .NET heap"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    GarbageMan: Dumpster-diving the <span class=\"blue-text\">.NET heap<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Software Protection                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                11 8\u6708, 2022    
                        <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div>\n<\/div>\n    <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_c52da88fdf39d83e7771ab66d404b281\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                <div 
class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>GarbageMan is a set of tools for analyzing .NET binaries through heap analysis.<\/p>\n<p>These tools &#8211; researched and developed by Jarkko Turkulainen from W\/Intel &#8211; offer the following benefits to malware researchers:<\/p>\n<ul>\n<li>Convenient GUI tool for intuitive access to .NET heap structures<\/li>\n<li>Ability to extract clear-text payload (PE Images etc.) from .NET heaps quickly,<\/li>\n<li>Easy analysis of encrypted network protocols, signs of data exfiltration, and similar,<\/li>\n<li>Ability to overcome malware anti-dumping techniques with a command-line tool called psnotify,<\/li>\n<li>Ability to analyze .NET heaps even in case of dynamic runtime loading from unmanaged code.<\/li>\n<\/ul>\n<p>The techniques provided by the tools have been found to be extremely useful for malware analysis, especially when other approaches fail to produce results in a timely manner. 
The techniques also provide much deeper behavioral insights when compared with traditional dynamic analysis methods.<\/p>\n<p>Code, and instructions for installing and setting up GarbageMan &#8211; researched and developed by W\/Intel &#8211; are available from the WithSecure Labs GitHub: <a href=\"https:\/\/github.com\/WithSecureLabs\/GarbageMan\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/WithSecureLabs\/GarbageMan<\/a><\/p>\n<p>If you want to get right into using it, you may want to skip the following background information and jump into Basic Usage section of this writing.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture1-resizedimagewzywmcwzmzhd.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h2>Background<\/h2>\n<p>The .NET malware obfuscation ecosystem has gone wild during the last few years because:<\/p>\n<ul>\n<li>Microsoft released the complete .NET runtime and open sourced its compiler framework, enabling better research into offensive and defensive tools and techniques in the .NET space<\/li>\n<li>Some existing .NET research tools, such as de4dot and dnSpy, are showing their age.<\/li>\n<\/ul>\n<p>.NET assemblies are very analysis friendly and offer the same level of convenience with regards to the development of obfuscations. This has resulted in more and more complex obfuscations and anti-analysis techniques. 
It is not uncommon to encounter unknown, modified, or entirely new obfuscators during day-to-day malware research work.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture2-resizedimagewzywmcwzmzhd.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Some of the tricks .NET obfuscators are using for making the analysis harder:<\/p>\n<ul>\n<li>Many layers of droppers and protectors<\/li>\n<li>Process manipulations: hollowing, APC&#x27;s, task schedulers etc<\/li>\n<li>Processes killing each other (watchdogs)<\/li>\n<li>Manual triggering of garbage collection.<\/li>\n<\/ul>\n<p>Spending hours bypassing .NET obfuscations is often a waste of time for incident response teams and researchers. Instead of manually debugging and attempting to extract embedded payloads, it is possible to extract data straight from the .NET heap, thus drastically reducing the time spent on initial malware analysis.<\/p>\n<h2>Technical background and details<\/h2>\n<p>The theory behind GarbageMan relies on these basic assumptions:<\/p>\n<ul>\n<li>Any significant activity in the .NET CLR involves .NET objects in the managed heap<\/li>\n<li>Because of garbage collection, the .NET heap objects are accompanied by a rich metadata describing how objects are related to each other<\/li>\n<li>Everything in the .NET inherits from System.Object &#8211; thus also all primitive types exist in the heap.<\/li>\n<\/ul>\n<p>If it were possible to step inside the heap and see all the objects and their interactions, it would be possible to understand quite precisely what the process is doing and it would work regardless of the load or injection method, encryptions or obfuscations.<\/p>\n<p>The reason for this is very simple:  in order to load additional encrypted payloads, the malware needs to decrypt these payloads, and the decrypted payload is just another byte array object in the heap.<\/p>\n<p>In addition, the intermediate steps 
from encrypted to decrypted payload very likely involve some .NET objects, such as I\/O objects, and their related parameters, such as encryption algorithms and keys, are present in the heap. By analyzing these objects and their connections to other objects, a coherent view of the behavioral state of the process can be obtained. And this is exactly what GarbageMan tries to accomplish.<\/p>\n<p>Currently, the GarbageMan implementation is based on ClrMD, a library provided by Microsoft. The library offers exactly the features needed for the job:<\/p>\n<ul>\n<li>Types and values of .NET objects<\/li>\n<li>Object references<\/li>\n<li>Object member names and types\/values\/references to child objects<\/li>\n<\/ul>\n<p>With the object references and other metadata, it is possible to arrange heap objects in a timeline, much as any other behavior analysis tool does. This works because .NET objects are allocated in order and there\u2019s practically no fragmentation due to garbage collection (that is, of course, until garbage collections happen \u2013 this is a feature of automatically managed heaps).<\/p>\n<p>GarbageMan and the underlying ClrMD library offer the same type of functionality as some previous tools, like the SOSEX and NETEXT windbg extensions, but hopefully as a more accessible and convenient GUI tool. It can be used standalone, or as a .NET reversing &quot;First Aid Kit&quot;, adding value to more traditional methods like network monitoring, process monitoring and memory strings. Its strengths:<\/p>\n<ul>\n<li>Makes it very easy to extract payloads like decrypted assemblies, archives, screenshots etc<\/li>\n<li>Can help in reverse engineering filesystem I\/O, encrypted network connections etc<\/li>\n<li>Extremely useful if everything else fails.<\/li>\n<\/ul>\n<p>The basic concepts of GarbageMan are target, snapshot and database. 
Target refers to either a running live process or a user-mode minidump generated with any compatible tool like windbg or psnotify (described below the diagram). The GUI tool uses the command-line tool GM.exe to attach to a live process or open a dump on disk, and tries to locate and process .NET heap objects in the target. From these objects, it creates an SQLite database for fast later access to the objects, and for storing session configuration. Heap objects are arranged into a series of snapshots, each of which represents the objects at a specific time. In the case of a minidump target, there\u2019s only one snapshot, from the time the dump itself was created. In the case of a live process, GM.exe can take snapshots periodically, for example every 300 milliseconds. This may sometimes be useful, for example, for tracing a process for very long periods of time. In most cases one snapshot is enough.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture3-resizedimagewzywmcwzmjnd.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>GarbageMan also relies on the underlying functionality of ClrMD for acquiring data from running processes or from minidump images. This can be very problematic with real-world malware. Typically, it is not possible to just execute a piece of malware and go on to dump the process memory. In many cases, the final payload is preceded by many levels of droppers, injectors and other tricks. That\u2019s why we also developed a helper toolkit called psnotify, which features:<\/p>\n<ul>\n<li>Patching GC.Collect of all new .NET processes to prevent manual garbage collection<\/li>\n<li>Suspending and dumping .NET processes on exit for later heap analysis<\/li>\n<\/ul>\n<p>It should be noted that psnotify cannot prevent the process from doing garbage collection internally, when the runtime thinks it\u2019s time to clean up heaps. 
This typically happens every five minutes or so, depending on the available memory and other factors. That\u2019s where the periodic snapshot feature might be handy. Note that psnotify creates a minidump only on process exit, so you might still need to attach to the live process in order to get the data. That\u2019s mostly a concern when analyzing processes that run for a relatively long time (a few minutes): if you just wait for the psnotify minidump, it might not contain all the heap objects. The dump-on-exit mechanism is especially useful for catching short-lived droppers and injectors.<\/p>\n<h2>Basic usage<\/h2>\n<h2>Starting up<\/h2>\n<p>When planning your analysis session, you first need to decide which strategy to take for a particular piece of malware. A safe bet is to first run psnotify and then see what\u2019s happening on the system. psnotify will dump all the intermediate malware stages and then it is up to you to take care of the final payload(s). You can wait for a couple of minutes, or just use GarbageMan to create a database from the running live payload process.<\/p>\n<p>Alternatively, you can just execute the malware and use GarbageMan (or execute the malware using GarbageMan) for the final database. In this case you might miss any intermediate malware stages, and quite possibly also the final payload, if it quits fast.<\/p>\n<p>When GarbageMan starts, it first presents an empty view like this:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture4-resizedimagewzywmcwzmjzd.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h2>Basic navigation<\/h2>\n<p>Initially, all the above views are empty. You need to either attach to a running program, open a minidump, or open an existing database from the File menu. When the target is opened, its data is presented as follows:<\/p>\n<ul>\n<li>Heap objects. This is where the heap objects are listed, sorted by the heap memory address. 
There\u2019s also object size, type and value<\/li>\n<li>Object view area. When an object is selected in the heap object view, its details are presented here as hex or, if the data happens to be in a recognized image format, as an image<\/li>\n<li>Search results. This area is initially empty and can be filled either by entering search items above the area or by selecting a search item from the Tools menu. A very practical starting point is to run \u201cSearch all\u201d. By double-clicking an object in this area, you can jump to the corresponding item in the heap object view<\/li>\n<li>References. If the heap object has direct references, they are presented here. Navigation works here the same way as in the search view.<\/li>\n<\/ul>\n<h2>Stack view<\/h2>\n<p>In addition to heaps, GarbageMan also offers managed stack details, presented in the \u201cStack\u201d tab. You can switch between the threads of the process from above the stack frame view. Only .NET objects are presented in the stack slots. Thread context presents the state of the CPU for the selected thread.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture5-resizedimagewzywmcwzmjvd.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>One particularly interesting strategy would be to take multiple snapshots at a very short interval, for example 50-100ms, and leave out heap objects from the collection options (it will still collect objects in stack slots, and objects referenced by them). This results in more traditional behavior-based data collection, and it may be possible to collect a rough API trace.<\/p>\n<h2>Object tracing<\/h2>\n<p>By selecting a heap object and right-clicking, you can find some interesting tools in the context menu. One such tool is the object tracing tool. It tries to find objects by following references up to a specified depth (the default reference view offers only objects with direct references). 
With this tool it is possible to find interesting data related to various objects. For example, if you trace an HttpWebRequest object, it is possible to find related data buffers, certificates, URLs etc.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture6-resizedimagewzywmcwzmjzd.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The other way around also works: from a string that looks like a URL, you can trace objects related to that URL. In fact, most objects are related to all other objects, given enough trace depth. The default depth of seven is in practice a good starting point. Objects at a depth of around 10 or so are probably no longer contextually related to the given object.<\/p>\n<p>Do also note that the trace tool can be very slow with large heaps (in the range of millions of objects). That\u2019s why there\u2019s a timer. In most cases the tool finds relevant objects in 10-15 seconds.<\/p>\n<h2>Object searching<\/h2>\n<p>A key piece of GarbageMan functionality is the ability to search for objects in the database and present them in the search area.<\/p>\n<p>Search entries in the Search menu are built dynamically from the JSON file Search.json. There are two types of search items: \u201cbasic\u201d and \u201ccustom\u201d. Basic types directly use the tools provided above the search area. There\u2019s quite a lot one can do with them, but even more interesting is the custom search functionality. It runs raw SQL queries against the database. You can conveniently experiment with these queries with the \u201cRun raw SQL\u201d tool, as presented below.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture7-resizedimagewzywmcwzmjzd.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The SQL query language is in fact a programming language in its own right, so very complicated search queries can be built on top of it. 
You can see some examples in the example Search.json.<\/p>\n<p>Once you are happy with the query, just export it as JSON and store it in Search.json. Then reload the database from the Tools menu.<\/p>\n<p>\u201cSearch all\u201d just executes all the available search items and sorts the results by address, thus picking up only interesting objects and arranging them in a timeline that can be consumed instead of browsing through objects in the heap object list.<\/p>\n<h2>Psnotify<\/h2>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture8-resizedimagewzywmcwzmtvd.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Psnotify needs to be installed to C:\\psnotify (this cannot be changed, unless you modify it and recompile all the components). After this, just run psnotify.exe; it will take care of driver registration and start monitoring the system. When done, stop it with Ctrl+C or close the console window. Dumps are written to the directory C:\\dumps.<\/p>\n<p>The tool uses simple whitelisting by process name to rule out some .NET processes that you are not interested in dumping, such as GarbageMan itself. You can edit the file whitelist.txt in C:\\psnotify to modify this behavior. Because matching is by process name only, any process running under a whitelisted name is not dumped, so keep the list short.<\/p>\n<p>You can also use psnotify to dump all processes (not only .NET) with the command-line option -a. Watch out: this can make your system very slow at times.<\/p>\n<p>Note that the garbage collection prevention requires some work on getting correct debug symbols in place. 
More information about that can be found in the WithSecure Labs GitHub: <a href=\"https:\/\/github.com\/WithSecureLabs\/GarbageMan\/tree\/master\/psnotify\/\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/WithSecureLabs\/GarbageMan\/tree\/master\/psnotify\/<\/a><\/p>\n<\/div>\n                <\/div>\n                        <\/div>\n<\/section>\n
     <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">AI security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Machine learning-driven malware analysis<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/machine-learning-driven-malware-analysis\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use 
xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>GarbageMan is a set of tools for analyzing .NET binaries through heap analysis.<br \/>\nThese tools \u2013 researched and developed by Jarkko Turkulainen from W\/Intel \u2013 offer benefits to malware researchers.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[315],"labs_content_type":[321],"class_list":["post-10463","lab_item","type-lab_item","status-publish","hentry","category-software-protection"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/\u30e9\u30dc<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                   
         <h3 class=\"wp-component-card-insight__title\">GarbageMan: Dumpster-diving the .NET heap<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">GarbageMan is a set of tools for analyzing .NET binaries through heap analysis.\nThese tools \u2013 researched and developed by Jarkko Turkulainen from W\/Intel \u2013 offer benefits to malware researchers.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/garbageman\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item\/10463","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/media?parent=10463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/categories?post=10463"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/labs_content_type?post=10463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}