The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Windows Physical Memory Analysis

Posted by Xavier Ashe on April 7, 2006

I'll be writing more on this particular subject as time goes on, but I wanted to post something right away. I've noticed over the past couple of weeks that Andreas Schuster has been doing some work with debuggers, etc., to document some of the structures found in physical memory for various versions of Windows, from Win2000 SP4 through Vista (he's noted that most of the structures change between versions and even between Service Packs). Well, I took a look the other day and noticed that he'd posted something called PTFinder, which, as it just so happens, is a Perl script that parses a dump of physical memory (this version works for dumps of physical memory from Win2000 SP4 systems).

So, I took a look at what he was doing, exchanged some emails, and expressed my desire to assist with what he's doing. As it turns out, the DFRWS 2005 Memory Challenge provides a great set of test files (2, actually) for testing any tools you're writing to parse a memory dump generated using dd.exe.

I started working on something of my own, using the exercise as a learning process so that I can not only be smarter on this stuff, but also assist Andreas with what he's doing. I've got the output of the Memory Challenge submissions to check my work against, and so far, things are working pretty well. Here's an excerpt of the output from my version of the script…

From The Windows Incident Response Blog. Read Part 1 and Part 2.
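The post describes the technique without showing it: PTFinder walks a raw dd-style memory image looking for the few bytes that begin each kernel process object, then checks the fields around each hit before reporting it. The script below is an added example of that approach, written for this page; it is not PTFinder and not code from the Windows Incident Response blog. The signature bytes, the field offsets and the 16 KiB "dump" are all constructed for the demonstration (real layouts differ per Windows version and Service Pack, as the post notes, and would have to be filled in from the target build). The decoy records show why the sanity checks matter: a signature match alone produces false positives.

```python
"""Signature-based scan of a raw physical-memory image for process objects.

Added example, not PTFinder. The structure layout below is CONSTRUCTED for the
demo; replace SIG and the OFF_* offsets with values documented for the target
Windows build before using this against a real dump.
"""
import struct
from datetime import datetime, timedelta

# Constructed layout (assumption for the demo, not real Windows offsets).
SIG = b"\x03\x00\x1b\x00"   # bytes that open the object in this demo layout
OFF_PID = 0x10              # 32-bit process id
OFF_PPID = 0x14             # 32-bit parent process id
OFF_CREATE_TIME = 0x18      # 64-bit FILETIME
OFF_IMAGE_NAME = 0x20       # 16-byte NUL-padded image name
STRUCT_SIZE = 0x30
PAGE = 0x1000

EPOCH_1601 = datetime(1601, 1, 1)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def sane(pid, ppid, ctime, name):
    """Reject hits whose fields do not look like a live process record.

    Windows process ids are multiples of 4, a running process has a non-zero
    creation time, and the image name is printable ASCII.
    """
    if pid % 4 or ppid % 4 or pid > 0xFFFF or ppid > 0xFFFF:
        return False
    if ctime == 0:
        return False
    if not name or not all(0x20 <= b < 0x7F for b in name):
        return False
    return True


def find_processes(image):
    """Scan every occurrence of SIG in the image and keep the plausible ones."""
    hits = []
    pos = image.find(SIG)
    while pos != -1:
        if pos + STRUCT_SIZE <= len(image):
            pid, ppid = struct.unpack_from("<II", image, pos + OFF_PID)
            ctime = struct.unpack_from("<Q", image, pos + OFF_CREATE_TIME)[0]
            raw = image[pos + OFF_IMAGE_NAME:pos + OFF_IMAGE_NAME + 16]
            name = raw.split(b"\x00", 1)[0]
            if sane(pid, ppid, ctime, name):
                hits.append({"offset": pos, "pid": pid, "ppid": ppid,
                             "create_time": filetime_to_datetime(ctime),
                             "name": name.decode("ascii")})
        pos = image.find(SIG, pos + 1)
    return hits


def make_process(pid, ppid, ctime, name):
    """Build one process record in the constructed demo layout."""
    buf = bytearray(STRUCT_SIZE)
    buf[0:4] = SIG
    struct.pack_into("<IIQ", buf, OFF_PID, pid, ppid, ctime)
    enc = name.encode("ascii")
    buf[OFF_IMAGE_NAME:OFF_IMAGE_NAME + len(enc)] = enc
    return bytes(buf)


def build_sample_image():
    """Constructed 16 KiB 'dump': two real-looking processes plus two decoys."""
    img = bytearray(4 * PAGE)

    def place(off, blob):
        img[off:off + len(blob)] = blob

    place(0x0100, make_process(8, 0, 0x01C5B7A000000000, "System"))
    place(0x1A40, make_process(148, 8, 0x01C5B7A010000000, "smss.exe"))
    # Decoy 1: signature bytes inside a data buffer; every field is 0xFF.
    place(0x2F00, SIG + b"\xff" * (STRUCT_SIZE - 4))
    # Decoy 2: well-formed record with an impossible (odd) process id.
    place(0x3200, make_process(333, 8, 0x01C5B7A020000000, "fake.exe"))
    return bytes(img)


if __name__ == "__main__":
    for p in find_processes(build_sample_image()):
        print("0x{offset:08x}  pid={pid:<5} ppid={ppid:<5} {create_time}  {name}"
              .format(**p))
```

Running the script reports the two constructed processes and drops both decoys. Against a real image the same loop would be driven by the documented signature and offsets for that build, and the sanity checks would typically be extended to the fields PTFinder relies on (for example that the list links point back into the image), since a bare byte pattern will also match inside file buffers and unused pool pages.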
