Windows Physical Memory Analysis

I'll be writing more on this particular subject as time goes on, but I
wanted to post something right away. I've noticed over the past couple
of weeks that Andreas Schuster
has been doing some work with debuggers, etc., to document some of the
structures found in physical memory for various versions of Windows,
from Win2000 SP4 through Vista (he's noted that most of the structures
change between versions and even between Service Packs). Well, I took a
look the other day and noticed that he'd posted something called PTFinder,
which as it just so happens is a Perl script that parses a dump of
physical memory (this version works for dumps of physical memory from
Win2000 SP4 systems).

So, I took a look at what he was doing,
and exchanged some emails, and expressed my desire to assist with what
he's doing. As it turns out, the DFRWS 2005 Memory Challenge provides a great set of test files (2, actually) for testing any tools you're writing to parse a memory dump generated using dd.exe.

I started working on something of my own, using the exercise as a
learning process so that I can not only be smarter on this stuff, but
to also assist Andreas with what he's doing. I've got the output of the
Memory Challenge submissions to check my work against, and so far,
things are working pretty well. Here's an excerpt of the output from my
version of the script…

From The Windows Incident Response Blog. Read Part 1 and Part 2.


Author: Xavier Ashe

Entrepreneur, Infosec Executive, CISSP, CISM, Ironman triathlete, traveler, UU, paleo, father of 8, goyishe, gamer, & geek.
