Tuesday, May 23, 2006

Sourceforge updates

Okay, I know I haven't blogged in a while, but work's been busy.

On a positive note, I updated the contents of the WindowsIR Sourceforge site tonight, revamping the structure of the project itself. I've uploaded the lsproc, lspd, lspm, and RAMDump tools. If you remember, RAMDump is a GUI wrapper around George Garner's dd.exe, allowing the user to dump the contents of physical memory from a Windows 2000/XP system.

The rest of the tools are specific to Windows 2000 systems. That is to say, lsproc will parse through a dd.exe-style dump of physical memory from a Windows 2000 system and locate EPROCESS blocks. Lspd will extract process details based on the output of lsproc, and lspm will dump the memory used by a process based on the output of lsproc. Each of these three packages contains Perl source code, a Windows EXE compiled using Perl2Exe, and a required DLL.

Again...these three utilities are in the Windows2000 release because they work on memory dumps from Windows 2000 systems.

I will be posting other tools on this site over time, ranging from live response/IR tools to utilities meant for CF analysis.

Besides work (which I won't be posting about) I've been doing a lot of thinking with regards to live response, and I will be posting my thoughts.

Addendum: I uploaded the Offline Registry Parser, regp.pl, to the SF site, as well. The archive contains the Perl code, a Windows EXE compiled with Perl2Exe (you can use PAR, as well), and a required DLL.

2 comments:

Anonymous said...

Great job Harlan! I know I appreciate all the work you put in to this and the fact you share it with the rest of the CF practitioners out there.

Thanks again,

Dave Nardoni

H. Carvey said...

Dave,

Thanks. It's always good to get feedback.

Harlan