Tuesday, November 20, 2007

Windows Memory Analysis

It's been a while since I've blogged on memory analysis, I know. This is in part due to my work schedule, but it also has a bit to do with how things have apparently cooled off in this area...there just doesn't seem to be the flurry of activity that there was in the past...

However, I could be wrong on that. I had received an email from someone telling me that certain tools mentioned in my book were not available (of those mentioned...nc.exe, BinText, and pmdump.exe, only BinText seems to be no longer available via the FoundStone site), so I began looking around to see if this was, in fact, the case. While looking for pmdump.exe, I noticed that Arne had released a tool called memimager.exe recently, which allows you to dump the contents of RAM using the NtSystemDebugControl API. I downloaded memimager.exe and ran it on my XP SP2 system, and then ran lsproc.pl (a modified version of my lsproc.pl for Windows 2000 systems) against it and found:

0 0 Idle
408 2860 cmd.exe
2860 3052 memimager.exe
408 3608 firefox.exe
408 120 aim6.exe
408 3576 realsched.exe
120 192 aolsoftware.exe(x)
1144 3904 svchost.exe
408 2768 hqtray.exe
408 1744 WLTRAY.EXE
408 2696 stsystra.exe
244 408 explorer.exe

Look familiar? Sure it does, albeit the above is only an extract of the output. Memimager.exe appears to work very similar to the older version of George M. Garner, Jr's dd.exe (the one that accessed the PhysicalMemory object), particularly where areas of memory that could not be read were filled with 0's. I haven't tried memimager on a Windows 2003 (no SPs) system yet. However, it is important to note that Nigilant32 from Agile Risk Management is the only other freely available tool that I'm aware of that will allow you to dump the contents of PhysicalMemory from pre-Win2K3SP1 systems...it's included with Helix, but if you're a consultant thinking about using it, be sure to read the license agreement. If you're running Nigilant32 from the Helix CD, the AgileRM license agreement applies.

I also wanted to followup and see what AAron's been up to over at Volatile Systems...his Volatility Framework is extremely promising! From there, I went to check out his blog, and saw a couple of interesting posts and links. AAron is definitely one to watch in this area of study, and he's coming out with some really innovative tools.

One of the links on AAron's blog went to something called "Push the Red Button"...this apparently isn't the same RedButton from MWC, Inc. (the RedButton GUI is visible in fig 2-5 on page 50 of my first book...you can download your own copy of the "old skool" RedButton to play with), but is very interesting. One blogpost that caught my eye had to do with carving Registry hive files from memory dumps. I've looked at this recently, albeit from a different perspective...I've written code to locate Registry keys, values, and Event Log records in memory dumps. The code is very alpha at this point, but what I've found appears fairly promising. Running such code across an entire memory dump doesn't provide a great deal of context for your data, so I would strongly suggest first extracting the contents of process memory (perhaps using lspm.pl, found on the DVD with my book), or using a tool such as pmdump.exe to extract the process memory itself during incident response activities. Other tools of note for more general file carving include Scalpel and Foremost.

So...more than anything else, it looks like it's getting to be a good time to update processes and tools. I mentioned an upcoming speaking engagement earlier, and I'm sure that there will be other opportunities to speak on Windows memory analysis in the future.


Anonymous said...

Hi Harlan,

will the modified lsproc version ever be publicly available? On the DVD shipped with your book it´s only the version for w2k :o(
Would be great if it is possible to get that version.
kind regards,

AW said...


I don't think things have cooled off in the area of memory analysis. In fact, I would say there are more exciting projects being worked on now than ever before. There are also a lot more talented people involved, who are really pushing the state of the art. In particular, both Andreas and Brendan have been doing some outstanding work! There are also a number of really exciting collaborations happening. I also know that a lot more organizations are including volatile memory analysis as part of their investigations. On the other hand, people are being more cautious about what they talk about publically, considering recent events (ie BlackHat Vegas). I'm looking forward to a number of great submissions to DFRWS 2008 in the area of volatile memory analysis.


PS. Thanks for the links!

H. Carvey said...


On the other hand, people are being more cautious about what they talk about publically, considering recent events (ie BlackHat Vegas).

Okay, I'll bite...what happened? (Remember, I don't always get to go to these things...)

The reason I was saying that things appear to be cooling off in this area is that...well, you said it yourself. There's less being said (and asked) publicly. There was a thread over on Digital Detective a bit ago, but the testing did not include any sort of rigor, standard or documentation of any kind.

In addition to DFRWS, I see some interesting topics on the agenda at DoD Cybercrime. Also, there's a really good article out of Police Chief Magazine that mentions the need for such things.

Good to hear from you and I enjoy following your blog...

H. Carvey said...


I haven't released any of the new stuff for a couple of reasons...time to clean it up and do testing, as well as time to develop a framework that includes more OSs, a GUI, etc. Also, there just doesn't seem to be any interest...no one's asked...

Jolly said...

I think there are lots of people who would be interested if you released updated tools - I certainly would be!