Comments on Windows Incident Response: Imaging physical memory

Anonymous, 2005-03-15 08:48 (-05:00):

Not to start a holy war about tools, but have you tried the Coreutils for Windows set (http://gnuwin32.sourceforge.net/packages/coreutils.htm)?

Can Cygwin's dd access Physical Memory?

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2005-03-15 09:24 (-05:00):

Jesse,

Yes, I've looked at those, as well as the Unix Utils over on SourceForge.

Can you give me an example of how you'd use these tools?

Regarding your second question, I have no idea... I find George's version of dd.exe to be quite sufficient so far. If it does, it might be interesting to have a run-off...

Anonymous (ben), 2005-03-15 12:33 (-05:00):

Hey Harlan,

You can use things like ProcDump or the OllyDump plugin for OllyDbg. Those will let you dump a full process image out of memory. This is something I do from time to time when analysing packed or encrypted malware.

One could Google for honeynet SotM 32 and read the solutions for full instructions, including fixing the PE headers manually so you can then unpack the binary or open it in IDA or whatever.

Otherwise, once you have a dump you can just sort through the thing with any debugger to look at the call stack etc., which might be enough, depending on why you wanted to dump the memory in the first place.

Cheers,

ben

Anonymous, 2005-03-17 09:26 (-05:00):

To answer my own question ("Can Cygwin's dd access Physical Memory?"), the answer is no. Cygwin is a great toolkit, but the filename for physical memory gets munged along the way. Here's a sample (retyped from memory, not a cut and paste):

$ dd if=\\.\PhysicalMemory of=foo
dd: \\.Physical Memory: No such file or directory

Notice that the trailing slash in the filename has been stripped out of the error message.

I had to hardcode the entries for PhysicalMemory, logical drives and physical devices into the Windows versions of md5deep et al. I wonder if we need to do the same thing for dd under Cygwin?
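One variable in the Cygwin dd experiment above that is independent of Cygwin's own path translation is the shell: a POSIX shell processes backslashes in an unquoted argument before dd ever receives it, so the device name `\\.\PhysicalMemory` is worth checking as dd sees it, not as it was typed. The script below is an added example, not part of the thread. It uses Python's shlex in POSIX mode as a stand-in for bash word splitting (an assumption: shlex matches bash for the three quoting forms shown) and reports the `if=` operand dd would receive for each form. The command lines are constructed inputs.

```python
"""What dd actually receives for a Windows device path typed into a POSIX shell.

Added example, not from the comment thread. shlex in POSIX mode is used as a
model of bash (and Cygwin bash) word splitting; the command lines below are
constructed inputs, not captured output.
"""
import shlex

DEVICE = r"\\.\PhysicalMemory"


def shell_argv(cmdline):
    """Split a command line the way a POSIX shell would (quotes and backslashes applied)."""
    return shlex.split(cmdline, posix=True)


def dd_input_operand(cmdline):
    """Return the value dd would see for its if= operand, or None if it is absent."""
    for arg in shell_argv(cmdline):
        if arg.startswith("if="):
            return arg[len("if="):]
    return None


def quoting_variants(device=DEVICE):
    """Map each quoting style to the path dd receives for `device`.

    unquoted: the shell consumes every backslash as an escape (\\\\ -> \\, \\. -> ., \\P -> P)
    double:   only \\\\ and \\" are escapes inside double quotes, the rest stay literal
    single:   nothing is interpreted, the path arrives intact
    """
    return {
        "unquoted": dd_input_operand(f"dd if={device} of=foo"),
        "double": dd_input_operand(f'dd if="{device}" of=foo'),
        "single": dd_input_operand(f"dd if='{device}' of=foo"),
    }


def survives_shell(cmdline, device=DEVICE):
    """True only if the device path reaches dd byte-for-byte intact."""
    return dd_input_operand(cmdline) == device


if __name__ == "__main__":
    for style, seen in quoting_variants().items():
        print(f"{style:9s} -> dd sees {seen!r}")
```

Quoting the argument only settles what the shell hands over; whether Cygwin then rewrites the argument as a POSIX path is a separate question, and `cygpath -w` on the same string is the manual check for that layer. One caveat for anyone repeating this on systems newer than the 2005 thread: from Windows Server 2003 SP1 onward, user-mode opens of `\\.\PhysicalMemory` are refused regardless of which dd or shell is used, so the test only exercises path handling, not acquisition.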
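ben's comment mentions fixing the PE headers of a dumped process image before loading it in IDA. The usual reason is that a memory dump is laid out by SectionAlignment (each section sits at its VirtualAddress) while file-based tools locate sections by PointerToRawData and SizeOfRawData, which still hold the on-disk values, so those fields have to be rewritten to the virtual layout. The script below is an added example, not from the thread or from the SotM 32 solutions: it builds a constructed minimal PE32, maps it the way the loader would, shows that reading the dump through the raw pointer returns the wrong bytes, and realigns the section table so the read succeeds. All header values (`build_disk_image`, `TEXT_BYTES`, `DATA_BYTES`) are invented; only the field offsets follow the PE format.

```python
"""Realign a PE image dumped from memory so file-based tools can read its sections.

Added example, not from the comment thread. The PE is constructed here: every
header value is invented, only the field offsets follow the PE32 format.
"""
import struct

SECTION_ALIGN, FILE_ALIGN = 0x1000, 0x200
TEXT_BYTES = bytes.fromhex("558bec33c05dc3") + b"\x90" * 25   # constructed 32-byte stub
DATA_BYTES = b"hello, dump\x00".ljust(16, b"\x00")            # constructed 16-byte data


def _pe_offset(buf):
    """Offset of the PE signature, validating the DOS header first."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    off = struct.unpack_from("<I", buf, 0x3C)[0]          # e_lfanew
    if buf[off:off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    return off


def _opt_offset(buf):
    return _pe_offset(buf) + 4 + 20                       # signature + IMAGE_FILE_HEADER


def alignments(buf):
    """(SectionAlignment, FileAlignment) from the optional header."""
    return struct.unpack_from("<II", buf, _opt_offset(buf) + 32)


def parse_sections(buf):
    """Return the section table as dicts (name, vsize, va, rawsize, rawptr, hdr_off)."""
    pe = _pe_offset(buf)
    nsec = struct.unpack_from("<H", buf, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]   # SizeOfOptionalHeader
    table = _opt_offset(buf) + opt_size
    out = []
    for i in range(nsec):
        off = table + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, off)
        out.append(dict(name=name.rstrip(b"\x00"), vsize=vsize, va=va,
                        rawsize=rawsize, rawptr=rawptr, hdr_off=off))
    return out


def read_section(buf, name):
    """Read section bytes the way a file-based parser does: via PointerToRawData."""
    for s in parse_sections(buf):
        if s["name"] == name:
            return bytes(buf[s["rawptr"]:s["rawptr"] + s["vsize"]])
    raise KeyError(name)


def build_disk_image():
    """Minimal PE32 in on-disk layout: 0x400 bytes of headers, then .text and .data."""
    e_lfanew = 0x80
    dos = (b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<II", opt, 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                    # Subsystem: Windows GUI
    sec = struct.Struct("<8sIIIIIIHHI")
    sections = (sec.pack(b".text", len(TEXT_BYTES), 0x1000, FILE_ALIGN, 0x400, 0, 0, 0, 0, 0x60000020)
                + sec.pack(b".data", len(DATA_BYTES), 0x2000, FILE_ALIGN, 0x600, 0, 0, 0, 0, 0xC0000040))
    headers = (dos + b"PE\x00\x00" + file_hdr + bytes(opt) + sections).ljust(0x400, b"\x00")
    return headers + TEXT_BYTES.ljust(FILE_ALIGN, b"\x00") + DATA_BYTES.ljust(FILE_ALIGN, b"\x00")


def simulate_loader(disk):
    """Map the file as the Windows loader would: each section copied to its VirtualAddress."""
    size_of_image, size_of_headers = struct.unpack_from("<II", disk, _opt_offset(disk) + 56)
    image = bytearray(size_of_image)
    image[:size_of_headers] = disk[:size_of_headers]
    for s in parse_sections(disk):
        image[s["va"]:s["va"] + s["rawsize"]] = disk[s["rawptr"]:s["rawptr"] + s["rawsize"]]
    return bytes(image)                                   # what a process dumper hands you


def realign_dump(dump):
    """Rewrite SizeOfRawData/PointerToRawData (and FileAlignment) to the in-memory layout."""
    buf = bytearray(dump)
    sec_align = alignments(buf)[0]
    struct.pack_into("<I", buf, _opt_offset(buf) + 36, sec_align)   # FileAlignment := SectionAlignment
    for s in parse_sections(buf):
        raw_size = -(-s["vsize"] // sec_align) * sec_align          # round up to alignment
        raw_size = min(raw_size, len(buf) - s["va"])                # never past end of dump
        struct.pack_into("<II", buf, s["hdr_off"] + 16, raw_size, s["va"])
    return bytes(buf)


if __name__ == "__main__":
    dump = simulate_loader(build_disk_image())
    print("dump  .text via raw pointer:", read_section(dump, b".text")[:7].hex())
    print("fixed .text via raw pointer:", read_section(realign_dump(dump), b".text")[:7].hex())
```

This is only the realignment step: it makes the dump parseable by a file-based tool so the sections land where the headers say they do. It does not rebuild the import table, which a dumped packed sample usually needs (the IAT in memory holds resolved addresses rather than names), and it does not restore the original entry point, both of which are separate steps in the unpacking writeups ben points to.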