Meckazin / ChromeKatz

Dump cookies and credentials directly from Chrome/Edge process memory
BSD 3-Clause "New" or "Revised" License

support for dumped process from volatility #2

Closed garanews closed 2 months ago

garanews commented 6 months ago

```
PS C:\Users\xxx\Documents\GitHub\ChromeKatz\Debug> .\CookieKatzMinidump.exe .\6784.msedge.exe.0x7ff6cffb0000.dmp
 _____             _    _      _   __      _
/  __ \           | |  (_)    | | / /     | |
| /  \/ ___   ___ | | ___  ___| |/ /  __ _| |_ ____
| |    / _ \ / _ \| |/ / |/ _ \    \ / _` | __|_  /
| \__/\ (_) | (_) |   <| |  __/ |\  \ (_| | |_ / /
 \____/\___/ \___/|_|\_\_|\___\_| \_/\__,_|\__/___|
By Meckazin                     github.com/Meckazin
Kittens love cookies too!

[*] Trying to parse the file: .\6784.msedge.exe.0x7ff6cffb0000.dmp
The signature (785a4d) does not match the expected signature.
The header looks wrong.
[-] Failed to parse file: .\6784.msedge.exe.0x7ff6cffb0000.dmp
```

Meckazin commented 6 months ago

Sorry, I'm not really familiar with Volatility's memory dump format. I can look into this if you can provide me with a clear use case for why this would be important or useful.

garanews commented 6 months ago

Well, the goal would be to build a plugin that does what you do but directly from Volatility, but maybe that is not your business! :) You can see the current plugins here: https://github.com/volatilityfoundation/volatility3/tree/develop/volatility3/framework/plugins/windows

But I would start first with what you have already built, so using your CookieKatzMinidump try to fetch cookies from extracted executables present in memory dumps. More or less it is the same concept as pypykatz:

standalone: https://github.com/skelsec/pypykatz
volatility plugin: https://github.com/skelsec/pypykatz-volatility3

If needed I can send you some msedge or chrome processes extracted with the Volatility framework from some Windows memory dump.

Meckazin commented 2 months ago

I believe that the minidump support will satisfy this need. Closing the ticket for now.
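The failure in the first comment, as an added example that is not ChromeKatz or Volatility code: a small Python check that tells a Windows minidump (ASCII signature `MDMP` at the start of `MINIDUMP_HEADER`) apart from a PE image, which is what Volatility writes when it dumps a process executable, and then walks the minidump stream directory. Reading the reported signature `785a4d` as a little-endian 32-bit word gives the bytes `4d 5a 78 00`, i.e. `MZ` followed by `x`, which is consistent with a PE header rather than a minidump; that CookieKatzMinidump prints the first four bytes that way is an assumption, as are the helper names below. The sample minidump and the PE prefix are constructed inline so the script runs offline.

```python
"""Sniff the file format before handing it to a minidump parser, and list
the minidump's streams if it is one. Added example; not ChromeKatz code."""
import struct

# MINIDUMP_HEADER (32 bytes): Signature, Version, NumberOfStreams,
# StreamDirectoryRva, CheckSum, TimeDateStamp, Flags (u64)
HEADER_FMT = "<4sIIIIIQ"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 32
# MINIDUMP_DIRECTORY (12 bytes): StreamType, DataSize, Rva
DIR_FMT = "<III"
DIR_SIZE = struct.calcsize(DIR_FMT)         # 12

MINIDUMP_SIGNATURE = b"MDMP"
MINIDUMP_VERSION = 0xA793                   # low 16 bits of Version
STREAM_NAMES = {3: "ThreadListStream", 4: "ModuleListStream",
                5: "MemoryListStream", 7: "SystemInfoStream",
                9: "Memory64ListStream", 16: "HandleDataStream"}


def classify(data):
    """Cheap magic-number check before any parsing."""
    if data[:4] == MINIDUMP_SIGNATURE:
        return "minidump"
    if data[:2] == b"MZ":
        return "pe"   # PE image, e.g. a process executable dumped by Volatility
    return "unknown"


def signature_as_le_word(data):
    """First four bytes as a little-endian u32, the way the ticket's output
    appears to print the signature (assumption, not verified against the tool)."""
    return int.from_bytes(data[:4].ljust(4, b"\0"), "little")


def parse_minidump(data):
    """Validate MINIDUMP_HEADER and return its stream directory."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for MINIDUMP_HEADER")
    sig, version, nstreams, dir_rva, _csum, timestamp, flags = \
        struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError(f"signature {signature_as_le_word(data):x} is not MDMP; "
                         f"file looks like: {classify(data)}")
    if version & 0xFFFF != MINIDUMP_VERSION:
        raise ValueError(f"unexpected minidump version {version & 0xFFFF:#x}")
    if dir_rva + nstreams * DIR_SIZE > len(data):
        raise ValueError("stream directory runs past end of file")
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + i * DIR_SIZE)
        if rva + size > len(data):   # every stream must lie inside the file
            raise ValueError(f"stream {stype} at {rva:#x}+{size:#x} runs past end of file")
        streams.append({"type": stype, "size": size, "rva": rva,
                        "name": STREAM_NAMES.get(stype, f"Unknown({stype})")})
    return {"version": version & 0xFFFF, "timestamp": timestamp,
            "flags": flags, "streams": streams}


def build_sample_minidump():
    """Constructed minimal minidump: header, 2-entry directory, two empty streams."""
    dir_rva = HEADER_SIZE
    mem64_rva = dir_rva + 2 * DIR_SIZE            # 56
    mem64 = struct.pack("<QQ", 0, 0)              # NumberOfMemoryRanges=0, BaseRva=0
    modules_rva = mem64_rva + len(mem64)          # 72
    modules = struct.pack("<I", 0)                # NumberOfModules=0
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, 0x0005A793, 2,
                         dir_rva, 0, 0x66000000, 0)
    directory = (struct.pack(DIR_FMT, 9, len(mem64), mem64_rva) +
                 struct.pack(DIR_FMT, 4, len(modules), modules_rva))
    return header + directory + mem64 + modules


# Constructed: the first bytes of a PE image ("MZ", e_cblp=0x0078), not a real binary.
SAMPLE_PE_PREFIX = b"MZx\x00" + b"\0" * 60

if __name__ == "__main__":
    for s in parse_minidump(build_sample_minidump())["streams"]:
        print(f"{s['name']:<20} size={s['size']:#x} rva={s['rva']:#x}")
    try:
        parse_minidump(SAMPLE_PE_PREFIX)
    except ValueError as err:
        print("[-]", err)
```

Run as-is it lists the two streams of the constructed minidump and rejects the PE prefix with a message that names the format it found. Beyond the signature check there is a deeper reason the Volatility-extracted executable cannot work here: a dumped PE image holds the executable's mapped sections, not the process heap where the cookie structures the tool scans live, so a Volatility plugin would have to read the process's address space from the memory image (or write a minidump from it) rather than feed the extracted executable to the minidump parser.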