ufrisk / MemProcFS

MemProcFS
GNU Affero General Public License v3.0

Dumping Kernel Services #202

Closed bbrty closed 10 months ago

bbrty commented 11 months ago

Hello Ufrisk,

Firstly, thank you so much for all of this amazing work!

I wanted to know if it is possible to dump kernel modules. It says in other process dumps.txt that they can't be running in kernel mode. Is there a specific reason we can't?

Many thanks

ufrisk commented 11 months ago

Thanks,

You can check out kernel modules (aka drivers) under the System process (PID 4).

For modules that are only mapped into kernel session space (i.e. win32k) I've opened up csrss.exe for this. You can find win32k there together with the other "ordinary" kernel modules.

Please let me know if this is the answer to your question and if it helps.

bbrty commented 11 months ago

Amazing, is it possible to create minidumps of drivers?

The only thing I could find is in the files folder. However it would be amazing if each driver would have a minidump generated!

ufrisk commented 11 months ago

Minidumps don't work on a per-driver basis. They are on a per-process basis. Drivers reside in the kernel so this would be a full memory dump (which is supported in memory.dmp) or a partial kernel-only memory dump (which is not supported).

If you mean a regular memory dump that can be analyzed with WinDbg you have that in the file system root folder as M:\memory.dmp

As far as the driver itself, if you wish to dump that, you'll find it under M:\name\System-4\files\modules or as M:\name\System-4\modules\tcpip.sys\pefile.dll These files are incomplete however. Things like signatures will be missing since it's not residing in the executable active view in memory.

Sometimes if you start MemProcFS with memprocfs.exe -device -forensic 1 and wait a while M:\forensic\files will appear. In M:\forensic\files\ROOT\Windows\System32\drivers you'll find yet another view of some of the drivers.
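The comment above says each driver reconstructed from memory is exposed as M:\name\System-4\modules\<driver>\pefile.dll and that such a file is incomplete, notably lacking its Authenticode signature. The script below is an added example (not part of this thread or of MemProcFS itself) that walks that directory layout on an already-mounted file system, hashes every pefile.dll, and parses the PE optional header to report whether the certificate table (data directory entry 4) is present, which is the concrete check behind the "signatures will be missing" caveat. The mount root, the function names and the minimal PE32+ image built by build_fake_pe are assumptions constructed for the example; the fake image only exercises the header parsing and is not a real driver.

```python
import hashlib
import shutil
import struct
import tempfile
from pathlib import Path

# Layout described in the issue: <mount>\name\System-4\modules\<driver>\pefile.dll
MODULES_SUBDIR = Path("name") / "System-4" / "modules"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Authenticode certificate table


def pe_security_directory(data: bytes):
    """Return (rva, size) of the certificate table, or None if the bytes are not a parsable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt_off = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    if opt_off + 2 > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                            # PE32: data directories start at +96
        dd_off = opt_off + 96
    elif magic == 0x20B:                          # PE32+: data directories start at +112
        dd_off = opt_off + 112
    else:
        return None
    num_rva = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if num_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > len(data):
        return None
    return struct.unpack_from("<II", data, entry)


def collect_driver_images(mount_root, out_dir=None) -> dict:
    """Hash every reconstructed driver image under the mount and flag missing certificate tables.

    If out_dir is given, each pefile.dll is copied there as <driver>.bin for offline analysis.
    """
    root = Path(mount_root) / MODULES_SUBDIR
    results = {}
    if not root.is_dir():
        return results
    for pefile in sorted(root.glob("*/pefile.dll")):
        data = pefile.read_bytes()
        sec = pe_security_directory(data)
        results[pefile.parent.name] = {
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            # A zero-sized entry means the memory-reconstructed image carries no signature blob.
            "has_cert_table": bool(sec and sec[1] > 0),
        }
        if out_dir is not None:
            Path(out_dir).mkdir(parents=True, exist_ok=True)
            shutil.copyfile(pefile, Path(out_dir) / (pefile.parent.name + ".bin"))
    return results


def build_fake_pe(cert_size: int = 0) -> bytes:
    """Constructed minimal PE32+ image (headers only) used as sample input; not a real driver."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 112 + 16 * 8, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(108, b"\0") + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if cert_size:
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, cert_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


def demo() -> dict:
    """Build a constructed mount tree in a temp dir and run the collector over it."""
    base = Path(tempfile.mkdtemp(prefix="memprocfs-demo-"))
    modules = base / MODULES_SUBDIR
    (modules / "tcpip.sys").mkdir(parents=True)
    (modules / "tcpip.sys" / "pefile.dll").write_bytes(build_fake_pe(0))       # no signature, as in the thread
    (modules / "signed.sys").mkdir(parents=True)
    (modules / "signed.sys" / "pefile.dll").write_bytes(build_fake_pe(0x2000)) # control case with a cert table
    try:
        return collect_driver_images(base, base / "export")
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

On a real mount you would call collect_driver_images(r"M:\", r"C:\cases\drivers"); the has_cert_table flag lets an analyst see at a glance which exported images cannot be verified with signtool and should be compared against the copies under M:\forensic\files\ROOT\Windows\System32\drivers instead.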

bbrty commented 11 months ago

Minidumps don't work on a per-driver basis. They are on a per-process basis. Drivers reside in the kernel so this would be a full memory dump (which is supported in memory.dmp) or a partial kernel-only memory dump (which is not supported).

If you mean a regular memory dump that can be analyzed with WinDbg you have that in the file system root folder as M:\memory.dmp

As far as the driver itself, if you wish to dump that, you'll find it under M:\name\System-4\files\modules or as M:\name\System-4\modules\tcpip.sys\pefile.dll These files are incomplete however. Things like signatures will be missing since it's not residing in the executable active view in memory.

Sometimes if you start MemProcFS with memprocfs.exe -device -forensic 1 and wait a while M:\forensic\files will appear. In M:\forensic\files\ROOT\Windows\System32\drivers you'll find yet another view of some of the drivers.

OK, that's perfect. Are there currently plans to implement a kernel-only memory dump?

Thank you so much for this amazing project, I feel the community doesn't thank you enough, it's truly brilliant!

ufrisk commented 11 months ago

There are no plans to create a kernel-only dump file. It would just be a stripped down inferior variant of the full memory.dmp that already exists.

I quite don't understand the meaning why that would be necessary. If you wish to save it to disk just save the full memory.dmp, disk space is relatively cheap nowadays anyway. Or just compress it if you wish to save space.

ufrisk commented 10 months ago

Closing the issue since I believe it to be resolved. Let me know if there are any remaining issues not answered.