volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

Minidump support #443

Open DigiAngel opened 7 years ago

DigiAngel commented 7 years ago

Not sure if this has been asked, but I thought I'd give it a go. I'm hoping for Minidump support in volatility. These are acquired using tools like ProcessHacker or Process Explorer...the file command shows:

 Mini DuMP crash report, 12 streams, Fri Jun 16 12:35:07 2017, 0x1826 type

and the first bits of hex:

00000000  4D 44 4D 50 93 A7 02 6C 0C 00 00 00 20 00 00 00 00 00 00 00 7B D0 43 59 26 18 00 00 00 00 00 00  MDMP...l............{.CY&.......
00000020  03 00 00 00 44 02 00 00 D0 01 00 00 11 00 00 00 0C 03 00 00 14 04 00 00 04 00 00 00 BC 2C 00 00  ....D........................,..
00000040  20 07 00 00 0E 00 00 00 5C 01 00 00 DC 33 00 00 09 00 00 00 80 3B 00 00 B1 86 01 00 10 00 00 00  ........\....3.......;..........
00000060  F0 DC 00 00 C1 A9 00 00 07 00 00 00 38 00 00 00 B0 00 00 00 0F 00 00 00 E8 00 00 00 E8 00 00 00  ............8...................
00000080  0C 00 00 00 10 00 00 00 B1 A9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................
000000A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 03 3C 02 01 06 00 00 00 01 00 00 00  .....................<..........
000000C0  B1 1D 00 00 02 00 00 00 38 35 00 00 00 03 00 00 47 65 6E 75 69 6E 65 49 6E 74 65 6C C3 06 03 00  ........85......GenuineIntel....

ImageInfo shows:

INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : No suggestion (Instantiated with no profile)
                     AS Layer1 : FileAddressSpace (/media/bad/unknown/powershell.exe.dmp)
                      PAE type : No PAE

kpcrscan and kdbgscan come up with nothing. Thank you.
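The `file` summary and the hexdump above can be checked by hand against the public minidump layout, so here is an added example (my code, not Volatility's and not DigiAngel's) that parses only the 224 bytes quoted in the post: the MINIDUMP_HEADER, the 12-entry stream directory that the header points to at RVA 0x20, and the leading fields of the SystemInfo stream at RVA 0xB0. The structure layouts and the stream-type and MINIDUMP_TYPE names are the public Windows SDK definitions; nothing else is assumed. The same parse also shows why kpcrscan and kdbgscan come up empty: a process minidump describes user-mode memory ranges of one process (via its Memory64List stream), so there is no kernel, KPCR or KDBG in the file for a profile scan to find.

```python
"""Minimal MINIDUMP header / stream-directory / SystemInfo parser.
Added example: not Volatility code and not from the issue author. It assumes only the
public MINIDUMP_HEADER, MINIDUMP_DIRECTORY and MINIDUMP_SYSTEM_INFO layouts."""
import struct
from datetime import datetime, timezone

# The first 224 bytes (0x00-0xDF) of powershell.exe.dmp, copied from the hexdump in the post.
DUMP_PREFIX = bytes.fromhex(
    "4D 44 4D 50 93 A7 02 6C 0C 00 00 00 20 00 00 00 00 00 00 00 7B D0 43 59 26 18 00 00 00 00 00 00 "
    "03 00 00 00 44 02 00 00 D0 01 00 00 11 00 00 00 0C 03 00 00 14 04 00 00 04 00 00 00 BC 2C 00 00 "
    "20 07 00 00 0E 00 00 00 5C 01 00 00 DC 33 00 00 09 00 00 00 80 3B 00 00 B1 86 01 00 10 00 00 00 "
    "F0 DC 00 00 C1 A9 00 00 07 00 00 00 38 00 00 00 B0 00 00 00 0F 00 00 00 E8 00 00 00 E8 00 00 00 "
    "0C 00 00 00 10 00 00 00 B1 A9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 03 3C 02 01 06 00 00 00 01 00 00 00 "
    "B1 1D 00 00 02 00 00 00 38 35 00 00 00 03 00 00 47 65 6E 75 69 6E 65 49 6E 74 65 6C C3 06 03 00"
)

MINIDUMP_SIGNATURE = b"MDMP"
# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum,
# TimeDateStamp, Flags (a 64-bit MINIDUMP_TYPE mask; this is the "type" that `file` prints)
HEADER = struct.Struct("<4sIIIIIQ")
DIRECTORY = struct.Struct("<III")                    # StreamType, Location.DataSize, Location.Rva
SYSINFO_PREFIX = struct.Struct("<HHHBBIIIIIHH12s")   # MINIDUMP_SYSTEM_INFO up to Cpu.VendorId

STREAM_TYPES = {  # MINIDUMP_STREAM_TYPE values
    0: "UnusedStream", 3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 8: "ThreadExListStream", 9: "Memory64ListStream",
    10: "CommentStreamA", 11: "CommentStreamW", 12: "HandleDataStream", 13: "FunctionTableStream",
    14: "UnloadedModuleListStream", 15: "MiscInfoStream", 16: "MemoryInfoListStream",
    17: "ThreadInfoListStream", 18: "HandleOperationListStream", 19: "TokenStream",
}
MINIDUMP_TYPE_FLAGS = {  # MINIDUMP_TYPE bits
    0x1: "WithDataSegs", 0x2: "WithFullMemory", 0x4: "WithHandleData", 0x8: "FilterMemory",
    0x10: "ScanMemory", 0x20: "WithUnloadedModules", 0x40: "WithIndirectlyReferencedMemory",
    0x80: "FilterModulePaths", 0x100: "WithProcessThreadData", 0x200: "WithPrivateReadWriteMemory",
    0x400: "WithoutOptionalData", 0x800: "WithFullMemoryInfo", 0x1000: "WithThreadInfo",
    0x2000: "WithCodeSegs", 0x4000: "WithoutAuxiliaryState", 0x8000: "WithFullAuxiliaryState",
    0x10000: "WithPrivateWriteCopyMemory", 0x20000: "IgnoreInaccessibleMemory",
    0x40000: "WithTokenInformation", 0x80000: "WithModuleHeaders",
}
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def parse_header(data):
    """Validate the MDMP signature and unpack MINIDUMP_HEADER."""
    if len(data) < HEADER.size:
        raise ValueError("too short for MINIDUMP_HEADER")
    sig, version, nstreams, dir_rva, checksum, ts, flags = HEADER.unpack_from(data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("bad signature %r, expected MDMP" % sig)
    return {"version": version & 0xFFFF,            # low word is the format version (0xA793)
            "implementation": version >> 16,        # high word is writer-specific
            "num_streams": nstreams, "stream_dir_rva": dir_rva, "checksum": checksum,
            "timestamp": ts, "time": datetime.fromtimestamp(ts, tz=timezone.utc), "flags": flags}


def decode_flags(flags):
    """Name the MINIDUMP_TYPE bits set in Flags; unknown bits are reported, not dropped."""
    names = [name for bit, name in sorted(MINIDUMP_TYPE_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(MINIDUMP_TYPE_FLAGS)
    return names + (["Unknown(0x%x)" % unknown] if unknown else [])


def parse_directory(data, header):
    """Walk the MINIDUMP_DIRECTORY array; mark streams whose body is not fully present."""
    entries = []
    for i in range(header["num_streams"]):
        off = header["stream_dir_rva"] + i * DIRECTORY.size
        if off + DIRECTORY.size > len(data):
            raise ValueError("directory entry %d lies past end of data" % i)
        stype, size, rva = DIRECTORY.unpack_from(data, off)
        entries.append({"type": stype, "name": STREAM_TYPES.get(stype, "Unknown(%d)" % stype),
                        "size": size, "rva": rva, "truncated": size > 0 and rva + size > len(data)})
    return entries


def parse_system_info(data, entries):
    """Decode the leading MINIDUMP_SYSTEM_INFO fields, or None if the stream is absent or cut off."""
    for e in entries:
        if e["type"] == 7 and e["rva"] + SYSINFO_PREFIX.size <= len(data):
            (arch, level, revision, nproc, product_type, major, minor, build, platform,
             csd_rva, suite_mask, _reserved, vendor) = SYSINFO_PREFIX.unpack_from(data, e["rva"])
            return {"arch": arch, "level": level, "revision": revision, "num_processors": nproc,
                    "product_type": product_type, "major": major, "minor": minor, "build": build,
                    "platform": platform, "csd_rva": csd_rva, "suite_mask": suite_mask,
                    "vendor": vendor.decode("ascii", "replace")}
    return None


def describe(data):
    """Rebuild the one-line summary `file` printed, from the header fields alone (UTC)."""
    h, t = parse_header(data), parse_header(data)["time"]
    return "Mini DuMP crash report, %d streams, %s %s %d %02d:%02d:%02d %d, 0x%x type" % (
        h["num_streams"], DAYS[t.weekday()], MONTHS[t.month - 1], t.day,
        t.hour, t.minute, t.second, t.year, h["flags"])


if __name__ == "__main__":
    hdr = parse_header(DUMP_PREFIX)
    print(describe(DUMP_PREFIX), "|", ", ".join(decode_flags(hdr["flags"])))
    dirs = parse_directory(DUMP_PREFIX, hdr)
    for e in dirs:
        print("  %-26s size=0x%-6x rva=0x%-6x %s" % (e["name"], e["size"], e["rva"],
                                                    "(body beyond quoted bytes)" if e["truncated"] else ""))
    print("system:", parse_system_info(DUMP_PREFIX, dirs))
```

Run on the quoted bytes, the header alone reproduces the `file` line (12 streams, Fri Jun 16 12:35:07 2017, 0x1826), the flags decode to WithFullMemory, WithHandleData, WithUnloadedModules, WithFullMemoryInfo and WithThreadInfo, and the directory lists nine populated streams plus three unused entries, with SystemInfo reporting a two-processor GenuineIntel Windows 6.1 build 7601 workstation. Every populated stream body lies beyond the 224 quoted bytes, which is why `truncated` is set; the Memory64List stream (here at RVA 0x186B1) is the one a Volatility address space would have to map, since its descriptors give each range's start address and size and the range data follows contiguously from its BaseRva.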

gleeda commented 7 years ago

We don't currently have support for minidumps, but I know some people have worked on it in the past. Not sure if they have released any plugins for Volatility yet, however. I know @moyix had released a tool a while back that may prove useful, as well: http://moyix.blogspot.com/2008/05/parsing-windows-minidumps.html

DigiAngel commented 7 years ago

Thanks...ironically I have that .py on my drive :) Hopefully you folks will get this feature in someday. Sometimes I only get a chance to get the proc dump, not a full memory dump :(

xambroz commented 6 years ago

+1 ... I would also be glad seeing this in volatility.

NyaMisty commented 6 years ago

+1 as the minidump is quite common.

s0i37 commented 5 years ago

The raw2dmp can create a minidump. But it seems to be only the kernel address space... Why is there no pid or eprocess option for dumping a usermode process?