Open Fr0gZero opened 9 months ago
Hi there, volatility doesn't really do memory acquisition, so I assume you're asking about extracting a process's memory and writing it into a valid minidump file? We don't currently have the capability, and we wouldn't have certain information (such as registers or CPU state) that a minidump might otherwise have, but otherwise if the format is well documented it should be possible to do?
Yes, the acquisition portion would be done using other tools and would create a full dump file of the current physical memory. Would it be possible through volatility or any applicable plugins to search and parse the physical dump file for a specific process memory and output the contents in minidump format? The project I originally discovered that utilized Rekall that achieved this goal would be the following: https://github.com/WithSecureLabs/physmem2profit/
There are already plugins for interacting with LSASS and dumping credentials? (See windows.hashdump and windows.lsadump) Is there a specific reason for wanting to carve the data out of memory into a minidump file? The project you mentioned essentially reads physical memory, so it might be much easier to adapt that to read from a file dump of physical memory in order to achieve your goal?
Currently I would like to be able to utilize all of the minidump parsing capabilities of a tool called mimikatz https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/minidump
I do not believe the windows.hashdump/lsadump cover all of the same parsing routines thus leaving out some potential credentials.
I believe in volatility2 there was a community plugin to support these parsing methods potentially? : https://github.com/volatilityfoundation/community/blob/master/FrancescoPicasso/mimikatz.py
Noting the adaptation for physmem2profit, that is definitely an option. But I would like to investigate any other options that may be viable before spending the time.
I appreciate the help!
Ok, that seems a reasonable request then. We'll leave this open but it's quite a niche case and therefore not necessarily a priority for the foundation I'm afraid...
You can write a plugin to use pypykatz for this specific LSASS scenario. I have one example here that I updated from the pypykatz author himself:
https://github.com/daddycocoaman/volplugins
I'm also interested in getting minidumps out of volatility3. It's definitely possible, as the focus probably won't be on things like CPU state and registers, but more just the memory streams. MemProcFS does this effectively, and I wanted to work on a Vol3 plugin for this last year but got distracted with life. I'll re-add this on my list of things to try to do this year. :)
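To make "just the memory streams" concrete, here is an added example that is not volatility's, MemProcFS's or any plugin's code: it packs constructed memory ranges into a minimal minidump container (header, directory, SystemInfoStream, Memory64ListStream) and parses the ranges back out, which is the round trip a forensic tool would need to verify. Structure sizes and stream type numbers follow the MSDN minidump layouts; the ranges and OS version values are constructed, and streams a full parser may also expect (modules, threads) are deliberately left out.

```python
import struct
import time

MDMP_SIG, MDMP_VERSION = 0x504D444D, 0xA793          # 'MDMP', MINIDUMP_VERSION
SYSTEM_INFO_STREAM, MEMORY64_LIST_STREAM = 7, 9     # MINIDUMP_STREAM_TYPE values
PROCESSOR_ARCHITECTURE_AMD64, VER_PLATFORM_WIN32_NT = 9, 2
HEADER_SIZE, DIR_ENTRY_SIZE = 32, 12                # sizeof(MINIDUMP_HEADER), sizeof(MINIDUMP_DIRECTORY)


def build_minidump(ranges, major=10, minor=0, build=19041):
    """Pack [(virtual_address, bytes), ...] into a minidump blob with two streams.
    All offsets are RVAs from the start of the file, as the format requires."""
    n_streams = 2
    sysinfo_rva = HEADER_SIZE + DIR_ENTRY_SIZE * n_streams
    # MINIDUMP_SYSTEM_INFO (56 bytes): arch, level, revision, cpus, product type,
    # major, minor, build, platform id, CSD version RVA, suite mask, reserved, CPU_INFORMATION
    sysinfo = struct.pack("<HHHBBIIIIIHH24s", PROCESSOR_ARCHITECTURE_AMD64, 0, 0, 1, 1,
                          major, minor, build, VER_PLATFORM_WIN32_NT, 0, 0, 0, b"\0" * 24)
    mem_list_rva = sysinfo_rva + len(sysinfo)
    mem_list_size = 16 + 16 * len(ranges)            # count + base RVA, then one descriptor per range
    base_rva = mem_list_rva + mem_list_size          # range contents are stored back to back from here
    mem_list = struct.pack("<QQ", len(ranges), base_rva)
    for va, data in ranges:                          # MINIDUMP_MEMORY_DESCRIPTOR64: start VA, size
        mem_list += struct.pack("<QQ", va, len(data))
    directory = struct.pack("<III", SYSTEM_INFO_STREAM, len(sysinfo), sysinfo_rva)
    directory += struct.pack("<III", MEMORY64_LIST_STREAM, mem_list_size, mem_list_rva)
    # MINIDUMP_HEADER: signature, version, stream count, directory RVA, checksum, timestamp, flags
    header = struct.pack("<IIIIIIQ", MDMP_SIG, MDMP_VERSION, n_streams, HEADER_SIZE,
                         0, int(time.time()), 0)
    return header + directory + sysinfo + mem_list + b"".join(d for _, d in ranges)


def read_memory_ranges(blob):
    """Walk the directory, find the Memory64ListStream and return {virtual_address: bytes}."""
    sig, _, n_streams, dir_rva = struct.unpack_from("<IIII", blob, 0)
    if sig != MDMP_SIG:
        raise ValueError("not a minidump: bad signature")
    for i in range(n_streams):
        stype, _, rva = struct.unpack_from("<III", blob, dir_rva + DIR_ENTRY_SIZE * i)
        if stype != MEMORY64_LIST_STREAM:
            continue
        count, cursor = struct.unpack_from("<QQ", blob, rva)
        out = {}
        for j in range(count):
            va, size = struct.unpack_from("<QQ", blob, rva + 16 + 16 * j)
            if cursor + size > len(blob):
                raise ValueError("memory range descriptor points past end of file")
            out[va] = blob[cursor:cursor + size]
            cursor += size
        return out
    raise ValueError("no Memory64ListStream in directory")


if __name__ == "__main__":
    sample = [(0x7FF600000000, b"MZ" + b"\0" * 14), (0x1000, bytes(range(32)))]  # constructed ranges
    print(len(build_minidump(sample)), "bytes;", read_memory_ranges(build_minidump(sample)) == dict(sample))
```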
Do you know if the plugin you created above would work for my scenario? I briefly looked at pypykatz a couple weeks ago but ended up going down a rabbit hole with WinDBG with no success. I'm really trying to find any easy solution before I dump a bunch of hours into writing new code.
Also, I noticed your dumpscan project; it looks awesome.
https://github.com/daddycocoaman/dumpscan
I currently have a couple ways to gather my mem dumps using DFIR tools or windows error reporting but I need to extract that sweet sweet LSASS :)
First of all I would like to say thank you to all the contributors of volatility. This has by far been a fun experience diving into forensics for me!
I have more of a question than an explicit issue and I am hoping someone can answer it.
Does volatility3 currently have the capability of dumping a process's memory in the minidump file format?
There are other projects I have noted that take physical memory and create physical process memory to minidump formats, but they are no longer maintained (i.e. the Rekall framework).
Thank you again!