Closed gogo2464 closed 1 year ago
Hi there, it's possible this has already been implemented. I'm afraid I didn't fully understand what exactly you were after, but as best I can understand there's a piece of malware that generates a key it keeps in memory, and you have taken a full memory dump of the compromised machine, but now want to debug the process as if it were running in a live machine?
I'm not sure that's possible, but you can reduce the amount of data you have to look through by using windows.pslist --dump, which can be used to save just the complete process memory space from a single process? @iMHLv2 may be able to provide more information...
@ikelos
In the current state of volatility, windows.pslist --dump just extracts to a dump file. It does not load the file in memory. I want to be able to see the process with task manager in windows even if the real old process has exited.
Ok, I'm afraid that's quite a specific requirement and outside the remit of a forensic analysis tool. You might find someone on the slack channel to help you develop a custom plugin, but it's very unlikely to ever end up as part of the core, particularly as it's windows specific. Your question will still be available in github, but I'm going to mark the issue as closed for the reasons I just mentioned.
Thank you very much. I understand. Best regards.
Is your feature request related to a problem? Please describe.
I was doing reverse engineering on the RensenWare malware. From the decompiled source code, if I exit the process or shut down my computer the ransomware key is destroyed. I want to restore the key from the RAM dump taken just in time. Sadly I must run the malware IN ITS CURRENT STATE, not a rewrite of the .exe. In this way I could debug the current process key, print it, and make the malware think it has taken what it wants from the user. The malware must not be shut down. I need a process to debug a state of the malware with a debugger like dotPeek.
Describe the solution you'd like
I think it could be a great improvement to do something like
vol.exe -f vmem.mem windows.launchprocess.LaunchProcess --pid 123;
In order to achieve this we will need to reconstruct the binary:
Describe alternatives you've considered
Find other software online. I did not find anything except the script name from this 2006 article: https://web.archive.org/web/20160306223112/http://computer.forensikblog.de/en/2006/04/reconstructing-a-binary-2.html
Additional information
If you know of software that does the job, could you tell me the name please?