volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Implement a feature to load to current running process from ram memory image #871

Closed gogo2464 closed 1 year ago

gogo2464 commented 1 year ago

Is your feature request related to a problem? Please describe.

I was doing reverse engineering on the RensenWare malware. Regarding the decompiled source code: if I exit the process or shut down my computer, the ransomware key is destroyed. I want to restore the key from the RAM dump taken just in time. Sadly, I must run the malware IN ITS CURRENT STATE, not a rewrite of the .exe. In this way I could debug the current process key, print it and make the malware think it has taken what it wants from the user. The malware must not be shut down. I need a process to debug a state of the malware with a debugger like dotPeek.

Describe the solution you'd like

I think it could be a great improvement to do something like:

vol.exe -f vmem.mem windows.launchprocess.LaunchProcess --pid 123

In order to achieve this we will need to reconstruct the binary:

  1. reconstruct section addresses and sizes from the .exe file
  2. reconstruct the IAT

Describe alternatives you've considered

Find other software online. I did not find anything except the script name from this 2006 article: https://web.archive.org/web/20160306223112/http://computer.forensikblog.de/en/2006/04/reconstructing-a-binary-2.html

Additional information

If you know a software that does the job could you tell me the name please?
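The two reconstruction steps listed in the request, section table and IAT, as an added example that is not part of the issue or of volatility3. It assumes the input is the process image as mapped (laid out by RVA), which is what a dump of the running image looks like; the file produced by the windows.pslist --dump option is assumed to have that layout, and the sample image built inside the script is constructed, not a real binary. Step 1 is the usual dumper fix-up: point each section's raw offset and size at its virtual address and size, so the file layout the loader expects matches what was dumped. Step 2 restores the IAT only where the import lookup table (OriginalFirstThunk) survived in the dump; when it is absent the resolved addresses have to be mapped back to exported names against the loaded modules, which is what ImpREC-style tools do and this example does not. Neither step recovers process state: the rebuilt file starts from its entry point with fresh memory, so a key that only ever existed on the heap has to be carved from the dump itself.

```python
"""Section-table fix-up and IAT restore for a process image written out of a memory dump.
Added example for this issue, not volatility3 code; the sample is a constructed PE32 layout."""
import struct
import sys

SECTION_HDR = 40   # sizeof(IMAGE_SECTION_HEADER)
IMPORT_DESC = 20   # sizeof(IMAGE_IMPORT_DESCRIPTOR)

def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)

def build_sample_dump():
    """Constructed sample: a two-section PE32 laid out by RVA, as it sits in process memory."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                               # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # IMAGE_FILE_HEADER, i386
    opt = 0x98                                                            # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", img, opt, 0x10B)                               # Magic = PE32
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)                 # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x3000, 0x400)                 # SizeOfImage, SizeOfHeaders
    struct.pack_into("<II", img, opt + 96 + 8, 0x2000, 2 * IMPORT_DESC)   # DataDirectory[1] = imports
    sect = opt + 0xE0                                                     # section table (0x178)
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData as the on-disk file had them
    struct.pack_into("<8sIIII12xI", img, sect, b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020)
    struct.pack_into("<8sIIII12xI", img, sect + SECTION_HDR, b".rdata", 0x300, 0x2000, 0x400, 0x600, 0x40000040)
    # One import, kernel32!ExitProcess: ILT at 0x2040, DLL name 0x2060, hint/name 0x2070, IAT 0x2080
    struct.pack_into("<IIIII", img, 0x2000, 0x2040, 0, 0, 0x2060, 0x2080)
    struct.pack_into("<II", img, 0x2040, 0x2070, 0)
    img[0x2060:0x206D] = b"kernel32.dll\0"
    img[0x2070:0x207E] = b"\0\0ExitProcess\0"
    struct.pack_into("<II", img, 0x2080, 0x7C81CAFA, 0)                   # IAT as the loader left it: a VA
    return bytes(img)

def parse_headers(img):
    """Return (optional header offset, section table offset, section count, is_pe32plus)."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, opt_size = struct.unpack_from("<H12xH", img, e_lfanew + 6)   # NumberOfSections, SizeOfOptionalHeader
    opt = e_lfanew + 24
    return opt, opt + opt_size, nsect, struct.unpack_from("<H", img, opt)[0] == 0x20B

def sections(img):
    """List (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    _, sect, nsect, _ = parse_headers(img)
    rows = [struct.unpack_from("<8sIIII", img, sect + i * SECTION_HDR) for i in range(nsect)]
    return [(n.rstrip(b"\0").decode(), vs, va, rs, rp) for n, vs, va, rs, rp in rows]

def fix_sections(img):
    """Make the section table describe the dump's real layout: PointerToRawData := VirtualAddress,
    SizeOfRawData := VirtualSize rounded to SectionAlignment (capped at EOF), FileAlignment := SectionAlignment."""
    img = bytearray(img)
    opt, sect, nsect, _ = parse_headers(img)
    section_align = struct.unpack_from("<I", img, opt + 32)[0]
    struct.pack_into("<I", img, opt + 36, section_align)
    for i in range(nsect):
        hdr = sect + i * SECTION_HDR
        vsize, vaddr = struct.unpack_from("<II", img, hdr + 8)
        rsize = min(align_up(vsize, section_align), len(img) - vaddr)
        struct.pack_into("<II", img, hdr + 16, rsize, vaddr)
    return bytes(img)

def restore_iat(img):
    """Copy each module's ILT (OriginalFirstThunk) back over its IAT (FirstThunk) so the loader re-resolves
    the imports on load; in a dump RVAs are file offsets.  Returns (image, thunks restored).  A descriptor
    with no ILT cannot be fixed this way: its IAT must be rebuilt by resolving each address (ImpREC-style)."""
    img = bytearray(img)
    opt, _, _, pe32plus = parse_headers(img)
    thunk = "<Q" if pe32plus else "<I"
    step = struct.calcsize(thunk)
    imp_rva, imp_size = struct.unpack_from("<II", img, opt + (112 if pe32plus else 96) + 8)
    restored = 0
    for desc in range(imp_rva, imp_rva + imp_size, IMPORT_DESC) if imp_rva else []:
        ilt, _, _, name, iat = struct.unpack_from("<IIIII", img, desc)
        if name == 0 and iat == 0:
            break                                                         # terminating descriptor
        if ilt == 0:
            dll = img[name:img.index(b"\0", name)].decode(errors="replace")
            raise ValueError("%s: no ILT, IAT must be rebuilt by address resolution" % dll)
        while True:
            entry = struct.unpack_from(thunk, img, ilt)[0]
            struct.pack_into(thunk, img, iat, entry)                      # resolved VA -> original RVA/ordinal
            if entry == 0:
                break
            restored, ilt, iat = restored + 1, ilt + step, iat + step
    return bytes(img), restored

if __name__ == "__main__":
    # Assumed usage: argv[1] is the file written by `windows.pslist --dump`; no argument runs the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    fixed, n = restore_iat(fix_sections(data))
    for row in sections(fixed):
        print("%-8s vsize=%#x vaddr=%#x rawsize=%#x rawptr=%#x" % row)
    print("restored %d IAT thunks" % n)
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".fixed", "wb").write(fixed)
```

Run with no argument to see the constructed sample before and after; with a dump path as the argument the patched image is written next to it with a .fixed suffix. The ValueError on a zero OriginalFirstThunk is deliberate: silently leaving resolved virtual addresses in the IAT produces a file that loads and then crashes on its first import call, which is harder to diagnose than a refusal.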

ikelos commented 1 year ago

Hi there, it's possible this has already been implemented. I'm afraid I didn't fully understand what exactly you were after, but as best I can understand there's a piece of malware that generates a key it keeps in memory, and you have taken a full memory dump of the compromised machine, but now want to debug the process as if it were running in a live machine?

I'm not sure that's possible, but you can reduce the amount of data you have to look through by using windows.pslist --dump, which can be used to save just the complete process memory space from a single process. @iMHLv2 may be able to provide more information...

gogo2464 commented 1 year ago

@ikelos

In the current state of Volatility, windows.pslist --dump just extracts to a dump file. It does not load the file into memory. I want to be able to see the process in Task Manager in Windows even if the real old process has exited.

ikelos commented 1 year ago

Ok, I'm afraid that's quite a specific requirement and outside the remit of a forensic analysis tool. You might find someone on the Slack channel to help you develop a custom plugin, but it's very unlikely to ever end up as part of the core, particularly as it's Windows specific. Your question will still be available on GitHub, but I'm going to mark the issue as closed for the reasons I just mentioned.

gogo2464 commented 1 year ago

Thank you very much. I understand. Best regards.