New Tools

Over the weekend, Harlan Carvey released two tools for analyzing full memory dumps of computers running Microsoft Windows 2000.

Lsproc is a clean rewrite of PTfinder: it scans a full memory dump for EPROCESS and ETHREAD structures and reports the offsets at which it finds them. Right now it is limited to dumps taken from systems running Microsoft Windows 2000.

The second tool, lspd, takes the offset of a process's EPROCESS structure (such as one reported by lsproc) and extracts detailed information about that process from the dump.
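To show what the two steps involve, here is an added example in Python (the tools themselves are written in Perl); it is not code from Harlan Carvey's tools or from this blog. It carves object candidates out of a raw 32-bit dump by looking for the DISPATCHER_HEADER that starts every KPROCESS and KTHREAD, applies a plausibility check to each hit, and then reads the PID and image name of a process the way an lspd-style lookup would. The (Type, Size) signature pairs, the 2 GB user/kernel boundary and the EPROCESS field offsets are assumptions for Windows 2000 and must be verified against the symbols of the build under examination; the sample dump is constructed inline.

```python
"""
Carving EPROCESS and ETHREAD candidates out of a raw 32-bit Windows memory dump.

Added example (not the lsproc/lspd/PTfinder source): every KPROCESS/KTHREAD
begins with a DISPATCHER_HEADER, so a dump can be scanned for the
(Type, Size) byte pairs of those headers and each hit sanity-checked.
The signature values and EPROCESS field offsets below are assumptions for
Windows 2000 and must be checked against the target build's symbols.
"""
import struct
import sys

# Assumed DISPATCHER_HEADER (Type, Size in dwords) pairs for Windows 2000.
SIGNATURES = {
    (0x03, 0x1b): "process",   # KPROCESS, 0x6c bytes
    (0x06, 0x6c): "thread",    # KTHREAD, 0x1b0 bytes
}
KERNEL_BASE = 0x80000000       # 32-bit, default 2 GB user/kernel split
STRIDE = 4                     # pool objects are at least dword-aligned
HEADER_LEN = 16                # DISPATCHER_HEADER is 16 bytes on 32-bit

# Assumed Windows 2000 EPROCESS field offsets used by the lspd-style summary.
PID_OFFSET = 0x9c              # UniqueProcessId
NAME_OFFSET = 0x1fc            # ImageFileName[16]


def scan_dump(data, signatures=SIGNATURES, stride=STRIDE):
    """Return [(offset, kind), ...] for every plausible object header in data."""
    hits = []
    for off in range(0, len(data) - HEADER_LEN + 1, stride):
        obj_type, _absolute, size, _inserted = data[off:off + 4]
        kind = signatures.get((obj_type, size))
        if kind is None:
            continue
        # Plausibility check: WaitListHead of a real object holds two kernel
        # pointers (an empty list points back at itself), never user addresses.
        flink, blink = struct.unpack_from("<II", data, off + 8)
        if flink < KERNEL_BASE or blink < KERNEL_BASE:
            continue
        hits.append((off, kind))
    return hits


def process_summary(data, off):
    """Read PID and image name of the EPROCESS at off (lspd-style lookup)."""
    pid = struct.unpack_from("<I", data, off + PID_OFFSET)[0]
    raw_name = data[off + NAME_OFFSET:off + NAME_OFFSET + 16]
    image = raw_name.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"offset": off, "pid": pid, "image": image}


def make_sample_dump():
    """Constructed 4 KiB stand-in for a dump; not a real capture."""
    dump = bytearray(0x1000)

    def header(obj_type, size, flink, blink):
        # Type, Absolute, Size, Inserted, SignalState, WaitListHead.{Flink,Blink}
        return struct.pack("<BBBBIII", obj_type, 0, size, 0, 0, flink, blink)

    # EPROCESS at 0x100: valid header, PID 1234, image name "lsass.exe".
    dump[0x100:0x110] = header(0x03, 0x1b, 0x81a3c1f8, 0x81a3c1f8)
    struct.pack_into("<I", dump, 0x100 + PID_OFFSET, 1234)
    dump[0x100 + NAME_OFFSET:0x100 + NAME_OFFSET + 16] = b"lsass.exe".ljust(16, b"\0")
    # ETHREAD at 0x600.
    dump[0x600:0x610] = header(0x06, 0x6c, 0x81a2d0b8, 0x81a2d0b8)
    # Decoy at 0x900: right Type/Size bytes but user-mode pointers, so rejected.
    dump[0x900:0x910] = header(0x03, 0x1b, 0x00401000, 0x00000000)
    return bytes(dump)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_dump()
    for off, kind in scan_dump(data):
        line = "0x%08x %s" % (off, kind)
        if kind == "process":
            line += "  pid=%(pid)d image=%(image)s" % process_summary(data, off)
        print(line)
```

Run it with a dump file as the only argument, or with no argument to scan the built-in sample. The pointer check is only a first filter: a real scanner adds further constraints (for instance, a page-aligned DirectoryTableBase or consistent list links) because a two-byte signature alone will also match freed objects and unrelated data.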

Both tools are written in Perl. Versions compiled with Perl2Exe are provided along with the source code, so you don't have to install Perl on your analysis workstation.

Both tools are available from the newly created WindowsIR project site on SourceForge.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.