If you followed through the first part of this tutorial, you might wonder if there shouldn't be a simpler way to extract the binary. Of course there is one.
The principle behind the reconstruction process as it was described in the first part is rather simple:
- find the EPROCESS record
- locate the start of the in-memory image via the PEB
- extract the first page, containing the executable file's header and save it to a file
- for every section listed in the header extract and save the proper portion of virtual memory
What is really annoying, to say the least, are all those conversions from virtual to physical addresses and the endless copy and paste operations. Memdump.pl comes to help! Just let it extract the process memory. All you need is the memory dump file and the Page Directory Base address of the process. We already know the latter from the first part of this tutorial: it's 0x01d9e000.
Now issue ./memdump.pl dfrws2005-physical-memory1.dmp 0x01d9e000
If all goes well this will create two files in the current directory:
- 0x1d9e000.map maps virtual addresses to offsets of the extracted process memory
- 0x1d9e000.mem contains the process memory
We'll now have to locate the PEB. Again from the first part we know that it is at virtual address 0x7ffdf000. Looking at the MAP file:
virt. addr. file offset size
------------ ------------ --------
0x7ffdf000 0x107000 0x1000
So you'll find the PEB at offset 0x107000 in file 0x1d9e000.mem. Eight bytes further you'll find the ImageBaseAddress. Good to see that it's still 0x0400000.
We'd now have to extract the first page (at 0x0400000, that is file offset 0x26000) and reconstruct all the sections. Again, based on our experience from the first part, we can speed this up a bit. Here's the relevant portion from the MAP file:
virt. addr. file offset size
------------ ------------ --------
0x400000 0x26000 0x1000
0x401000 0x27000 0x1000
0x402000 0x28000 0x1000
0x403000 0x29000 0x1000
0x404000 0x2a000 0x1000
0x405000 0x2b000 0x1000
0x406000 0x2c000 0x1000
0x407000 0x2d000 0x1000
0x408000 0x2e000 0x1000
0x409000 0x2f000 0x1000
0x40a000 0x30000 0x1000
0x40b000 0x31000 0x1000
0x40c000 0x32000 0x1000
0x40d000 0x33000 0x1000
So all that's left to do is to copy 14 pages (14 * 4096 bytes = 57344 bytes) starting at offset 0x26000 (155648 in decimal, or 38 pages) from the MEM file and save them to a new file. This works as a single copy only because the MAP listing shows all 14 pages sitting back to back in the MEM file; pages that were paged out at dump time would not appear in the MAP at all. As usual I did it with 010 Editor, but you could do that with dd as well: dd if=0x1d9e000.mem of=reconstructed.exe bs=4096 skip=38 count=14
Now, wasn't that easy?
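The dd one-liner relies on the 14 pages being adjacent in the MEM file. As an added example (not part of the original post, nor of memdump.pl itself), the script below reads the MAP listing in the layout shown above and copies a virtual range page by page, so it also handles the general case where pages are scattered in the MEM file or missing from the MAP; missing pages are zero-filled so that the section offsets of the reconstructed file stay correct. The MAP text and MEM buffer it runs on are constructed stand-ins for 0x1d9e000.map and 0x1d9e000.mem.

```python
import re

PAGE = 0x1000  # x86 page size, matching the 0x1000 rows in the MAP file

def parse_map(text):
    """Parse memdump.pl's MAP listing (virt. addr., file offset, size rows)
    into a dict: virtual page address -> offset of that page in the MEM file."""
    table = {}
    row = re.compile(r'\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s*$', re.I)
    for line in text.splitlines():
        m = row.match(line)
        if not m:
            continue  # the header line and the dashed ruler carry no data
        va, off, size = (int(x, 16) for x in m.groups())
        for p in range(0, size, PAGE):
            table[va + p] = off + p
    return table

def extract_range(mem, table, start, length):
    """Copy virtual range [start, start+length) out of the MEM file page by
    page, following the map instead of assuming the pages sit back to back.
    Pages absent from the map (paged out when the dump was taken) are
    zero-filled so section offsets in the output stay correct.
    Returns (data, list of virtual addresses that had to be zero-filled)."""
    out, missing = bytearray(), []
    for va in range(start, start + length, PAGE):
        off = table.get(va)
        if off is None:
            missing.append(va)
            out += bytes(PAGE)
        else:
            out += mem[off:off + PAGE].ljust(PAGE, b'\0')  # pad a truncated tail
    return bytes(out[:length]), missing

# Constructed sample: page 0x402000 is deliberately missing from the map and
# page 0x403000 is deliberately not adjacent to the others in the MEM file.
SAMPLE_MAP = """virt. addr.  file offset  size
------------ ------------ --------
0x400000     0x26000      0x1000
0x401000     0x27000      0x1000
0x403000     0x2a000      0x1000
"""

def demo():
    mem = bytearray(0x2b000)            # constructed MEM file contents
    mem[0x26000:0x26002] = b'MZ'        # DOS header magic on the first page
    mem[0x27000:0x27004] = b'PAGE'
    mem[0x2a000:0x2a004] = b'LAST'
    return extract_range(bytes(mem), parse_map(SAMPLE_MAP), 0x400000, 4 * PAGE)
```

On the real files you would pass the text of 0x1d9e000.map to parse_map, the bytes of 0x1d9e000.mem to extract_range with start 0x400000 and length 14 * PAGE, and write the returned data to reconstructed.exe.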
Harlan Carvey also posted on the subject. Maybe he is going to build an automatic binary extractor? His Perl module to parse the PE header sure would be helpful in the process.
