Reconstructing the Process Memory

For certain examinations it might be helpful to be able to extract the memory of a single process from the full dump. If the dump was obtained with "dd", the reconstruction of the process' memory is quite simple.

The procedure is straightforward. To start you'll need the Page Directory Base Address of the corresponding process. This is available from the output of PTFinder, for example.

Now you iterate through all of the Page Directory Entries. If the entry refers to a large page (4 MB), then dump it immediately. Otherwise the entry will point you to a Page Table. In that case iterate through all of the Page Table Entries and dump the small pages (4 KB) they refer you to.

Of course you have to check the Present flag of each Page Directory Entry and Page Table Entry to ensure the corresponding page (or the whole page table) hasn't been swapped out into the pagefile.

Microsoft Windows uses large pages only for the kernel's in-memory image. If you don't want to copy the kernel into every process dump, then you should skip pages of that type. Also consider skipping pages marked as Global for similar reasons.

Some time ago I wrote a simple Perl script named memdump.pl for that.

For example, issue memdump.pl memory.dd 0x30000 to extract the process memory of the SYSTEM process of a Windows 2000 system. The script will create two files:

  • 0x30000.mem contains the memory image
  • 0x30000.map contains a mapping between virtual addresses and their locations in the mem-file.

Please note that the Page Directory Base Address has to be given in hexadecimal notation.

I provide this program for demonstration purposes only. Please see the program source for further documentation.
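The page table walk described above, written out in Python as an added illustration (this is not memdump.pl and not the author's code). It assumes a 32-bit x86 system without PAE, as on the Windows 2000 example, and works on a constructed stand-in for memory.dd instead of a real dump.

```python
import struct

PAGE, LARGE_PAGE = 0x1000, 0x400000
P_BIT, PS_BIT, G_BIT = 1 << 0, 1 << 7, 1 << 8   # Present, Page Size, Global

def walk_page_tables(dump, pdb, skip_large=True, skip_global=True):
    """Return [(vaddr, paddr, size)] for every resident page of the process with PDB pdb (32-bit x86, no PAE)."""
    pages = []
    for pdi in range(1024):
        (pde,) = struct.unpack_from("<I", dump, pdb + pdi * 4)
        if not pde & P_BIT:
            continue                          # page table or large page is paged out
        if pde & PS_BIT:                      # 4 MB large page (kernel image)
            if skip_large or (skip_global and pde & G_BIT):
                continue
            pages.append((pdi << 22, pde & 0xFFC00000, LARGE_PAGE))
            continue
        pt = pde & 0xFFFFF000
        if pt + PAGE > len(dump):
            continue                          # page table lies beyond the end of the dump
        for pti in range(1024):
            (pte,) = struct.unpack_from("<I", dump, pt + pti * 4)
            if not pte & P_BIT or (skip_global and pte & G_BIT):
                continue
            pages.append(((pdi << 22) | (pti << 12), pte & 0xFFFFF000, PAGE))
    return pages

def dump_process(dump, pdb):
    """Return (mem, map_lines): the .mem contents and the virtual-address-to-offset map."""
    mem, map_lines = bytearray(), []
    for vaddr, paddr, size in walk_page_tables(dump, pdb):
        map_lines.append(f"0x{vaddr:08x} -> 0x{len(mem):08x} ({size} bytes)")
        mem += dump[paddr:paddr + size]       # short read if the dd image is truncated
    return bytes(mem), map_lines

def build_sample_dump():
    """Constructed stand-in for memory.dd: page directory at 0x30000, one page table, one user page, one global page, one large page."""
    d = bytearray(0x34000)
    pdb, pt, data, glob = 0x30000, 0x31000, 0x32000, 0x33000
    struct.pack_into("<I", d, pdb + 0 * 4, pt | P_BIT)                           # PDE 0 -> page table
    struct.pack_into("<I", d, pdb + 1 * 4, 0x80000000 | PS_BIT | G_BIT | P_BIT)  # PDE 1: 4 MB kernel page
    struct.pack_into("<I", d, pt + 0 * 4, data | P_BIT)                          # PTE 0 -> resident user page
    struct.pack_into("<I", d, pt + 1 * 4, glob | G_BIT | P_BIT)                  # PTE 1 -> global page
    d[data:data + PAGE] = b"A" * PAGE         # all other entries stay zero, i.e. not present
    return bytes(d), pdb

if __name__ == "__main__":
    mem, mapping = dump_process(*build_sample_dump())
    print(len(mem), mapping)                  # 4096 ['0x00000000 -> 0x00000000 (4096 bytes)']
```

On a real image, replace build_sample_dump() with the bytes of the dd file (or an mmap of it) and write mem and map_lines to the .mem and .map files.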

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.