XMagic to Find Processes

Brendan Dolan-Gavitt wrote in and pointed me to his fine collection of XMagic definitions. With these patterns and a matching config file (Brendan provides a sample), FTimes can carve basic process information out of a raw memory dump.
Here's some sample output from processing the first image of the DFRWS 2005 Memory Analysis Challenge through winproc-2ksp4.pipes.exit.xmagic. Each record is one signature hit: the image file name, the "xmagic" tag, the byte offset of the hit, a description, and then the fields the pattern pulls from the process object, ending with the process image name and its state (Running or Exited):

"dfrws1.dmp"|xmagic||1564000|Windows Process|672|0|01A24000|7FFDF000|WinMgmt.exe|Running
"dfrws1.dmp"|xmagic||3170336|Windows Process|324|0|06F53000|7FFDF000|helix.exe|Running
"dfrws1.dmp"|xmagic||9826336|Windows Process|668|0|075A7000|7FFDF000|UMGR32.EXE|Running
"dfrws1.dmp"|xmagic||14467104|Windows Process|1112|0|039A2000|7FFDF000|cmd2k.exe|Running
"dfrws1.dmp"|xmagic||14809952|Windows Process|784|136|06C98000|7FFDF000|dfrws2005.exe|Exited|Exited
"dfrws1.dmp"|xmagic||17063264|Windows Process|176|0|04FE4000|7FFDF000|winlogon.exe|Running
"dfrws1.dmp"|xmagic||17072448|Windows Process|176|0|04FC4000|7FFDF000|winlogon.exe|Running
"dfrws1.dmp"|xmagic||17091072|Windows Process|164|0|04F24000|7FFDF000|winlogon.exe|Running
"dfrws1.dmp"|xmagic||19424384|Windows Process|180|0|0429F000|7FFDF000|csrss.exe|Running
"dfrws1.dmp"|xmagic||19495744|Windows Process|168|0|041DF000|7FFDF000|csrss.exe|Running
"dfrws1.dmp"|xmagic||19620544|Windows Process|156|0|03104000|7FFDF000|smss.exe|Running
"dfrws1.dmp"|xmagic||21093472|Windows Process|8|0|00030000|00000000|System|Running

A signature scan reports every object in the image that matches the pattern, not only the processes that were alive when the dump was taken. That shows in the output: winlogon.exe with PID 176 is found twice (offsets 17063264 and 17072448, with different values in the first hex column), and winlogon.exe and csrss.exe turn up under several PIDs. Hits like these have to be reconciled with each other, and where possible with the kernel's own process list, before the listing is read as the process table of the live system.
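To make the carving step concrete, here is an added example of the same approach in Python. It is not FTimes, not the winproc-2ksp4 XMagic definition, and not code from Brendan Dolan-Gavitt or this blog: it scans a memory image for a fixed byte signature at pool-aligned offsets, decodes a few fields behind each hit, prints them in the column order of the FTimes records above, and then flags PIDs that were matched more than once. The memory image is constructed inside the script, and the structure layout (a dispatcher header with Type=3/Size=0x1b, then DirectoryTableBase, ExitStatus, UniqueProcessId, Peb and ImageFileName at the offsets given), the STATUS_PENDING convention for a running process, and the names System, smss.exe, winlogon.exe, dfrws2005.exe and decoy.exe are all assumptions made for the sample; check the offsets against the symbols of the build you analyse before pointing it at a real dump.

```python
"""Carve process objects from a raw memory image with an XMagic-style signature.

Added example, not FTimes or the winproc-2ksp4 XMagic file. The dump is built
in this script; the layout below is an assumption modelled on the 32-bit
Windows 2000 EPROCESS and must be verified against real symbols before use.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass

# Assumed layout, offsets relative to the start of the object.
OFF_DTB        = 0x18   # KPROCESS.DirectoryTableBase (page directory, page aligned)
OFF_EXITSTATUS = 0x6c   # EPROCESS.ExitStatus
OFF_PID        = 0x9c   # EPROCESS.UniqueProcessId
OFF_PEB        = 0x1b0  # EPROCESS.Peb (0 for the System process)
OFF_IMAGENAME  = 0x1fc  # EPROCESS.ImageFileName[16]
OBJ_SIZE       = 0x290
STATUS_PENDING = 0x103  # ExitStatus while the process still runs (assumption)
POOL_ALIGN     = 8      # objects live in the kernel pool, which is 8-byte aligned

# Signature: dispatcher header with Type=3 (Process) and Size=0x1b DWORDs.
SIGNATURE = bytes([0x03, 0x00, 0x1b, 0x00])


@dataclass(frozen=True)
class Process:
    offset: int
    pid: int
    exit_status: int
    dtb: int
    peb: int
    name: str

    @property
    def state(self) -> str:
        return "Running" if self.exit_status == STATUS_PENDING else "Exited"

    def pipes(self, image: str) -> str:
        """One record in the column order of the FTimes output shown above."""
        return (f'"{image}"|xmagic||{self.offset}|Windows Process|{self.pid}|'
                f'{self.exit_status}|{self.dtb:08X}|{self.peb:08X}|{self.name}|{self.state}')


def _u32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]


def parse(buf: bytes, off: int):
    """Decode the fields behind a hit; None if they do not look like a process."""
    dtb = _u32(buf, off + OFF_DTB)
    raw = buf[off + OFF_IMAGENAME: off + OFF_IMAGENAME + 16].split(b"\0", 1)[0]
    # Plausibility checks that throw out random byte matches: the page directory
    # base is non-zero and page aligned, the image name is printable ASCII.
    if dtb == 0 or dtb & 0xFFF:
        return None
    if not raw or not all(0x20 <= c < 0x7F for c in raw):
        return None
    return Process(off, _u32(buf, off + OFF_PID), _u32(buf, off + OFF_EXITSTATUS),
                   dtb, _u32(buf, off + OFF_PEB), raw.decode("ascii"))


def scan(buf: bytes):
    """Every pool-aligned signature hit that survives parse(), in file order."""
    found = []
    pos = buf.find(SIGNATURE)
    while pos != -1:
        if pos % POOL_ALIGN == 0 and pos + OBJ_SIZE <= len(buf):
            proc = parse(buf, pos)
            if proc is not None:
                found.append(proc)
        pos = buf.find(SIGNATURE, pos + 1)
    return found


def duplicates(procs):
    """PIDs claimed by more than one object (stale copies a signature scan cannot
    tell from the live one); returns pid -> list of offsets."""
    by_pid = defaultdict(list)
    for p in procs:
        by_pid[p.pid].append(p.offset)
    return {pid: offs for pid, offs in by_pid.items() if len(offs) > 1}


# --- constructed sample dump, not real data ----------------------------------
def _make_object(pid, exit_status, dtb, peb, name):
    obj = bytearray(OBJ_SIZE)
    obj[0:4] = SIGNATURE
    struct.pack_into("<I", obj, OFF_DTB, dtb)
    struct.pack_into("<I", obj, OFF_EXITSTATUS, exit_status)
    struct.pack_into("<I", obj, OFF_PID, pid)
    struct.pack_into("<I", obj, OFF_PEB, peb)
    obj[OFF_IMAGENAME:OFF_IMAGENAME + 16] = name.encode("ascii")[:15].ljust(16, b"\0")
    return bytes(obj)


def build_sample_dump() -> bytes:
    dump = bytearray(0x6000)
    def place(off, obj):
        dump[off:off + len(obj)] = obj
    place(0x0400, _make_object(8,   STATUS_PENDING, 0x00030000, 0x00000000, "System"))
    place(0x1000, _make_object(156, STATUS_PENDING, 0x03104000, 0x7FFDF000, "smss.exe"))
    place(0x1800, _make_object(176, STATUS_PENDING, 0x04FE4000, 0x7FFDF000, "winlogon.exe"))
    place(0x2000, _make_object(176, STATUS_PENDING, 0x04FC4000, 0x7FFDF000, "winlogon.exe"))  # stale copy
    place(0x2800, _make_object(784, 0x00000000,     0x06C98000, 0x7FFDF000, "dfrws2005.exe"))  # exited
    place(0x3003, _make_object(999, STATUS_PENDING, 0x07000000, 0x7FFDF000, "decoy.exe"))      # misaligned
    dump[0x3800:0x3804] = SIGNATURE   # aligned header bytes with nothing valid behind them
    return bytes(dump)


if __name__ == "__main__":
    procs = scan(build_sample_dump())
    for p in procs:
        print(p.pipes("sample.dmp"))
    for pid, offs in duplicates(procs).items():
        print(f"PID {pid} matched {len(offs)} times at {[hex(o) for o in offs]}: verify which is live")
```

The two decoys show why a pattern alone is not enough: the misaligned copy is never considered, and the bare header bytes are rejected because no plausible page directory base follows them. The duplicate report is the part a practitioner needs next, since the scan cannot decide by itself which of the two winlogon.exe objects belonged to the running system.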

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.