The work with title From memmap to minidump: Creating a Volatility Plugin to facilitate per-process memory analysis by Stavrou Odysseas is licensed under Creative Commons Attribution 4.0 International
Bibliographic Citation
Odysseas Stavrou, "From memmap to minidump: Creating a Volatility Plugin to facilitate per-process memory analysis", Diploma Work, School of Electrical and Computer Engineering, Technical University of Crete, Chania, Greece, 2025
https://doi.org/10.26233/heallink.tuc.104130
The Volatility Framework is the most advanced memory analysis framework in its category out there. It can effectively analyse Windows, Linux and Mac memory snapshots. However, Volatility deals explicitly with and in memory. It will give you a view into the memory snapshot for you to explore the low-level system structures and venture to any (valid) address of any process, physical or virtual, either in kernel-land or user-land. But what happens if we want to explore a slightly higher level of memory, say for example the Objects in a process suspected of being a Command and Control (C2/CnC) agent? Or a red-teamer extracting secrets from a specific process? How do we go from a whole Windows memory snapshot to an isolated "user-friendly" Minidump that we can use with existing tools (WinDBG, mimikatz, and most notably their plugins) to analyse a single process? This work leverages some pre-existing research in an attempt to create a Volatility plugin that can extract and restructure a Process' memory into a Minidump snapshot, taking advantage of Volatility's highly modular and pluggable tooling, and in the process outlines how, given access to the opaque structures (_EPROCESS, _ETHREAD, etc.), one can generate analysable Minidumps.
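To make the "memmap to minidump" restructuring concrete, the following added example (not code from the thesis or from Volatility) packs a list of per-process memory regions, as a memmap-style walk would yield them, into the Memory64ListStream of a minimal minidump and parses it back. The sample regions are constructed; a dump that WinDbg or mimikatz will accept also needs SystemInfo, ThreadList and ModuleList streams, which are omitted here.

```python
"""Minimal minidump writer/reader: Memory64ListStream only."""
import struct
import time

MDMP_SIGNATURE = 0x504D444D    # 'MDMP' as a little-endian ULONG32
MDMP_VERSION = 0xA793          # MINIDUMP_VERSION (low word)
MEMORY64_LIST_STREAM = 9       # MINIDUMP_STREAM_TYPE Memory64ListStream
HEADER_FMT = "<IIIIIIQ"        # MINIDUMP_HEADER (32 bytes)
DIRECTORY_FMT = "<III"         # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
MEM64_LIST_FMT = "<QQ"         # NumberOfMemoryRanges, BaseRva
MEM64_DESC_FMT = "<QQ"         # StartOfMemoryRange, DataSize

# Constructed sample: two regions as a memmap-style walk would yield them.
SAMPLE_REGIONS = [(0x7FF600000000, b"MZ" + b"\x90" * 14), (0x10000, b"A" * 32)]

def build_minidump(regions):
    """regions: iterable of (virtual_base, bytes). Returns the dump file bytes."""
    regions = sorted(regions)  # descriptors must be in ascending address order
    header_size = struct.calcsize(HEADER_FMT)
    dir_size = struct.calcsize(DIRECTORY_FMT)
    stream_rva = header_size + dir_size        # single directory entry
    list_size = struct.calcsize(MEM64_LIST_FMT) + len(regions) * struct.calcsize(MEM64_DESC_FMT)
    base_rva = stream_rva + list_size          # raw bytes are contiguous after the list
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, MDMP_VERSION, 1,
                         header_size, 0, int(time.time()), 0)
    directory = struct.pack(DIRECTORY_FMT, MEMORY64_LIST_STREAM, list_size, stream_rva)
    mem_list = struct.pack(MEM64_LIST_FMT, len(regions), base_rva)
    for base, data in regions:
        mem_list += struct.pack(MEM64_DESC_FMT, base, len(data))
    return header + directory + mem_list + b"".join(d for _, d in regions)

def read_memory64_ranges(blob):
    """Walk the directory and return {virtual_base: bytes} from Memory64ListStream."""
    sig, _, nstreams, dir_rva, _, _, _ = struct.unpack_from(HEADER_FMT, blob, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump")
    dir_size = struct.calcsize(DIRECTORY_FMT)
    for i in range(nstreams):
        stype, _, rva = struct.unpack_from(DIRECTORY_FMT, blob, dir_rva + i * dir_size)
        if stype != MEMORY64_LIST_STREAM:
            continue
        count, cursor = struct.unpack_from(MEM64_LIST_FMT, blob, rva)
        ranges = {}
        for j in range(count):
            start, size = struct.unpack_from(MEM64_DESC_FMT, blob, rva + 16 + j * 16)
            ranges[start] = blob[cursor:cursor + size]  # data laid out in descriptor order
            cursor += size
        return ranges
    raise ValueError("no Memory64ListStream present")
```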