![Page 2: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/2.jpg)
Founder of MoonSols (based in France)
Twitter addict (@msuiche)
Microsoft MVP
Turned 21 (beers please!)
Reverse engineering work related to physical memory:
Windows hibernation file
Memory acquisition
Mac OS X physical memory analysis
![Page 3: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/3.jpg)
Who ?
![Page 4: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/4.jpg)
Memory (crash) dumps are interesting for:
Kernel developers
Kernel troubleshooters
Bug hunter
Investigator
Forensic expert
Malware analyst
Incident responder
![Page 5: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/5.jpg)
Who ? Why ?
![Page 6: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/6.jpg)
Bug hunter: Hey man! I just wrote my 10-line Python fuzzer! I got a remote BSOD! And all I got is this crash dump! (CVE-2009-3103)
Kernel developer: F***! What the F*** is wrong with this null pointer?
![Page 7: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/7.jpg)
Investigator / forensic expert: Inspector Gadget just made a memory dump of Dr. Claw's computer to extract his Facebook and Twitter activity, and moreover the login/password he used to connect to his pr0n server.
Malware analyst: I got this crazy packed rootkit for Win 7 64-bit! Why did the NuMega guys stop developing SoftICE? I'd rather disassemble the memory area and the dumper driver.
![Page 8: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/8.jpg)
Incident responder: We just got pwned! There is no artifact of the source of this! @!&$¨^ WTF, Adobe Acrobat Reader is using 400 MB of the physical address space with only 90 90 90 90 90 90 90 everywhere (0x90 is the x86 NOP: a heap-sprayed NOP sled)?
![Page 9: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/9.jpg)
Who ? Why ? What / How ?
![Page 10: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/10.jpg)
RAM
Raw dump
Hibernation File
Microsoft Crash Dump
Virtual Machine State
![Page 11: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/11.jpg)
Physical attacks too: DMA via the PCI bus (FireWire, PCMCIA, ExpressCard, ...)
See VirtDbg (Damien Aumaitre, Christophe Devine, 2010): FPGA over CardBus for DMA I/O. Early stage of development, but looks interesting. Unfortunately, there is no release yet.
![Page 12: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/12.jpg)
The software way does not require any specific hardware. (Unless you are trying to install an NVIDIA driver on your laptop with hardware virtualization, j/k.)
Can also be an artifact, e.g. a hibernation file that is never wiped.
Can be acquired remotely over TCP.
![Page 13: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/13.jpg)
Whatever you can say in this game, what people tell you is that it works both ways!
Software is everywhere, even in virtualization.
![Page 14: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/14.jpg)
Since virtualization is widely used for servers, [...] machine. State is saved and/or maintained on disk, e.g. the .vmem file with VMware Workstation, or the .bin file with Microsoft Hyper-V.
![Page 15: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/15.jpg)
Hibernation file: compressed.
Microsoft crash dump: B.S.O.D.
Raw: \Device\PhysicalMemory
![Page 16: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/16.jpg)
![Page 17: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/17.jpg)
Physical address space layout (figure; legend: RAM, Device Memory (MMIO), BIOS reserved):
0.00 GB - 2.00 GB: RAM, 2 GB (first 4096 B BIOS reserved)
2.00 GB - 2.50 GB: Device Memory (MMIO), 512 MB
2.50 GB - 3.50 GB: RAM, 1 GB
3.50 GB - 4.00 GB: Device Memory (MMIO), 512 MB
4.00 GB - 6.00 GB: RAM, 2 GB
![Page 18: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/18.jpg)
Blue blocks are the physical memory. These blocks are copied into the:
Microsoft hibernation file: 4 GB limitation (patched/improved in Win7).
Microsoft crash dump file: 2 GB limitation.
![Page 19: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/19.jpg)
Raw dump layout (figure): physical memory ranges X0 MB, X1 MB, X2 MB, X3 MB, X4 MB, X5 MB.
Raw dump file: X0 MB, X1 MB, ---, X3 MB, ---, X5 MB (the RAM ranges are copied at their physical offsets; the device-memory ranges X2 and X4 are left as gaps, so file offset equals physical address).
![Page 20: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/20.jpg)
Microsoft crash dump layout (figure): physical memory ranges X0 MB, X1 MB, X2 MB, X3 MB, X4 MB, X5 MB.
Crash dump file: Microsoft Crash Dump header (0x1000 bytes on a 32-bit system, 0x2000 bytes on a 64-bit system), followed by the RAM ranges X1 MB, X3 MB, X5 MB concatenated without gaps (the physical memory run table in the header records where each range belongs).
![Page 21: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/21.jpg)
Hibernation file layout (figure): physical memory ranges X0 MB, X1 MB, X2 MB, X3 MB, X4 MB, X5 MB.
Hibernation file: hibernation file header (0x7000 bytes max), then Memory Range Array a followed by its compressed blocks Compressed(X1)0, Compressed(X1)1, ..., Compressed(X1)n, then Memory Range Array b followed by Compressed(X1)n+1, Compressed(X2)0, Compressed(X2)1, ... (each memory range array lists the physical page ranges that the compressed blocks after it decompress into).
![Page 22: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/22.jpg)
Raw dump: no file format, hence no additional information. Most available tools only support this one, but it is really limited.
Hibernation file: the file format makes our life easier. Around 7-8 versions of the file format from WinXP to Win7; moreover, it is architecture dependent.
![Page 23: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/23.jpg)
Microsoft crash dump: has been used for years by kernel developers and troubleshooters. Microsoft maintains a free tool, WinDbg, which loads debugging symbols automatically (which makes it work with memory dumps from every Windows version) and which has an SDK.
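The crash dump layout described above (a fixed-size header, then the RAM runs stored back to back) is exactly what dmp2bin has to undo. The following Python is an added example, not MoonSols code: it reads the run table from the header, maps a physical address to its file offset, and flattens the runs into a linear raw image. The only header fields it touches are the PAGE signature, the ValidDump tag and the _PHYSICAL_MEMORY_DESCRIPTOR at offset 0x64 (x86 DUMP_HEADER, 0x1000 bytes) or 0x88 (x64 DUMP_HEADER64, 0x2000 bytes); the sample dumps are constructed in memory, and zero-filling the holes between runs is this example's own assumption.

```python
"""
Added example (not MoonSols code): parse the physical-memory run table of a
Microsoft full crash dump and flatten it into a linear raw image, the way
dmp2bin does. Header offsets are those of the public DUMP_HEADER (x86,
0x1000 bytes, ValidDump "DUMP") and DUMP_HEADER64 (x64, 0x2000 bytes,
ValidDump "DU64"). Sample dumps are constructed below; zero-filling the
holes between runs is this example's assumption.
"""
import hashlib
import struct

PAGE = 0x1000

# Per-architecture layout of the header fields this converter needs:
# nruns/npages/run0 are the _PHYSICAL_MEMORY_DESCRIPTOR fields inside the
# header (PhysicalMemoryBlockBuffer sits at 0x64 on x86, 0x88 on x64).
LAYOUT = {
    "x86": dict(hdr=0x1000, tag=b"DUMP", nruns=0x64, npages=0x68, run0=0x6C, run="<II", pages="<I"),
    "x64": dict(hdr=0x2000, tag=b"DU64", nruns=0x88, npages=0x90, run0=0x98, run="<QQ", pages="<Q"),
}


def parse_runs(dump):
    """Return (arch, [(base_page, page_count), ...]) read from the header."""
    if dump[:4] != b"PAGE":
        raise ValueError("missing PAGE signature: not a Microsoft crash dump")
    arch = next((a for a, l in LAYOUT.items() if l["tag"] == dump[4:8]), None)
    if arch is None:
        raise ValueError("unknown ValidDump tag %r" % dump[4:8])
    l = LAYOUT[arch]
    (nruns,) = struct.unpack_from("<I", dump, l["nruns"])
    step = struct.calcsize(l["run"])
    runs = [struct.unpack_from(l["run"], dump, l["run0"] + i * step) for i in range(nruns)]
    return arch, runs


def phys_to_file_offset(arch, runs, paddr):
    """Map a physical address to its offset in the crash dump. Runs follow the
    header back to back, so the offset is header size + size of every earlier
    run + offset inside this run. None for a hole (device memory / BIOS reserved)."""
    file_off = LAYOUT[arch]["hdr"]
    for base, count in runs:
        start, end = base * PAGE, (base + count) * PAGE
        if start <= paddr < end:
            return file_off + (paddr - start)
        file_off += count * PAGE
    return None


def dmp2bin(dump):
    """Flatten the runs into a raw image where file offset == physical address.
    Holes are zero-filled (assumption; the slides do not say what the tool writes)."""
    arch, runs = parse_runs(dump)
    src = LAYOUT[arch]["hdr"]
    out = bytearray()
    for base, count in runs:
        start = base * PAGE
        if start < len(out):
            raise ValueError("overlapping or unsorted runs")
        out.extend(b"\0" * (start - len(out)))
        out.extend(dump[src:src + count * PAGE])
        src += count * PAGE
    return bytes(out)


def build_dump(arch, runs, fill_byte):
    """Construct a synthetic full crash dump (test data, not a real dump): a
    header carrying only the signature and run table, then the runs concatenated
    without holes, as in the slide's figure. Real dumps also carry the
    DirectoryTableBase, KdDebuggerDataBlock and context record that WinDbg
    needs; they are left zero here. Run i is filled with byte fill_byte + i."""
    l = LAYOUT[arch]
    hdr = bytearray(l["hdr"])
    hdr[0:4] = b"PAGE"
    hdr[4:8] = l["tag"]
    struct.pack_into("<I", hdr, l["nruns"], len(runs))
    struct.pack_into(l["pages"], hdr, l["npages"], sum(c for _, c in runs))
    for i, (base, count) in enumerate(runs):
        struct.pack_into(l["run"], hdr, l["run0"] + i * struct.calcsize(l["run"]), base, count)
    body = b"".join(bytes([fill_byte + i]) * (count * PAGE) for i, (_, count) in enumerate(runs))
    return bytes(hdr) + body


if __name__ == "__main__":
    runs = [(0x1, 0x3), (0x10, 0x2), (0x20, 0x4)]   # in pages; holes at 0, 4-15, 18-31
    dump = build_dump("x86", runs, 0xA1)
    raw = dmp2bin(dump)
    print("dump %#x bytes -> raw %#x bytes, MD5 %s" % (len(dump), len(raw), hashlib.md5(raw).hexdigest()))
    print("phys 0x10000 lives at dump offset %#x" % phys_to_file_offset("x86", runs, 0x10000))
```

The reverse direction (bin2dmp) is harder than this: the run table can be derived from the raw image, but the other header fields WinDbg relies on (DirectoryTableBase, KdDebuggerDataBlock, the context record) have to be located inside the image first, which is why the real tool supports specific NT versions.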
![Page 24: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/24.jpg)
MEMORY IMAGING
Windows: crash dump file (BSOD); hibernation file (Hibernate).
Third party tools:
win32dd & win64dd: raw dump file; crash dump file (without BSOD).
Others: raw dump file.
![Page 25: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/25.jpg)
MoonSols Windows Memory Toolkit win32dd win64dd dmp2bin bin2dmp hibr2dmp hibr2bin
![Page 26: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/26.jpg)
Physical memory acquisition utility for Windows (x86 and x64, from NT 5.1 to 6.1).
Supported formats: raw format, Microsoft crash dump.
Hashing features (MD5, SHA-1, SHA-256).
3 different memory mapping techniques.
Lets you choose what you want to copy: the blue (RAM), red and green blocks of the physical address map.
![Page 27: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/27.jpg)
Can send a memory dump remotely from kernel-land AND has a server feature to receive the dump.
Super fast.
Supports an SMB share as target path.
NO SYMBOLS REQUIRED, unlike LiveKd.
![Page 28: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/28.jpg)
Server mode (receiving side):
windd /l /f F:\moonsols.dmp
Host to acquire (client side), sending the data collected from the host to sample.moonsols.com:
windd /t sample.moonsols.com /d
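The server/client split above (one windd listening with /l, the other pushing with /t) only pays off forensically if the collector can prove it received exactly what was acquired. The following Python is an added example, not windd code, and the slides do not document windd's wire protocol: the framing (8-byte big-endian length, the image bytes, then the sender's SHA-256) is this example's own convention. Both ends hash while streaming, so the collector can reject a truncated or corrupted dump before anyone analyses it. The 1 MiB image is a constructed stand-in, and the demo runs both ends over a local socket pair rather than a listening TCP port.

```python
"""
Added example (not windd code; its wire protocol is not on the slides):
push a memory image to a collector over a socket and verify integrity on
both ends. Framing is this example's own convention: an 8-byte big-endian
length, the image bytes, then the sender's SHA-256 of the image.
"""
import hashlib
import socket
import struct
import threading

CHUNK = 64 * 1024
# Constructed 1 MiB stand-in for an acquired image (not a real dump).
SAMPLE_IMAGE = bytes(range(256)) * 4096


def _recv_exact(conn, n):
    """Read exactly n bytes; a short read means the peer died mid-transfer."""
    buf = bytearray()
    while len(buf) < n:
        piece = conn.recv(min(CHUNK, n - len(buf)))
        if not piece:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf.extend(piece)
    return bytes(buf)


def send_image(conn, image, tamper_at=None):
    """Acquisition host side. Hashes each chunk as it is read and sends the
    digest after the data. tamper_at (demo only) flips one byte on the wire
    without touching the hash, simulating corruption in transit."""
    h = hashlib.sha256()
    conn.sendall(struct.pack(">Q", len(image)))
    for off in range(0, len(image), CHUNK):
        piece = image[off:off + CHUNK]
        h.update(piece)
        if tamper_at is not None and off <= tamper_at < off + len(piece):
            damaged = bytearray(piece)
            damaged[tamper_at - off] ^= 0xFF
            piece = bytes(damaged)
        conn.sendall(piece)
    conn.sendall(h.digest())
    return h.hexdigest()


def receive_image(conn):
    """Collector side. Returns (image, sha256_hex_of_received_bytes, verified),
    where verified means the recomputed digest matches the sender's trailer."""
    (size,) = struct.unpack(">Q", _recv_exact(conn, 8))
    h = hashlib.sha256()
    out = bytearray()
    while len(out) < size:
        piece = conn.recv(min(CHUNK, size - len(out)))
        if not piece:
            raise ConnectionError("truncated dump: %d of %d bytes" % (len(out), size))
        h.update(piece)
        out.extend(piece)
    claimed = _recv_exact(conn, 32)
    return bytes(out), h.hexdigest(), claimed == h.digest()


def transfer(image, tamper_at=None):
    """Run both ends over a local socket pair so the demo is self-contained; a
    real collector would bind()/listen() on a TCP port instead (as windd /l does).
    Returns (received_image, sender_hash, receiver_hash, verified)."""
    a, b = socket.socketpair()
    result = {}
    t = threading.Thread(target=lambda: result.update(r=receive_image(b)))
    t.start()
    with a:
        sender_hash = send_image(a, image, tamper_at)
    t.join()
    b.close()
    data, receiver_hash, ok = result["r"]
    return data, sender_hash, receiver_hash, ok


if __name__ == "__main__":
    _, sent, got, ok = transfer(SAMPLE_IMAGE)
    print("clean transfer:     sender %s.. receiver %s.. verified=%s" % (sent[:16], got[:16], ok))
    _, sent, got, ok = transfer(SAMPLE_IMAGE, tamper_at=700000)
    print("corrupted transfer: sender %s.. receiver %s.. verified=%s" % (sent[:16], got[:16], ok))
```

Record the sender's digest in the acquisition notes at the moment of capture: it is the value later hashes of the stored file (the MD5 the MoonSols converters print, for instance) must be traced back to.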
![Page 29: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/29.jpg)
(Screenshot: server-side and client-side commands and their output.)
![Page 30: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/30.jpg)
UAC compliant.
Reports on memory activity.
60 seconds for 4 GB.
![Page 31: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/31.jpg)
![Page 32: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/32.jpg)
![Page 33: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/33.jpg)
dmp2bin <input> <output>: converts a Microsoft full crash dump into a linear (raw) memory dump and prints an MD5 hash of the output file.
Works on both x86 and x64 Microsoft full crash dumps.
![Page 34: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/34.jpg)
(Screenshot: dmp2bin output, ending with the MD5 hash of the output file.)
![Page 35: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/35.jpg)
![Page 36: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/36.jpg)
bin2dmp <input> <output>: converts a linear memory dump into a Microsoft full memory crash dump and prints an MD5 hash of the output file.
Works on both x86 and x64 linear memory dumps from NT 5.1 (WinXP) to NT 6.1 (Win7).
HOT: can work on a live VMware virtual machine!
![Page 37: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/37.jpg)
(Screenshot: bin2dmp output, ending with the MD5 hash of the output file.)
![Page 38: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/38.jpg)
![Page 39: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/39.jpg)
hibr2dmp <input> <output>: converts a Microsoft hibernation file into a Microsoft full memory crash dump and prints an MD5 hash of the output file.
Works on both x86 and x64 hibernation files from NT 5.1 (WinXP) to NT 6.1 (Win7).
![Page 40: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/40.jpg)
(Screenshot: hibr2dmp output, ending with the MD5 hash of the output file.)
![Page 41: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/41.jpg)
![Page 42: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/42.jpg)
hibr2bin <input> <output>: converts a Microsoft hibernation file into a linear memory dump and prints an MD5 hash of the output file.
Works on both x86 and x64 hibernation files from NT 5.1 (WinXP) to NT 6.1 (Win7).
![Page 43: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/43.jpg)
(Screenshot: hibr2bin output, ending with the MD5 hash of the output file.)
![Page 44: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/44.jpg)
WinDbg: maintained by Microsoft itself for years. Originally designed for developers, for troubleshooting tasks such as crash dump analysis.
![Page 45: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/45.jpg)
WinDbg is a multipurpose graphical debugger for Microsoft Windows, distributed by Microsoft. It can be used to debug user mode applications, drivers, and the operating system itself in kernel mode. Available in Windows SDK [13] or WDK [14].
![Page 46: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/46.jpg)
![Page 47: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/47.jpg)
bin2dmp: the Professional Edition can work with a running VMware Workstation virtual machine on its .vmem file.
LiveCloudKd (new!): like Sysinternals LiveKd, but for Microsoft Hyper-V virtual machines.
![Page 48: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/48.jpg)
![Page 49: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/49.jpg)
![Page 50: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/50.jpg)
Free.
Live analysis mode.
Read/write virtual machine memory.
Dump physical memory, either in raw format or in Microsoft crash dump file format.
Does not [...] the virtual machine.
![Page 51: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/51.jpg)
No more need to get a Blue Screen of Death to get a Microsoft crash dump. Converting a Windows hibernation file into a Microsoft crash dump is super cool. See you at www.moonsols.com!
![Page 52: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/52.jpg)
Products with Graphical Interface
![Page 53: Advanced Physical Memory Acquisition and Analysis for Windows](https://reader031.vdocuments.mx/reader031/viewer/2022021223/62072fa249d709492c2ec5f7/html5/thumbnails/53.jpg)
Twitter: MoonSols or msuiche. Email: [email protected]. Web: http://www.moonsols.com, to order your copy of MoonSols Windows Memory Toolkit Professional Edition (or send an email directly to [email protected]) and to download LiveCloudKd!