Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Winpmem - Mild mannered memory aquisition tool?? - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Winpmem - Mild mannered memory aquisition tool??

There should be little argument that with today's threats you should always acquire a memory image when dealing with any type of malware.  Modern desktops can have 16 gigabytes of RAM or more filled with evidence that is usually crutial to understanding what was happening on that machine.   Failure to acquire that memory will make analyzing the other forensic artifacts difficult or in some cases impossible.  Chad Tilbury (@chadtilbury) recently told me about a new memory acquisition tool that I want to share with the ISC readers.  It is called winpmem.   It is written by Michael Cohen.  It is free and it is available for download here.  Here is a look at it.  

After downloading and expanding the zip file you will see the following components:

You can see there are two executables.  They are named winpmem_1.4.exe and winpmem_write_1.4.exe.  I'll come back to winpmem_write_1.4.exe later.  There is also a "binaries" directory that includes a couple of device drivers and a Python script.   That sounds like fun!   I'll come back to that one later as well.  For now, lets talk about winpmem_1.4.exe.  If you run it without any parameters you will get a help screen.   It looks like this:

If you want to use winpmem to acquire a raw memory image, all you have to do is provide it with a filename.  A copy of all the bytes in memory will be saved to that file.  For example:

c:\> winpmem_1.4.exe memory.dmp

This will create a raw memory image named "memory.dmp" suitable for analysis with Volatility, Mandiants Redline and others.   The tool can also create a crash dump that is suitable for analysis with Microsoft WinDBG.   To do so you just add the "-d" option to your command line like this:

c:\> winpmem_1.4.exe  -d crashdump.dmp

Now, some of you may be thinking, "So what!  I can already dump memory with dumpit.exe, Win32dd.exe, win64dd.exe and others."  Well, you are right.  But if you have malware that is looking for those tools, now you have another option.   While winpmem might look like a mild mannered memory acquisition tool, it actually has super powers.   The BEST part of winpmem (IMHO) is in those components that I conveniently glazed over.   I'll take a look at winpmem_write_1.4.exe and, better yet, that Python script in my next journal entry.

Interest in Python?   Check out SANS SEC573.  Python for Penetration testers!  I am teaching it in Reston VA March 17th!

Click HERE for more information.

Follow me on twitter?  @MarkBaggett

Mark

81 Posts
ISC Handler
I'm curious--do tools like this work when a GPO has removed the debug programs right? If not, do you have to apply a GP to them that allows debug programs?
John
John

88 Posts Posts
If you are dumping on the suspect machine, you'll want to decide what is acceptable in terms of loss of "unallocated" space is; that 16GB memory dump could possibly overwrite a lot of valuable residual data on the hard disk. A lot of that tolerance probably depends on the type of incident/case you are working on. Depending on your tolerance, your best bet would be to dump it off disk in some fashion, which introduces some complexity and points of failure, but definitely worth it once you get it going.
Bob

2 Posts Posts
winpmem uses a signed device driver. You must be an administrator to install the device driver. You do not require debug privileges to use the tool.
Mark

81 Posts Posts
ISC Handler
You make an excellent point. Where you store your memory image is important.
Mark

81 Posts Posts
ISC Handler
cool, thanks!
John

88 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!