mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-18 17:16:10 +00:00
79 lines
4.9 KiB
Markdown
79 lines
4.9 KiB
Markdown
|
# Memory dump analysis
|
|||
|
|
|
|||
|
|
{% hint style="success" %}
|
|||
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|
|||
|
|
<details>
|
|||
|
|
|
|||
|
|
<summary>Support HackTricks</summary>
|
|||
|
|
|
|||
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|
|||
|
|
</details>
|
|||
|
|
{% endhint %}
|
|||
|
|
|
|||
|
|
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|
|||
|
|
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
|||
|
|
|
|||
|
|
{% embed url="https://www.rootedcon.com/" %}
|
|||
|
|
|
|||
|
|
## Start
|
|||
|
|
|
|||
|
|
Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../malware-analysis.md).
|
|||
|
|
|
|||
|
|
## [Volatility](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md)
|
|||
|
|
|
|||
|
|
**Volatility is the main open-source framework for memory dump analysis**. This Python tool analyzes dumps from external sources or VMware VMs, identifying data like processes and passwords based on the dump's OS profile. It's extensible with plugins, making it highly versatile for forensic investigations.
|
|||
|
|
|
|||
|
|
**[Find here a cheatsheet](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md)**
|
|||
|
|
|
|||
|
|
|
|||
|
|
## Mini dump crash report
|
|||
|
|
|
|||
|
|
When the dump is small (just some KB, maybe a few MB) then it's probably a mini dump crash report and not a memory dump.
|
|||
|
|
|
|||
|
|
.png>)
|
|||
|
|
|
|||
|
|
If you have Visual Studio installed, you can open this file and bind some basic information like process name, architecture, exception info and modules being executed:
|
|||
|
|
|
|||
|
|
.png>)
|
|||
|
|
|
|||
|
|
You can also load the exception and see the decompiled instructions
|
|||
|
|
|
|||
|
|
.png>)
|
|||
|
|
|
|||
|
|
 (1).png>)
|
|||
|
|
|
|||
|
|
Anyway, Visual Studio isn't the best tool to perform an analysis of the depth of the dump.
|
|||
|
|
|
|||
|
|
You should **open** it using **IDA** or **Radare** to inspection it in **depth**.
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|
|||
|
|
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
|||
|
|
|
|||
|
|
{% embed url="https://www.rootedcon.com/" %}
|
|||
|
|
|
|||
|
|
{% hint style="success" %}
|
|||
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|
|||
|
|
<details>
|
|||
|
|
|
|||
|
|
<summary>Support HackTricks</summary>
|
|||
|
|
|
|||
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|
|||
|
|
</details>
|
|||
|
|
{% endhint %}
|