There are currently 86 patterns in 67 groups and more are coming. I’m working the first two weeks in July to classify them. The classification scheme(s) should appear around 15th of July.
- Dmitry Vostokov @ DumpAnalysis.org -
Analysis of computer memory snapshots (memory dumps) and their evolution is the domain of memoretics. Computer memory semiotics (memiotics or memosemiotics) is the branch of memoretics that studies the interpretation of computer memory, its meaning, signs and symbols.
- Dmitry Vostokov @ DumpAnalysis.org -
Suppose we want to send a complete memory dump to a vendor but want to remove certain sensitive details or perhaps the whole process or image from it. In this case we can use f WinDbg command (virtual addresses) or fp (physical addresses) to fill pages with zeroes. Let’s open a complete memory dump and erase environment variables for a process:
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffadfe7afd8e0
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0014a000 ObjectTable: fffffa8000000c10 HandleCount: 730.
Image: System
PROCESS fffffadfe6edc040
SessionId: none Cid: 0130 Peb: 7fffffdf000 ParentCid: 0004
DirBase: 34142000 ObjectTable: fffffa80009056d0 HandleCount: 19.
Image: smss.exe
[...]
PROCESS fffffadfe67905a0
SessionId: 0 Cid: 085c Peb: 7fffffd4000 ParentCid: 0acc
DirBase: 232e2000 ObjectTable: fffffa8000917e10 HandleCount: 55.
Image: SystemDump.exe
kd> .process /r /p fffffadfe7287610
Implicit process is now fffffadf`e7287610
Loading User Symbols
kd> !peb
PEB at 000007fffffd4000
[...]
Environment: 0000000000010000
kd> dd 10000
00000000`00010000 004c0041 0055004c 00450053 00530052
00000000`00010010 00520050 0046004f 004c0049 003d0045
00000000`00010020 003a0043 0044005c 0063006f 006d0075
00000000`00010030 006e0065 00730074 00610020 0064006e
00000000`00010040 00530020 00740065 00690074 0067006e
00000000`00010050 005c0073 006c0041 0020006c 00730055
00000000`00010060 00720065 002e0073 00320057 0033004b
00000000`00010070 00410000 00500050 00410044 00410054
kd> f 10000 10000+1000 0
Filled 0x1000 bytes
kd> dd 10000
00000000`00010000 00000000 00000000 00000000 00000000
00000000`00010010 00000000 00000000 00000000 00000000
00000000`00010020 00000000 00000000 00000000 00000000
00000000`00010030 00000000 00000000 00000000 00000000
00000000`00010040 00000000 00000000 00000000 00000000
00000000`00010050 00000000 00000000 00000000 00000000
00000000`00010060 00000000 00000000 00000000 00000000
00000000`00010070 00000000 00000000 00000000 00000000
Now we can save the modified complete dump file:
kd> .dump /f c:\Dumps\SecuredDump.dmp
If we want to find and erase read-write pages, for example, we can use !vad WinDbg command to get the description of virtual address ranges:
kd> !process
PROCESS fffffadfe67905a0
SessionId: 0 Cid: 085c Peb: 7fffffd4000 ParentCid: 0acc
DirBase: 232e2000 ObjectTable: fffffa8000917e10 HandleCount: 55.
Image: SystemDump.exe
VadRoot fffffadfe6f293e0 Vads 65 Clone 0 Private 388. Modified 84. Locked 0.
DeviceMap fffffa80020777c0
Token fffffa80008e5b50
ElapsedTime 00:00:06.265
UserTime 00:00:00.031
KernelTime 00:00:00.062
QuotaPoolUsage[PagedPool] 113464
QuotaPoolUsage[NonPagedPool] 5152
Working Set Sizes (now,min,max) (1429, 50, 345) (5716KB, 200KB, 1380KB)
PeakWorkingSetSize 1429
VirtualSize 61 Mb
PeakVirtualSize 63 Mb
PageFaultCount 1555
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 471
kd> !vad fffffadfe6f293e0
VAD level start end commit
fffffadfe682bdf0 ( 6) 10 10 1 Private READWRITE
fffffadfe73a0e10 ( 5) 20 20 1 Private READWRITE
fffffadfe73a0dd0 ( 4) 30 12f 8 Private READWRITE
fffffadfe71a4770 ( 5) 130 134 0 Mapped READONLY
fffffadfe781bbe0 ( 3) 140 141 0 Mapped READONLY
[…]
fffffadfe772d630 (-2) 7fffffdc 7fffffdd 2 Private READWRITE
fffffadfe788e180 (-1) 7fffffde 7fffffdf 2 Private READWRITE
Total VADs: 65 average level: 66076419 maximum depth: -1
In the output start and end columns refer to virtual page numbers (VPN). To get an address we need to multiply by 0×1000, for example, 7fffffde000.
Filling memory with zeroes to hide data with subsequent saving of a modified crash dump is applicable to user dumps too. Please also check for additional security-related flags in .dump command:
Another application for data hiding and modification could be the creation of the customized crash dumps for digital forensics exercises and contests.
- Dmitry Vostokov @ DumpAnalysis.org -
My friend was typing a long message in IE to one of his old schoolmates that he had just found on Internet. He spent about an hour writing and rewriting and when finally hit the Send button he got a page saying that connection was probably lost. Going back in URL history brought the empty edit box and all data was lost. Or was it? He called me and I immediately advised him to save a crash dump of iexplore.exe using Task Manager (Vista). I also asked him for a word he used to start his message. It was “Hello” in Russian. I got his dump file and opened it in WinDbg. Because the language of his message was Russian I assumed that it was still there in local buffers or heap entries in UNICODE format so I typed “ello” in Notepad and saved this in a Unicode text file. Loading it in a binary editor (I used Visual C++) showed the following sequence of bytes:
40 04 38 04 32 04 35 04 42 04
Then I did a search in WinDbg for this sequence from the first loaded module address till the end of user space:
0:000> lm
start end module name
003c0000 0045b000 iexplore
[...]
0:000> s 003c0000 L?7FFFFFFF 40 04 38 04 32 04 35 04 42 04
[...]
048971e4 40 04 38 04 32 04 35 04-42 04 2c 00 20 00 1c 04 @.8.2.5.B.,. ...
[...]
08530fe4 40 04 38 04 32 04 35 04-42 04 2c 00 20 00 1c 04 @.8.2.5.B.,. ...
[...]
201ea65c 40 04 38 04 32 04 35 04-42 04 2c 00 20 00 1c 04 @.8.2.5.B.,. ...
[...]
The number of found entries was big and I decided to output every entry into a file using the following script:
.foreach ( address { s-[1]b 003c0000 L?7FFFFFFF 40 04 38 04 32 04 35 04 42 04 }) {.writemem c:\dmitry\ieout${address}.txt ${address}-10 ${address}+1000}
I got numerous files:
C:\dmitry>dir ieout*.txt
[...]
09/06/2008 08:53 4112 ieout0x048971e4.txt
09/06/2008 08:53 4112 ieout0x0489784c.txt
09/06/2008 08:53 4112 ieout0x0489b854.txt
09/06/2008 08:53 4112 ieout0x0489bc5c.txt
[...]
I combined all of them into one big file and sent it to my friend:
C:\dmitry>type ieout0x*.txt >ieoutall.txt
The file contained not only the final message but all intermediate typing histories too. He was very happy.
- Dmitry Vostokov @ DumpAnalysis.org -
Following the introductory division of memory analysis into two broad categories I decided to plan yet another book with the following title and preliminary product details:
As you might have noticed, I prefer to put 128, 256 or 512 pages in my book announcements. What that would say about the author’s background? 
I would like to set 1024 pages for my memory dump analysis anthology series but 740 or 800 pages is the limit for POD technology I use.
- Dmitry Vostokov @ DumpAnalysis.org -
Recently being interested in forensic science and intelligence I decided to elaborate on memory analysis classification and came up with the following division:
- Memory Analysis Forensics
Answering questions related to a committed computer crime. The suspect may be a human or a software / hardware component. Incident response, troubleshooting and debugging belong to this category. Postmortem memory analysis is usually analysis of dump files saved and detached from the original system or operating conditions.
- Memory Analysis Intelligence
Monitoring memory state for behavioural and structural patterns to prevent certain events from occurring. Usually done in situ. However digital dumpster divers and spies may also collect and analyze memory data that was detached from the original computer system.
Each category can be further subdivided into:
– Functional Memory Analysis
Tracing of events.
Analysis of memory states and their evolution.
The latter can be subdivided into:
— Static Memory Analysis
Traditional memory dump analysis.
— Dynamic Memory Analysis
Live debugging.
- Dmitry Vostokov @ DumpAnalysis.org -