https://github.com/ivan-sincek/memory-dumper
Dump a process memory and extract data based on regular expressions.
- Host: GitHub
- URL: https://github.com/ivan-sincek/memory-dumper
- Owner: ivan-sincek
- License: mit
- Created: 2022-03-14T10:46:45.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2023-04-25T18:40:04.000Z (over 2 years ago)
- Last Synced: 2024-10-17T16:21:18.506Z (12 months ago)
- Topics: bug-bounty, c-plus-plus, computer-forensics, defensive-security, dump-memory, ethical-hacking, incident-response, offensive-security, penetration-testing, red-team-engagement, reverse-engineering, security, threat-hunting, windows, windows-penetration-testing
- Language: C++
- Homepage:
- Size: 288 KB
- Stars: 3
- Watchers: 2
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Memory Dumper
Dump a process's memory and extract data from it based on regular expressions. The tool uses multithreading.
Dump and inspect a process's memory:
* during inactivity in an application,
* after locking an application,
* after logging out from an application.
Garbage collectors might not free unused memory immediately, but they should do so within 5-10 minutes of the last action.
CPU and RAM consumption, as well as run time, depend heavily on:
* the number of memory dump files,
* the size of each memory dump file,
* the number of regular expressions and their complexity,
* the number of occurrences of each regular expression.
Built with Visual Studio Community 2019 v16.10.2 (64-bit) and tested on Windows 10 Enterprise OS (64-bit).
Made for educational purposes. I hope it will help!
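The scanning idea described above, as an added Python example that is not the project's own C++ code: a list of bytes regexes is run over several dump files in parallel and the unique matches are merged. The pattern names, the sample dump contents and the `write_sample_dumps` and `demo` helpers are constructed for this example; the patterns only illustrate the kind of entries one would put in `files/expressions.txt`.

```python
"""Scan memory-dump files for regex matches using a thread pool.

Added example, not code from the memory-dumper project: it demonstrates the
core technique the tool describes (run a list of regular expressions over one
or more dump files in parallel and merge the unique matches). Pattern names,
sample dump contents and the write_sample_dumps/demo helpers are constructed.
"""
import mmap
import os
import re
import tempfile
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Set

# Constructed patterns of the kind one would list in files/expressions.txt.
# They are bytes regexes so they run over raw dump content without decoding it.
PATTERNS: Dict[str, bytes] = {
    "email":  rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    "bearer": rb"Bearer [A-Za-z0-9\-._~+/]{16,}=*",
    "jwt":    rb"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+",
}


def compile_patterns(patterns: Dict[str, bytes]) -> Dict[str, re.Pattern]:
    """Compile once and share across workers (compiled patterns are thread-safe)."""
    return {name: re.compile(src) for name, src in patterns.items()}


def scan_file(path: str, compiled: Dict[str, re.Pattern]) -> Dict[str, Set[bytes]]:
    """Return {pattern name: set of distinct matches} for a single dump file."""
    found: Dict[str, Set[bytes]] = {name: set() for name in compiled}
    if os.path.getsize(path) == 0:
        return found  # mmap refuses to map an empty file
    # Map the file instead of reading it: a multi-GB dump never lands on the
    # heap, the regex engine walks the mapped pages directly.
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for name, rx in compiled.items():
            for match in rx.finditer(mm):
                found[name].add(match.group(0))
    return found


def scan_dumps(paths: Iterable[str], patterns: Dict[str, bytes] = PATTERNS,
               workers: int = 4) -> Dict[str, List[str]]:
    """Scan every dump in parallel; return sorted, de-duplicated matches per pattern."""
    compiled = compile_patterns(patterns)
    merged: Dict[str, Set[bytes]] = {name: set() for name in compiled}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for per_file in pool.map(lambda p: scan_file(p, compiled), paths):
            for name, hits in per_file.items():
                merged[name] |= hits
    # latin-1 maps every byte value to a character, so decoding cannot fail
    return {name: sorted(h.decode("latin-1") for h in hits) for name, hits in merged.items()}


def write_sample_dumps(directory: str) -> List[str]:
    """Write three constructed stand-in 'dumps': planted strings inside byte noise."""
    noise = bytes(range(256)) * 8
    samples = {
        "dump1.bin": noise + b"user=alice@example.com\x00" + noise
                     + b"Authorization: Bearer abcdef0123456789abcdef\x00",
        "dump2.bin": noise + b"alice@example.com" + noise
                     + b"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl" + noise,
        "empty.bin": b"",  # exercises the empty-file branch
    }
    paths = []
    for name, content in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    return paths


def demo() -> Dict[str, List[str]]:
    """Write the sample dumps to a temporary directory, scan them, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_dumps(write_sample_dumps(tmp))


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits}")
```

Threads overlap the file I/O, but CPython's regex engine holds the GIL, so for CPU-bound scans of large dumps a `ProcessPoolExecutor` is what gives the parallelism the C++ tool gets from native threads. The `mmap` keeps the scan's heap use independent of dump size, which is the "size of each memory dump file" factor listed above.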
## Table of Contents
* [How to Run](#how-to-run)
* [Manual Memory Dumping](#manual-memory-dumping)
* [Manual Memory Inspection](#manual-memory-inspection)
* [rabin2](#rabin2)
* [strings](#strings)
* [Images](#images)
## How to Run
Run MemoryDumper_x86.exe (32-bit) or MemoryDumper_x64.exe (64-bit).
Check the example file with regular expressions [here](https://github.com/ivan-sincek/memory-dumper/blob/main/files/expressions.txt).
## Manual Memory Dumping
To manually dump a process memory, open Task Manager -> right click on the desired process -> click on `Create dump file`.
## Manual Memory Inspection
The following was tested on Kali Linux v2023.1 (64-bit).
Install the required tools on your Kali Linux:
```bash
apt-get -y install strings radare2 grep
```
I prefer using `rabin2` over `strings`.
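The manual inspection pipeline from the rabin2 and strings subsections, as an added Python example that is neither the project's code nor part of radare2 or binutils: it carves printable strings from a blob the way a strings scanner does, filters them case-insensitively like `grep -Pi '(keyword-1|keyword-2)'`, and folds duplicates like `sort -uf`. It also carves UTF-16LE (wide) strings, which matters for Windows process memory; GNU `strings` reports only single-byte strings unless run with `-e l`. The sample blob, keyword list and function names are constructed.

```python
"""Carve printable strings (ASCII and UTF-16LE) from a dump and grep them.

Added example, not part of the memory-dumper project nor of radare2 or
binutils: it mirrors what `rabin2 -zzzqq file | grep -Pi '(k1|k2)'` and
`... | sort -uf` do, with an extra pass for wide strings. The sample blob
and keyword list are constructed.
"""
import re
from typing import Dict, Iterable, List

MIN_LEN = 4  # GNU strings' default minimum string length

# A run of printable ASCII, and a run of printable ASCII interleaved with NUL
# bytes (UTF-16LE). Bytes patterns, so they run over raw dump content.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def carve_strings(blob: bytes) -> List[str]:
    """Narrow strings first, then wide ones. Inside a wide string every printable
    byte is followed by NUL, so no narrow run reaches MIN_LEN and nothing is
    reported twice."""
    narrow = [m.group(0).decode("ascii") for m in ASCII_RUN.finditer(blob)]
    wide = [m.group(0).decode("utf-16-le") for m in WIDE_RUN.finditer(blob)]
    return narrow + wide


def grep_strings(strings: Iterable[str], keywords: Iterable[str]) -> List[str]:
    """Case-insensitive keyword filter, like grep -Pi '(k1|k2|k3)'."""
    rx = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    return [s for s in strings if rx.search(s)]


def unique_fold(strings: Iterable[str]) -> List[str]:
    """Approximates `sort -uf`: one entry per case-folded value, sorted."""
    kept: Dict[str, str] = {}
    for s in strings:
        kept.setdefault(s.casefold(), s)
    return sorted(kept.values(), key=str.casefold)


def inspect_blob(blob: bytes, keywords: Iterable[str]) -> List[str]:
    """Full pipeline: carve -> keyword grep -> case-insensitive unique sort."""
    return unique_fold(grep_strings(carve_strings(blob), keywords))


# Constructed blob: a narrow string, a wide (UTF-16LE) one, a differently
# cased duplicate and a too-short run, separated by non-printable bytes.
SAMPLE_BLOB = (
    b"\x00\x01\x02" + b"password=hunter2" + b"\x00\xff"
    + "Session token: abc".encode("utf-16-le") + b"\x00\x00"
    + b"PASSWORD=hunter2" + b"\x00" + b"ab" + b"\x00"
)


if __name__ == "__main__":
    for line in inspect_blob(SAMPLE_BLOB, ["password", "token"]):
        print(line)
```

Running it on `SAMPLE_BLOB` with the keywords `password` and `token` yields the narrow `password=hunter2` once (its upper-case twin is folded away) and the wide `Session token: abc`, which a single-byte-only scan would never show.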
### rabin2
Inspect memory dump, binary, executable, or any other files:
```bash
# -zzz scans the whole file for strings, -qq prints only the string values
rabin2 -zzzqq somefile | grep -Pi '(keyword-1|keyword-2|keyword-3)'
# Save every string, case-insensitively de-duplicated and sorted, for later review
rabin2 -zzzqq somefile | sort -uf > strings.txt
```
Automate file inspection from the current directory:
```bash
# Split find's output on newlines only, so paths with spaces survive; print each file name, then its matching strings
IFS=$'\n'; for file in $(find . -type f); do printf '\nFILE: "%s"\n' "${file}"; rabin2 -zzzqq "${file}" 2>/dev/null | grep -Pi '(keyword-1|keyword-2|keyword-3)'; done
# Collect the strings of every file into one case-insensitively de-duplicated, sorted list
IFS=$'\n'; for file in $(find . -type f); do rabin2 -zzzqq "${file}" 2>/dev/null; done | sort -uf > strings.txt
```
### strings
Inspect memory dump, binary, executable, or any other files:
```bash
# Print only the strings that contain one of the keywords (case-insensitive)
strings somefile | grep -Pi '(keyword-1|keyword-2|keyword-3)'
# Save every string, case-insensitively de-duplicated and sorted, for later review
strings somefile | sort -uf > strings.txt
```
Automate file inspection from the current directory:
```bash
# Split find's output on newlines only, so paths with spaces survive; print each file name, then its matching strings
IFS=$'\n'; for file in $(find . -type f); do printf '\nFILE: "%s"\n' "${file}"; strings "${file}" 2>/dev/null | grep -Pi '(keyword-1|keyword-2|keyword-3)'; done
# Collect the strings of every file into one case-insensitively de-duplicated, sorted list
IFS=$'\n'; for file in $(find . -type f); do strings "${file}" 2>/dev/null; done | sort -uf > strings.txt
```
## Images
Figure 1 - Run