https://github.com/life45/dmpsecurity
Parsing Windows kernel memory dumps for security checks.
anticheat antimalware antivirus dmp driver dump integrity kernel memory page pagewalk parse security windows
- Host: GitHub
- URL: https://github.com/life45/dmpsecurity
- Owner: Life45
- License: mit
- Created: 2025-03-01T19:52:29.000Z (2 months ago)
- Default Branch: main
- Last Pushed: 2025-03-22T23:21:33.000Z (about 1 month ago)
- Last Synced: 2025-03-23T00:22:11.819Z (about 1 month ago)
- Topics: anticheat, antimalware, antivirus, dmp, driver, dump, integrity, kernel, memory, page, pagewalk, parse, security, windows
- Language: C++
- Homepage:
- Size: 27.3 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# .dmp Security
A proof-of-concept tool that leverages Windows kernel dump files for enhanced security analysis.
## Overview
**.dmp Security** was created to take advantage of the introduction of full live kernel dumps in Windows 11. It allows you to capture a live snapshot of the kernel memory and perform various security checks entirely from user mode—no kernel driver required.
## Features
- **Live Kernel Dump** (`-ld`):
  Create a live kernel dump (*requires administrative privileges and Win11*).
- **Pagewalk Analysis** (`-p`):
  Walk through all kernel pages and trigger two specific callbacks:
  - **Executable Page Callback**: Logs whenever an executable page is found outside the loaded modules.
  - **Page Start Callback**: Logs when a page begins with a DOS header and is outside the loaded modules.

  *Note: This logs a considerable number of pages on a normal system as well. Whether it be signature scanning or something else, it's up to your imagination to mitigate.*
- **Driver Extraction** (`-d`):
  Extract a driver from the dump and save it to a file.
- **Integrity Check** (`-i`):
  Perform a disk-versus-memory integrity check on a specified driver by:
  - Comparing section headers.
  - Conducting byte/instruction-level comparisons on executable pages.
  - Mitigating false positives (due to factors like Retpoline, import optimization, and KASLR) by skipping mismatched RVAs if a Dynamic Value Relocation Table (DVRT) entry is present.

  *Note: This is a very simple approach and, as you might imagine, it will lead to false negatives if the mismatch happens at one of these locations. Check out the integrity code and [DVRT parser](https://github.com/Life45/dmputils/blob/main/external/dvrtparser/dvrtparser.h) for nuances and workarounds.*

This project was developed over a weekend as a quick proof-of-concept. There is plenty of room for expansion, so feel free to explore additional security checks and improvements.
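The three-step integrity check described under `-i` (section headers, byte comparison of executable pages, DVRT-based skipping) reduces to the logic below. This is an added illustration and not code from the dmpsecurity project: the `Section` and `DvrtEntry` structs, the flat RVA-addressed byte buffers and the sample data are all constructed assumptions standing in for real PE section headers, the mapped driver image, and parsed DVRT entries. The sample deliberately contains one change inside a DVRT range (skipped, which is also the false-negative case the note above warns about) and one change outside any DVRT range (reported).

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical simplified section descriptor; a real tool would read these
// from IMAGE_SECTION_HEADER in the PE headers of both the disk and memory image.
struct Section {
    std::string name;
    uint32_t rva;
    uint32_t size;
    bool executable;
};

// Hypothetical DVRT entry: an RVA range the loader is allowed to rewrite
// (Retpoline thunks, import optimisation, KASLR-dependent constants).
struct DvrtEntry {
    uint32_t rva;
    uint32_t length;
};

// Step 1: section headers must agree before a byte comparison is meaningful.
inline bool sectionHeadersMatch(const std::vector<Section>& disk,
                                const std::vector<Section>& mem) {
    if (disk.size() != mem.size()) return false;
    for (size_t i = 0; i < disk.size(); ++i) {
        if (disk[i].name != mem[i].name || disk[i].rva != mem[i].rva ||
            disk[i].size != mem[i].size || disk[i].executable != mem[i].executable)
            return false;
    }
    return true;
}

// True when some DVRT entry covers this RVA, i.e. a mismatch there is expected.
inline bool coveredByDvrt(uint32_t rva, const std::vector<DvrtEntry>& dvrt) {
    for (const auto& e : dvrt)
        if (rva >= e.rva && rva < e.rva + e.length) return true;
    return false;
}

// Steps 2 and 3: byte-compare executable sections, skipping DVRT-covered RVAs.
// Returns the RVAs that differ and are NOT explained by a DVRT entry.
// Both images are flat buffers indexed by RVA (a constructed simplification).
inline std::vector<uint32_t> findUnexplainedMismatches(
        const std::vector<uint8_t>& diskImage,
        const std::vector<uint8_t>& memImage,
        const std::vector<Section>& sections,
        const std::vector<DvrtEntry>& dvrt) {
    std::vector<uint32_t> out;
    for (const auto& s : sections) {
        if (!s.executable) continue;  // only executable pages are compared
        for (uint32_t rva = s.rva; rva < s.rva + s.size; ++rva) {
            if (rva >= diskImage.size() || rva >= memImage.size()) break;
            if (diskImage[rva] == memImage[rva]) continue;
            if (coveredByDvrt(rva, dvrt)) continue;  // legitimate loader rewrite
            out.push_back(rva);
        }
    }
    return out;
}

// Constructed sample data (not from any real driver): a 64-byte image with a
// non-executable region at RVA 0x00..0x10 and an executable one at 0x10..0x30.
inline std::vector<uint8_t> sampleDiskImage() {
    return std::vector<uint8_t>(64, 0x90);  // NOP filler everywhere
}

inline std::vector<uint8_t> sampleMemImage() {
    std::vector<uint8_t> img = sampleDiskImage();
    img[0x14] = 0xE8;  // inside a DVRT range: skipped (also where a false negative could hide)
    img[0x15] = 0x11;
    img[0x22] = 0xCC;  // executable, outside any DVRT range: reported
    img[0x05] = 0xFF;  // non-executable section: not compared by this check
    return img;
}

inline std::vector<Section> sampleSections() {
    return {{".rdata", 0x00, 0x10, false}, {".text", 0x10, 0x20, true}};
}

inline std::vector<DvrtEntry> sampleDvrt() {
    return {{0x14, 2}};  // constructed entry covering RVAs 0x14 and 0x15
}

// Runs the full check on the sample; the sample's headers are identical on
// disk and in memory, so the comparison proceeds to the byte stage.
inline std::vector<uint32_t> runSampleCheck() {
    const auto secs = sampleSections();
    if (!sectionHeadersMatch(secs, secs)) return {};
    return findUnexplainedMismatches(sampleDiskImage(), sampleMemImage(), secs, sampleDvrt());
}
```

`runSampleCheck()` returns only `{0x22}`: the DVRT-covered bytes at 0x14 and 0x15 are silently accepted, which is exactly why the README calls the approach simple and prone to false negatives when a real modification lands inside a relocation entry.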