Editing/Creating minidumps

[Open] s0i37 opened this issue 5 years ago • 6 comments

Good day. Please tell me how I can create a minidump with your library from scratch. The live case: I need to create a dump of some virtual memory of some process from a physical dump. Volatility/Rekall provide just a flat memory dump + memory mapping. It is very strange that nowadays we have no way of creating a minidump with third-party libraries (not WinAPI).

s0i37 avatar Sep 13 '19 02:09 s0i37

This sounds like quite some work.

In order to get it done with this library, one would need to at minimum do the following:

  • implement the serialization (to_bytes) function for Memory64ListStream, MemoryInfoListStream, SystemInfoStream, ModuleListStream, (optionally) ThreadInfoListStream and ThreadListStream
  • implement an interface which gathers all required information for the aforementioned streams except for the Memory64ListStream and stores them in memory. Then, when all side-info is gathered and serialized, the file should be constructed, which again requires serialization; finally, start reading the memory and immediately appending it to said file, so you'll use the minimum amount of memory for the operation.
  • make this interface a virtual object, so it can be extended to support the forensics tool/live system you are using to generate the minidump file
  • (opt) make an interface for changing already existing minidumps, but that would take even more effort

skelsec avatar Sep 13 '19 12:09 skelsec
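The layout the steps above describe (fixed-size streams first, then the memory pages appended in descriptor order), as an added example that is not part of the minidump library: a minimal writer for a Memory64ListStream-only file built from a flat physical image plus a virtual-to-physical mapping, and a reader that parses it back. Field layouts follow the public MINIDUMP_HEADER, MINIDUMP_DIRECTORY and MINIDUMP_MEMORY64_LIST definitions; the sample image and mapping are constructed.

```python
import struct
import time

MINIDUMP_SIGNATURE = 0x504D444D   # 'MDMP' read as a little-endian ULONG32
MINIDUMP_VERSION = 0xA793         # MINIDUMP_VERSION (low word of the Version field)
MEMORY64_LIST_STREAM = 9          # MINIDUMP_STREAM_TYPE.Memory64ListStream
HEADER_FMT, DIR_FMT = '<IIIIIIQ', '<III'   # MINIDUMP_HEADER, MINIDUMP_DIRECTORY

def build_memory64_minidump(flat_dump, mapping):
    """flat_dump: bytes of the physical image; mapping: [(virtual_addr, phys_offset, size)].
    Layout: header | one directory entry | MINIDUMP_MEMORY64_LIST | page data.
    Every descriptor is written before any page, so pages are appended sequentially."""
    mapping = list(mapping)
    header_size = struct.calcsize(HEADER_FMT)          # 32
    stream_rva = header_size + struct.calcsize(DIR_FMT)  # directory holds a single entry
    list_size = 16 + 16 * len(mapping)                 # NumberOfMemoryRanges, BaseRva, descriptors
    base_rva = stream_rva + list_size                  # contiguous page data starts here
    out = bytearray(struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, MINIDUMP_VERSION,
                                1, header_size, 0, int(time.time()), 0))
    out += struct.pack(DIR_FMT, MEMORY64_LIST_STREAM, list_size, stream_rva)
    out += struct.pack('<QQ', len(mapping), base_rva)
    for va, _, size in mapping:                        # MINIDUMP_MEMORY_DESCRIPTOR64[]
        out += struct.pack('<QQ', va, size)
    for _, phys, size in mapping:                      # stream the pages in descriptor order
        out += flat_dump[phys:phys + size]
    return bytes(out)

def read_memory64_regions(blob):
    """Parse the Memory64ListStream back into {virtual_addr: bytes}."""
    sig, _ver, nstreams, dir_rva = struct.unpack_from('<IIII', blob, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError('not a minidump')
    regions = {}
    for i in range(nstreams):
        stype, _size, rva = struct.unpack_from(DIR_FMT, blob, dir_rva + 12 * i)
        if stype != MEMORY64_LIST_STREAM:
            continue
        count, offset = struct.unpack_from('<QQ', blob, rva)
        for j in range(count):                         # data for range j follows range j-1
            va, size = struct.unpack_from('<QQ', blob, rva + 16 + 16 * j)
            regions[va] = bytes(blob[offset:offset + size])
            offset += size
    return regions

# Constructed sample: a 4 KiB "physical" image with two virtual pages mapped into it.
FLAT_DUMP = bytes(range(256)) * 16
MAPPING = [(0x7FF600001000, 0x000, 0x100), (0x7FF600003000, 0x800, 0x200)]
```

The resulting file carries only memory ranges, so, as noted in the thread, it still lacks the thread and exception streams a debugger would expect.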

Also please note that this is the bare minimum to get something working. The resulting image will not be usable for, for example, debugging purposes, as it will be missing exception info/thread info etc. Also note that currently it is not possible to create something which fully follows the standard, as Microsoft "forgot" to document all stream types...

skelsec avatar Sep 13 '19 13:09 skelsec

Sounds sad :( By the way, Volatility tools can create a minidump, and moreover this mdmp can be opened with WinDbg. But Volatility does not support specifying another PID which wasn't active at the moment of creating the full memory dump.

s0i37 avatar Sep 14 '19 07:09 s0i37

Could you please tell me, are you planning to implement this in the near future? Or ever?

s0i37 avatar Sep 17 '19 15:09 s0i37

Yes, it is on the roadmap and I have started developing it; however, I can't say for sure when it will be ready. I am aiming for this month.

skelsec avatar Sep 17 '19 22:09 skelsec

@s0i37 I'm making some progress but still not there yet

skelsec avatar Nov 30 '19 22:11 skelsec