INTRODUCTION

This is a collection of tools for analyzing Windows memory dumps. The
tools available are:
  - vadwalk.py : walk the Virtual Address Descriptor tree of a process
                 and print it out as a table, an ASCII tree, or write
                 it to a GraphViz file.
  - vadinfo.py : get detailed information about nodes in the Virtual
                 Address descriptor tree, including associated Control
                 Areas and File Objects (eg, files mapped into the
                 process's address space, such as loaded DLLs).
  - vaddump.py : extract the memory regions described by the VAD tree
                 and write them to disk. This should be an accurate and
                 fairly compact representation of the process's address
                 space.
  - procdump.py : rebuild an executable (DLL, EXE) from a memory image
                 and save it to disk.
  - listdll.py : walk the _LDR_MODULE_LIST structure in a process's PEB
                 (Process Environment Block) and print out a list of
                 all loaded modules (DLLs).

REQUIREMENTS

* All tools require Python 2.4 or higher.
* You will need a memory dump in some format that preserves physical
  addresses. VMWare's .vmem files and images obtained with dd will both
  work. Microsoft memory dump (.DMP) files are not yet supported.
* procdump.py requires the pefile module to parse the PE file
  structure. pefile is available from http://dkbza.org/pefile.html
* FTimes with XMagic support is needed to make use of the _EPROCESS
  signatures in the magic directory. If you have some alternate means
  of finding _EPROCESS structures in windows memory dumps, such as
  ptfinder, you can use those instead.

WORKFLOW

In general, ftimes is first used with the appropriate xmagic from the
magic subdirectory to generate a list of all _EPROCESS (the Windows
kernel structure that represents a process) structures in the memory
dump. Each tool takes at least two arguments: the name of the memory
dump and the offset to an _EPROCESS structure.

Additional help for each specific tool is available via the --help
option.

CAVEATS

* The tools are pretty young, and error handling isn't implemented
  everywhere. Partially corrupt/invalid structures in memory may cause
  the tools to crash.
* memutil.py assumes a naive memory model and ignores any page table
  entries marked as invalid. As Jesse Kornblum has shown, much better
  results can be obtained by adding support for transitional and
  prototype PTEs.

LICENSE

All tools are released into the public domain, in the hope that someone
will find them useful.

AUTHOR

Brendan Dolan-Gavitt