INTRODUCTION

This is a collection of tools for analyzing Windows memory dumps. The tools available are:

- vadwalk.py : walk the Virtual Address Descriptor (VAD) tree of a process and print it out as a table, an ASCII tree, or write it to a GraphViz file.
- vadinfo.py : get detailed information about nodes in the VAD tree, including associated Control Areas and File Objects (e.g., files mapped into the process's address space, such as loaded DLLs).
- vaddump.py : extract the memory regions described by the VAD tree and write them to disk. This should be an accurate and fairly compact representation of the process's address space.
- procdump.py : rebuild an executable (DLL, EXE) from a memory image and save it to disk.
- listdll.py : walk the loaded-module list (_PEB_LDR_DATA) hanging off a process's PEB (Process Environment Block) and print out a list of all loaded modules (DLLs).

REQUIREMENTS

* All tools require Python 2.4 or higher.
* You will need a memory dump in some format that preserves physical addresses. VMware's .vmem files and images obtained with dd will both work. Microsoft memory dump (.DMP) files are not yet supported.
* procdump.py requires the pefile module to parse the PE file structure. pefile is available from http://dkbza.org/pefile.html
* FTimes with XMagic support is needed to make use of the _EPROCESS signatures in the magic directory. If you have some alternate means of finding _EPROCESS structures in Windows memory dumps, such as ptfinder, you can use those instead.

WORKFLOW

In general, ftimes is first used with the appropriate xmagic from the magic subdirectory to generate a list of all _EPROCESS structures (the Windows kernel structure that represents a process) in the memory dump. Each tool then takes at least two arguments: the name of the memory dump and the physical offset of an _EPROCESS structure. Additional help for each specific tool is available via the --help option.
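Every tool above reads process memory through a page-table walk over the raw dump (the model memutil.py uses is described under CAVEATS). The following is an added example, not code from vadtools, showing an x86 non-PAE walk over a constructed four-page "dump": the naive translation that honours only the hardware Valid bit, and the same walk extended to accept transition PTEs (Valid=0, Prototype=0, Transition=1), whose PFN field still points at the physical frame holding the page's data. The page layout, PTE values, CR3 value and strings are all constructed for the example; the bit positions are those of the x86 hardware PTE and Windows' software bits. It is written for current Python rather than the Python 2.4 the tools target.

```python
# Added example (not part of vadtools): x86 non-PAE page-table walk over a
# constructed memory dump, contrasting the naive Valid-bit-only model with
# one that also follows transition PTEs.
import struct

PAGE_SIZE = 0x1000
PTE_VALID = 1 << 0          # hardware Present bit
PDE_LARGE_PAGE = 1 << 7     # PS bit: 4 MB page, no second-level table
PTE_PROTOTYPE = 1 << 10     # Windows software bit
PTE_TRANSITION = 1 << 11    # Windows software bit
PFN_MASK = 0xFFFFF000


def read_u32(mem, phys):
    """Read a little-endian 32-bit word at a physical offset in the dump."""
    return struct.unpack_from("<I", mem, phys)[0]


def _frame(entry, allow_transition):
    """Physical frame a PTE refers to, or None if the page is not in RAM."""
    if entry & PTE_VALID:
        return entry & PFN_MASK
    # Transition PTE: page is on the standby/modified list, PFN still good.
    if allow_transition and (entry & PTE_TRANSITION) and not (entry & PTE_PROTOTYPE):
        return entry & PFN_MASK
    return None


def vtop(mem, cr3, va, allow_transition=False):
    """Translate a virtual address to a physical offset in the dump.
    With allow_transition=False this is the naive model: anything whose
    Valid bit is clear is treated as unmapped."""
    pde = read_u32(mem, (cr3 & PFN_MASK) + ((va >> 22) << 2))
    if not pde & PTE_VALID:
        return None
    if pde & PDE_LARGE_PAGE:                      # 4 MB page: no page table
        return (pde & 0xFFC00000) | (va & 0x003FFFFF)
    pte = read_u32(mem, (pde & PFN_MASK) + (((va >> 12) & 0x3FF) << 2))
    frame = _frame(pte, allow_transition)
    return None if frame is None else frame | (va & 0xFFF)


def read_virtual(mem, cr3, va, size, allow_transition=False):
    """Read size bytes at va, page by page; unmapped pages read as zeros
    so the caller can see where the gap in the address space is."""
    out = bytearray()
    while size:
        chunk = min(size, PAGE_SIZE - (va & 0xFFF))
        phys = vtop(mem, cr3, va, allow_transition)
        out += mem[phys:phys + chunk] if phys is not None else b"\0" * chunk
        va += chunk
        size -= chunk
    return bytes(out)


def build_dump():
    """Constructed dump: page directory at 0x0000, one page table at 0x1000,
    two data pages. Returns (dump bytes, CR3)."""
    mem = bytearray(4 * PAGE_SIZE)
    pd, pt, data_a, data_b = 0x0000, 0x1000, 0x2000, 0x3000
    # PDE 1 covers VAs 0x00400000-0x007FFFFF and points at the page table.
    struct.pack_into("<I", mem, pd + 1 * 4, pt | PTE_VALID)
    # PTE 0: 0x00400000 -> data_a, valid.
    struct.pack_into("<I", mem, pt + 0 * 4, data_a | PTE_VALID)
    # PTE 1: 0x00401000 -> data_b, trimmed to the standby list (transition).
    struct.pack_into("<I", mem, pt + 1 * 4, data_b | PTE_TRANSITION)
    # PTE 2: 0x00402000 stays zero: genuinely not present.
    mem[data_a:data_a + 5] = b"hello"
    mem[data_b:data_b + 5] = b"world"
    return bytes(mem), pd


if __name__ == "__main__":
    mem, cr3 = build_dump()
    for va in (0x00400000, 0x00401000, 0x00402000):
        print("%#010x naive=%r transition=%r" % (
            va, vtop(mem, cr3, va), vtop(mem, cr3, va, allow_transition=True)))
    print(read_virtual(mem, cr3, 0x00400000, 5))
    print(read_virtual(mem, cr3, 0x00401000, 5))
    print(read_virtual(mem, cr3, 0x00401000, 5, allow_transition=True))
```

Run stand-alone it prints the three translations and shows that the naive read of 0x00401000 comes back as zeros while the transition-aware read returns the data that is still sitting in physical memory. Prototype PTEs and pagefile-backed PTEs are deliberately left as "not present" here; resolving them needs the section object or the pagefile, which neither this example nor the tools cover.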
CAVEATS

* The tools are pretty young, and error handling isn't implemented everywhere. Partially corrupt or invalid structures in memory may cause the tools to crash.
* memutil.py assumes a naive memory model and ignores any page table entries marked as invalid. As Jesse Kornblum has shown ("Using Every Part of the Buffalo in Windows Memory Analysis", DFRWS 2007), much better results can be obtained by adding support for transition and prototype PTEs, since pages whose Valid bit is clear are frequently still present in physical memory.

LICENSE

All tools are released into the public domain, in the hope that someone will find them useful.

AUTHOR

Brendan Dolan-Gavitt