
Comments (8)

ikelos commented on June 3, 2024

Hi there, volatility doesn't really do memory acquisition, so I assume you're asking about extracting a process's memory and writing it into a valid minidump file? We don't currently have the capability, and we wouldn't have certain information (such as registers or CPU state) that a minidump might otherwise have, but otherwise if the format is well documented it should be possible to do?

from volatility3.
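An added, self-contained example (not code from volatility3 or from any project mentioned in the thread) of the "well documented format" point above: it builds a minimal minidump that carries only a Memory64ListStream from constructed sample regions, then parses it back with the bounds check a forensic reader needs when the dump file itself is untrusted. It assumes only the public MINIDUMP_HEADER, MINIDUMP_DIRECTORY and MINIDUMP_MEMORY64_LIST layouts; the sample regions and addresses are made up.

```python
import struct

MDMP_SIGNATURE = 0x504D444D        # 'MDMP' as a little-endian ULONG32
MDMP_VERSION = 0xA793              # MINIDUMP_VERSION lives in the low 16 bits of Version
MEMORY64_LIST_STREAM = 9           # MINIDUMP_STREAM_TYPE.Memory64ListStream

# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
HEADER = struct.Struct("<IIIIIIQ")
# MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva
DIRECTORY = struct.Struct("<III")
# MINIDUMP_MEMORY64_LIST: NumberOfMemoryRanges, BaseRva (ranges follow, data is contiguous at BaseRva)
MEM64_LIST = struct.Struct("<QQ")
# MINIDUMP_MEMORY_DESCRIPTOR64: StartOfMemoryRange, DataSize
MEM64_DESC = struct.Struct("<QQ")


def build_minidump(ranges):
    """ranges: list of (virtual_address, bytes). Returns a minidump with one Memory64ListStream."""
    dir_rva = HEADER.size
    list_rva = dir_rva + DIRECTORY.size
    list_size = MEM64_LIST.size + MEM64_DESC.size * len(ranges)
    base_rva = list_rva + list_size            # memory contents start right after the list
    header = HEADER.pack(MDMP_SIGNATURE, MDMP_VERSION, 1, dir_rva, 0, 0, 0)
    directory = DIRECTORY.pack(MEMORY64_LIST_STREAM, list_size, list_rva)
    mem_list = MEM64_LIST.pack(len(ranges), base_rva)
    mem_list += b"".join(MEM64_DESC.pack(va, len(data)) for va, data in ranges)
    return header + directory + mem_list + b"".join(data for _, data in ranges)


def parse_memory64(dump):
    """Return {virtual_address: bytes} from the Memory64ListStream; raises ValueError on malformed input."""
    sig, ver, nstreams, dir_rva, _, _, _ = HEADER.unpack_from(dump, 0)
    if sig != MDMP_SIGNATURE or (ver & 0xFFFF) != MDMP_VERSION:
        raise ValueError("not a minidump")
    regions = {}
    for i in range(nstreams):
        stype, _size, rva = DIRECTORY.unpack_from(dump, dir_rva + i * DIRECTORY.size)
        if stype != MEMORY64_LIST_STREAM:
            continue
        count, offset = MEM64_LIST.unpack_from(dump, rva)
        for j in range(count):
            va, dsize = MEM64_DESC.unpack_from(dump, rva + MEM64_LIST.size + j * MEM64_DESC.size)
            if offset + dsize > len(dump):     # descriptor claims more bytes than the file holds
                raise ValueError("memory range runs past end of file")
            regions[va] = dump[offset:offset + dsize]
            offset += dsize
    return regions


def round_trip():
    # Constructed sample regions standing in for pages carved out of a process
    ranges = [(0x7FF600000000, b"MZ" + b"\x00" * 14), (0x10000000, b"sample data".ljust(16, b"\x00"))]
    return parse_memory64(build_minidump(ranges))
```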

Fr0gZero commented on June 3, 2024

Yes, the acquisition portion would be done using other tools and would create a full dump file of the current physical memory. Would it be possible through volatility or any applicable plugins to search and parse the physical dump file for a specific process memory and output the contents in minidump format? The project I originally discovered that utilized Rekall that achieved this goal would be the following: https://github.com/WithSecureLabs/physmem2profit/


ikelos commented on June 3, 2024

There are already plugins for interacting with LSASS and dumping credentials? (See windows.hashdump and windows.lsadump) Is there a specific reason for wanting to carve the data out of memory into a minidump file? The project you mentioned essentially reads physical memory, so it might be much easier to adapt that to read from a file dump of physical memory in order to achieve your goal?


Fr0gZero commented on June 3, 2024

Currently I would like to be able to utilize all of the minidump parsing capabilities of a tool called mimikatz: https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/minidump

I do not believe the windows.hashdump/lsadump cover all of the same parsing routines thus leaving out some potential credentials.

I believe in volatility2 there was a community plugin to support these parsing methods potentially? : https://github.com/volatilityfoundation/community/blob/master/FrancescoPicasso/mimikatz.py

Noting the adaptation for physmem2profit, that is definitely an option. But I would like to investigate any other options that may be viable before spending the time.

I appreciate the help!


ikelos commented on June 3, 2024

Ok, that seems a reasonable request then. We'll leave this open but it's quite a niche case and therefore not necessarily a priority for the foundation I'm afraid...


daddycocoaman commented on June 3, 2024

You can write a plugin to use pypykatz for this specific LSASS scenario. I have one example here that I updated from the pypykatz author himself:

https://github.com/daddycocoaman/volplugins

I'm also interested in getting minidumps out of volatility3. It's definitely possible, as the focus probably won't be on things like CPU state and registers, but more just the memory streams. MemProcFS does this effectively, and I wanted to work on a Vol3 plugin for this last year but got distracted with life. I'll re-add this on my list of things to try to do this year. :)


Fr0gZero commented on June 3, 2024

Do you know if the plugin you created above would work for my scenario? I briefly looked at pypykatz a couple of weeks ago but ended up going down a rabbit hole with WinDbg with no success. I'm really trying to find an easy solution before I dump a bunch of hours into writing new code.


Fr0gZero commented on June 3, 2024

Also, I noticed your dumpscan project; it looks awesome.

https://github.com/daddycocoaman/dumpscan

I currently have a couple of ways to gather my mem dumps using DFIR tools or Windows Error Reporting, but I need to extract that sweet sweet LSASS :)
