Comments (8)
Hi there, volatility doesn't really do memory acquisition, so I assume you're asking about extracting a process's memory and writing it into a valid minidump file? We don't currently have the capability, and we wouldn't have certain information (such as registers or CPU state) that a minidump might otherwise have, but otherwise if the format is well documented it should be possible to do?
Yes, the acquisition portion would be done using other tools and would create a full dump file of the current physical memory. Would it be possible through volatility or any applicable plugins to search and parse the physical dump file for a specific process memory and output the contents in minidump format? The project I originally discovered that utilized Rekall that achieved this goal would be the following: https://github.com/WithSecureLabs/physmem2profit/
There are already plugins for interacting with LSASS and dumping credentials? (See windows.hashdump and windows.lsadump) Is there a specific reason for wanting to carve the data out of memory into a minidump file? The project you mentioned essentially reads physical memory, so it might be much easier to adapt that to read from a file dump of physical memory in order to achieve your goal?
Currently I would like to be able to utilize all of the minidump parsing capabilities of a tool called mimikatz: https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/minidump
I do not believe the windows.hashdump/lsadump cover all of the same parsing routines thus leaving out some potential credentials.
I believe in volatility2 there was a community plugin to support these parsing methods potentially? : https://github.com/volatilityfoundation/community/blob/master/FrancescoPicasso/mimikatz.py
Noting the adaptation for physmem2profit, that is definitely an option. But I would like to investigate any other options that may be viable before spending the time.
I appreciate the help!
Ok, that seems a reasonable request then. We'll leave this open but it's quite a niche case and therefore not necessarily a priority for the foundation I'm afraid...
You can write a plugin to use pypykatz for this specific LSASS scenario. I have one example here that I updated from the pypykatz author himself:
https://github.com/daddycocoaman/volplugins
I'm also interested in getting minidumps out of volatility3. It's definitely possible, as the focus probably won't be on things like CPU state and registers, but more just the memory streams. MemProcFS does this effectively, and I wanted to work on a Vol3 plugin for this last year but got distracted with life. I'll re-add this on my list of things to try to do this year. :)
Do you know if the plugin you created above would work for my scenario? I briefly looked at pypykatz a couple weeks ago but ended up going down a rabbit hole with WinDBG with no success. I'm really trying to find any easy solution before I dump a bunch of hours into writing new code.
Also, I noticed your dumpscan project; it looks awesome.
https://github.com/daddycocoaman/dumpscan
I currently have a couple ways to gather my mem dumps using DFIR tools or windows error reporting but I need to extract that sweet sweet LSASS :)