Winpmem - Mild mannered memory aquisition tool??

Published: 2013-11-19
Last Updated: 2013-11-19 03:08:10 UTC
by Mark Baggett (Version: 1)
5 comment(s)

There should be little argument that with today's threats you should always acquire a memory image when dealing with any type of malware.  Modern desktops can have 16 gigabytes of RAM or more filled with evidence that is usually crutial to understanding what was happening on that machine.   Failure to acquire that memory will make analyzing the other forensic artifacts difficult or in some cases impossible.  Chad Tilbury (@chadtilbury) recently told me about a new memory acquisition tool that I want to share with the ISC readers.  It is called winpmem.   It is written by Michael Cohen.  It is free and it is available for download here.  Here is a look at it.  

After downloading and expanding the zip file you will see the following components:

You can see there are two executables.  They are named winpmem_1.4.exe and winpmem_write_1.4.exe.  I'll come back to winpmem_write_1.4.exe later.  There is also a "binaries" directory that includes a couple of device drivers and a Python script.   That sounds like fun!   I'll come back to that one later as well.  For now, lets talk about winpmem_1.4.exe.  If you run it without any parameters you will get a help screen.   It looks like this:

If you want to use winpmem to acquire a raw memory image, all you have to do is provide it with a filename.  A copy of all the bytes in memory will be saved to that file.  For example:

c:\> winpmem_1.4.exe memory.dmp

This will create a raw memory image named "memory.dmp" suitable for analysis with Volatility, Mandiants Redline and others.   The tool can also create a crash dump that is suitable for analysis with Microsoft WinDBG.   To do so you just add the "-d" option to your command line like this:

c:\> winpmem_1.4.exe  -d crashdump.dmp

Now, some of you may be thinking, "So what!  I can already dump memory with dumpit.exe, Win32dd.exe, win64dd.exe and others."  Well, you are right.  But if you have malware that is looking for those tools, now you have another option.   While winpmem might look like a mild mannered memory acquisition tool, it actually has super powers.   The BEST part of winpmem (IMHO) is in those components that I conveniently glazed over.   I'll take a look at winpmem_write_1.4.exe and, better yet, that Python script in my next journal entry.

Interest in Python?   Check out SANS SEC573.  Python for Penetration testers!  I am teaching it in Reston VA March 17th!

Click HERE for more information.

Follow me on twitter?  @MarkBaggett

Keywords: forensics
5 comment(s)
ISC StormCast for Tuesday, November 19th 2013 Compromise - Possible 0-day

Published: 2013-11-19
Last Updated: 2013-11-19 02:05:30 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Earlier today, was compromised. The group conducting the attack claims to have a 0-day available that enabled the attacker to execute shell commands on the server. The attacker posted screen shots as proof and offered the exploit for sale for $7,000.

If you run vBulletin:

  • carefully watch your logs.
  • ensure that you apply all hardening steps possible (anybody got a good pointer to a hardening guide?)
  • keep backups of your database and other configuration information
  • if you can: log all port 80 traffic to your bulletin.

If you had an account on, make sure you are not reusing the password. The attackers claimed to have breached as well. According to macrumors, that exploit was due to a shared password. There is a chance that the 0-day exploit is fake and shared passwords are the root cause.

Any other ideas?


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: vbulletin
1 comment(s)


Published: 2013-11-19
Last Updated: 2013-11-19 01:26:18 UTC
by Jim Clausing (Version: 1)
0 comment(s)

I exchanged some e-mail today with reader, Curtis and as result have fixed a typo and added some error checking to handle a problem that he was seeing (though I didn't, I suspect it has to do with different installed versions of some of the Perl packages, so I'll continue to look into the problem and will probably release another update in the next few days).  Version 1.5.1 can  be found here:

Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Keywords: dns IPv6 tools
0 comment(s)


Diary Archives