A Geek Raised by Wolves

Dumping Raw Kernel Memory [Mar. 21st, 2013|09:22 pm]

"A good plan violently executed now is better than a perfect plan executed next week." — General George S. Patton

"DONE IS BETTER THAN PERFECT." — Ben Barry, via Facebook

A recent post on the Volatility™ users mailing list [1] asked for help dumping out a kernel driver from a Microsoft Windows system.

It turns out the standard plugin for dumping kernel modules, moddump, is built on the procexedump plugin. That plugin, in turn, performs a number of sanity checks on the PE headers of the executable it is attempting to extract. Those checks are sensible in general, but in this case they were preventing the poster from getting any data at all.

To help him out, I wrote two plugins. The first is modmemdump. It is the same code as moddump, but based on procmemdump instead of procexedump. (In plain English: this plugin attempts to dump the raw memory of the module without modifying it or performing any sanity checks.) The usage and command-line flags are the same as moddump.

$ python vol.py -f xp-laptop-2005-07-04-1430.vmem --profile=WinXPSP2x86 modmemdump --dump-dir=output
Volatile Systems Volatility Framework 2.3_alpha
Module Base Module Name          Result
----------- -------------------- ------
0x0804d7000 ntoskrnl.exe         OK: driver.804d7000.sys
0x0806ec000 hal.dll              OK: driver.806ec000.sys
0x0f87d9000 PartMgr.sys          OK: driver.f87d9000.sys
0x0f849c000 atapi.sys            OK: driver.f849c000.sys
0x0f5e22000 NAVENG.sys           OK: driver.f5e22000.sys
0x0f8931000 watchdog.sys         OK: driver.f8931000.sys
0x0f8551000 isapnp.sys           OK: driver.f8551000.sys

The second plugin is rawmoddump. This plugin allows you to dump out an arbitrary range of kernel memory. There are no safety checks of any kind. You simply specify a base virtual address, the number of bytes to dump, and an output directory. The plugin performs the read, padding with zeros wherever data is unavailable (for example, pages that are unmapped or were paged out to disk when the image was captured), and writes the result to a file.

$ python vol.py -f xp-laptop-2005-07-04-1430.vmem --profile=WinXPSP2x86 rawmoddump --dump-dir=output --base=0x804d7000 --size=0x214100
Volatile Systems Volatility Framework 2.3_alpha
Wrote 0x214100 bytes to output/module-804d7000-00214100.sys
$ xxd -a output/module-804d7000-00214100.sys | head -n 10
0000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
0000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 e800 0000  ................
0000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  ........!..L.!Th
0000050: 6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno
0000060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS 
0000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode....$.......
0000080: ce0d 2de1 8a6c 43b2 8a6c 43b2 8a6c 43b2  ..-..lC..lC..lC.
0000090: 4963 1eb2 8d6c 43b2 8a6c 42b2 de6c 43b2  Ic...lC..lB..lC.
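As an added illustration of the two strategies the post contrasts (this is not the post's plugin code and does not use Volatility's classes), the following stand-alone Python implements a rawmoddump-style read that zero-fills unavailable pages, side by side with the kind of PE header sanity check an exe-rebuilding dumper applies before it will write anything. FakeAddressSpace, read_range, dump_name, pe_looks_sane and the constructed sample pages are all assumptions of this example; the only thing borrowed from the page is the output file naming and the ntoskrnl.exe base address, used here purely as a label.

```python
"""Raw-range dump with zero padding versus PE header sanity checks.

Stand-alone illustration written for this page; it is not the plugin code
from the post and does not use Volatility's classes. FakeAddressSpace is an
assumption that mimics the read()/zread() contract of a Volatility address
space: read() fails if any page is unavailable, zread() substitutes zeros.
"""
import os
import struct

PAGE_SIZE = 0x1000


class FakeAddressSpace:
    """Constructed stand-in: page-aligned address -> PAGE_SIZE bytes.

    Addresses missing from the map are "unavailable" (unmapped or paged out),
    which is exactly the case a raw dump must tolerate.
    """

    def __init__(self, pages):
        self.pages = pages

    def _pages(self, addr, length):
        """Yield (page_base, offset, chunk_len) covering [addr, addr+length)."""
        while length > 0:
            page = addr & ~(PAGE_SIZE - 1)
            offset = addr - page
            chunk = min(length, PAGE_SIZE - offset)
            yield page, offset, chunk
            addr += chunk
            length -= chunk

    def read(self, addr, length):
        """Strict read: None if any page in the range is unavailable."""
        out = bytearray()
        for page, offset, chunk in self._pages(addr, length):
            buf = self.pages.get(page)
            if buf is None:
                return None
            out += buf[offset:offset + chunk]
        return bytes(out)

    def zread(self, addr, length):
        """Lenient read: unavailable pages come back as zeros."""
        out = bytearray()
        for page, offset, chunk in self._pages(addr, length):
            buf = self.pages.get(page)
            out += buf[offset:offset + chunk] if buf is not None else b"\0" * chunk
        return bytes(out)


def read_range(addr_space, base, size):
    """rawmoddump-style read of [base, base+size): always returns `size` bytes."""
    return addr_space.zread(base, size)


def dump_name(base, size):
    """File name in the form shown in the post's output: module-<base>-<size>.sys."""
    return "module-{:08x}-{:08x}.sys".format(base, size)


def raw_dump(addr_space, base, size, dump_dir):
    """Read the range and write it out with no checks; returns the path written."""
    path = os.path.join(dump_dir, dump_name(base, size))
    with open(path, "wb") as fh:
        fh.write(read_range(addr_space, base, size))
    return path


def pe_looks_sane(data):
    """Header checks of the kind an exe-rebuilding dumper applies before writing.

    Returns (ok, reason). A failure here yields no output at all, which is
    the behaviour the poster hit; a raw dump skips these checks entirely.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, "no MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, "no PE signature"
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    if num_sections == 0 or num_sections > 96:  # cap used here; Windows loaders reject more than 96
        return False, "implausible section count"
    return True, "ok"


def _header_page():
    """Constructed page: MZ stub, PE signature and a 3-section file header, nothing else."""
    page = bytearray(PAGE_SIZE)
    page[0:2] = b"MZ"
    struct.pack_into("<I", page, 0x3C, 0x80)   # e_lfanew
    page[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", page, 0x84, 0x14C)  # Machine: i386
    struct.pack_into("<H", page, 0x86, 3)      # NumberOfSections
    return bytes(page)


BASE = 0x804D7000  # label only: the ntoskrnl.exe base from the post's listing
# Constructed three-page "module": header page present, second page unavailable, third present.
SAMPLE_AS = FakeAddressSpace({BASE: _header_page(), BASE + 0x2000: b"\xCC" * PAGE_SIZE})
# Same module with the header page itself paged out.
PAGED_OUT_HEADER_AS = FakeAddressSpace({BASE + 0x2000: b"\xCC" * PAGE_SIZE})


if __name__ == "__main__":
    import tempfile
    out_dir = tempfile.mkdtemp()
    for label, space in (("header present", SAMPLE_AS), ("header paged out", PAGED_OUT_HEADER_AS)):
        data = read_range(space, BASE, 0x3000)
        print(label, "| strict read:", space.read(BASE, 0x3000), "| raw bytes:", len(data),
              "| PE check:", pe_looks_sane(data), "->", raw_dump(space, BASE, 0x3000, out_dir))
```

The point of the two sample address spaces: the strict read returns nothing as soon as one page is missing, and the header check rejects the whole module when the page holding the MZ/PE signatures is the one that is gone, while the zero-padded raw read always hands back the requested number of bytes, with holes where the image had none. That is the trade the post makes: a dump you can inspect, at the cost of knowing that any run of zeros may be padding rather than content.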

Here's the code for these plugins:


To use them, save these files to the volatility/plugins directory in your Volatility™ source code tree. Let me know if you have any problems or questions.

Happy memory forensics!

[1] http://lists.volatilesystems.com/pipermail/vol-users/2013-March/000828.html

Volatility™ is a trademark of Verizon. Jesse Kornblum is not sponsored or approved by, or affiliated with Verizon.