Perl Scripting for Windows Security: Live Response, Forensic Analysis, and Monitoring

Parsing RAM Dumps

During incident response activities, the responder may opt to dump the contents of physical memory, or RAM, from a Windows system. This is done to preserve the contents of physical memory for later examination and, as Aaron Walters and Nick Petroni put it during their Black Hat DC 2007 presentation [6], to answer new questions later. In some cases, the examiner has run strings.exe against the resulting file to attempt to locate passwords or other unique strings, or used regular expressions (regexes) to locate IP addresses, email addresses, etc. However, these simple searches constitute only the most rudimentary activities that can be performed when analyzing memory dumps. For example, we can extract a list of active processes from the memory dump, including the process memory and the executable image file for each (this is extremely useful when performing dynamic malware analysis).

Lsproc.pl

Lsproc.pl is a Perl script I wrote in order to parse through a RAM dump from a Windows 2000 system and locate the remnants of processes that were running, or had exited, on the live system. Lsproc.pl is based in part on the original ptfinder.pl script written by Andreas Schuster and posted on his blog. [7]

#! c:\perl\bin\perl.exe
#--------------------------------------------------------------
# lsproc.pl - parse Windows 2000 phys. memory/RAM dump,
#      looking for processes.
#
# Version 0.1_2K 20060524
# Usage: lsproc 
#
# copyright 2007 H. Carvey, keydet89@yahoo.com
#--------------------------------------------------------------
use strict;
print "lsproc - list processes from a Win2K dd-style RAM Dump (v.0.1_2K 20060524)\n";
print "Ex: lsproc \n";
print "\n";
my...
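The listing above is cut off on this page. The following script is an added example written for this page to show the technique lsproc.pl and ptfinder.pl rely on; it is not the author's lsproc.pl or Schuster's ptfinder.pl. It scans a dd-style dump for the DISPATCHER_HEADER signature that begins every Windows 2000 EPROCESS (Type 3, Size 0x1b), applies two sanity checks (8-byte pool alignment and a page-aligned DirectoryTableBase) to discard random byte sequences that happen to match, and pulls the PID, parent PID, image name and FILETIME stamps. The EPROCESS field offsets are the Windows 2000 values this family of scripts uses and are treated here as assumptions to confirm against your build; the 4 KB "dump" built by build_dump() is constructed so the script runs without a real image, and a 64-bit Perl is assumed.

```perl
#!/usr/bin/perl
# lsproc_demo.pl - scan a dd-style RAM dump for Windows 2000 EPROCESS
# blocks. Added example, not the author's lsproc.pl. 64-bit Perl assumed.
# Offsets are the assumed Windows 2000 EPROCESS layout; verify per build.
use strict;
use warnings;

# DISPATCHER_HEADER at offset 0 of EPROCESS: Type = 3 (process),
# Size = 0x1b (length of KPROCESS in 32-bit words on Windows 2000).
my $SIGNATURE = "\x03\x00\x1b\x00";

# Windows 2000 EPROCESS field offsets (assumed).
my %OFF = (
    dtb        => 0x18,   # Pcb.DirectoryTableBase, a physical page address
    createtime => 0x88,   # CreateTime, FILETIME
    exittime   => 0x90,   # ExitTime, FILETIME; zero while the process lives
    pid        => 0x9c,   # UniqueProcessId
    ppid       => 0x1c8,  # InheritedFromUniqueProcessId
    imagename  => 0x1fc,  # ImageFileName, 16 bytes, NUL padded
);
my $NEED = 0x20c;         # bytes needed to read every field above

# FILETIME (100 ns ticks since 1601-01-01) <-> Unix epoch helpers.
sub filetime_to_epoch {
    my ($lo, $hi) = @_;
    my $ticks = $hi * 4294967296 + $lo;
    return 0 if $ticks == 0;
    return int($ticks / 10_000_000) - 11644473600;
}
sub epoch_to_filetime {
    use integer;
    my ($epoch) = @_;
    my $ticks = ($epoch + 11644473600) * 10_000_000;
    return ($ticks % 4294967296, $ticks / 4294967296);   # (lo, hi)
}

# Walk the dump looking for the signature. A hit is accepted only if it
# sits on the 8-byte pool alignment and its DirectoryTableBase is a
# non-zero, page-aligned value; both checks cut false positives.
sub find_processes {
    my ($data) = @_;
    my @procs;
    my $pos = 0;
    while (($pos = index($data, $SIGNATURE, $pos)) >= 0) {
        if ($pos % 8 == 0 && $pos + $NEED <= length $data) {
            my $dtb = unpack("V", substr($data, $pos + $OFF{dtb}, 4));
            if ($dtb != 0 && ($dtb & 0xfff) == 0) {
                my ($clo, $chi) = unpack("V V", substr($data, $pos + $OFF{createtime}, 8));
                my ($elo, $ehi) = unpack("V V", substr($data, $pos + $OFF{exittime}, 8));
                push @procs, {
                    offset  => $pos,
                    pid     => unpack("V", substr($data, $pos + $OFF{pid}, 4)),
                    ppid    => unpack("V", substr($data, $pos + $OFF{ppid}, 4)),
                    dtb     => $dtb,
                    name    => unpack("Z16", substr($data, $pos + $OFF{imagename}, 16)),
                    created => filetime_to_epoch($clo, $chi),
                    exited  => filetime_to_epoch($elo, $ehi),
                };
            }
        }
        $pos++;
    }
    return @procs;
}

# Constructed sample: a 4 KB zero-filled "dump" holding two fake EPROCESS
# blocks (one running, one exited) and a decoy that fails the DTB check.
sub build_dump {
    my $dump = "\0" x 4096;
    my @blocks = (
        # base,  dtb,        pid,  ppid, name,      created,    exited
        [0x200,  0x12345678, 99,   1,    "decoy",   1148428800, 0],
        [0x800,  0x00039000, 8,    0,    "System",  1148428800, 0],
        [0xc00,  0x04a2d000, 1204, 836,  "cmd.exe", 1148432400, 1148436000],
    );
    for my $blk (@blocks) {
        my ($base, $dtb, $pid, $ppid, $name, $ct, $et) = @$blk;
        substr($dump, $base, 4) = $SIGNATURE;
        substr($dump, $base + $OFF{dtb}, 4)  = pack("V", $dtb);
        substr($dump, $base + $OFF{pid}, 4)  = pack("V", $pid);
        substr($dump, $base + $OFF{ppid}, 4) = pack("V", $ppid);
        substr($dump, $base + $OFF{imagename}, 16) = pack("Z16", $name);
        substr($dump, $base + $OFF{createtime}, 8) = pack("V V", epoch_to_filetime($ct));
        substr($dump, $base + $OFF{exittime}, 8)   = pack("V V", $et ? epoch_to_filetime($et) : (0, 0));
    }
    return $dump;
}

# Usage: perl lsproc_demo.pl [ram.dd]; with no argument the sample is used.
my $data;
if (my $file = shift @ARGV) {
    open(my $fh, '<:raw', $file) or die "Cannot open $file: $!";
    local $/;
    $data = <$fh>;
    close $fh;
} else {
    $data = build_dump();
}
printf "%-10s %-6s %-6s %-10s %-16s %-24s %s\n",
    qw(Offset PID PPID DTB Name Created Exited);
for my $p (find_processes($data)) {
    printf "0x%08x %-6d %-6d 0x%08x %-16s %-24s %s\n",
        $p->{offset}, $p->{pid}, $p->{ppid}, $p->{dtb}, $p->{name},
        scalar gmtime($p->{created}),
        $p->{exited} ? scalar gmtime($p->{exited}) : "(running)";
}
```

Run without arguments it reports the System and cmd.exe blocks and silently drops the decoy, whose DirectoryTableBase is not page aligned. Against a real dump the same signature scan is what lets the script surface exited processes: the EPROCESS block stays in memory after the process leaves the active process list, with a non-zero ExitTime, which is why the output distinguishes "(running)" from an exit timestamp rather than relying on the kernel's linked list.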
