Easymode Memory Dumps

In my day job at a security consultancy, one of the more interesting initiatives I’ve been involved in is the concept of “Funtime”. For three out of four weeks every month, we hold one of these “funtimes”, where we talk about some cool hacking projects we’ve done, and discuss internal ~issues~ and address them quickly (given the benefits, I’m surprised this isn’t standard practice among every small-medium tech company).

As part of this programme, I recently talked about a cross-platform pure-python memory dumping thingy I built for convenience a while back. It’s nothing fancy, just a duct-taped tool which helps search, filter (think Cheat Engine) and dump to file a process’ memory across Linux and Windows. It’s a hell of a lot less messy than WinDbg’s syntax (which I can never remember. Yes, I know you can do it with Olly, and the less said of GDB’s magnum opus of a user interface, the better).

I’ve been playing around with it for fun while I keep developing this tool’s actual capabilities, and it’s always surprising what you can find, with just this and ‘strings’:

  • A bunch of (nicely formatted, easily searchable) private keys
  • Post-authentication credentials
  • Tons of information about back-end services
  • Credit card information lying around after a purchase (!)

The code is a work-in-progress, but I think it’s in a state where it might be useful to some people, so here it is:

https://github.com/CreateRemoteThread/markerlight

(While you’re there, maybe check out https://github.com/owasp-syd/bogomuppet)

It relies only on Python 2, using ctypes on Windows and files on Linux, so it shouldn’t require you to install anything. The GUI is made in Tkinter:

[Screenshot: processSearchWindow]

There’s also a basic command-line UI if you just need to quickly dump memory. You can invoke it as follows:

./crisis.py [processName] d:[fileName]

This lets you select a process by PID, then dumps as much of process memory as it can to fileName.bin (binary blob) and fileName.tbl (file which tells you which part of the blob is which part in memory).
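As an added illustration (not code from markerlight or its author), here is the Linux half of that idea in Python 3: read a process’ readable regions through /proc/<pid>/maps and /proc/<pid>/mem, write them to a .bin blob plus a .tbl index, and then locate a planted string the way a ‘strings’ search would. The .tbl line format is assumed here rather than taken from the tool, and the demo dumps the running process itself so it needs no target and no extra privileges.

```python
import os
import tempfile

def parse_maps(pid):
    """Yield (start, end, perms, path) for each line of /proc/<pid>/maps."""
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            fields = line.split(None, 5)
            lo, hi = (int(x, 16) for x in fields[0].split("-"))
            yield lo, hi, fields[1], (fields[5].strip() if len(fields) > 5 else "")

def dump_process(pid, out_base):
    """Copy readable anonymous/heap/stack regions into out_base.bin and write an
    index to out_base.tbl (assumed format: 'start end blob_offset length')."""
    table = []
    with open(f"/proc/{pid}/mem", "rb") as mem, open(out_base + ".bin", "wb") as blob:
        for lo, hi, perms, path in parse_maps(pid):
            # skip unreadable regions, kernel-owned regions that fault on read,
            # and file-backed mappings (libraries), which are on disk anyway
            if perms[0] != "r" or path in ("[vvar]", "[vsyscall]"):
                continue
            if path and not path.startswith("["):
                continue
            try:
                data = os.pread(mem.fileno(), hi - lo, lo)
            except (OSError, OverflowError, ValueError):
                continue  # region vanished or could not be read; keep going
            table.append((lo, lo + len(data), blob.tell(), len(data)))
            blob.write(data)
    with open(out_base + ".tbl", "w") as tbl:
        for lo, hi, offset, length in table:
            tbl.write(f"{lo:#x} {hi:#x} {offset} {length}\n")
    return table

def find_in_dump(out_base, needle, table):
    """Return the virtual addresses at which needle occurs, using the .tbl index
    to translate blob offsets back into addresses."""
    with open(out_base + ".bin", "rb") as blob:
        data = blob.read()
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits += [lo + pos - off for lo, _, off, n in table if off <= pos < off + n]
        pos = data.find(needle, pos + 1)
    return hits

def demo():
    """Plant a constructed secret in this very process, dump it, and find it again."""
    secret = b"CONSTRUCTED-SECRET-" + os.urandom(8).hex().encode()
    base = os.path.join(tempfile.mkdtemp(), "self")
    hits = find_in_dump(base, secret, dump_process(os.getpid(), base))
    print(f"{secret.decode()} found at {[hex(h) for h in hits]}")
    return hits
```

The same search over a dump of a server process after it has handled a login is how the credentials and keys listed above turn up, which is the case for scrubbing secrets from memory as soon as they are no longer needed.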

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting.
