Windows Memory Dump Analysis
Last modified: 2024-08-20
A memory dump file (.dmp), also called a 'crash dump', is a crash report file.
Investigation
file example.dmp
# Output
example.dmp: Mini DuMP crash report, 18 streams, Sat Nov ...
Static Analysis
We can also read the contents of this file with the usual static-analysis commands shown below.
strings example.dmp
strings example.dmp | grep -i password
# -A 5: Display 5 lines after the matched line.
# -B 5: Display 5 lines before the matched line.
strings example.dmp | grep -i password -A 5 -B 5
# Open pager
strings example.dmp | less
xxd example.dmp
# Credential dumping
pypykatz lsa minidump example.dmp
pypykatz lsa minidump example.dmp -o output.txt
Dynamic Analysis
- WinDbg
- Visual Studio
- IDA
- ILSpy
Online Viewer
This file can also be read with an online DMP viewer. However, be careful if it contains sensitive information that should not be disclosed to outsiders.
Dump KeePass Master Key (CVE-2023-32784)
If the .dmp file contains KeePass memory, we might be able to dump the master key. This vulnerability exists in KeePass 2.x before 2.54.
keepass-password-dumper is useful to do that.
In Windows, run the following commands.
git clone https://github.com/vdohney/keepass-password-dumper.git
cd keepass-password-dumper
dotnet run example.dmp