Windows Memory Dump Analysis
Last modified: 2023-09-01
A memory dump file (.dmp), also called a 'crash dump', is a crash report file.
```sh
file example.dmp
```

Output:

```
example.dmp: Mini DuMP crash report, 18 streams, Sat Nov ...
```
We can also read the contents of this file with the usual static analysis tools, such as the following.

```sh
strings example.dmp
strings example.dmp | grep -i password
# Open in a pager
strings example.dmp | less
xxd example.dmp
```
- IDA, ILSpy
- Visual Studio
This file can also be read with an online DMP viewer.
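To see what `file` is reading when it reports the signature, stream count and timestamp, here is an added example (not from the original page) that parses the MINIDUMP_HEADER and stream directory of a .dmp file and bounds-checks every offset before trusting it; the sample bytes are constructed inline and are not a real dump.

```python
import struct
from datetime import datetime, timezone

MDMP_SIGNATURE = 0x504D444D   # "MDMP" read as a little-endian ULONG32
HEADER_FMT = "<IIIIIIQ"        # MINIDUMP_HEADER: Signature, Version, NumberOfStreams,
                               # StreamDirectoryRva, CheckSum, TimeDateStamp, Flags (32 bytes)
DIRECTORY_FMT = "<III"         # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva (12 bytes)
STREAM_NAMES = {               # subset of the documented MINIDUMP_STREAM_TYPE values
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
    10: "CommentStreamA", 11: "CommentStreamW", 15: "MiscInfoStream",
    16: "MemoryInfoListStream",
}

def parse_minidump(data: bytes) -> dict:
    """Parse the header and stream directory; the input is untrusted, so every offset is bounds-checked."""
    header_size = struct.calcsize(HEADER_FMT)
    if len(data) < header_size:
        raise ValueError("too small for MINIDUMP_HEADER")
    sig, version, nstreams, dir_rva, _checksum, timestamp, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError(f"bad signature 0x{sig:08x}: not a minidump")
    entry_size = struct.calcsize(DIRECTORY_FMT)
    if dir_rva + nstreams * entry_size > len(data):
        raise ValueError("stream directory runs past end of file")
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIRECTORY_FMT, data, dir_rva + i * entry_size)
        streams.append({"type": stype, "name": STREAM_NAMES.get(stype, f"Unknown({stype})"),
                        "size": size, "rva": rva, "in_bounds": rva + size <= len(data)})
    return {"version": version & 0xFFFF,   # low word is the format version (0xA793)
            "stream_count": nstreams,
            "timestamp": datetime.fromtimestamp(timestamp, timezone.utc),
            "flags": flags, "streams": streams}

# Constructed sample (not a real dump): header, a 2-entry directory at RVA 32, 8 bytes of data at RVA 56.
# The second entry deliberately claims 4096 bytes so the bounds check has something to flag.
SAMPLE_DUMP = (struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, 2, 32, 0, 1700000000, 0)
               + struct.pack(DIRECTORY_FMT, 7, 8, 56)
               + struct.pack(DIRECTORY_FMT, 10, 4096, 56)
               + bytes(8))

if __name__ == "__main__":
    info = parse_minidump(SAMPLE_DUMP)
    print(f"{info['stream_count']} streams, {info['timestamp']:%a %b %d %H:%M:%S %Y}")
    for s in info["streams"]:
        print(f"  {s['name']:<22} size={s['size']:<6} rva=0x{s['rva']:x} in_bounds={s['in_bounds']}")
```

Replace `SAMPLE_DUMP` with `open("example.dmp", "rb").read()` to run it against a real crash dump; an entry whose `in_bounds` is False indicates a truncated or tampered file.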
If the .dmp file contains KeePass memory, we might be able to dump the master key. This vulnerability exists in KeePass 2.x before 2.54.
keepass-password-dumper is useful for doing that.
On Windows, run the following commands.

```sh
git clone https://github.com/vdohney/keepass-password-dumper.git
cd keepass-password-dumper
dotnet run example.dmp
```