"PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process."
By taking a snapshot of a running process, PMDump allows us to evaluate the memory contents of any particular process. This becomes especially useful when dealing with malware or code that injects itself into a running process rather than creating filesystem residue.
If little is known about the machine, it's probably best to grab all the volatile information you can; in this case, that means dumping every PID. PMDump can display running processes and dump a single PID, so to cover all of them we turn to scripting.
I'm using VBScript only because of how widespread it is. Modifying what's installed on the box simply isn't an option when performing a live response. Depending on your environment, a language like Perl, Ruby, or Python might be better suited.
So let's automate!
    ' Connect to WMI on the local machine ("." = this host) and enumerate processes
    computer = "."
    Set shell = CreateObject("WScript.Shell")
    Set objWMI = GetObject("winmgmts:\\" & computer & "\root\cimv2")
    Set processes = objWMI.InstancesOf("Win32_Process")

    For Each process In processes
        ' Skip PID 0 (System Idle Process) and PID 4 (System)
        If process.ProcessID > 4 Then
            WScript.Echo "Dumping : " & process.ProcessID & " - " & process.Name
            ' pmdump.exe <pid> <outfile>; the PID suffix keeps dumps of same-named
            ' processes (e.g. several svchost.exe) apart. Window style 0 = hidden,
            ' True = wait for PMDump to finish before moving to the next PID.
            shell.Run "pmdump.exe " & process.ProcessID & " " & process.Name & "-" & process.ProcessID & ".dump", 0, True
        End If
    Next
    WScript.Echo "Dump Complete!"
The script is pretty straightforward. It loops through the PIDs and runs PMDump on each one. The result is a directory full of .dump files.
To run the code, remember that you can invoke the scripting engine with cscript. If all goes well, the results are echoed to STDOUT and look something like this.
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Dumping : 1424 - csrss.exe
Dumping : 1452 - winlogon.exe
Dumping : 1496 - services.exe
Dumping : 1508 - lsass.exe
Dumping : 1664 - svchost.exe
Dumping : 1756 - svchost.exe
Dumping : 1808 - svchost.exe
Dumping : 1876 - svchost.exe
......
Dump Complete!
One thing to keep in mind is that this generates a lot of data (up to about 2 gigs on my personal machine), so if this is being run over a network, special consideration may be needed. I'd personally recommend dumping directly to an external drive.
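A Python version of the same loop, as an added example that is not from the original post or from PMDump itself, which also adds the two things a live responder usually wants alongside the dumps: an up-front estimate of the data volume (the working-set sum from Win32_Process, which bears on the size concern above) and a SHA-256 manifest of every dump written. It assumes pmdump.exe is on the PATH and that the process list comes from a wmic CSV export; the embedded CSV is a constructed sample, not real host data.

```python
import csv
import hashlib
import io
import subprocess

# Constructed sample of `wmic process get Name,ProcessId,WorkingSetSize /format:csv`
# output (wmic emits a leading blank line and a Node column); not real host data.
SAMPLE_WMIC_CSV = """
Node,Name,ProcessId,WorkingSetSize
HOST,System Idle Process,0,24576
HOST,System,4,212992
HOST,csrss.exe,1424,4501504
HOST,lsass.exe,1508,9834496
HOST,svchost.exe,1664,26214400
HOST,svchost.exe,1756,18874368
"""

def parse_process_list(text):
    """Return [(pid, name, working_set_bytes)] from wmic CSV output."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return [(int(r["ProcessId"]), r["Name"], int(r["WorkingSetSize"])) for r in rows]

def dump_plan(procs, min_pid=5):
    """Same filter as the VBScript (skip PID 0 Idle and PID 4 System) and the same
    command shape: pmdump.exe <pid> <name>-<pid>.dump (PID keeps duplicate names apart)."""
    return [(pid, ["pmdump.exe", str(pid), f"{name}-{pid}.dump"], wss)
            for pid, name, wss in procs if pid >= min_pid]

def estimated_total_bytes(plan):
    """Working-set sum: a rough lower bound on dump volume, to check against free space."""
    return sum(wss for _, _, wss in plan)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def run_plan(plan, runner=subprocess.call, hasher=sha256_file):
    """Run each dump, hash the file it produced, and return the (pid, filename, sha256)
    manifest. runner/hasher are injectable so the logic can be exercised without pmdump.exe."""
    manifest = []
    for pid, cmd, _ in plan:
        if runner(cmd) == 0:
            manifest.append((pid, cmd[2], hasher(cmd[2])))
    return manifest
```

Feed it a live `wmic process get Name,ProcessId,WorkingSetSize /format:csv` export in place of the sample and call run_plan() on the resulting plan; with the default runner it executes pmdump.exe for real and writes the dumps into the current directory.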