

WinPmem - The Multi-Platform Memory Acquisition Tool

IT Security News feedproxy.google.com


The WinPmem memory acquisition driver and userspace

WinPmem has been the default open source memory acquisition driver for Windows for a long time. It used to live in the Rekall project, but has recently been separated into its own repository.


Copyright

This code was originally developed within Google but was released under the Apache License.


Description

WinPmem is a physical memory acquisition tool with the following features:

  • Open source

  • Support for WinXP - Win 10, x86 + x64. The WDK7600 can be used to include WinXP support. By default, the provided WinPmem executables are compiled with WDK10, supporting Win7 - Win10 and featuring more modern code.

  • Three different independent methods to create a memory dump. One method should always work even when faced with kernel mode rootkits.

  • Raw memory dump image support.

  • A read device interface is used instead of writing the image from the kernel like some other imagers. This allows us to have a complex userspace imager (e.g. copy across network, hash etc.), as well as to run analysis on the live system (e.g. it can be run directly on the device).

The files in this directory (including the WinPmem sources and signed binaries) are available under the following license: Apache License, Version 2.0


How to use

There are two WinPmem executables: winpmem_mini_x86.exe and winpmem_mini_x64.exe. Both versions contain both drivers (32 and 64 bit versions).

The "mini" in the binary name refers to this imager being a plain simple imager - it can only produce images in RAW format. In the past we released a WinPmem imager based on AFF4, but that one is yet to be updated to the new driver. Please let us know if you need the AFF4 based imager.


The Python acquisition tool winpmem.py

The Python program is currently under construction but works as a demonstration of how one can use the imager from Python.


winpmem_mini_x64.exe (standalone executable)

This program is easiest to use for incident response since it requires no other dependencies than the executable itself. The program will load the correct driver (32 bit or 64 bit) automatically and is self-contained.


Examples:

winpmem_mini_x64.exe physmem.raw

Writes a raw image to physmem.raw using the default method of acquisition.

winpmem_mini_x64.exe

Prints the usage / short manual.

To acquire a raw image using specifically the MmMapIoSpace method:

winpmem.exe -1 myimage.raw

The driver will be automatically unloaded after the image is acquired!
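A wrapper around the command lines above, added here as an example (it is not the project's winpmem.py): it runs the mini imager, then hashes the image and writes a JSON manifest beside it so the acquisition is documented for the case file. It assumes the -1 method switch shown for winpmem.exe is accepted the same way by winpmem_mini_x64.exe.

```python
# Added example (not WinPmem's own code): run winpmem_mini_x64.exe, then
# record a SHA-256 and acquisition metadata beside the image.
import hashlib
import json
import os
import socket
import subprocess
from datetime import datetime, timezone

# Method switch the README shows for winpmem.exe (MmMapIoSpace); assumed here
# to be accepted the same way by the mini imager. None = default method.
MMMAPIOSPACE = "-1"

def build_acquire_command(exe, image_path, method=None):
    """Return the argv list: optional method switch, then the output path."""
    argv = [exe]
    if method is not None:
        argv.append(method)
    argv.append(image_path)
    return argv

def hash_image(path, chunk_size=1 << 20):
    """SHA-256 of the image, streamed so a multi-GB dump is not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(image_path, argv, manifest_path):
    """Record host, time, command, size and hash of the image (chain of custody)."""
    manifest = {
        "host": socket.gethostname(),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "command": argv,
        "image": os.path.abspath(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": hash_image(image_path),
    }
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def acquire(exe, image_path, method=None):
    """Run the imager from an elevated shell; write image_path + '.json' after it exits.
    Point image_path at external media, not the system drive being imaged."""
    argv = build_acquire_command(exe, image_path, method)
    subprocess.run(argv, check=True)  # raises CalledProcessError if the imager fails
    return write_manifest(image_path, argv, image_path + ".json")
```

Call acquire("winpmem_mini_x64.exe", r"E:\physmem.raw") for the default method, or pass MMMAPIOSPACE as the third argument; the manifest lands next to the image as physmem.raw.json.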


Experimental write support

The WinPmem source code supports writing to memory as well as reading. This capability is a great learning tool since many rootkit hiding techniques can be emulated by writing to memory directly.

This functionality should be used with extreme caution!

NOTE: Since this is a rather dangerous capability, the signed binary drivers have write support disabled. You can rebuild the drivers to produce test-signed binaries if you want to use this feature. The unsigned binaries (really self-signed with a test certificate) cannot load on a regular system because they are test-signed, but you can allow them to be loaded on a test system by issuing (see https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option):

Bcdedit.exe -set TESTSIGNING ON

and reboot. You will see a small "Test Mode" text on the desktop to remind you that this machine is configured for test signed drivers.

Additionally, write support must also be enabled at load time:

winpmem.exe -w -l

This will load the drivers and turn on write support.


Acknowledgments

This project would also not be possible without support from the wider DFIR community:

  • We would like to thank Emre Tinaztepe and Mehmet GÖKSU at Binalyze.

Our open source contributors:

  • Viviane Zwanger
  • Mike Cohen




Read the full article (external source: http://feedproxy.google.com/~r/PentestTools/~3/rzKTy8tqRPs/winpmem-multi-platform-memory.html)
