VAD Tools Code
Status: Beta
Brought to you by: moyix
| File | Date | Author | Commit |
|---|---|---|---|
| README | 2007-04-12 | moyix | [r65] Basic documentation on the tools. |
| dolangavitt2007vad.pdf | 2007-05-18 | moyix | [r75] Fixed miscapitalization, added Acknowledgements |
| dolangavitt2007vad.tex | 2007-05-18 | moyix | [r75] Fixed miscapitalization, added Acknowledgements |
| memory-analysis.bib | 2007-04-09 | moyix | [r60] Incorporated AAron Walters' comments. Added ref... |
| notepad_VAD.pdf | 2007-05-16 | moyix | [r74] Necessary to compile PDF |
| outline.txt | 2007-03-29 | moyix | [r38] Initial commit |
| vad_ref.txt | 2007-03-29 | moyix | [r36] Final move, hopefully. |
INTRODUCTION
This is a collection of tools for analyzing Windows memory dumps. The
tools available are:
- vadwalk.py : walk the Virtual Address Descriptor tree of a process
and print it out as a table, an ASCII tree, or write
it to a GraphViz file.
- vadinfo.py : get detailed information about nodes in the Virtual
Address Descriptor tree, including associated Control
Areas and File Objects (e.g., files mapped into the
process's address space, such as loaded DLLs).
- vaddump.py : extract the memory regions described by the VAD tree
and write them to disk. This should be an accurate and
fairly compact representation of the process's address
space.
- procdump.py : rebuild an executable (DLL, EXE) from a memory image
and save it to disk.
- listdll.py : walk the _LDR_MODULE_LIST structure in a process's PEB
(Process Environment Block) and print out a list of
all loaded modules (DLLs).
REQUIREMENTS
* All tools require Python 2.4 or higher.
* You will need a memory dump in some format that preserves physical
addresses. VMware's .vmem files and images obtained with dd will both
work. Microsoft memory dump (.DMP) files are not yet supported.
* procdump.py requires the pefile module to parse the PE file
structure. pefile is available from http://dkbza.org/pefile.html
* FTimes with XMagic support is needed to make use of the _EPROCESS
signatures in the magic directory. If you have some alternate means
of finding _EPROCESS structures in Windows memory dumps, such as
ptfinder, you can use those instead.
WORKFLOW
In general, ftimes is first used with the appropriate xmagic from the
magic subdirectory to generate a list of all _EPROCESS (the Windows
kernel structure that represents a process) structures in the memory
dump. Each tool takes at least two arguments: the name of the memory
dump and the offset to an _EPROCESS structure.
Additional help for each specific tool is available via the --help
option.
CAVEATS
* The tools are pretty young, and error handling isn't implemented
everywhere. Partially corrupt/invalid structures in memory may cause
the tools to crash.
* memutil.py assumes a naive memory model and ignores any page table
entries marked as invalid. As Jesse Kornblum has shown, much better
results can be obtained by adding support for transitional and
prototype PTEs.
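The VAD walk that vadwalk.py performs, together with the naive page-table model the second caveat describes, as an added Python 3 example that is not part of these tools: an in-order traversal of a VAD tree read out of a constructed 16 KiB "physical image", where every node pointer is translated with a non-PAE x86 page walk that treats any PDE or PTE with the present bit clear as unmapped, so the node on such a page is reported as unreadable rather than crashing the walk. The _MMVAD_SHORT field offsets, the image layout and the sample addresses are assumptions made for this example.

```python
import struct

PAGE_SHIFT = 12
# Assumed XP x86 _MMVAD_SHORT layout (for this example): StartingVpn, EndingVpn, Parent, LeftChild, RightChild
VAD_FMT = "<IIIII"

def v2p(phys, cr3, va):
    """Naive non-PAE x86 page walk: any PDE/PTE with the present bit clear is
    treated as unmapped (no transition/prototype PTE support, per the caveat)."""
    pde, = struct.unpack_from("<I", phys, cr3 + ((va >> 22) & 0x3ff) * 4)
    if not pde & 1:
        return None
    if pde & 0x80:                                   # 4 MiB large page
        return (pde & 0xffc00000) | (va & 0x3fffff)
    pte, = struct.unpack_from("<I", phys, (pde & 0xfffff000) + ((va >> 12) & 0x3ff) * 4)
    return (pte & 0xfffff000) | (va & 0xfff) if pte & 1 else None

def vad_ranges(phys, cr3, root_va):
    """In-order VAD walk: returns (start, end, node_va) per readable node, or
    ("unreadable", node_va) when its page does not translate; guards cycles."""
    out, seen = [], set()
    def visit(va):
        if va == 0 or va in seen:                    # NULL child or corrupt loop
            return
        seen.add(va)
        pa = v2p(phys, cr3, va)
        if pa is None:
            out.append(("unreadable", va))
            return
        start, end, _parent, left, right = struct.unpack_from(VAD_FMT, phys, pa)
        visit(left)
        out.append((start << PAGE_SHIFT, ((end + 1) << PAGE_SHIFT) - 1, va))
        visit(right)
    visit(root_va)
    return out

def build_sample_image():
    """Constructed 16 KiB 'dump': page directory at 0x0, page table at 0x1000,
    VAD nodes at 0x2000; the PTE for 0x80003000 has its present bit clear."""
    phys = bytearray(4 << PAGE_SHIFT)
    struct.pack_into("<I", phys, 0x200 * 4, 0x1000 | 1)          # PDE[0x200] -> PT, present
    struct.pack_into("<I", phys, 0x1000 + 2 * 4, 0x2000 | 1)      # PTE[2] -> 0x2000, present
    struct.pack_into("<I", phys, 0x1000 + 3 * 4, 0x3000)          # PTE[3]: not present
    root, left, right = 0x80002000, 0x80002040, 0x80003000
    struct.pack_into(VAD_FMT, phys, 0x2000, 0x400, 0x4ff, 0, left, right)
    struct.pack_into(VAD_FMT, phys, 0x2040, 0x10, 0x1f, root, 0, 0)
    return phys, 0, root   # (physical image, CR3/DirectoryTableBase, VadRoot)

for entry in vad_ranges(*build_sample_image()):
    print(entry if entry[0] == "unreadable" else "%08x-%08x  node %08x" % entry)
```

On a real dump, cr3 would come from the DirectoryTableBase of the _EPROCESS found with ftimes and root_va from its VadRoot field; here both come from the constructed image.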
LICENSE
All tools are released into the public domain, in the hope that someone
will find them useful.
AUTHOR
Brendan Dolan-Gavitt