Thomas,
Reading through some of your comments, as well as reading through the man pages for Wietse's memdump, it would appear that there was a huge disconnect when you replied to the original post, particularly with regards to the "for windows" part of it.
> You can use 'dd' for some memory, but not all
You gave no clarification as to what types of memory you're referring to, but the 'dd' that I provided a link for has been used quite successfully by myself and others to dump the contents of \\.\PhysicalMemory. If you read George Garner's page, you'll see quite clearly that that's what it's designed to do. As you said, it's written for that purpose.
The man page for memdump (from Wietse's site) states that too large values for various switches will cause holes or parts of memory to be missed on various *nix-like and *BSD systems. However, there is no direct correlation to this on Windows.
> I have used memdump compiled for Windows as well (DOS version) in
> addition to a proprietary dumper, one page at a time.
Two questions, for comparison's sake: what was the "proprietary dumper", and how do you know that the dumping was performed one page at a time?
Thanks,
Harlan
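The point above about memdump leaving holes or skipping parts of memory is worth checking on the acquired image rather than trusting the tool. The following is an added example, not code from the thread or from any of the tools discussed in it. It assumes a raw, flat physical-memory image with 4 KiB pages, and that the expected physical size is known from the system or the acquisition tool; the sample image it checks is constructed inline. Runs of all-zero pages are only a lead (free RAM is legitimately zero), so the report lists them for comparison against the dumper's address map instead of declaring them holes, and it records a SHA-256 of the image as acquired.

```python
import hashlib
from typing import Dict, List, Tuple

PAGE_SIZE = 4096  # assumption: 4 KiB pages, the x86 default


def find_zero_pages(image: bytes, page_size: int = PAGE_SIZE) -> List[Tuple[int, int]]:
    """Return (offset, length) ranges of consecutive all-zero pages in a raw image.

    A zero run may be genuinely free memory, so treat it as something to check
    against the acquisition tool's address map, not as proof of a skipped region.
    """
    ranges: List[Tuple[int, int]] = []
    run_start = None
    for off in range(0, len(image), page_size):
        page = image[off:off + page_size]
        if not any(page):  # every byte is zero (a short final page counts too)
            if run_start is None:
                run_start = off
        elif run_start is not None:
            ranges.append((run_start, off - run_start))
            run_start = None
    if run_start is not None:
        ranges.append((run_start, len(image) - run_start))
    return ranges


def check_image(image: bytes, expected_size: int, page_size: int = PAGE_SIZE) -> Dict[str, object]:
    """Summarise an acquired image: size against the expected physical size,
    zero-page runs, and a SHA-256 over the file exactly as acquired."""
    zero_ranges = find_zero_pages(image, page_size)
    return {
        "size": len(image),
        "expected_size": expected_size,
        "missing_tail_bytes": max(0, expected_size - len(image)),  # short image
        "zero_ranges": zero_ranges,
        "zero_bytes": sum(length for _, length in zero_ranges),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def build_sample_image(n_pages: int = 16) -> bytes:
    """Constructed sample, not a real dump: n_pages of pseudo-content with
    pages 3-5 and page 10 zero-filled to stand in for regions a tool skipped."""
    pages = []
    for i in range(n_pages):
        if i in (3, 4, 5, 10):
            pages.append(b"\x00" * PAGE_SIZE)
        else:
            pages.append(bytes([(i * 37 + k) & 0xFF for k in range(PAGE_SIZE)]))
    return b"".join(pages)


if __name__ == "__main__":
    # The constructed image is 16 pages, but we pretend the box had 20 pages of
    # RAM, so the report also flags the 4 pages missing from the end.
    report = check_image(build_sample_image(), expected_size=20 * PAGE_SIZE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real image by reading the file into `image` and passing the physical RAM size the tool or the system reported; the zero ranges it prints are the offsets to compare against whatever address map the dumper logged.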
Does it have to be the entire memory or Open Source? If neither are necessarily required, then here is a not-quite-complete-cause-I-can't-remember-them-all list.
Everyone already knows about
There is some promising research from Mariusz Burdach who just spoke at BlackHat Federal 2006 on "Finding Digital Evidence in Physical Memory." His website is located at
Memdump was mentioned but there are at least two different versions for Windows that I know of. The one mentioned previously by APsoft and another from the Metasploit project.
MEMDUMP/386 for DOS Version 2.00 - Release 15-Jun-2005
(C) Copyright 1993-2005 by APSoft (http//
All rights reserved. Disassembly or decompilation prohibited.
This program dumps or copy any part of 4GB memory address space of your system.
For proper access to hardware registers, memory can be read with BYTE, WORD or
Double WORD granularity.
Syntax MEMDUMP [/H|?]
[/D[B|W|D][Address[,Length]]]
[/Ffilename|none]
[/Bfilename]
where /H - Print this text
/D[B|W|D][Address[,Length]]
- Dump <Length> number of memory bytes from specified
linear <Address> as bytes (DB), words (DW) or
double words (DD) correspondingly.
/Ffilename - Output file for the dump (Default console)
Use /Fnone to completely suppress dump
/Bfilename - Output file for the binary contents of memory
Notes Both 'Address' and 'Length' can be expressed in hexadecimal format
with '0x' prefix. The 'Length' field can be also expressed in decimal
Examples
MEMDUMP /DW0x100000,0x100000 /F2ndMB.dmp - dump second MB to file
MEMDUMP /DB0x100000,128 - dump 128 Bytes to CON
MEMDUMP /D0,0x100 /Fnone /BIntTB.bin - copy INT table to file
If dump or binary file exists, MEMDUMP unconditionally overrides it.
If you are using WORD or DWORD access 'Length' parameter should be
multiple of 2 or 4 correspondingly.
Please remember that if the memory manager (such as EMM386.EXE) is
loaded, MEMDUMP will read linear address rather as physical address.
There is almost no help for the
C\>y\memdump.exe
Usage y\memdump.exe pid [dump directory]
C\>y\memdump.exe 2796
[*] Creating dump directory...2796
[*] Attaching to 2796...
[*] Dumping segments...
[*] Dump completed successfully, 49 segments.
Then, there is
pmdump 1.2 - (c) 2002, Arne Vidstrom (arne.vidstrom@ntsecurity.nu)
- http//
Usage pmdump <pid> <filename>
- dumps the process memory contents to a file
pmdump -list
- lists all running processes and their PID's
Microsoft has several versions of userdump but I think the latest is
User Mode Process Dumper (Version 8.0.2826.0)
Copyright (c) 1999-2005 Microsoft Corp. All rights reserved.
userdump -p
Displays a list of running processes and process IDs.
userdump [-k] <ProcessSpec> [<TargetDumpFile>]
Dumps one process or processes that share an image binary file name.
-k optionally causes processes to be killed after being dumped.
<ProcessSpec> is a decimal or 0x-prefixed hex process ID, or the
base name and extension (no path) of the image file used to create
a process.
<TargetDumpFile> is a legal Win32 file specification. If not specified,
dump files are generated in the current directory using a name
based on the image file name.
userdump -m [-k] <ProcessSpec> [<ProcessSpec>...] [-d <TargetDumpPath>]
Same as above, except dumps multiple processes.
-d <TargetDumpPath> supplies the directory where the dumps will go.
The default is the current directory.
userdump -g [-k] [-d <TargetDumpPath>]
Similar to above, except dumps Win32 GUI apps that appear hang.
userdump -I [-d <TargetDumpPath>]
To change just in time debugger to UserDump.
This command will not actually start UserDump.
If you don't setup userdump, please copy userdump.exe to %windir%\system32.
-d <TargetDumpPath> supplies the directory where the dumps will go.
The default is a current directory of the target process.
That's it that I can think of for now. I will probably remember the other one or two tonight. Hope all that helps give you some direction and a realization that there is no specific way to analyze memory, but quite a few people are interested and several smart people are doing some excellent research into the area.
X-ways Capture http//
The original request was for Open Source software to image RAM. The list I provided may not have all been Open Source but they were all free. X-Ways Capture is neither, and for an imager, it is a little pricey (EUR 249.90 / USD 313).
Sorry, didn't read the question!
Mariusz Burdach has recently released a public version of Windows Memory Forensic Toolkit (WMFT), currently only available from
Make sure you read his paper and BlackHat presentation linked in my earlier post.
Have you tried using the WMFT yet?
Harlan
Yes, unfortunately, I can't go into detail right now as I am on an afternoon break at a SANS conference. Hopefully, tonight, I will have time to give you more details.
On a related note, I just saw
TRUMAN is a pretty darn cool framework for creating sandnets for malware analysis. I highly recommend checking it out so you don't run into the pitfalls of malware recognizing you are running inside a virtual machine.
BTW, if any of you have not heard of Joe Stewart, he is by far one of the best malware analysts out there.