Support Forums » ProDiscover » ProScript and Perl
Using Perl to parse the contents of a RAM dump
Last post 09-25-2006, 4:46 PM by Chris. 1 reply.
Using Perl to parse the contents of a RAM dump
09-25-2006, 5:06 AM
keydet89
Joined on 04-20-2006
Northern VA
Posts 35
Like several other tools (dd.exe in particular), ProDiscover IR allows you to dump the contents of memory from a remote system. This can be very useful... if you know how to parse it for information. If you go to my blog (link below), you'll find a link to my SourceForge.net site where I have several scripts for doing so. The scripts are designed to be platform independent (they'll run on Linux and MacOSX) so you won't have any problems with MS APIs.
Right now, the primary tools available are a series of scripts for parsing Windows 2000 RAM dumps (lsproc.pl, lspd.pl, lspi.pl, and lspm.pl) for process lists, as well as for getting details about a process. Lspi.pl, for example, will attempt to extract and reassemble the binary image file from the RAM dump.
Again, these scripts are for Windows 2000 only. Covering other OSs is a work in progress.
Also, there are two Perl scripts available for identifying the operating system from a RAM dump. One works by locating the SYSTEM and Idle processes, the other works by locating the kernel image base, and parsing the VS_VERSIONINFO structure for the PE file located there (if there is one).
Thanks. If you have any questions about these, please contact me.
Harlan
Blog site
http://windowsir.blogspot.com
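The second OS-identification approach Harlan describes (find the PE image and read its VS_VERSIONINFO) can be illustrated with a small Perl script. This is an added example, not one of the SourceForge scripts from the post: it scans the whole dump for `MZ`/`PE\0\0` header pairs and for the UTF-16LE `VS_VERSION_INFO` key, then parses the VS_FIXEDFILEINFO that follows to recover the file and product version and map major.minor to the NT product name. How Harlan's own script locates the kernel image base is not stated in the post, so the brute-force scan here is an assumption; the sample "dump" built by `build_sample_dump` is constructed in the script so it runs without a real image.

```perl
#!/usr/bin/perl
# Added example (not one of the scripts from the post): identify the Windows
# version in a raw RAM dump from the VS_FIXEDFILEINFO of a PE image.
use strict;
use warnings;

# Constructed sample dump: filler, a minimal DOS/PE header pair, more filler,
# then a VS_VERSIONINFO block whose fixed info claims file version 5.0.2195.6717
# (a made-up value shaped like a Windows 2000 kernel; not from a real image).
sub build_sample_dump {
    my $fixed = pack('V13',
        0xFEEF04BD,            # dwSignature
        0x00010000,            # dwStrucVersion
        (5 << 16) | 0,         # dwFileVersionMS    -> 5.0
        (2195 << 16) | 6717,   # dwFileVersionLS    -> 2195.6717
        (5 << 16) | 0,         # dwProductVersionMS
        (2195 << 16) | 6717,   # dwProductVersionLS
        0x3F, 0, 0x40004, 1, 0, 0, 0);  # flags mask, flags, VOS_NT_WINDOWS32, VFT_APP, subtype, date
    my $key  = pack('v*', unpack('C*', 'VS_VERSION_INFO'), 0);  # UTF-16LE key, NUL-terminated
    my $body = pack('vvv', 0, length($fixed), 0) . $key;       # wLength (patched below), wValueLength, wType
    $body .= "\0" x ((4 - length($body) % 4) % 4);             # Padding1: align Value to a DWORD
    $body .= $fixed;
    substr($body, 0, 2) = pack('v', length($body));
    my $dos = 'MZ' . ("\0" x 58) . pack('V', 0x80);            # e_lfanew at offset 60 -> 0x80
    $dos .= "\0" x (0x80 - length($dos));
    my $pe  = "PE\0\0" . pack('v', 0x14C);                      # IMAGE_FILE_MACHINE_I386
    return ("\x41" x 0x1000) . $dos . $pe . ("\x42" x 0x800) . $body . ("\x43" x 0x100);
}

# Return dump offsets of 'MZ' headers whose e_lfanew points at a 'PE\0\0'
# signature; in a memory image these are candidate image bases.
sub find_pe_images {
    my ($dump) = @_;
    my (@bases, $pos);
    $pos = 0;
    while (($pos = index($dump, 'MZ', $pos)) >= 0) {
        if ($pos + 64 <= length($dump)) {
            my $e_lfanew = unpack('V', substr($dump, $pos + 60, 4));
            if ($e_lfanew >= 64 && $e_lfanew < 0x400
                && $pos + $e_lfanew + 4 <= length($dump)
                && substr($dump, $pos + $e_lfanew, 4) eq "PE\0\0") {
                push @bases, $pos;
            }
        }
        $pos++;
    }
    return @bases;
}

sub version_string {
    my ($ms, $ls) = @_;
    return join '.', $ms >> 16, $ms & 0xFFFF, $ls >> 16, $ls & 0xFFFF;
}

# Find VS_VERSIONINFO blocks by their key and parse the VS_FIXEDFILEINFO
# (13 DWORDs, signature 0xFEEF04BD) that follows the DWORD-aligned padding.
sub find_version_info {
    my ($dump) = @_;
    my $key = pack('v*', unpack('C*', 'VS_VERSION_INFO'), 0);
    my (@found, $pos);
    $pos = 0;
    while (($pos = index($dump, $key, $pos)) >= 0) {
        if ($pos >= 6) {
            my $hdr = $pos - 6;                          # wLength, wValueLength, wType precede the key
            my $off = $pos + length($key);
            $off += (4 - ($off - $hdr) % 4) % 4;          # padding is relative to the structure start
            if ($off + 52 <= length($dump)) {
                my @f = unpack('V13', substr($dump, $off, 52));
                push @found, {
                    offset          => $hdr,
                    file_version    => version_string($f[2], $f[3]),
                    product_version => version_string($f[4], $f[5]),
                } if $f[0] == 0xFEEF04BD;
            }
        }
        $pos += length($key);
    }
    return @found;
}

# Kernel file-version major.minor -> NT product name.
my %NT_VERSIONS = ('4.0' => 'Windows NT 4.0', '5.0' => 'Windows 2000',
                   '5.1' => 'Windows XP',     '5.2' => 'Windows Server 2003');
sub os_name {
    my ($maj, $min) = split /\./, $_[0];
    return exists $NT_VERSIONS{"$maj.$min"} ? $NT_VERSIONS{"$maj.$min"} : 'unknown NT version';
}

my $dump;
if (@ARGV) {                                   # usage: perl osver.pl memdump.bin
    open my $fh, '<:raw', $ARGV[0] or die "open $ARGV[0]: $!";
    local $/; $dump = <$fh>; close $fh;
} else {
    $dump = build_sample_dump();               # no file given: use the constructed sample
}
printf "PE image header at dump offset 0x%08x\n", $_ for find_pe_images($dump);
for my $v (find_version_info($dump)) {
    printf "VS_VERSIONINFO at 0x%08x: file %s, product %s => %s\n",
        $v->{offset}, $v->{file_version}, $v->{product_version}, os_name($v->{file_version});
}
```

Every PE image in memory (drivers, DLLs, user processes) carries its own version resource, so on a real dump this prints many lines; the kernel's entry is the one whose PE image base is also the lowest system-space image, which is the extra step Harlan's script performs and this example leaves to the reader. The script slurps the whole dump into memory, which is fine for the few hundred megabytes typical of a Windows 2000 box but would want a chunked reader for larger images.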
Re: Using Perl to parse the contents of a RAM dump
09-25-2006, 4:46 PM
Chris
Joined on 04-08-2006
Posts 141
Harlan,
Thanks for the posts. Looks like some very useful scripts, I'll check them out.
Copyright Technology Pathways, 2006 All rights reserved