Converting a RAM image into a crash dump
I had a feeling that a memory image dumped with mdd or win32dd could be converted into crash dump format, but I'd forgotten which tool supported it... Got it: it's raw2dmp, which is included in the Volatility Framework.
I think I tried it at the end of last year and it didn't work properly on my machine, so I need to give it another go.
So, first, dump memory with win32dd.
[win32dd] Lets dump it!
[win32dd] Destination: \??\C:\temp\win32dd.1.2.20081105\physmem.bin
[win32dd] Processing.... Done.
[win32dd] Physical memory dumped.
Time elapsed is 861 seconds.
[win32dd] Leaving...
The oddly long time it took bothers me, but setting that aside, let's start the conversion with raw2dmp.
C:\>c:\temp\Volatility-1.3_Beta\volatility raw2dmp -f c:\temp\win32dd.1.2.20081105\physmem.bin -o c:\temp\physmem.dmp
c:\temp\Volatility-1.3_Beta\forensics\win32\crashdump.py:31: DeprecationWarning:
the sha module is deprecated; use the hashlib module instead
import sha
Convert: 100% |||||||||||||||||||||||||||||||||||||||||||||||||| Time: 00:01:28
It looks like the conversion worked, so the next step is to load it into WinDBG and see what happens.
Loading Dump File [C:\case\Evidence\physmem.dmp]
Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV*c:\WINDOWS\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Machine Name:
Kernel base = 0x804d9000 PsLoadedModuleList = 0x8055e700
Debug session time: Tue Jan 6 11:12:00.687 2009 (GMT+9)
System Uptime: 0 days 20:42:33.372
WARNING: Process directory table base 0A480380 doesn't match CR3 00AD7000
WARNING: Process directory table base 0A480380 doesn't match CR3 00AD7000
Loading Kernel Symbols
...............................................................
...............................................
Loading User Symbols
...........
Loading unloaded module list
..........
Unknown exception - code 00000000 (first/second chance not available)
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

*** ERROR: Module load completed but symbols could not be loaded for win32dd.exe
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
Probably caused by : win32dd.exe ( win32dd_400000+10400 )

Followup: MachineOwner
Hmm, there are some things that bother me, like the WARNING messages, but loading it into WinDBG itself seems to work.
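As an added illustration of what the raw2dmp conversion above actually produces, and of where the DirectoryTableBase that WinDbg compares against in the "doesn't match CR3" warning lives, the following Python builds the 32-bit crash dump header around a constructed raw image, parses it back, and maps a physical address to its file offset. This is not code from the blog post, win32dd, or Volatility; it assumes the 32-bit _DMP_HEADER layout (PAGE/DUMP signature at 0x00, physical memory descriptor at 0x64, DumpType at 0xF88, memory runs stored back to back from offset 0x1000) and generalizes beyond the single contiguous run of a raw image to several runs with holes between them. The sample image, the run layout and the reuse of 0x00AD7000 (the CR3 shown in the WinDbg output) as the header's DirectoryTableBase are constructed inputs.

```python
"""Constructed example of the 32-bit Windows crash dump container that a
raw2dmp-style conversion wraps around a raw physical memory image.

Not the blog post's, win32dd's or Volatility's code.  Offsets follow the
32-bit _DMP_HEADER layout: 'PAGE'/'DUMP' signature at 0x00, physical memory
descriptor at 0x64, DumpType at 0xF88, memory runs stored back to back from
file offset 0x1000.
"""
import struct

PAGE_SIZE = 0x1000
HEADER_SIZE = 0x1000               # the 32-bit header is exactly one page
DUMP_TYPE_FULL = 1                 # WinDbg shows this as "Kernel Complete Dump File"
IMAGE_FILE_MACHINE_I386 = 0x014C
MAX_RUNS = (700 - 8) // 8          # 700-byte descriptor buffer: 2 counts + 8-byte runs


def build_crash_dump(runs, directory_table_base, ps_loaded_module_list=0,
                     number_processors=1, build_number=2600):
    """Wrap page-aligned physical memory runs [(base_page, bytes), ...] in a
    32-bit crash dump header.  A raw image that starts at physical address 0
    is the single run (0, image_bytes); several runs model holes in RAM."""
    if not 0 < len(runs) <= MAX_RUNS:
        raise ValueError("need between 1 and %d runs" % MAX_RUNS)
    for base_page, data in runs:
        if len(data) == 0 or len(data) % PAGE_SIZE:
            raise ValueError("run at page 0x%x is not page aligned" % base_page)

    # The kernel's own dump writer fills the header with the repeated 'PAGE'
    # signature and overwrites the fields it knows; mimic that here.
    hdr = bytearray(b"PAGE" * (HEADER_SIZE // 4))
    # MajorVersion 0xF = free (retail) build, MinorVersion = kernel build number
    struct.pack_into("<4s4sII", hdr, 0x00, b"PAGE", b"DUMP", 0xF, build_number)
    # DirectoryTableBase is what the debugger adopts as the kernel CR3.
    # PfnDataBase / PsActiveProcessHead are left 0 (assumption: a converter
    # that has not located them in the image).
    struct.pack_into("<IIII", hdr, 0x10, directory_table_base, 0,
                     ps_loaded_module_list, 0)
    struct.pack_into("<II", hdr, 0x20, IMAGE_FILE_MACHINE_I386, number_processors)
    # BugCheckCode + 4 parameters: a converted image has no real bug check.
    struct.pack_into("<5I", hdr, 0x28, 0, 0, 0, 0, 0)
    # PaeEnabled, KdSecondaryVersion, 2 spare bytes, KdDebuggerDataBlock
    struct.pack_into("<BBHI", hdr, 0x5C, 0, 0, 0, 0)
    # _PHYSICAL_MEMORY_DESCRIPTOR: NumberOfRuns, NumberOfPages, Run[]
    total_pages = sum(len(data) // PAGE_SIZE for _, data in runs)
    struct.pack_into("<II", hdr, 0x64, len(runs), total_pages)
    for i, (base_page, data) in enumerate(runs):
        struct.pack_into("<II", hdr, 0x6C + 8 * i, base_page, len(data) // PAGE_SIZE)
    struct.pack_into("<I", hdr, 0xF88, DUMP_TYPE_FULL)
    return bytes(hdr) + b"".join(data for _, data in runs)


def parse_dump_header(blob):
    """Read back the fields WinDbg reports when it loads the dump."""
    if blob[:8] != b"PAGEDUMP":
        raise ValueError("not a 32-bit crash dump: missing PAGE/DUMP signature")
    (major, minor, dtb, _pfn, modlist, _prochead,
     machine, ncpu) = struct.unpack_from("<8I", blob, 0x08)
    nruns, npages = struct.unpack_from("<II", blob, 0x64)
    runs = [struct.unpack_from("<II", blob, 0x6C + 8 * i) for i in range(nruns)]
    dump_type, = struct.unpack_from("<I", blob, 0xF88)
    return {"major": major, "build": minor, "dtb": dtb,
            "ps_loaded_module_list": modlist, "machine": machine,
            "ncpu": ncpu, "runs": runs, "number_of_pages": npages,
            "dump_type": dump_type}


def phys_to_file_offset(runs, paddr):
    """Map a physical address to its offset in the dump file, or None when it
    falls in a hole between runs (device memory, unmapped ranges)."""
    file_off = HEADER_SIZE
    for base_page, page_count in runs:
        start = base_page * PAGE_SIZE
        if start <= paddr < start + page_count * PAGE_SIZE:
            return file_off + (paddr - start)
        file_off += page_count * PAGE_SIZE
    return None


def demo():
    """Constructed 4-page 'raw image' (each page filled with its index),
    converted and read back.  DirectoryTableBase 0x00AD7000 is the CR3 from
    the WinDbg session on this page, reused as a sample value."""
    image = b"".join(bytes([i]) * PAGE_SIZE for i in range(4))
    dump = build_crash_dump([(0, image)], directory_table_base=0x00AD7000,
                            number_processors=2)
    hdr = parse_dump_header(dump)
    off = phys_to_file_offset(hdr["runs"], 0x2000)
    return hdr, dump, off


if __name__ == "__main__":
    hdr, dump, off = demo()
    print("DirectoryTableBase = 0x%08x, runs = %s, dump_type = %d"
          % (hdr["dtb"], hdr["runs"], hdr["dump_type"]))
    print("physical 0x2000 -> file offset 0x%x (page tag %d)" % (off, dump[off]))
```

When WinDbg prints the "Process directory table base ... doesn't match CR3" warning, the CR3 it names is derived from the header's DirectoryTableBase, so reading that field back with parse_dump_header on the converted file is the first thing to check; a converter that could not locate the right page directory in the image produces exactly this kind of mismatch while still loading.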