Windows Memory Dump Analysis

A memory dump file (.dmp), also called as 'crash dump' is a crash report file.

Investigation

file example.dmp
# Output
example.dmp: Mini DuMP crash report, 18 streams, Sat Nov ...
Copied!

Static Analysis

We can also read contents of this file by usual static analysis such as below.

strings example.dmp
strings example.dmp | grep -i password
# Open pager
strings example.dmp | less

xxd example.dmp
Copied!

Using Debugger

IDA, ILSpy
Visual Studio

Using Online Viewer

This file can also be read with online DMP viewer.

Dump KeePass Master Key (CVE-2023-32784)

If the .dmp file contains KeePass memory, we might be able to dump the master key. This vulnerability exists in KeePass 2.x before 2.54. keepass-password-dumpter is useful to do that.

In Windows, run the follwoing command.

git clone https://github.com/vdohney/keepass-password-dumper.git
cd keepass-password-dumper
dotnet run example.dmp

PreviousWSL Pentesting NextWindows Remote Code Execution from Linux

Last updated 2 years ago

hashtagInvestigationarrow-up-right

hashtagStatic Analysisarrow-up-right

hashtagUsing Debuggerarrow-up-right

hashtagUsing Online Viewerarrow-up-right

hashtagDump KeePass Master Key (CVE-2023-32784)arrow-up-right

Investigation

Static Analysis

Using Debugger

Using Online Viewer

Dump KeePass Master Key (CVE-2023-32784)