AD Privilege Escalation
  • Iperius Backup Service Privilege Escalation
  • ManageEngine ADSelfService Plus PrivEsc
  • Mimikatz
  • Outlook Reminder Privilege Escalation
  • UAC Windows Privilege Escalation
  • Windows PrivEsc with Kerberos
  • Windows PrivEsc with LocalPotato
  • Windows PrivEsc with Registry Keys
  • Windows PrivEsc with RemotePotato
  • Windows PrivEsc with SeBackupPrivilege
  • Windows PrivEsc with Unquoted Service Path
  • Windows Privilege Escalation
  • Windows Pivoting
  • AD CS (Active Directory Certificate Services) Pentesting
  • Dumping Windows Password Hashes
  • WSL Pentesting
  • Windows Memory Dump Analysis
  • Windows Remote Code Execution from Linux
  • Windows XML EventLog (EVTX)
  • M365 (Microsoft Office 365) Pentesting
  • Microsoft Outlook Message (.msg)
  • Microsoft Word Pentesting
  • Reading OneDrive Logs
Powered by GitBook
On this page
  • Investigation
  • Dump KeePass Master Key (CVE-2023-32784)

Windows Memory Dump Analysis

A memory dump file (.dmp), also called as 'crash dump' is a crash report file.

PreviousWSL PentestingNextWindows Remote Code Execution from Linux

Last updated 1 year ago

file example.dmp
# Output
example.dmp: Mini DuMP crash report, 18 streams, Sat Nov ...
Copied!

We can also read contents of this file by usual static analysis such as below.

strings example.dmp
strings example.dmp | grep -i password
# Open pager
strings example.dmp | less

xxd example.dmp
Copied!

  • IDA, ILSpy

  • Visual Studio

This file can also be read with online DMP viewer.

In Windows, run the follwoing command.

git clone https://github.com/vdohney/keepass-password-dumper.git
cd keepass-password-dumper
dotnet run example.dmp

If the .dmp file contains KeePass memory, we might be able to dump the master key. This vulnerability exists in KeePass 2.x before 2.54. is useful to do that.

Investigation
Static Analysis
Using Debugger
Using Online Viewer
Dump KeePass Master Key (CVE-2023-32784)
keepass-password-dumpter
Page cover image