Windows 8 Open Source Memory Analysis Fail

Wow, spent a lot of time yesterday trying to do some memory analysis on Windows 8 with a couple open source tools…

And completely failed.

I wanted to analyze a suspended Win8 virtual machine’s memory and see what information could be pulled from it. I know VMWare has a “vmss2core” utility that will do the trick. Of course I had Windows 8 in a Virtualbox VM. No problem, I exported and imported to VMWare Workstation with no problems. Okay, it hung up on first boot in VMWare, but a hard reset and everything was right as rain on the next boot.

Next I suspended the VM, grabbed the .vmem and the .vmss suspension files and tried to run it through vmss2core:

C:\VM>vmss2core.exe -W windows8.vmem windows8.vmss
vmss2core version 812388 Copyright (C) 1998-2012 VMware, Inc. All rights reserved.

Unrecognized .vmss file (magic f000ff53).

Unrecognized .vmss file… Okay, not to be deterred, I rebooted the Windows 8 VM and took a snapshot. Vmss2core also works with snapshots!

Same error.

I actually read the help features for Vmss2core and realized that it has a “-W8″ command for Windows 8! Doh!

Used that… Same error…

Okay, bothered now, but still undeterred, I figured I would just boot the system up and run MoonSols DumpIt command to get a copy of the active RAM. Then I can use the memory dump output and feed it into Volatility!

Or so I thought…

DumpIt works great for grabbing a full copy of your active RAM so you can analyze it for artifacts. Simply Download the file, and place it where you want it – USB drive, hard drive etc. Then just run the command, and the full active memory of the system will be saved in the same directory.

I ran DumpIt in Windows 8 and it worked flawlessly:

Yeah! Now all I need to do is take the .raw memory dump file and feed it into the memory analysis program Volatility. And I should be able to see tons of information and artifacts including network connections, users, services and other goodies!  :)

I started out by using the imageinfo command. This command returns the exact operating system level to Volatility so that it correctly maps memory locations with services when you use the more advanced commands.

(I created a whole series on using volatility to perform analysis on Windows 7 last year)

When I ran Volatility, it was unable to determine the OS level. I was using the latest version that just came out this month. A quick search on their website and it looks like Wind0ws 8 functionality will not be out for several more months…

Well, that was the final brick wall for me. I had other things to do and had to walk away from it at that point.

Anyone have any ideas or know of any other open source memory analysis tools like Volatility that will work with Windows 8?

About these ads

~ by D. Dieterle on October 16, 2012.

5 Responses to “Windows 8 Open Source Memory Analysis Fail”

  1. If you search pastebin.com for “Win8M3x86″ you’ll see tests for using volatility with windows 8 developer preview from September 2011. So with the right profile, you can analyze windows 8 – no problem. Getting the profile committed to trunk isn’t the highest priority for us at the moment, but you can always make one yourself…or just continue to fail ;-(

    • Thanks Michael! :)

      Bah, failing is not necessarily a bad thing. In failing we push our boundaries, learn new things about ourselves and our abilities (or lack of!).

      But every once in a while we do need course correction and a nudge from a master. :)

      Thank you, I really appreciate your work!

  2. No problem. The reason for creating an initial profile last September was just to see how much changed since Windows 7 (not much had) and thus determine how much work would be involved in fully implementing it. Once we realized it would be rather easy, we put it on the back burner while linux, mac, and android support are solidified…once that’s done we’ll loop back around to Windows 8 – probably by the time it has been released by Microsoft and a bit more main stream/popular.

  3. Reblogged this on lava kafle kathmandu nepal.

  4. We (IOActive) is hosting a forensics application that may do much of what your looking for. (Windows8.1/2012R2 64bit support)

    The Memory Cruncher is not exactly open source but the specification is open and it’s all based on XML.

    We took a different approach and aim to provide memory integrity assurances for cloud/physical memory. We have just made a few updates that include tools like disassembly (with symbols) but also through our server hosted white-list will generate a road-map report that reduces several orders of magnitude the amount of unknown code loaded (by scanning our white list).

    Try it out and let us know about the features you like and how it works @ https://blockwatch.ioactive.com/

    By the way Windows 9200+ kernels are a lot more secure and we should all be using them ;)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

Join 267 other followers

%d bloggers like this: