Memory-dumper - A tool for dumping files from processes memory

Overview

What is memory-dumper

memory-dumper is a tool for dumping files from process's memory. The main purpose is to find patterns inside the process's memory, which is done by plugins, and dump segments of memory to files.

Why would I use memory-dumper

Virtually memory-dumper can dump anything, it's up to you find it any use. That said, I use it to dump Flash files (SWF). There are many SWF encrypted files that can't be decrypted easily. The only easy way is make them decrypt themself and them dump them directly from memory.

New plugins for dumping any other type of data can be created easily.

How do I compile it?

You'll need meson, python3 and ninja-build. Once you have those, just run:

mkdir build
cd build
meson ..
ninja

How do I use it?

Go to the build directory and run:

sudo ./memory-dumper -p PID

to dump the memory of a process (sudo is required because memory-dumper must read the memory of a process that doesn't own)

or

./memory-dumper -p /path/to/file.ext

to dump the content of a file.

Ok, I'd like to dump XYZ file

You just need to create a plugin! It's that easy. Just look inside the plugin folder. Your plugin should have two main functions. The first one is init which will be used to init the plugin itself and pass it some useful functions; and the second one is match, which is used to pass a memory block to the plugin so it can search and dump it's content.

TO-DO:

  • Currently memory-dumper works only on Linux. Maybe I'll port it to Windows at some point in the future, but I don't want to promise anything. Anyways, I'll accept a patch for this :)

  • I'm planning to write some more plugins. If you want a plugin for some specific file type, use the New issue button :)

  • Write some documentation about how to write a plugin.

Issues
  • toRandFile doesn't seem to

    toRandFile doesn't seem to "work"

    I have successfully built memory-dumper and all plugins except for zwf plugin (couldn't find updated lzma lib, but don't need it anyway). I run the memory dumper targeting my firefox, I get console output of successful matches, however, nothing it put in the ./dumps/ folder as it should.

    https://github.com/alexandernst/memory-dumper/blob/master/plugins/png.cpp#L182

    opened by jalius 4
  • Command ninja: build stopped: subcommand failed

    Command ninja: build stopped: subcommand failed

    In the process of compile memory-dumper, the command ninja returned:

    [0/12] Compiling C++ object '[email protected]/src_MemoryDumper.cpp.o'.
    [1/12] Compiling C++ object 'plugins/[email protected]@[email protected]/zwf.cpp.o'.
    FAILED: plugins/[email protected]@[email protected]/zwf.cpp.o 
    c++ -Iplugins/[email protected]@[email protected] -Iplugins -I../plugins -I../src -fdiagnostics-color=always -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -Wnon-virtual-dtor -std=c++11 -O2 -g -fPIC  -MD -MQ 'plugins/[email protected]@[email protected]/zwf.cpp.o' -MF 'plugins/[email protected]@[email protected]/zwf.cpp.o.d' -o 'plugins/[email protected]@[email protected]/zwf.cpp.o' -c ../plugins/zwf.cpp
    ../plugins/zwf.cpp:5:10: fatal error: lzma/LzmaDec.c: Arquivo ou diretório inexistente
     #include "lzma/LzmaDec.c"
              ^~~~~~~~~~~~~~~~
    compilation terminated.
    
    [6/12] Compiling C++ object '[email protected]/src_MemoryDumper.cpp.o'.
    ../src/MemoryDumper.cpp: In member function ‘bool MemoryDumper::getChunksFromProcess()’:
    ../src/MemoryDumper.cpp:175:20: warning: format ‘%lx’ expects argument of type ‘long unsigned int*’, but argument 3 has type ‘off64_t*’ {aka ‘long long int*’} [-Wformat=]
       sscanf(line_buf, "%lx-%lx %4s %lx %5s %ld %s", &start, &end, perm, &foo, dev, &inode, mapname);
                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~  ~~~~~~
    ../src/MemoryDumper.cpp:175:20: warning: format ‘%lx’ expects argument of type ‘long unsigned int*’, but argument 4 has type ‘off64_t*’ {aka ‘long long int*’} [-Wformat=]
    ninja: build stopped: subcommand failed.
    
    
    opened by ghost 1
  • Improve SWF plugin

    Improve SWF plugin

    Currently the plugin supports SWF files. It would be nice to implement the following options too:

    • [x] - CWS (zlib compressed SWF)
    • [x] - ZWS (lzma compressed SWF)

    Dumping internal data from SWF files won't be done as there are already tools that do that.

    opened by alexandernst 0
  • Warnlevel error while building

    Warnlevel error while building

    Hi, not sure if this repository is still active or not, but I'm having issues installing your application...

    When I type meson .., I get this error result

    The Meson build system
    Version: 0.61.2
    Source dir: /Users/elliot/Documents/alexandernst-memory-dumper-fb8190e
    Build dir: /Users/elliot/Documents/alexandernst-memory-dumper-fb8190e/build
    Build type: native build
    
    ../meson.build:1:0: ERROR: Unknown options: "warnlevel"
    
    A full log can be found at /Users/elliot/Documents/alexandernst-memory-dumper-fb8190e/build/meson-logs/meson-log.txt
    

    And here is the full log

    Build started at 2022-02-25T14:02:32.293235
    Main binary: /opt/homebrew/Cellar/meson/0.61.2/libexec/bin/python3.10
    Build Options: 
    Python system: Darwin
    The Meson build system
    Version: 0.61.2
    Source dir: /Users/elliot/Documents/alexandernst-memory-dumper-fb8190e
    Build dir: /Users/elliot/Documents/alexandernst-memory-dumper-fb8190e/build
    Build type: native build
    
    ../meson.build:1:0: ERROR: Unknown options: "warnlevel"
    

    Thank you for your help

    opened by ECurvat 1
  • Create plugins for common files

    Create plugins for common files

    Those are the plugins that I consider as must-have:

    • [ ] - GIF
    • [ ] - JPEG
    • [x] - PNG
    • [ ] - OGG
    • [ ] - MP3
    • [x] - PDF (raw)
    • [ ] - PDF (linearized)
    • [x] - SWF (raw)
    • [x] - SWF (zlib compressed)
    • [x] - SWF (lzma compressed)
    opened by alexandernst 0
Owner
Alexander Nestorov
I pretend to know what I'm doing while smashing the keys of my keyboard.
Alexander Nestorov
The Hoard Memory Allocator: A Fast, Scalable, and Memory-efficient Malloc for Linux, Windows, and Mac.

The Hoard Memory Allocator Copyright (C) 1998-2020 by Emery Berger The Hoard memory allocator is a fast, scalable, and memory-efficient memory allocat

Emery Berger 882 May 13, 2022
Custom memory allocators in C++ to improve the performance of dynamic memory allocation

Table of Contents Introduction Build instructions What's wrong with Malloc? Custom allocators Linear Allocator Stack Allocator Pool Allocator Free lis

Mariano Trebino 1.2k May 9, 2022
MMCTX (Memory Management ConTeXualizer), is a tiny (< 300 lines), single header C99 library that allows for easier memory management by implementing contexts that remember allocations for you and provide freeall()-like functionality.

MMCTX (Memory Management ConTeXualizer), is a tiny (< 300 lines), single header C99 library that allows for easier memory management by implementing contexts that remember allocations for you and provide freeall()-like functionality.

A.P. Jo. 4 Oct 2, 2021
Mesh - A memory allocator that automatically reduces the memory footprint of C/C++ applications.

Mesh: Compacting Memory Management for C/C++ Mesh is a drop in replacement for malloc(3) that can transparently recover from memory fragmentation with

PLASMA @ UMass 1.4k May 7, 2022
Memory instrumentation tool for android app&game developers.

Overview LoliProfiler is a C/C++ memory profiling tool for Android games and applications. LoliProfiler supports profiling debuggable applications out

Tencent 416 May 13, 2022
A tool for tracking memory allocation based ld-preload

libmallocTrace A tool for tracking memory allocation based ld-preload how to build make cd example && make how to use a simple way is to execute some

赵政 1 Mar 12, 2022
Tool for profiling heap usage and memory management

vizzy > ./build/vizzytrace /tmp/heapinfo.trace /bin/find /home/zznop -name vizzy _ _ ____ ____ ____ _ _ ( \/ )(_ _)(_ )(_ )( \/ ) \ /

Brandon Miller 29 Mar 19, 2022
MemoryLeakDetector is a native memory leak monitoring tool developed by Xigua video android team

MemoryLeakDetector is a native memory leak monitoring tool developed by Xigua video android team. It has simple access, wide monitoring range, excellent performance and good stability. It is widely used in native-memory-leak-governance of ByteDance's major apps, and the benefits are significant!

Bytedance Inc. 697 May 13, 2022
STL compatible C++ memory allocator library using a new RawAllocator concept that is similar to an Allocator but easier to use and write.

memory The C++ STL allocator model has various flaws. For example, they are fixed to a certain type, because they are almost necessarily required to b

Jonathan Müller 1.1k May 9, 2022
Public domain cross platform lock free thread caching 16-byte aligned memory allocator implemented in C

rpmalloc - General Purpose Memory Allocator This library provides a public domain cross platform lock free thread caching 16-byte aligned memory alloc

Mattias Jansson 1.5k May 10, 2022
OpenXenium JTAG and Flash Memory programmer

OpenXenium JTAG and Flash Memory programmer * Read: "Home Brew" on ORIGINAL XBOX - a detailed article on why and how * The tools in this repo will all

Koos du Preez 25 Feb 14, 2022
manually map driver for a signed driver memory space

smap manually map driver for a signed driver memory space credits https://github.com/btbd/umap tested system Windows 10 Education 20H2 UEFI installati

ekknod 71 Apr 9, 2022
A single file drop-in memory leak tracking solution for C++ on Windows

MemLeakTracker A single file drop-in memory leak tracking solution for C++ on Windows This small piece of code allows for global memory leak tracking

null 22 Apr 23, 2022
Dump the memory of a PPL with a userland exploit

PPLdump This tool implements a userland exploit that was initially discussed by James Forshaw (a.k.a. @tiraniddo) - in this blog post - for dumping th

Clément Labro 546 May 14, 2022
Implementation of System V shared memory (a type of inter process communication) in xv6 operating system.

NOTE: we have stopped maintaining the x86 version of xv6, and switched our efforts to the RISC-V version (https://github.com/mit-pdos/xv6-riscv.git)

Viraj Jadhav 5 Feb 21, 2022
An In-memory Embedding of CPython

An In-memory Embedding of CPython This repository contains all the build artifacts necessary to build an embedding of CPython 3.8.2 that can be run en

null 100 Apr 26, 2022
Execute MachO binaries in memory using CGo

Execute Thin Mach-O Binaries in Memory This is a CGo implementation of the initial technique put forward by Stephanie Archibald in her blog, Running E

Dwight Hohnstein 55 Apr 15, 2022
Initialize the 8-bit computer memory with a program to be executed automatically on powering.

Initialize the 8-bit computer memory with a program to be executed automatically on powering. This project is small extension of Ben Eater's computer

Dmytro Striletskyi 62 Dec 13, 2021
Artifacts of that Memory Management Tsoding Session

Artifacts of those Memory Management Tsoding Sessions Quick Start $ make $ ./heap Limitations The pointers to the heap can only be located in the heap

Tsoding 50 Apr 28, 2022