When we think about how we investigate RAM using RAMalyzer, we tend to think in terms of finding the right process as a target (even if we want to look at several processes, we will look at each one at a time). We then investigate that process's memory by looking at the VMAs and deciding where to focus our investigation, and finally we run some form of regular expression and find the user data required for the investigation. Having found an item we are looking for, we will probably want to look at that item in more detail. Perhaps we have been looking for the text portion of an SMS, and now we would like to reconstruct the rest of the SMS from the data around it. In the earlier version of RAMalyzer we would have to dump the process and look for the file offset reported by the regex command to find that particular instance of the item we were looking for.
When we reviewed RAMalyzer and its operation, we looked at what else would improve the user experience. Dumping a whole process to check on an instance of a search hit, while not difficult to do, seemed like a waste of resources and time for a simple check. We decided that we could improve our search results by reporting the virtual address of each search hit. This address can be used to locate the data when the process is dumped, since a process dump writes out each virtual memory area by address. An example is shown below along with the command line that was used.
ramalyzer regex --pattern "[{][\"][a-zA-Z]+[\"][:].+[}]" --pid 32451 --file Osaka.xry
Figure 1.0
In the regex search above we are looking for instances of JSON within a sandboxed instance of Google's Chrome. We can see three separate hits for the search, as shown in Figure 1.0, the first being at 0x0000000200b0c7e4, the second at 0x0000007a52ff8d13 and the third at 0x0000007a52ff9008. It would be a simple matter to now dump the process and find the data using this address.
But, what if we could just use that address and look at the memory page in the task, without the need to dump the whole task? For this, we can use the new “page” command as shown below:
ramalyzer page --address 0x0000007A52FF9008 --pid 32451 --file Osaka.xry
Figure 2.0
Figure 2.0 shows the page at the address 0x0000007a52ff9008 reported by our search. We can also see that offset 8 in the page is where the JSON opening brace is. The search hit before this is at 0x0000000200b0c7e4, and looking at offset 0x7E4 in that page we find what is shown in Figure 3.0:
Figure 3.0
Here we can see that the JSON is preceded by a length field (the 0xDB at offset 0x7E0), which may be part of a structure that describes how this JSON was being used.
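The two steps the post walks through, a regex sweep that reports hits as virtual addresses and a page lookup that masks an address to its 4 KiB page and its in-page offset, in an added Python example that is not RAMalyzer's code. The VMA layout, the JSON strings and the 4-byte little-endian length field are constructed sample data, not taken from the Osaka.xry capture.

```python
import re
from dataclasses import dataclass

PAGE_SIZE = 0x1000  # 4 KiB pages

@dataclass
class VMA:
    """One virtual memory area of the task: its start address and the bytes captured from it."""
    start: int
    data: bytes

    @property
    def end(self) -> int:
        return self.start + len(self.data)

def regex_search(vmas, pattern: bytes) -> list:
    """Run a byte regex over each VMA and report every hit as a virtual address,
    i.e. the VMA base plus the offset of the match inside that VMA."""
    return [vma.start + m.start()
            for vma in vmas for m in re.finditer(pattern, vma.data)]

def page_view(vmas, address: int):
    """Return (page_base, offset_in_page, page_bytes) for the 4 KiB page that maps
    `address`, or None when no VMA covers it: mask to the page boundary, then slice
    the owning VMA so the page can be shown without dumping the whole task."""
    page_base = address & ~(PAGE_SIZE - 1)
    for vma in vmas:
        if vma.start <= address < vma.end:
            lo = page_base - vma.start
            return page_base, address - page_base, vma.data[lo:lo + PAGE_SIZE]
    return None

# Constructed sample data (not from the Osaka.xry capture): a two-page VMA at 0x200b0c000
# carrying a JSON object at in-page offset 0x7e4 with a 4-byte little-endian length field
# at 0x7e0, and a one-page VMA at 0x7a52ff9000 with a JSON object at offset 8.
JSON_A = b'{"title":"constructed sample","visits":3}'
JSON_B = b'{"state":"ok"}'

def build_sample_vmas() -> list:
    a = bytearray(2 * PAGE_SIZE)
    a[0x7e0:0x7e4] = len(JSON_A).to_bytes(4, "little")
    a[0x7e4:0x7e4 + len(JSON_A)] = JSON_A
    b = bytearray(PAGE_SIZE)
    b[8:8 + len(JSON_B)] = JSON_B
    return [VMA(0x200b0c000, bytes(a)), VMA(0x7a52ff9000, bytes(b))]

JSON_PATTERN = rb'[{]["][a-zA-Z]+["][:].+[}]'  # the post's pattern, quotes written as \"

if __name__ == "__main__":
    vmas = build_sample_vmas()
    for hit in regex_search(vmas, JSON_PATTERN):
        base, off, page = page_view(vmas, hit)
        length = int.from_bytes(page[off - 4:off], "little") if off >= 4 else None
        print(f"hit {hit:#018x} -> page {base:#x} offset {off:#x}, length field {length}")
```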
Please join the conversation on the MSAB Forum in our dedicated RAMalyzer section. Looking for tips? Want to share some interesting insights with fellow examiners? Head to the forum now!
If you want to learn more or have any questions, don’t hesitate to get in touch with us.
About the author:
Dave Lauder is a Security Researcher at MSAB.