## **Overview**
While there are many open source and commercial tools that can be used to dump process memory, there are also mechanisms to dump memory via native LOLBins on Windows systems. Comsvcs.dll is a system library found within C:\Windows\System32 that exposes an API called MiniDump. When invoked, it creates a .dmp file containing a snapshot of a process's memory at a specific point in time. Those using it maliciously will often be after things such as hashes, Kerberos tickets, and plaintext passwords within the dump.
From a defensive standpoint, this .dmp file can be used to hunt for shellcode and loaders within memory. While tools like Volatility and MemProcFS exist to analyze complete memory dumps of a system, it sometimes isn't possible to transfer an entire memory dump from a remote system back into your environment for analysis. Comsvcs.dll provides a way to dump memory from a specific PID, and as a bonus lives on all Windows systems. This allows responders to extract the memory dumps in instances where limited bandwidth exists or external tooling is not able to be dropped onto the system.
### **Dumping PID Memory**
```
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <Process_ID> <Output_Path> full
```
Process memory can be dumped by using rundll32.exe to invoke the MiniDump API from the comsvcs.dll library, passing the target PID, the output path, and the keyword `full` as arguments.
### **Contents of DMP Files**
Using any hex editor, the dmp can be analyzed to reveal the structure and many of the sensitive contents inside. 010 Hex Editor simplifies this by applying a template to the dmp showing at a high level the header, directory, and the various streams.
![[Pasted image 20260111164309.png]]
At a high level, process dumps contain:
- **Header** - Denoted by the hex bytes **4D 44 4D 50** (MDMP). This can be thought of as the cover of a book and tells us this is a minidump. Most important is the field **'StreamDirectoryRva'**, which is a pointer (an offset from the start of the file) to the Directory.
- **Directory** - Similar to a table of contents, the directory contains a list of the streams and the location of them within the file.
- **Streams** - Can be thought of as chapters within a book. The streams are the raw data contents within the file. This contains the information for the threads, modules loaded, and the contents of the memory. These contents can include things such as usernames, passwords, and even raw shellcode.
### **Stream Types**
Stream types are denoted by a 4-byte integer, as seen in the table below. Each stream serves a different function for the type of data being stored within the memory dump. From an analysis standpoint, a few of the more important streams are listed below. For a complete list of stream types and their codes, refer to the [minidumpapiset.h MSDN Documentation](https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/ne-minidumpapiset-minidump_stream_type).
| Stream Type | ID | Description |
| -------------------- | --- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| UnusedStream | 0 | Reserved / Empty. |
| ThreadListStream | 3 | A list of all threads running in the process (Process IDs, Thread IDs, Registers). |
| ModuleListStream | 4 | A list of all DLLs and executables loaded (e.g., ntdll.dll, kernel32.dll). Critical for finding where code lives. |
| MemoryListStream | 5 | (Legacy) Contains snapshots of memory ranges. Usually used for smaller "mini" dumps. |
| ExceptionStream | 6 | If the dump was created due to a crash, this tells you why (e.g., Access Violation). |
| SystemInfoStream | 7 | Metadata about the machine: OS version, Service Pack, CPU architecture (x64 vs x86). |
| Memory64ListStream | 9 | (Full Dump Standard) The actual raw content of the memory. This is used when "Full Memory" is requested. |
| MemoryInfoListStream | 16 | Contains the memory protections over the regions (e.g., PAGE_EXECUTE_READWRITE). This does not appear to be within dumps made with comsvcs.dll. |
When hunting for shellcode and other sensitive information, the Memory64ListStream is where that raw memory content lives.
### **Creating a Script to Enumerate Streams**
Utilizing the Python library minidump, a script can be created to enumerate these same streams.
![[Pasted image 20260111164557.png]]
When run, this gives the following output:
![[Pasted image 20260111164650.png]]
These streams can be compared against the output from 010. Most notably, it can be seen when analyzing in Python that there are additional streams identified related to streams 21, 22, and 24. I'm unsure why, but when looking back within the Directory in 010 the streams were identified, but were not named.
![[Pasted image 20260111164707.png]]
Since the Python script matches what is seen in 010, we have a good starting point for parsing through the data.
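As an added example (not the page's own script, which used the `minidump` library, and not code from that project), the following pure-Python parser walks a dump the way the structure and stream sections above describe: it reads the MDMP header, follows StreamDirectoryRva to the directory, names each stream from the MINIDUMP_STREAM_TYPE values in minidumpapiset.h, and then walks the Memory64ListStream to map every memory range's virtual address back to its file offset so the raw memory can be searched. The input is a constructed in-memory minidump produced by `build_sample_dump()` (three streams, two small memory regions), not a real process dump; the struct layouts follow MINIDUMP_HEADER, MINIDUMP_DIRECTORY, MINIDUMP_MEMORY64_LIST and MINIDUMP_MEMORY_DESCRIPTOR64.

```python
import struct
import sys

MDMP_SIGNATURE = b"MDMP"  # bytes 4D 44 4D 50 at file offset 0
MINIDUMP_WITH_FULL_MEMORY = 0x2  # MINIDUMP_TYPE flag that "full" dumps carry
# MINIDUMP_STREAM_TYPE values 0..24 as defined in minidumpapiset.h
STREAM_NAMES = dict(enumerate([
    "UnusedStream", "ReservedStream0", "ReservedStream1", "ThreadListStream",
    "ModuleListStream", "MemoryListStream", "ExceptionStream", "SystemInfoStream",
    "ThreadExListStream", "Memory64ListStream", "CommentStreamA", "CommentStreamW",
    "HandleDataStream", "FunctionTableStream", "UnloadedModuleListStream",
    "MiscInfoStream", "MemoryInfoListStream", "ThreadInfoListStream",
    "HandleOperationListStream", "TokenStream", "JavaScriptDataStream",
    "SystemMemoryInfoStream", "ProcessVmCountersStream", "IptTraceStream",
    "ThreadNamesStream"]))
# Little-endian layouts from minidumpapiset.h
HEADER_FMT = "<4sIIIIIQ"  # MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIR_FMT = "<III"          # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva (12 bytes)
MEM64_LIST_FMT = "<QQ"    # MINIDUMP_MEMORY64_LIST: NumberOfMemoryRanges, BaseRva (16 bytes)
MEM64_DESC_FMT = "<QQ"    # MINIDUMP_MEMORY_DESCRIPTOR64: StartOfMemoryRange, DataSize (16 bytes)

def parse_header(data):
    """Validate the MDMP signature and return the header fields we need."""
    sig, _ver, nstreams, dir_rva, _csum, _ts, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump: signature %r" % sig)
    return {"NumberOfStreams": nstreams, "StreamDirectoryRva": dir_rva, "Flags": flags}

def parse_directory(data):
    """Follow StreamDirectoryRva and return one dict per directory entry."""
    hdr = parse_header(data)
    entries = []
    for i in range(hdr["NumberOfStreams"]):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, hdr["StreamDirectoryRva"] + i * 12)
        name = STREAM_NAMES.get(stype, "Unknown(%d)" % stype)
        entries.append({"type": stype, "name": name, "size": size, "rva": rva})
    return entries

def parse_memory64_ranges(data):
    """Walk the Memory64ListStream (type 9). Range contents are stored back to back
    starting at BaseRva in descriptor order, so file offsets accumulate."""
    for e in parse_directory(data):
        if e["type"] != 9:
            continue
        count, base_rva = struct.unpack_from(MEM64_LIST_FMT, data, e["rva"])
        ranges, file_off = [], base_rva
        for i in range(count):
            va, size = struct.unpack_from(MEM64_DESC_FMT, data, e["rva"] + 16 + i * 16)
            ranges.append({"va": va, "size": size, "file_offset": file_off})
            file_off += size
        return ranges
    return []  # no Memory64ListStream, e.g. the dump was not taken with "full"

def find_pattern(data, pattern):
    """Return the virtual address of every occurrence of `pattern` in dumped memory."""
    hits = []
    for r in parse_memory64_ranges(data):
        region = data[r["file_offset"]:r["file_offset"] + r["size"]]
        pos = region.find(pattern)
        while pos != -1:
            hits.append(r["va"] + pos)
            pos = region.find(pattern, pos + 1)
    return hits

def build_sample_dump():
    """Constructed test dump (not from a real process): header(32) | directory(3*12) |
    SystemInfoStream bytes(16) | Memory64ListStream(16 + 2*16) | type-24 stream(4) | region bytes."""
    sysinfo = b"\x00" * 16
    regions = [
        (0x7FF600000000, b"MZ" + b"\x90" * 14),              # "MZ" at offset 0 of region 1
        (0x1C000000000, b"\xCC" * 8 + b"MZ" + b"\x00" * 6),  # "MZ" at offset 8 of region 2
    ]
    stream24 = b"\x00" * 4
    dir_rva, nstreams = 32, 3
    sysinfo_rva = dir_rva + nstreams * 12   # 68
    mem64_rva = sysinfo_rva + len(sysinfo)  # 84
    mem64_size = 16 + len(regions) * 16     # 48
    s24_rva = mem64_rva + mem64_size        # 132
    base_rva = s24_rva + len(stream24)      # 136: where region 1's bytes begin
    out = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, nstreams, dir_rva, 0, 0,
                      MINIDUMP_WITH_FULL_MEMORY)
    out += struct.pack(DIR_FMT, 7, len(sysinfo), sysinfo_rva)
    out += struct.pack(DIR_FMT, 9, mem64_size, mem64_rva)
    out += struct.pack(DIR_FMT, 24, len(stream24), s24_rva)
    out += sysinfo
    out += struct.pack(MEM64_LIST_FMT, len(regions), base_rva)
    for va, content in regions:
        out += struct.pack(MEM64_DESC_FMT, va, len(content))
    out += stream24
    for _, content in regions:
        out += content
    return out

if __name__ == "__main__":
    # Pass a real .dmp path to walk it; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for e in parse_directory(blob):
        print("%-28s type=%-3d size=0x%-8x rva=0x%x" % (e["name"], e["type"], e["size"], e["rva"]))
    for r in parse_memory64_ranges(blob):
        print("range va=0x%016x size=0x%x file_offset=0x%x" % (r["va"], r["size"], r["file_offset"]))
    print("MZ headers in memory at:", [hex(a) for a in find_pattern(blob, b"MZ")])
```

Running the script with the path of a comsvcs.dll dump as its only argument lists the directory the same way the 010 template does, then enumerates the Memory64ListStream ranges; `find_pattern()` is the piece to build on for hunting, since it reports hits as virtual addresses inside the original process rather than as file offsets, which is what a responder needs when comparing against the ModuleListStream to decide whether a region holds a loaded DLL or unbacked code.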