powershell memory dumper
Latest commit 3e53058 Dec 14, 2018
Files in this repository:
  LICENSE - Added License (Nov 15, 2018)
  README.md - Update README.md (Dec 14, 2018)
  power_dump.py - woops (Nov 15, 2018)
  screenshot.PNG - screen (Nov 15, 2018)


Power Dump

Power Dump takes a 64-bit Windows 10 PowerShell process dump made with procdump and retrieves PowerShell script blocks and variables from memory. Basically it's strings on steroids, with a little extra logic built in for finding PowerShell. Right now it is only built out and tested for Windows 10 64-bit on Intel.

(screenshot: screenshot.PNG)
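As an added illustration of the "strings on steroids" idea described above (example code written for this page, not code from power_dump.py), the following Python 3 script pulls printable ASCII and UTF-16LE runs out of a raw dump and keeps only those that look like PowerShell. The heuristics and the embedded sample bytes are assumptions made for the example; `scan_dump_file` takes a path to a real procdump output.

```python
import re
import sys

# Constructed stand-in for a procdump -ma dump: binary noise around a UTF-16LE
# PowerShell assignment, an ASCII cmdlet call, a UTF-16LE function definition
# and one ordinary ASCII string that should be filtered out.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    + "$url = 'http://example.invalid/a.ps1'\n".encode("utf-16-le")
    + b"\xff\xfe\x00\x00"
    + b"Invoke-WebRequest -Uri $url\x00\x00\x00"
    + "function Get-Thing { param($x) }".encode("utf-16-le")
    + b"\x7f\x7fplain ascii noise 12345\x00"
)

# "Looks like PowerShell" (assumed heuristics): a variable assignment,
# a function definition, a param() block, or a Verb-Noun cmdlet name.
POWERSHELL_HINTS = re.compile(
    r"\$[A-Za-z_][A-Za-z0-9_]*\s*=|\bfunction\s+[A-Za-z][A-Za-z0-9-]*"
    r"|\bparam\s*\(|\b[A-Z][a-z]+-[A-Z][A-Za-z]+\b"
)

def extract_strings(blob, min_len=6):
    """(offset, encoding, text) for printable ASCII and UTF-16LE runs.
    PowerShell holds script text as .NET strings, so most hits are UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(blob)]
    return sorted(found)

def find_powershell(blob, min_len=6):
    """Keep only strings that match one of the PowerShell heuristics."""
    return [hit for hit in extract_strings(blob, min_len)
            if POWERSHELL_HINTS.search(hit[2])]

def scan_dump_file(path):
    """Scan a dump file on disk (a procdump -ma output, for example)."""
    with open(path, "rb") as fh:
        return find_powershell(fh.read())

if __name__ == "__main__":
    # Given a path, scan that file; otherwise run against the constructed sample.
    hits = scan_dump_file(sys.argv[1]) if len(sys.argv) > 1 else find_powershell(SAMPLE_DUMP)
    for offset, encoding, text in hits:
        print("0x%08x %-8s %s" % (offset, encoding, text))
```

Real dumps are large, so reading the whole file into memory is the simplest option but not the most frugal; the filtering step is what keeps the output manageable compared with plain strings.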

Prerequisites:

Download procdump from Sysinternals:

https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

Usage:

  1. git clone https://github.com/chrisjd20/power_dump.git
  2. Have a PowerShell script running. Take its process ID and run the following:
    • procdump64.exe -ma <pid>
  3. py -2 power_dump.py <-- Windows (if both Python 2 and Python 3 are installed)
  4. python power_dump.py <-- Linux
  5. Select option 1
  6. ld powershell.exe_mem_dump1928461283 (load the dump file that procdump created)
  7. Select option 2 (wait for it to process)
  8. Select option 3 or 4 to perform filter searching

License: MIT License

Tested on: Windows 10 64-bit Intel

Todo:

Needs some cleaning up. Expand this out to handle dumps from all Windows versions and architectures. Also add searches for payloads other than PowerShell.