Releases: nccgroup/memgrep
Print (n) bytes before and after a hit, and supply search strings from a file
This version introduces three new command line options:
- -b - print this many bytes before the hit when using -x (hex dump)
- -a - print this many bytes after the hit when using -x (hex dump)
- -f - specify a file from which to read the strings to search for
In addition to these new options, it now also shows where in memory the page containing the string starts:
```
C:\Data\NCC\!Code\Git.Public\memgrep\windows\x64\Release>Memgrep.exe -b 20 -a 20 -q -s ninja -x
memgrep - https://www.nccgroup.com/
- https://github.com/nccgroup/memgrep
[i] Will print 20 bytes before hit
[i] Will print 20 bytes after hit
[i] Using the string 'ninja'
[*] Got unicode hit for ninja at 000000001092A52C in Dwm.exe (3444) page starts at 0000000010890000 [rw ] - private
0000 70 00 20 00 36 00 30 00 36 00 34 00 20 00 2d 00 p. .6.0. 6.4. .-.
0010 73 00 20 00 6e 00 69 00 6e 00 6a 00 61 00 20 00 s. .n.i. n.j.a. .
0020 2d 00 78 00 00 00 00 00 15 00 00 00 19 00 00 00 -.x..... ........
0030 ce 23 .#
```
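As an added example (not memgrep's own source), this Python model shows what the -b/-a/-x output above is doing: the buffer is searched for both the ASCII and the UTF-16LE ("unicode") form of the string, and a window of N bytes before and after each hit is hex-dumped, clamped at the buffer edge. The memory buffer, the -b/-a values and the function names are constructed for this example.

```python
"""Added example: ASCII + UTF-16LE search with a memgrep-style context dump."""


def encodings(needle: str) -> dict:
    # memgrep searches twice: as ASCII and as Windows "unicode" (UTF-16LE).
    return {"ascii": needle.encode("ascii"), "unicode": needle.encode("utf-16-le")}


def find_hits(buf: bytes, needle: str) -> list:
    """Return (kind, offset) for every ASCII and UTF-16LE occurrence."""
    hits = []
    for kind, pat in encodings(needle).items():
        start = 0
        while (pos := buf.find(pat, start)) != -1:
            hits.append((kind, pos))
            start = pos + 1
    return sorted(hits, key=lambda h: h[1])


def context_window(buf: bytes, offset: int, length: int, before: int, after: int) -> tuple:
    """Slice [offset-before, offset+length+after), clamped to the buffer (-b / -a)."""
    lo = max(0, offset - before)
    hi = min(len(buf), offset + length + after)
    return lo, buf[lo:hi]


def hexdump(data: bytes, width: int = 16) -> list:
    """memgrep-style lines: offset, hex bytes, printable ASCII (dots otherwise)."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x} {hexpart:<{width * 3 - 1}} {text}")
    return lines


def grep_memory(buf: bytes, needle: str, before: int, after: int) -> list:
    """Report each hit with its encoding, offset and context dump."""
    report = []
    for kind, off in find_hits(buf, needle):
        length = len(encodings(needle)[kind])
        lo, window = context_window(buf, off, length, before, after)
        report.append({"kind": kind, "offset": off, "window_start": lo, "dump": hexdump(window)})
    return report


# Constructed sample: an ASCII copy near the start (exercises clamping of -b)
# followed by the UTF-16LE command line seen in the dump on this page.
SAMPLE = b"-s ninja -x\x00" + b"\x00" * 8 + "p 6064 -s ninja -x".encode("utf-16-le")

if __name__ == "__main__":
    for hit in grep_memory(SAMPLE, "ninja", before=20, after=20):
        print(f"[*] {hit['kind']} hit at offset {hit['offset']:#x}")
        print("\n".join(hit["dump"]))
```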
Specific PID Search and UNICODE Search Fix
This version adds a parameter to specify the PID, as requested on Reddit:
http://www.reddit.com/r/computerforensics/comments/1o4mcu/windows_memgrep_for_greping_live_process_ram_on/cd2yprm
This version also fixes a bug in the UNICODE search function.
64-bit and 32-bit release
This version includes both a 64-bit version tested on Windows 7 and a statically compiled 32-bit version, which has been tested on Windows XP SP3.
v1.0 for Microsoft Windows
Initial release of the 64-bit binary for Microsoft Windows. It searches for a command-line string across the memory of all processes it can access, in two forms:
- ASCII string
- Unicode string
Tested on Windows 7, but it should work on all versions. Let us know via the issue tracker if there is demand for a 32-bit release too.