Extracting Memory Objects with MemProcFS/Volatility3/Bstrings: A Practical Guide
- Apr 23
- 5 min read

----------------------------------------------------------------------------------------------------
I have already written in-depth articles on MemProcFS, Bstrings and Volatility 3. Do check those out to learn each tool in depth! Links below:
Volatility 3
Strings/Bstrings
----------------------------------------------------------------------------------------------------
Today we will do a kind of comparison between them, so let's get started.
------------------------------------------------------------------------------------------------------------
When analyzing a system’s memory, you’re often looking for key artifacts like suspicious processes, DLLs, drivers, or even cached files. These could be crucial for forensic investigations, malware analysis, or troubleshooting.
With MemProcFS, extracting these objects becomes incredibly simple—just like browsing files in a regular folder.
------------------------------------------------------------------------------------------------------------
MemProcFS
Why Extract Memory Objects?
Think of RAM as a goldmine of real-time data. Anything that has happened on a system—running programs, opened documents, registry changes, and even deleted files—can still be floating around in memory.
If you know where to look, you can extract critical pieces of evidence, such as:
- Running processes and their memory sections
- Loaded DLLs and executables
- Cached documents and registry hives
- The NTFS Master File Table (which contains a list of all files on disk)
- Active Windows services
With MemProcFS, all of these objects can be accessed like regular files, making extraction quick and hassle-free.
------------------------------------------------------------------------------------------------------------
Navigating Memory Objects in MemProcFS
MemProcFS organizes memory data in a virtual folder structure, making it intuitive to browse and extract files. Here’s how you can locate key objects:

Processes and Memory Sections
You can find process-related data under:
- M:\name\powershell.exe-5352\ (organized by process name)
- M:\pid\7164\ (organized by process ID)
These folders contain everything from heaps and memory dumps to loaded DLLs.
DLLs and Executables
The modules folder holds DLLs and executables loaded into memory.
Each DLL or executable is exposed there as a pefile.dll, allowing you to extract and analyze it.

Tracking Memory Sections
- The vmemd folder helps you track specific memory regions linked to suspicious activities.
- The heaps folder is useful for finding private memory allocations, where processes store sensitive data.
- The minidump folder provides a snapshot of process memory, including both code and data.

Drivers and System Modules
- Most kernel drivers can be found under the System process folder (M:\pid\4\modules\).
- Some graphics drivers (Win32k) reside in the csrss.exe process, though they’re rarely useful for most investigations.
------------------------------------------------------------------------------------------------------------
Extracting and Analyzing Memory Objects
MemProcFS makes extraction as simple as copying a file. You can:
- Open memory sections in a hex editor for low-level analysis.
- Extract strings from executables to identify potential malware behavior.
- Upload a suspicious DLL or EXE to VirusTotal for threat intelligence.
- Open DLLs in a disassembler to inspect their functionality.
- Run an antivirus scan—though it’s best to copy the file first, as security tools may quarantine it.
Pro Tip: If a tool fails to open a virtual file, try copying it to a local folder first.
------------------------------------------------------------------------------------------------------------
Handling Terminated Processes
Not seeing a process under M:\name or M:\pid?
It might have exited before you started your analysis. By default, MemProcFS doesn’t display terminated processes since their memory can be incomplete or corrupted. However, you can enable this feature by modifying:
M:\config\config_process_show_terminated.txt
Change the value to 1, and MemProcFS will attempt to reconstruct folders for terminated processes.
------------------------------------------------------------------------------------------------------------
Volatility3
You might be wondering why the dedicated dumping plugins disappeared in Volatility 3.
The truth is—they haven't!
The functionality is still there; it's just been integrated into the standard plugins with an additional --dump option.
Key Changes in Volatility 3
- The --dump option: If a plugin supports dumping memory objects, you'll see this option in the plugin help.
- Output folder (-o) parameter: This replaces Volatility 2’s --dump-dir= and is crucial when extracting drivers, DLLs, and other artifacts to keep things organized.
- Parameter order matters: Unlike Volatility 2, where things were more flexible, Volatility 3 requires -o to come before the plugin, while plugin-specific options like --pid and --dump come after.
Extracting Executables
To extract suspicious processes from memory, use the windows.pslist --dump plugin.
By default, it dumps all processes in the EPROCESS list, but you can narrow it down using --pid.
Commands:
python3 vol.py -f memory.img -o output-folder windows.pslist --dump
For terminated or unlinked processes, use windows.psscan --dump, which replaces the old procdump plugin in Volatility 2.
Extracting DLLs
If you need to pull DLLs from memory, windows.dlllist --dump is your go-to plugin.
It extracts all DLLs by default, but filtering by --pid is a good practice to avoid unnecessary files.
Commands:
python3 vol.py -f memory.img -o output-folder windows.dlllist --pid 1040 --dump
The equivalent Volatility 2 plugin was dlldump.
Extracting Drivers
When analyzing potentially malicious drivers, use windows.modules --dump.
If you need to go deeper and retrieve unloaded or unlinked drivers, windows.modscan --dump is the way to go.
Commands:
python3 vol.py -f memory.img -o output-folder windows.modules --dump
In Volatility 2, this was handled by moddump.
Important Notes:
- No guarantees on data availability: Some memory objects might be paged out, making extraction incomplete.
- Including page files helps: If possible, analyze the page file to recover missing artifacts.
Process Memory Extraction
Dumping process memory is trickier than extracting files. Process memory contains both code (executable sections) and data (buffers, command-line inputs, PowerShell scripts, etc.).
Tools for Dumping Process Memory:
- windows.pslist --dump: Extracts executable code, similar to Volatility 2’s procdump.
- windows.memmap --dump: Dumps all memory-resident pages, capturing both code and data (like Volatility 2’s memdump).
- MemProcFS: Creates a pefile.dll representing the executable part of a process and a minidump.dmp file containing key process memory sections.
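The Volatility 3 ordering rule above (global -f/-o before the plugin, --pid/--dump after it) is easy to get wrong in a hurry, so here is an added example, not from the article, of a small POSIX shell wrapper that builds the commands in the right order for one process and then produces a SHA-256 inventory of everything dumped, so each file can be checked against threat intel before anything is uploaded to VirusTotal. It assumes vol.py is reachable via the VOL variable and that sha256sum is available.

```shell
#!/bin/sh
# Added example (not part of the article or of Volatility): correct Volatility 3
# argument ordering for dumping plugins, plus an inventory of the dumped files.
# Assumption: vol.py is invoked through $VOL (override with VOL=echo for a dry run).
VOL="${VOL:-python3 vol.py}"

# vol3_dump IMAGE OUTDIR PLUGIN [PID]
# Global options (-f, -o) go before the plugin; plugin options (--pid, --dump) after.
vol3_dump() {
    image="$1"; outdir="$2"; plugin="$3"; pid="$4"
    mkdir -p "$outdir"
    if [ -n "$pid" ]; then
        $VOL -f "$image" -o "$outdir" "$plugin" --pid "$pid" --dump
    else
        $VOL -f "$image" -o "$outdir" "$plugin" --dump
    fi
}

# inventory_dumps OUTDIR: one "sha256  path" line per dumped file, sorted by path,
# so hashes can be looked up before a suspicious DLL or EXE is shared anywhere.
inventory_dumps() {
    find "$1" -type f -exec sha256sum {} + | sort -k2
}

# dump_process_artifacts IMAGE OUTDIR PID: executable (pslist), its DLLs (dlllist)
# and all resident pages, code and data (memmap), for a single process.
dump_process_artifacts() {
    vol3_dump "$1" "$2" windows.pslist "$3"
    vol3_dump "$1" "$2" windows.dlllist "$3"
    vol3_dump "$1" "$2" windows.memmap "$3"
    inventory_dumps "$2"
}
```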
------------------------------------------------------------------------------------------------------------
Strings/Bstrings
Searching for Artifacts in Memory Dumps
One of the most effective forensic techniques is string searching, which helps identify artifacts like IP addresses, domains, malware commands, and user credentials.
Here’s how to do it:
Using strings (Linux)
strings -a -t d memory.img > strings.txt
strings -a -t d -e l memory.img >> strings.txt
sort strings.txt > sorted_strings.txt
Using grep (for targeted searches)
grep -i "search_term" sorted_strings.txt
Using bstrings.exe (Windows/Linux)
Eric Zimmerman's bstrings is a great alternative that extracts ASCII and Unicode strings simultaneously and even performs initial searches.
Commands:
bstrings -f memory.img -m 8 # Extracts strings of length 8+
bstrings -f memory.img --ls search_term # Searches for a specific term
bstrings -f memory.img --lr ipv4 # Uses a built-in regex to find IP version 4 addresses
------------------------------------------------------------------------------------------------------------
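If bstrings is not at hand, the same IPv4 hunt can be done over plain strings output. The added example below (mine, not the article's or Eric Zimmerman's) takes the "<decimal offset> <string>" lines that strings -a -t d produces, validates each dotted-quad candidate octet by octet so version strings such as 10.0.19041.1 are not reported, and counts hits per address; it also sorts numerically by offset, which plain sort does not do. The sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the article): IPv4 triage over "strings -a -t d" output.
# Input format assumed: "<decimal offset> <string>" per line, as strings -t d emits.

# sort_by_offset FILE...: numeric sort on the leading decimal offset.
sort_by_offset() { sort -n -k1,1 "$@"; }

# find_ipv4 [FILE...]: prints "<offset> <ip>" for every dotted quad whose four
# octets are all 0-255; reads stdin when no file is given.
find_ipv4() {
    awk '{
        off = $1; s = $0; sub(/^[ \t]*[0-9]+[ \t]+/, "", s)
        while (match(s, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            cand = substr(s, RSTART, RLENGTH); s = substr(s, RSTART + RLENGTH)
            n = split(cand, o, "."); ok = (n == 4)
            for (i = 1; i <= 4 && ok; i++) if (o[i] + 0 > 255 || length(o[i]) > 3) ok = 0
            if (ok) print off, cand
        }
    }' "$@"
}

# count_ipv4: reads find_ipv4 output, prints "<hits> <ip>" most frequent first.
count_ipv4() { awk '{ print $2 }' | sort | uniq -c | sort -rn; }

# Constructed sample in strings -t d format (offsets and addresses are made up;
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
sample_strings() {
    printf '%s\n' \
        '   4096 Connecting to 198.51.100.23:443 (retry 3)' \
        '   8200 Windows 10.0.19041.1 build' \
        '  12288 User-Agent: Mozilla/5.0' \
        '  16384 hosts: 198.51.100.23 and 203.0.113.7' \
        '  20480 bogus 300.1.1.1 and 1.2.3.4.5'
}

# Stand-alone run: sample_strings | sort_by_offset | find_ipv4 | count_ipv4
```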
MemProcFS vs. Volatility
While MemProcFS makes memory analysis incredibly convenient, it’s not a one-size-fits-all solution. Volatility is another powerful tool that provides more in-depth forensic capabilities, such as:
- Advanced memory carving techniques
- More detailed malware analysis
- Reconstruction of deleted or hidden processes
For best results, combine both tools—use MemProcFS for quick and easy extraction, and Volatility for deeper analysis.
------------------------------------------------------------------------------------------------------------
Wrapping Up
Memory forensics can be overwhelming, but tools like MemProcFS simplify the process. By treating memory like a file system, it allows you to quickly extract key artifacts, analyze suspicious activity, and uncover critical forensic evidence. Whether you’re investigating malware, troubleshooting system crashes, or performing digital forensics, MemProcFS gives you the power to dig deep into memory with ease.
---------------------------------------------Dean----------------------------------------------