Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: Imaging memory on Win7 64bit
From: Josh Little <josh () zombietango com>
Date: Fri, 17 Sep 2010 16:01:47 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
On 9/17/2010 2:33 PM, Carlos Perez wrote:
http://moonsols.com/blog/9-moonsols-windows-memory-toolkit

this should help you,

for the previous ones you used If you have UAC running you will
have to use psexec -s to run the imager as System


Thanks, that worked. It took a bit of tweaking to get it running
remotely, as I don't have hands on the box, but I got it to dump. For
the record, I ended up having to:

1. Copy win64dd.exe and win64dd.sys to system32.
2. Use psexec to spawn a cmd as system from the remote box.
3. Run win64dd.exe /r /a /f name.img

Trying to run the dump direct from a remote psexec session kept
throwing errors, as did running it through a shuttled cmd from another
place on the file system.

The next "D'oh" is that Audit Viewer/Memoryze isn't 64-bit aware yet.
Should have thought of that before this. I think I have a Volatility
build somewhere, but not sure if that is 64-bit aware yet or not.

ZT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iF4EAREIAAYFAkyTySkACgkQMRelb3QdcMcgtQD/Ti4hh7IneV+ric5gQABLatjn
DBRA0rnvYzcit+OPyjUA/ivwhUMU/EqF5RPJ7vT3Yxr/+QHN2YM4yNq6gaMovL08
=EIM7
-----END PGP SIGNATURE-----

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]