Tuts 4 You

memory file researcher


pusherman


Don't know of a tool that will do it all for you easily, but you can either make one or make use of a few separate tools and a bit of work.

For finding things, you can use Cheat Engine: https://www.cheatengine.org/

Scan a program's memory for known patterns of file type headers. For example, PNG's header information can be found here: http://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html Knowing the first 8 bytes are always '89 50 4E 47 0D 0A 1A 0A', you can scan for this array of bytes and find matches in a program's memory.

Once found, you can use a tool like 010 Editor: https://www.sweetscape.com/010editor/

You can use this hex editor to remotely open memory of another process and map data structures via templates onto the memory. This can help with finding valid full images, as in this example PNGs, in memory. You can also then use this tool to know how much data to copy out and save to a new file as the templates will hold all the data needed for the PNG to be valid on disk once saved.

Then rinse and repeat for all file types you want to do.

Otherwise, you can make your own app to do all these steps as well:

  • Open a remote target for reading. (OpenProcess)
  • Dump the process's memory to a local buffer for faster scanning. (ReadProcessMemory)
  • Scan for known byte patterns within the dumped data, like above, to find known file types you wish to find.
  • At the start of each found entry, begin reading the file type like any other app would to determine if the full file is there/valid. (Use file header information for known file types and such to know how to read the various files you want to dump.)
  • If a valid file is found, dump it from the local buffer into a new file with just the data needed to make said file valid.

And so on. Rinse and repeat for each file type you want to scan for etc.

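The scan, validate and dump steps from the list in the post above, as an added example that is not part of the original post: it carves PNGs out of an already-dumped memory buffer by walking the chunks and checking each CRC until IEND. The function names and the sample buffer are constructed for illustration, and reading the target process (OpenProcess / ReadProcessMemory) is assumed to have been done already.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504E470D0A1A0A")  # the 8-byte header quoted in the post

def png_length_at(buf, start):
    """Return the byte length of a structurally valid PNG at `start`, or None."""
    pos = start + len(PNG_SIG)
    first = True
    while pos + 12 <= len(buf):              # 4 length + 4 type + 4 CRC minimum
        length, ctype = struct.unpack_from(">I4s", buf, pos)
        end = pos + 12 + length
        if end > len(buf):
            return None                      # truncated data or garbage length field
        if first and (ctype != b"IHDR" or length != 13):
            return None                      # IHDR must be the first chunk
        (crc,) = struct.unpack_from(">I", buf, end - 4)
        if zlib.crc32(buf[pos + 4:end - 4]) != crc:
            return None                      # CRC covers chunk type + chunk data
        if ctype == b"IEND":
            return end - start               # exact size needed for a valid file
        first = False
        pos = end
    return None

def carve_pngs(buf):
    """Yield (offset, png_bytes) for every valid PNG found in the buffer."""
    pos = buf.find(PNG_SIG)
    while pos != -1:
        size = png_length_at(buf, pos)
        if size is not None:
            yield pos, buf[pos:pos + size]
            pos = buf.find(PNG_SIG, pos + size)
        else:
            pos = buf.find(PNG_SIG, pos + 1)  # false positive, keep scanning

def _chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def make_sample_dump():
    """Constructed sample: one complete 1x1 PNG and one truncated PNG between filler bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return b"\xAA" * 37 + png + b"\x00" * 16 + png[:30] + b"\xBB" * 64, png

if __name__ == "__main__":
    dump, _ = make_sample_dump()
    for offset, data in carve_pngs(dump):
        print(f"valid PNG at 0x{offset:x}, {len(data)} bytes")
```

The truncated copy in the sample shows why the signature alone is not enough: it matches the 8-byte scan but fails the chunk walk and is skipped.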
