How to find and analyze information in RAM

When searching for information on a computer, you need to remember that it is located not only in data storage devices (solid state drives, hard drives, removable media, etc.), but also in RAM, in the memory of running processes.

Information on the hard disk and the same information in RAM are not necessarily identical:

  • it can be encrypted on the hard drive but not in RAM (example: a VeraCrypt encrypted drive contains a text file with passwords that is opened in a text editor – in this case, the passwords from this file will be in plain text in RAM)
  • information can be created during computation or received from the network (in this case, the source information is not present on storage devices at all)

Analysis of the contents (dump) of a running process is often used in reverse engineering when the file on disk is encrypted: to execute, the file still has to be present in decrypted form in RAM, so analyzing the running process makes reverse engineering easier.

Other uses of searching and analyzing RAM can also be thought of:

  • identify applications that monitor the clipboard
  • assess the quality of programs intended for storing passwords – if such programs hold passwords in RAM as plain text while running, then using them is strongly not recommended
  • find an application containing specific strings or connecting to a specific host

In this article I will talk about the mXtract program. It is an offensive tool for penetration testing; its main purpose is to scan RAM for private keys, IP addresses and passwords using regular expressions.

That is, this program can be used both as a post-exploitation tool for finding sensitive data in RAM on compromised systems, and for analyzing and evaluating applications on your own computer.

This program:

  • searches running processes for strings matching regular expressions; you can specify several regular expressions at once
  • can search in a single process or in all running processes at once
  • shows the found results in a readable form

To install mXtract on Kali Linux, run the following commands:

git clone https://github.com/rek7/mXtract
cd mXtract && sh compile.sh
sudo mv bin/mxtract /usr/bin/
sudo mkdir -p /usr/share/doc/mxtract/
sudo mv example_regexes.db /usr/share/doc/mxtract/

To install mXtract on BlackArch, run the following command:

sudo pacman -S mxtract

The mXtract program has options, one of two of which is mandatory: -r= or -wm. If you want to search for specific strings in RAM, use the -r= option followed by the path to a file containing one or more regular expressions. If you want to dump all the memory a process holds, use the -wm option. These options can be combined: then the search is performed and the dumps of all processes (including those that do not match the search conditions) are saved.

So, let's start by searching for strings in processes. The example_regexes.db file supplied with the program contains the following regular expression:

(\d{1,3}(\.\d{1,3}){3})

It roughly corresponds to IPv4 addresses.

Run the search:

sudo mxtract -wr -e -i -d=/tmp/output/ -r=/usr/share/doc/mxtract/example_regexes.db

In this command, the meaning of the options is as follows:

  • -r=/usr/share/doc/mxtract/example_regexes.db – path to the file with regular expressions
  • -e means also scan the files of the process environment
  • -i displays detailed Process/User information
  • -d=/tmp/output/ – custom output directory. When the -wm option is used, process dumps are saved in it; the results file is also saved there if the -wr option is used.
  • -wr is needed to write the found matches to a file (it appears in the output directory)

Example output when running the program (the screenshots are not reproduced here):

  • the IP addresses that the NetworkManager process contains
  • IPs from the Writer process of the LibreOffice office suite (although this does not mean that the program is connected to any of them)

As a result of running the previous command, the file /tmp/output/regex_results.txt is created containing the found matches.

Your results are only as good as your regexes.

Let's look at a few scenarios that I could come up with for searching RAM. If you have your own ideas, share them in the comments.

Evaluation of the quality of programs designed to store passwords

Programs can store passwords as their main function (various password managers) or store passwords for user convenience (FTP clients, web browsers, etc.). You can also test various ways of storing passwords (for example, in a plain text file on an encrypted drive).

Instead of regular expressions, you can specify literal strings to search for, for example several passwords. Each regular expression or string must be on a separate line. For example, create a passwords.db file and write to it:

password1
password2
password3

By the way, with regard to letters of national alphabets (anything except English letters): most likely they are held by the computer in one encoding or another, so a literal match of the string is unlikely to be found; first you need to write the string as the byte sequence of the desired encoding.

After that, you can run a search on the contents of the processes in RAM:

sudo mxtract -wr -e -i -d=/tmp/output/ -r=passwords.db

For example, passwords in an open text file, even one stored on an encrypted volume, are found perfectly well by this method.

How to find programs that have access to the clipboard

First, remember that data copied to the clipboard is often available in plain text (although this depends on the programs). Second, in this way you can find a program that monitors the clipboard without your knowledge.

Create a clipboard.db file and write any unique line into it, for example:

fghfgjhgfhkgjlbnmnvbregfghdgfjgch

Copy it to the clipboard and start scanning processes:

sudo mxtract -wm -wr -e -i -d=/tmp/output/ -r=clipboard.db

You will find the programs that contain this line (the screenshot, not reproduced here, shows a legitimate program – I took it just as an example):

Search for passwords and keys in running processes (code editors, web server)

In the recently reviewed article “How to find all passwords and keys in a large number of files” we used the DumpsterDiver program to look, among a huge number of strings, for those with high entropy, which may therefore turn out to be passwords, keys and other secrets.

You can combine the two programs. To make mXtract extract almost all strings, create a strings.db file and copy the following into it:

[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=]{30,}

The square brackets hold the characters that may occur in the string (edit according to your conditions), and the curly brackets hold the minimum length of the string (also edit if necessary). Launch:

sudo mxtract -wr -e -i -d=/tmp/output/ -r=strings.db

And now, with the help of DumpsterDiver, we look for strings with the required level of entropy:

python3 DumpsterDiver.py -p /tmp/output/ --entropy 5.3

This is a very crude concept; in a real situation, finer tuning of DumpsterDiver is needed.
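As an added example (my own code, not part of the article or of mXtract), the Python below reproduces the pipeline from the last three sections offline: it loads a regex database in the one-pattern-per-line format that -r= reads (the article's two patterns plus a literal password), runs it over a constructed byte blob standing in for a -wm dump, applies the Shannon-entropy cut that DumpsterDiver's --entropy performs, and also shows the encoding caveat from the passwords section. TOKEN, DUMP and all function names are assumptions of this example.

```python
import math
import re
from collections import Counter

# Regex "database" in the format mXtract reads (-r=): one pattern per line; a
# literal string is simply a pattern without metacharacters. The first two lines
# are the article's patterns, the third a literal password (constructed here).
REGEX_DB = r"""
(\d{1,3}(\.\d{1,3}){3})
[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=]{30,}
password1
""".strip().splitlines()

# Constructed stand-in for the raw process dump that -wm writes: two IPs, a long
# low-entropy run, a key-like token of 40 distinct base64 characters, a literal
# password and a Russian word stored as UTF-16LE (as a GUI toolkit might hold it).
TOKEN = "kX9vQ2mZ7pL4cR8nW1bT6yJ3hF5dG0sA+/EVUIHM"
DUMP = (b"\x00resolver=10.0.0.53 gw=192.168.1.1\x00" + b"A" * 42 + b"\x00token: "
        + TOKEN.encode() + b"\x00pw=password1\x00" + "пароль".encode("utf-16-le"))

def load_patterns(lines):
    """Compile each non-empty database line as a bytes regex (memory is bytes)."""
    return [re.compile(line.encode()) for line in lines if line.strip()]

def scan(dump, patterns):
    """Return (pattern, match) pairs, the content of mXtract's regex_results.txt."""
    return [(p.pattern.decode(), m.group(0).decode("latin-1"))
            for p in patterns for m in p.finditer(dump)]

def shannon_entropy(s):
    """Bits per character, the quantity DumpsterDiver's --entropy compares against."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def high_entropy(results, threshold=5.3):
    """Second stage of the article's pipeline: keep only key-like matches."""
    return [s for _, s in results if shannon_entropy(s) >= threshold]

def find_encoded(dump, word, encodings=("utf-8", "utf-16-le")):
    """Encoding caveat: a non-ASCII literal must be searched as the byte sequence
    of each plausible encoding; returns the encodings under which it was found."""
    return [enc for enc in encodings if re.search(re.escape(word.encode(enc)), dump)]

if __name__ == "__main__":
    results = scan(DUMP, load_patterns(REGEX_DB))
    for pattern, match in results:
        print(f"{pattern!r:.30} -> {match}")
    print("high-entropy:", high_entropy(results))
    print("пароль found as:", find_encoded(DUMP, "пароль"))
```

The 42-character run of "A" matches the article's base64-style pattern but has zero entropy, which is exactly the kind of noise the DumpsterDiver stage is there to drop.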

How to find out which program connected to a specific host

Using various utilities you can check which ports are being listened on and which programs are bound to them. You can also see all current network connections.

But what if a suspicious connection to a specific host is discovered after it has ended (for example, in a file with captured network packets)? In this case the port is already closed, but if the process is still running there is a chance to catch it. To do this, enter the host name or IP address of interest as the search string.

How to find a program containing certain data

The technique described above can be used not only for network addresses but for any strings. Thus you can find the program that saves certain files, shows windows with certain text, etc.

Extract clipboard contents

Depending on the software used, you may find a program that holds the clipboard (copied text) in plain text. Using the -p= option you can specify the identifier (PID) of a single process to scan. With properly crafted regular expressions, you can extract the contents of the clipboard.

For a detailed analysis of the contents of a process, the -wm option is useful: when it is specified, the raw full contents of each process (or of one process, if -p= is specified) are saved.

How to find the identifier of a process of interest

By the way, if you want to scan a specific process, you can find its PID with commands of the form:

ps a | grep -E 'cli(p)board'
ps a | grep -E 'libre(o)ffice'

Pay attention to the brackets: they change nothing in what the pattern matches, but thanks to them the grep process itself does not appear in the output.

To get only the PID number, run it like this:

ps a | grep -E 'cli(p)board' | awk '{print $1}'

mXtract options

Usage:

mxtract [args]

Options

General:
	-v	Enable Verbose Output
	-s	Suppress Banner
	-h	Help
	-c	Suppress Colored Output
Target and Regex:
	-i	Show Detailed Process/User Info
	-a	Scan all Memory Ranges not just Heap/Stack
	-e	Scan Process Environment Files
	-w	Check if Memory Range is Writable
	-r=	Regex Database to Use
	-p=	Specify Single PID to Scan
Output:
	-x	Format Regex Results to XML
	-r	Format Regex Results to an HTML Document
	-wm	Write Raw Memory to File Default Directory is: 'pid/'
	-wi	Write Process Info to Beginning of File (Used in Conjunction with -wm)
	-wr	Write Regex Output to File (Will Appear in the Output Directory)
	-f=	Regex Results Filename Default is: 'regex_results.txt'
	-d=	Custom Ouput Directory

Conclusion

When starting a process scan, mXtract sometimes freezes and stops working normally until the next reboot of the system.

When compiling regular expressions using wildcards (dot and asterisk), I get a ‘segmentation error’.
