Strings, bstrings and grep

Volatility tools to extract memory:

Memory Extraction:

Memory compression:

From Windows 10 onwards, memory is partially compressed. Memory can be decompressed using winmem_decompress.py and then analysed with AV scanners or the methods below. This is normally fairly fruitful and can extract 150% more memory.

Strings

-t d      # print decimal offset
-e l      # extract Unicode (16-bit little-endian, UTF-16LE) strings
-<num>    # only strings >= num characters

# execute the following:
strings -a -t d [MEM/PROC] > strings.txt
strings -a -t d -e l [MEM/PROC] >> strings.txt
sort strings.txt > sorted_strings.txt

Bstrings

--lr [ipv4]     # search with a regex (here the built-in ipv4 pattern)
--ls <term>     # search for a literal string
--fs <filename> # file containing a list of strings to search for
-m <num>        # only strings of length num or above

bstrings -f file -m 8
bstrings -f file --ls search_term
bstrings -f file --lr ipv4
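To make clear what the strings and bstrings commands above actually produce, here is an added example (not the page's own notes, nor GNU strings or bstrings code) that re-implements the two extraction passes, the decimal offsets, the minimum length and an ipv4 regex search over a constructed sample buffer:

```python
import re
from typing import List, Tuple

# Added example: minimal re-implementation of what
#   strings -a -t d [MEM]        (printable ASCII, decimal offsets)
#   strings -a -t d -e l [MEM]   (UTF-16LE "Unicode" strings)
#   bstrings --lr ipv4           (regex search over the results)
# produce. Not the GNU strings or bstrings source.

ASCII_RUN = re.compile(rb"[\x20-\x7e]+")
# UTF-16LE: each printable ASCII code unit is followed by a NUL byte
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00)+")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def ascii_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Like `strings -a -t d -<min_len>`: (decimal offset, string)."""
    return [(m.start(), m.group().decode("ascii"))
            for m in ASCII_RUN.finditer(data) if len(m.group()) >= min_len]

def utf16le_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Like `strings -a -t d -e l -<min_len>`: UTF-16LE runs."""
    out = []
    for m in UTF16LE_RUN.finditer(data):
        s = m.group().decode("utf-16-le")
        if len(s) >= min_len:
            out.append((m.start(), s))
    return out

def all_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Both passes merged, sorted by offset (the page's `sort` is lexical)."""
    return sorted(ascii_strings(data, min_len) + utf16le_strings(data, min_len))

def find_ipv4(strings: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Rough counterpart of `bstrings --lr ipv4`: strings with an IPv4 literal."""
    return [(off, s) for off, s in strings if IPV4.search(s)]

# Constructed sample "memory" buffer mixing ASCII, UTF-16LE and junk bytes.
SAMPLE = (b"\x00\x01cmd.exe /c whoami\x00\xff\xfe"
          + "C:\\Users\\alice\\evil.dll".encode("utf-16-le")
          + b"\x00\x00ab\x00" + b"10.0.0.5:4444\x00")

if __name__ == "__main__":
    for off, s in all_strings(SAMPLE):
        print(f"{off:>8} {s}")          # same shape as `strings -t d` output
    print("IPv4 hits:", find_ipv4(all_strings(SAMPLE)))
```

Note that the single-byte ASCII pass sees only length-1 runs inside UTF-16LE data, which is why the second pass with `-e l` is needed to recover Windows paths and registry values.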

Grep
