Memory Parser
Memory Parser (MMP) parses the meta information stored within process dumps made with Process Dumper (pd) and extracts the different process mappings to disk. After the mappings are extracted, Memory Parser can be used as a central workspace for further analyses.
What's new in version 0.2
Process environment and state: Memory Parser now shows additional information about the environment and state of the dumped process, for example the open file descriptors, the CPU register values, a list of all threads (with CPU register values), process environment variables, process creation time and more.
Search for cryptographic material: Memory Parser can now search for RSA keys and certificates in the different mappings of a process dump.
Hash check of code mappings: It is now possible to compare the code mappings of a process dump with an arbitrary list of known-good or known-bad hashes of executables. This feature is currently only supported with dumps of Windows processes.
Requirements
Memory Parser needs Microsoft .NET Framework Version 2.0.
The new version 0.2 can only be used to analyse process dumps made with Process Dumper (pd) version 1.1.
Documentation
Download
Memory Parser is freeware but not open source.
Get the latest Windows version (2006/07/20, version 0.2)