Memory Parser

Latest Version: v0.2 from 2006 — Current Status: Not further maintained.

Memory Parser (MMP) can be used to parse the meta-information stored within process dumps made with Process Dumper (pd). MMP extracts the different process mappings to disk and can then be used as a central workspace for further analyses.


What's new in Version 0.2

Process environment and state: Memory Parser now shows additional information about the environment and the state of the dumped process. For example, the open file descriptors, the CPU register values, a list of all threads (each with its CPU register values), the process environment variables, the process creation time and more.

Search for cryptographic material: Memory Parser now supports the possibility to search for RSA keys and certificates in the different mappings of a process dump.
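The page does not describe how MMP locates keys and certificates, and the tool is closed source. The scanner below is an added example written for this page, not MMP's own code: it walks one extracted mapping (a byte string) and flags PEM-armoured blocks and DER structures whose leading bytes have the shape of an X.509 certificate or a PKCS#1 RSA private key. The sample mapping, the marker bytes and the minimum-length threshold are all constructed for the example; PKCS#8 keys and short-form DER lengths are deliberately out of scope.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hit:
    offset: int   # byte offset of the object inside the mapping
    kind: str     # what the heuristic believes it found
    length: int   # size of the matched object in bytes


# PEM-armoured objects sit in memory as plain text between BEGIN/END markers.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)


def der_length(buf: bytes, i: int) -> Optional[Tuple[int, int]]:
    """Decode the DER length field at buf[i]; return (content_length, field_size) or None."""
    if i >= len(buf):
        return None
    first = buf[i]
    if first < 0x80:                      # short form: one byte
        return first, 1
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), 1 + n


def find_crypto_material(buf: bytes, min_der_len: int = 64) -> List[Hit]:
    """Return PEM blocks and probable DER certificates / RSA private keys found in buf."""
    hits: List[Hit] = []
    for m in PEM_RE.finditer(buf):
        hits.append(Hit(m.start(), "PEM " + m.group(1).decode("ascii"), m.end() - m.start()))

    # Every X.509 certificate and RSA key of realistic size starts with SEQUENCE + long-form length (30 82).
    i = buf.find(b"\x30\x82")
    while i != -1:
        parsed = der_length(buf, i + 1)
        if parsed is not None:
            length, hdr = parsed
            body = i + 1 + hdr
            end = body + length
            # The declared length must fit inside the mapping, otherwise it is random bytes.
            if length >= min_der_len and end <= len(buf):
                head = buf[body:body + 5]
                if head[:2] == b"\x30\x82":                      # tbsCertificate SEQUENCE
                    hits.append(Hit(i, "DER certificate (probable)", end - i))
                elif head[:4] == b"\x02\x01\x00\x02" and head[4] in (0x81, 0x82):
                    # version INTEGER 0 followed by a modulus INTEGER of 128+ bytes
                    hits.append(Hit(i, "DER PKCS#1 RSA private key (probable)", end - i))
        i = buf.find(b"\x30\x82", i + 1)

    hits.sort(key=lambda h: h.offset)
    return hits


# Constructed sample mapping: filler bytes around a PEM block and a fake PKCS#1 key header.
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n"
              b"MIIBconstructedNotARealCertificateBody==\n"
              b"-----END CERTIFICATE-----\n")
# 30 82 01 07 = SEQUENCE of 263 bytes; 02 01 00 = version 0; 02 82 01 00 = 256-byte modulus INTEGER
DER_KEY_SAMPLE = b"\x30\x82\x01\x07" + b"\x02\x01\x00" + b"\x02\x82\x01\x00" + b"\x00" * 256
SAMPLE_MAPPING = b"\x00" * 32 + PEM_SAMPLE + b"A" * 40 + DER_KEY_SAMPLE + b"\xff" * 16


if __name__ == "__main__":
    for h in find_crypto_material(SAMPLE_MAPPING):
        print(f"offset 0x{h.offset:08x}  {h.length:6d} bytes  {h.kind}")
```

Run over every mapping file MMP extracts rather than the whole dump at once, so an object that straddles two mappings is not silently missed in one and double-counted in the other. The DER rules are header-shape heuristics only; a hit should be parsed with a real ASN.1 library before anything is concluded from it.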

Hash check of code mappings: It is now possible to compare the code mappings of a process dump with a list of known-good or known-bad hashes. This feature is currently only supported with dumps of Windows processes.
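How MMP hashes a mapping and what its list format looks like is not documented on this page. The following Python is an added example, not MMP's code: it hashes each extracted code mapping with SHA-256 (the same digest the download section uses), looks the digest up in an allow-list and a deny-list, and reports a verdict per mapping. The mapping contents, the list format (one hex digest per line, '#' comments) and the on-disk layout assumed by classify_directory are all constructed for the example.

```python
import hashlib
from pathlib import Path
from typing import Dict, Iterable, Set, Tuple


def sha256_hex(data: bytes) -> str:
    """Upper-case hex SHA-256, the notation used for the download hashes on this page."""
    return hashlib.sha256(data).hexdigest().upper()


def load_hash_list(lines: Iterable[str]) -> Set[str]:
    """Parse a one-digest-per-line list; blank lines and '#' comments are ignored, case is normalised."""
    digests = set()
    for line in lines:
        token = line.split("#", 1)[0].strip()
        if token:
            digests.add(token.upper())
    return digests


def classify_mappings(mappings: Dict[str, bytes], known_good: Set[str],
                      known_bad: Set[str]) -> Dict[str, Tuple[str, str]]:
    """Return {mapping name: (digest, verdict)}; a deny-list hit wins over an allow-list hit."""
    result = {}
    for name, data in mappings.items():
        digest = sha256_hex(data)
        if digest in known_bad:
            verdict = "known-bad"
        elif digest in known_good:
            verdict = "known-good"
        else:
            verdict = "unknown"
        result[name] = (digest, verdict)
    return result


def classify_directory(directory: Path, known_good: Set[str],
                       known_bad: Set[str]) -> Dict[str, Tuple[str, str]]:
    """Same check over mappings extracted to disk (assumed layout: one file per mapping)."""
    mappings = {p.name: p.read_bytes() for p in sorted(directory.iterdir()) if p.is_file()}
    return classify_mappings(mappings, known_good, known_bad)


# Constructed stand-ins for extracted code sections; not real binaries.
SAMPLE_MAPPINGS = {
    "ntdll.dll.text": b"constructed ntdll code section",
    "kernel32.dll.text": b"constructed kernel32 code section",
    "unknown_region.bin": b"constructed code region with no list entry",
    "dropper.bin": b"constructed code region of a known-bad sample",
}

# Lists are derived from the sample bytes so the example runs offline;
# in practice they would be read from list files built from trusted or malicious images.
KNOWN_GOOD_LIST = "\n".join([
    "# constructed allow-list",
    sha256_hex(SAMPLE_MAPPINGS["ntdll.dll.text"]),
    sha256_hex(SAMPLE_MAPPINGS["kernel32.dll.text"]).lower(),   # mixed case on purpose
    "",
])
KNOWN_BAD_LIST = "# constructed deny-list\n" + sha256_hex(SAMPLE_MAPPINGS["dropper.bin"])


def run_sample() -> Dict[str, Tuple[str, str]]:
    good = load_hash_list(KNOWN_GOOD_LIST.splitlines())
    bad = load_hash_list(KNOWN_BAD_LIST.splitlines())
    return classify_mappings(SAMPLE_MAPPINGS, good, bad)


if __name__ == "__main__":
    for name, (digest, verdict) in run_sample().items():
        print(f"{verdict:10s} {digest[:16]}...  {name}")
```

One caveat when building such lists: a code section read out of a running process rarely hashes identical to the same section in the file on disk, because relocations, import-address-table patching and hot-patching rewrite bytes after load. Allow-lists therefore have to be built from images dumped the same way, and an "unknown" verdict means only that the mapping deserves a closer look, not that it is malicious.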


Requirements

Memory Parser requires Microsoft .NET Framework Version 2.0.

The new version 0.2 can only be used to analyze process dumps made with Process Dumper (pd) version 1.1.


Documentation

Process Dump Analyses


Download

Memory Parser is freeware but not open source.

Get the latest Windows version 0.2 (20 July 2006)
SHA-256: D2E5A8F4C7F4AA164B0DA9A7DD788DF53A9F7EEF73E26D5631F3E0F69695744D


Related Download

MMP Hash v0.2
SHA-256: E980EF6924CA2F12B10A834C09CB953EFF1AC28C4094703282D87905858A2DA0


Citations

The tool is cited in various academic journals and books.