PTFinder - find processes and threads in a Microsoft Windows memory dump.
ptfinder.pl [options] file
Memory dump file to analyze.
Turns on/off support for systems booted with the /3GB switch. Default: OFF.
Enforce an alignment of n bytes. Default: 8.
This parameter also controls the step width of the scanner, so it has a great impact on performance.
Turns on/off coloring of dot(1) graphs. Default: ON.
PTFinder will generate a graph description in a format sufficient for dot(1).
Prints the full help text and exits.
When active, PTFinder will print a listing of processes and threads as it works its way through a memory dump.
A file in which PTFinder documents all process and thread candidates it finds, the checks performed and the final decision made. This file is mainly used for debugging purposes.
Applies proper alignment checks on saved CR3 values (PDBA in non-PAE mode and PDP in PAE mode). Default: OFF.
Includes/excludes processes in the generated output. Turning this option off may lead to cluttered graphs. Default: ON.
Skips over the first n bytes of the dump file. This option can be used to adapt to really strange dump formats.
Includes/excludes threads in the generated output. Including threads may lead to large graphs. Default: ON.
Suppresses/accepts duplicate processes and threads based on the object's MD5 hash. Default: ON (suppress duplicates).
Prints a brief help message and exits.
Displays the version and exits.
Reports all processes and threads in an XML formatted file. This should facilitate import into other tools and the comparison with results obtained from other tools. The format is supported by GMG Systems, Inc. KnTList.
PTFinder searches a memory dump of a system running Microsoft Windows for traces of processes and threads. To do so, it uses signatures based on the _DISPATCHER_HEADER structure declared in the Windows DDK (Ntddk.h and wdm.h). Some functional checks are also applied.
The dump file may have been created in several ways:
in a traditional way with dd: dd bs=4096 if=\\Device\Physicalmemory of=dumpfile,
in vivo using Sysinternals' LiveKd and a debugger,
post-mortem as described in Microsoft Knowledge Base article no. 244139,
by pausing a VMware session (go for the .vmss file on VMware 4.x and the .vmem file on VMware 5.x)
PTFinder can output its findings in a format suitable for dot(1). Dot lays out graphs in which processes and threads are the nodes and edges indicate a "created-by" relationship.
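The scanning principle described above (a signature on the _DISPATCHER_HEADER, stepped through the dump at the configured alignment, optionally after a skip offset) and the "created-by" graph for dot(1), as an added example that is not PTFinder's own Perl code. The Windows XP SP2 field values and _EPROCESS/_ETHREAD offsets are assumptions taken from the public 32-bit structure layouts, not from this man page, and the dump fragment is constructed inline; the example also shows why the alignment setting trades speed for recall, since a candidate on a 4-byte boundary is invisible to an 8-byte stride.

```python
import struct
# Assumed Windows XP SP2 (32-bit) layouts; none of these constants come from the man page.
PROC_SIG = (3, 0x1B)     # _DISPATCHER_HEADER.Type / .Size at the start of a _KPROCESS
THREAD_SIG = (6, 0x70)   # the same two fields at the start of a _KTHREAD
EPROC_PID, EPROC_PPID, EPROC_NAME = 0x84, 0x14C, 0x174  # _EPROCESS field offsets
ETHREAD_CID = 0x1EC      # _ETHREAD.Cid.UniqueProcess, the PID that owns the thread
u32 = lambda dump, off: struct.unpack_from("<I", dump, off)[0]

def scan(dump, align=8, skip=0):
    """Step through `dump` in strides of `align` bytes from `skip`, as PTFinder does, and keep
    every position whose first four bytes match a process or thread _DISPATCHER_HEADER."""
    hits = []
    for off in range(skip, len(dump) - 3, align):
        typ, absolute, size, inserted = struct.unpack_from("<4B", dump, off)
        if absolute or inserted:        # both fields are zero for processes and threads
            continue
        if (typ, size) == PROC_SIG:
            hits.append(("process", off))
        elif (typ, size) == THREAD_SIG:
            hits.append(("thread", off))
    return hits

def to_dot(dump, hits):
    """dot(1) graph in the spirit of --dotfile: nodes are candidates, edges mean 'created by'."""
    procs, lines = {}, ["digraph ptfinder {"]
    for kind, off in hits:
        if kind == "process":
            pid, ppid = u32(dump, off + EPROC_PID), u32(dump, off + EPROC_PPID)
            name = bytes(dump[off + EPROC_NAME:off + EPROC_NAME + 16]).split(b"\0")[0].decode("ascii", "replace")
            procs[pid] = ppid
            lines.append(f'  p{pid} [label="{name}\\npid {pid} @0x{off:x}"];')
        else:  # thread: hang it off the process named in its client id
            lines.append(f'  t{off:x} [label="thread @0x{off:x}" shape=box]; t{off:x} -> p{u32(dump, off + ETHREAD_CID)};')
    lines += [f"  p{pid} -> p{ppid};" for pid, ppid in procs.items() if ppid in procs]
    return "\n".join(lines + ["}"])

def sample_dump():
    """Constructed dump fragment (not a real image): three processes and one thread; the third
    process sits on a 4-byte but not an 8-byte boundary, so the default stride misses it."""
    buf, le = bytearray(0x4000), lambda v: struct.pack("<I", v)
    def plant(off, sig, fields):
        buf[off:off + 4] = bytes([sig[0], 0, sig[1], 0])  # Type, Absolute, Size, Inserted
        for rel, value in fields:
            buf[off + rel:off + rel + len(value)] = value
    plant(0x400, PROC_SIG, [(EPROC_PID, le(4)), (EPROC_PPID, le(0)), (EPROC_NAME, b"System")])
    plant(0x1000, PROC_SIG, [(EPROC_PID, le(368)), (EPROC_PPID, le(4)), (EPROC_NAME, b"smss.exe")])
    plant(0x2004, PROC_SIG, [(EPROC_PID, le(580)), (EPROC_PPID, le(368)), (EPROC_NAME, b"csrss.exe")])
    plant(0x3000, THREAD_SIG, [(ETHREAD_CID, le(368))])
    return bytes(buf)
```

Feeding `to_dot(d, scan(d, align=4))` to `dot -Tpng` draws csrss.exe under smss.exe under System with the thread attached to smss.exe; with the default stride of 8 the csrss.exe candidate at 0x2004 never appears.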
The latest version of this program, information on the underlying principles as well as usage examples are available at:
http://computer.forensikblog.de/en/topics/windows/memory_analysis/
If your German is better than the author's English please consider visiting the main site where you'll find lots of additional information:
http://computer.forensikblog.de/
Look for the section entitled "Speicheranalyse".
ptfinder.pl mymem.dmp
ptfinder.pl --nothreads mymem.dmp
ptfinder.pl --nothreads --dotfile mymem.dot mymem.dmp
ptfinder.pl --nothreads --nolisting --dotfile mymem.dot mymem.dmp
ptfinder.pl --nothreads --nolisting --skip 1048576 --dotfile mymem.dot mymem.dmp
This version will work only on dumps of systems running Microsoft Windows XP SP2 (build 5.1.2195.2180).
It assumes a 32-bit architecture.
It can't handle dump files larger than 2 GiB.
Also, the code needs some cleanup and restructuring badly.
Apart from this, no bugs are known yet.
Please send bug reports and suggestions to <bugs-ptfinder@forensikblog.de>.
Written by Andreas Schuster <a.schuster@yendor.net>
Copyright (c) 2006-2007 by Andreas Schuster.
PTFinder may be redistributed under the GNU General Public License.
dd(1), dot(1), zgrviewer(1)