=head1 NAME

PTFinder - find processes and threads in a Microsoft Windows memory dump.
=head1 SYNOPSIS

    ptfinder.pl [options] file
=head1 OPTIONS

Memory dump file to analyze.
Turns on/off support for systems booted with the /3GB switch. Default: OFF.
Enforce an alignment of n bytes. Default: 8.
This parameter also controls the step width of the scanner, so it has a great impact on performance.
Turns on/off coloring of dot(1) graphs. Default: ON.

PTFinder will generate a graph description in a format suitable for dot(1).
Prints the full help text and exits.
When active, PTFinder will print a listing of processes and threads as it works its way through a memory dump.
A file where PTFinder will document all process and thread candidates it finds, the checks performed and the final decision made. This file is mainly used for debugging purposes.
Includes/excludes processes in the generated output. Turning this option off may lead to cluttered graphs. Default: ON.
Skips over the first n bytes of the dump file. This option can be used to adapt to really strange dump formats.
Includes/excludes threads in the generated output. Including threads may lead to large graphs. Default: ON.
Suppresses/accepts duplicate processes and threads based on the object's MD5 hash. Default: ON (suppress duplicates).
Prints a brief help message and exits.
Display version and exit.
Reports all processes and threads in an XML formatted file. This should facilitate import into other tools and the comparison with results obtained from other tools. The format is supported by GMG Systems, Inc. KnTList.
=head1 DESCRIPTION

PTFinder searches a memory dump of a system running Microsoft Windows for traces of processes and threads. For this it uses signatures based on the _DISPATCHER_HEADER structure declared in the Windows DDK (Ntddk.h and wdm.h). Some functional checks are also applied.
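As an added illustration of the scanning approach described above (example code written for this page, not PTFinder's own Perl): a Python scanner that steps through a dump at a configurable alignment, matches a _DISPATCHER_HEADER signature, applies a few functional checks, honours the /3GB kernel split and a skip offset, and suppresses byte-identical duplicates by their MD5 hash. The expected Size values, the wait-list pointer check and the sample dump are assumptions constructed for this demo, not Windows 2000 facts.

```python
import hashlib
import struct

# Type values from the DDK's KOBJECTS enumeration (_DISPATCHER_HEADER.Type).
PROCESS_OBJECT = 3
THREAD_OBJECT = 6

# 32-bit _DISPATCHER_HEADER: Type, Absolute, Size, Inserted (one byte each),
# SignalState (LONG), WaitListHead (LIST_ENTRY of two pointers): 16 bytes.
HEADER_FMT = "<BBBBlII"
HEADER_LEN = struct.calcsize(HEADER_FMT)

# The Size field (in 32-bit words) each type must carry. These are ASSUMED
# demo values, not the real Windows 2000 numbers (those come from symbols).
EXPECTED_SIZE = {PROCESS_OBJECT: 0x1B, THREAD_OBJECT: 0x6C}


def scan(dump, align=8, skip=0, dedupe=True, three_gb=False):
    """Walk the dump in steps of `align` bytes; return (offset, kind, md5) hits."""
    kernel_base = 0xC0000000 if three_gb else 0x80000000  # /3GB moves the split
    seen, hits = set(), []
    for off in range(skip, len(dump) - HEADER_LEN + 1, align):
        typ, absolute, size, inserted, signal, flink, blink = struct.unpack_from(HEADER_FMT, dump, off)
        if typ not in EXPECTED_SIZE or size != EXPECTED_SIZE[typ]:
            continue  # signature mismatch
        # Functional checks: boolean fields hold 0/1, SignalState is 0/1, and the
        # wait-list pointers must be kernel-mode addresses (an empty list points to itself).
        if absolute > 1 or inserted > 1 or signal not in (0, 1):
            continue
        if flink < kernel_base or blink < kernel_base:
            continue
        digest = hashlib.md5(dump[off:off + size * 4]).hexdigest()
        if dedupe and digest in seen:  # byte-identical object already reported
            continue
        seen.add(digest)
        hits.append((off, "process" if typ == PROCESS_OBJECT else "thread", digest))
    return hits


def _header(typ, signal=0, wait=0x81234560):
    return struct.pack(HEADER_FMT, typ, 0, EXPECTED_SIZE[typ], 0, signal, wait, wait)


def make_sample_dump():
    buf = bytearray(4096)  # constructed stand-in for a real dump, mostly zeros
    buf[0x100:0x110] = _header(PROCESS_OBJECT)
    buf[0x200:0x210] = _header(PROCESS_OBJECT, wait=0x00401000)  # user-mode pointer: rejected
    buf[0x305:0x315] = _header(THREAD_OBJECT, signal=1)          # misaligned: needs align=1
    buf[0x400:0x410] = _header(PROCESS_OBJECT)                    # identical copy of 0x100: a duplicate
    buf[0x800:0x810] = _header(THREAD_OBJECT)
    return bytes(buf)
```

Lowering `align` finds the misaligned header at the cost of eight times as many iterations, which is the performance trade-off the alignment option describes.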
The dump file may have been created in several ways:

=over 4

=item *

in a traditional way with dd: dd bs=4096 if=\\Device\Physicalmemory of=dumpfile,

=item *

in-vivo using Sysinternals' LiveKd and a debugger,

=item *

post-mortem as described in Microsoft Knowledge Base article no. 244139,

=item *

by pausing a VMware session (go for the .vmss file on VMware 4.x and the .vmem file on VMware 5.x).

=back
=head2 Visualization
PTfinder can output its findings in a format suitable for dot(1). Dot lays out the graph, in which processes and threads are the nodes and edges indicate a ``created-by'' relationship.

The latest version of this program, information on the underlying principles as well as usage examples are available at:
http://computer.forensikblog.de/en/topics/windows/memory_analysis/
If your German is better than the author's English, please consider visiting the main site where you'll find lots of additional information:
http://computer.forensikblog.de/
Look for the section entitled ``Speicheranalyse''.
=head1 EXAMPLES

    ptfinder.pl mymem.dmp
    ptfinder.pl --nothreads mymem.dmp
    ptfinder.pl --nothreads --dotfile mymem.dot mymem.dmp
    ptfinder.pl --nothreads --nolisting --dotfile mymem.dot mymem.dmp
    ptfinder.pl --nothreads --nolisting --skip 1048576 --dotfile mymem.dot mymem.dmp
=head1 BUGS
This version will work only on dumps of systems running Microsoft Windows 2000 (build 5.0.2195.7045).
It assumes a 32-bit architecture with PAE disabled.

Also, the code badly needs some cleanup and restructuring.

Apart from this, no bugs are known yet.
Please send bug reports and suggestions to <bugs-ptfinder@forensikblog.de>.
=head1 AUTHOR
Written by Andreas Schuster <a.schuster@yendor.net>
=head1 COPYRIGHT
Copyright (c) 2006 by Andreas Schuster.
PTfinder may be distributed under the GNU General Public License.
=head1 SEE ALSO
dd(1), dot(1), zgrviewer(1)