PMScraper Frequently Asked Questions/Help

What is PMScraper for?

It allows a pentester to search a Windows machine's physical memory and dump any pages that fit certain criteria.

How do I use it?

It runs via the command line, or by making shortcuts to the program, and adding command line switches to control it's operation. This way it can be used easily through a command shell to dump the whole memory of the machine, or just scan for specific pieces of data. Use the 'h' switch to see the command line options. The command line arguments are case sensitive.
All the search flags are listed by typing 'pmscraper h'. It parses and saves memory pages in 4k increments for using a more powerful binary grep on later.

For example:
'pmscraper AU' will search just for ascii user hashes. (Turns off Ascii and Unicode Luhn searches)
'pmscraper Fn1500' will search for memory pages with at least 1500 ascii bytes.
'pmscraper' will search for all pages that contain a sequency of bytes that passes the luhn test in Ascii or in Unicode - or one that has plaintext user hashes stored in memory.
'pmscraper n500' will do the same as the one directly above, but only save the pages that contain at least 500 ascii characters as well.

How could this be beneficial?

There are several ways that it could be useful. For any server or active application setup, things stored in active memory can be captured by malicious software - it is really easy to capture the data, which has lead to the rise of hostile scanning applications. Having a tool that can dump the contents of your own memory, or even selectively capture memory is helpful to see if your own, or your client's product is vulnerable to this sort of attack.

What are the flaws or problems with this?

When searching memory, properly identifying the right memory to grab can be the biggest problem. There are several ways to narrow the searches, but no way to always ensure the data is exactly what you are looking for all the time. When you run it, the main tests are to test sets of 16 characters that are all within 10 of each other and all pass the Luhn test - to identify credit card numbers. However, since the Luhn test boils down to a mod 10 test, it is easy to get many false positives. You can also test for Unicode, which means 32 byte sections. The match only applies to the numbers being within 10 of each other, so binary 0-9 will match, as will Ascii 0-9. Limiting to only Alphanumeric characters can help, as can enforcing a minimum number of alphanumeric characters in the memory page before it passes the test to save the page. Or it can just dump all the memory with the F switch - and you can search through it manually. It can also search for user password hashes that are stored as ascii in memory, but this is not really as important since if you can run the program, you can probably snag the hashes already. Plus text hashes are not normally saved in memory as ascii unless someone has done something that they shouldn't.

Is this the final product?

Nope. I will periodically upgrade and update it. It's really something I threw together for one of my friends, but I thought more people could probably use it.

©2010 NOP Security