The release of Dmp2Json & Querying Memory Images through JSON format

Matt Suiche
Comae Technologies
Published Oct 7, 2018

TL;DR: Go on https://my.comae.io — Create an account, download the latest version of our toolkit, play with Dmp2Json.

Scripting and open formats have long been a critical part of the security community, enabling researchers to search, for example, for Indicators of Compromise (IOCs). This is why we decided to make Dmp2Json available to all as part of the Comae Toolkit, which is distributed through the Comae Stardust Platform.

Dmp2Json, as described in our User Guide, allows users to convert a Crash Dump (*.dmp) generated either by Microsoft Windows during a BSOD or by Comae DumpIt into a series of JSON files, one per type of artifact contained in the image (objects, drivers, processes, DLLs, services, etc.).

We generally refer to the memory image generated by DumpIt as a "dump" and to the output archive produced by Dmp2Json as a "snapshot". Again, this applies to the Microsoft Crash Dump format, which is the default output format for DumpIt. We do not support other third-party tools, and strongly encourage DFIR analysts/operators to use the Microsoft Crash Dump format over the raw format: the raw format omits very important data needed for analysis and rules out interoperability with Microsoft WinDbg, and therefore the use of advanced extensions such as SwishDbgExt.

One of the benefits of Dmp2Json is the ability to provide the address of your symbol server. If you use the /archive flag, all the JSON files are compressed into a single ZIP archive which you can upload to the Comae Stardust web interface. This is particularly useful for cases where you cannot upload an entire memory image for compliance or bandwidth reasons.

You can refer to the examples below for usage through the command line or through the PowerShell interface available on GitHub.

We hope this will encourage more SecOps people to write scripts and ease integration with data ingesters such as Splunk or Humio, although if you need analysis capabilities, Comae Stardust provides more features for that task. We will also provide more public documentation on the JSON data format soon.

If you have any questions, comments or feedback, do not hesitate to contact us over Twitter or by e-mail at stardust@comae.com.

Dmp2Json in Command-Line

Dmp2Json.exe /Y srv*C:\Symbols*http://msdl.microsoft.com/download/symbols /Z C:\FileName.dmp /C "/all /datetime /archive /snapshot C:\Snapshots\Snapshot"

PowerShell Interface

An interface is also available and can be found on GitHub at the following address: https://github.com/comaeio/Stardust-PowerShell

Get Started

Import-Module .\Comae.ps1

Convert-DumpFileToSnapshot

Convert-DumpFileToSnapshot -FilePath "TEST-MEMORY.dmp" -Directory "C:\Comae-Snapshots"

Convert-DumpFileToSnapshot -FilePath "TEST-MEMORY.dmp" -Directory "C:\Comae-Snapshots" -SymbolPath "C:\Symbols" -SymbolServer https://msdl.microsoft.com/download/symbols

Get-ChildItem -Path "C:\DumpFiles" -File | ForEach-Object { Convert-DumpFileToSnapshot -FilePath $_.FullName -Directory "C:\Snapshots" }
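Once a snapshot archive exists (produced with /archive from the command line or through the PowerShell interface above), a small script can feed its contents to ingesters such as Splunk or Humio as mentioned earlier. The following is an added example, not code from the original post or from the Comae toolkit; it assumes one JSON file per artifact type inside the ZIP (e.g. processes.json) whose top level is a list of records or a single object, and since the Dmp2Json schema is not documented on this page it stays schema-agnostic and only wraps each record with ingestion metadata.

```python
import io
import json
import zipfile
from typing import Iterator


def snapshot_events(archive_bytes: bytes, source: str) -> Iterator[dict]:
    """Yield one NDJSON-ready event per record found in a snapshot ZIP.

    Assumption: each *.json member holds the records of one artifact type
    (processes, drivers, ...) and is named after that type. Each event carries
    the artifact type, the originating dump name and the untouched record.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not name.lower().endswith(".json"):
                continue  # skip anything that is not an artifact file
            artifact = name.rsplit("/", 1)[-1][:-5]  # drop path and ".json"
            try:
                payload = json.loads(zf.read(name))
            except json.JSONDecodeError as exc:
                # Emit corrupt files as events so the failure is visible in the SIEM
                yield {"source": source, "artifact": artifact, "error": str(exc)}
                continue
            records = payload if isinstance(payload, list) else [payload]
            for record in records:
                yield {"source": source, "artifact": artifact, "data": record}


def to_ndjson(archive_bytes: bytes, source: str) -> str:
    """Serialize all events as newline-delimited JSON, one event per line."""
    return "\n".join(json.dumps(e, sort_keys=True)
                     for e in snapshot_events(archive_bytes, source))


def build_sample_snapshot() -> bytes:
    """Construct a tiny in-memory snapshot with made-up records (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("processes.json", json.dumps(
            [{"Name": "lsass.exe", "Pid": 612}, {"Name": "cmd.exe", "Pid": 4120}]))
        zf.writestr("drivers.json", json.dumps([{"Name": "ntoskrnl.exe"}]))
        zf.writestr("broken.json", "{not json")  # deliberately corrupt member
    return buf.getvalue()


if __name__ == "__main__":
    print(to_ndjson(build_sample_snapshot(), "TEST-MEMORY.dmp"))
```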
