Kernel Live Dump Analyzer
Analyzing kernel memory dumps has proven to be one of the most effective ways to uncover traces of bypass techniques, especially those involving command-line execution or fileless methods. However, manually sifting through the vast amount of string data extracted from a dump file (.dmp) can be time-consuming.
To address this, a specialized tool, the RedLotus Kernel Live Dump Analyzer, has been developed thanks to the significant skill and effort contributed by Spok. This utility dramatically accelerates the analysis process, allowing for checks to be completed in seconds rather than minutes.
The tool operates with a primary function and an optional second function:
1. Automated Keyword Scanning: It performs an initial, rapid scan of the provided kernel dump file (.dmp) using a carefully curated list of specific keywords and strings known to be associated with common bypass methods and malicious command-line activity.
2. Manual Keyword Search: It provides an option for the user (the ScreenSharer) to input their own specific keyword or string, which the tool then searches for throughout the entire dump file, allowing for targeted investigation based on suspicions arising during the screenshare.
Capabilities:
This tool is particularly effective at finding command-line evidence related to a wide range of bypass techniques, including the commands used to perform actions such as:
- DLL injection/loading via Regsvr32.exe or RunDLL32.exe.
- Indicators of fileless execution (e.g., PowerShell commands using iex, iwr, or encodedcommand).
- File replacement methods utilizing command-line tools like echo or type.
- Executions performed via less common vectors like forfiles.exe or wmic.exe.
- Registry key or value deletions/modifications performed via reg commands in CMD or PowerShell.
By automating the search for these critical indicators within the kernel dump, this tool significantly enhances the ability to detect sophisticated bypass attempts quickly and efficiently during a screenshare. (Note: Availability details to be provided upon release/publication).
How to Use
1. Create a Kernel Live Dump: You first need to generate the kernel memory dump file (.dmp). There are several ways to do this during a live screenshare:
Using System Informer:
- Ensure System Informer is running with administrator privileges.
- Navigate to the main menu: Hacker -> Create kernel memory dump.
- Select Live kernel dump.
- System Informer will generate the .dmp file. Take note of the location where it is saved (it often defaults to a path like %LOCALAPPDATA%\Microsoft\Windows\TaskManager\LiveKernelDumps\ but might prompt you to save elsewhere).
Using Windows Task Manager (Alternative):
- Open Task Manager (Ctrl+Shift+Esc) and go to the "Details" tab (you might need to click "More details").
- Locate the System process (PID typically 4).
- Right-click on the "System" process.
- Select Create memory dump file. Note: While simpler, Task Manager often creates a full memory dump, which is significantly larger and takes much longer than a kernel-focused dump created by System Informer. System Informer's "Live kernel dump" is generally preferred for this tool's purpose due to speed and focus. Verify the type of dump created if using Task Manager.
2. Place the Tool: Locate the generated kernel live dump (.dmp) file. Copy or move the RedLotus Kernel Live Dump Analyzer executable into the exact same folder where the .dmp file resides. The tool needs to be in the same directory as the dump it's analyzing.
3. Run the Program: Execute the RedLotus Kernel Live Dump Analyzer tool (run as administrator if required by the tool's permissions). The tool will automatically detect the .dmp file(s) in its directory and begin the analysis.
4. Analyze the Output: The tool will generate one or more output text files (.txt) within the same folder.
- Carefully open the .txt file(s) relevant to the keywords you are interested in (the tool might generate separate files for different keyword categories or allow custom searches).
- Examine the contents: Look for lines containing suspicious commands, script fragments, paths to known cheats or bypass tools, encoded strings, or any other indicators relevant to the specific bypass method you suspect. The context surrounding the keyword hit is often important.
5. (Optional) Check the "Results" Folder: The tool might create a subfolder named "Results". This folder typically contains results that have been automatically filtered to remove common, legitimate system strings, aiming to leave only the potentially more relevant or suspicious command lines for easier review.
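The following Python script is an added illustration of the workflow this page describes (the curated keyword pass, the optional manual keyword, per-category output files, and a filtered "Results" view); it is not the RedLotus analyzer's own code. The keyword categories, the benign-string allowlist and the sample dump bytes are constructed for the example. One practical detail it handles that a plain ASCII strings pass misses: Windows keeps command lines and paths in memory as UTF-16LE, so the scanner extracts both encodings.

```python
import mmap
import re
from pathlib import Path

# Keyword categories built from the indicators listed on this page. The real
# analyzer's list is not published; these are illustrative starting points.
KEYWORD_CATEGORIES = {
    "dll_loading": ["regsvr32", "rundll32"],
    "fileless_powershell": ["iex", "iwr", "encodedcommand"],
    "file_replacement": ["echo", "type"],
    "uncommon_execution": ["forfiles", "wmic"],
    "registry_tampering": ["reg delete", "reg add"],
}

# Substrings marking strings routinely present in any Windows kernel dump
# (hypothetical allowlist; tune it against clean dumps from the same build).
BENIGN_MARKERS = ["\\WinSxS\\", "\\servicing\\Packages\\"]


def extract_strings(data, min_len=6):
    """Yield (offset, encoding, text) for every printable run of >= min_len chars.

    Covers ASCII runs and the same characters as UTF-16LE (char, NUL pairs),
    which is how Windows stores command lines and paths in memory.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def _compile_keywords(keywords):
    # Word boundaries keep "iex" from matching "index" and "type" from "types".
    return [(kw, re.compile(r"\b" + re.escape(kw) + r"\b", re.IGNORECASE)) for kw in keywords]


def scan_bytes(data, categories=KEYWORD_CATEGORIES, custom=None, min_len=6):
    """Return {category: [(offset, encoding, text, keyword), ...]}.

    `custom` is an optional user-supplied string reported under the "custom"
    category, mirroring the analyzer's manual keyword search.
    """
    cats = dict(categories)
    if custom:
        cats["custom"] = [custom]
    compiled = {cat: _compile_keywords(kws) for cat, kws in cats.items()}
    hits = {cat: [] for cat in cats}
    for offset, enc, text in extract_strings(data, min_len):
        for cat, kws in compiled.items():
            for kw, rx in kws:
                if rx.search(text):
                    hits[cat].append((offset, enc, text, kw))
                    break  # one hit per category per extracted string
    return hits


def is_benign(text):
    """True when the string carries a marker from the allowlist."""
    lowered = text.lower()
    return any(marker.lower() in lowered for marker in BENIGN_MARKERS)


def filter_results(hits):
    """Split hits into (suspicious, filtered), the way a 'Results' folder would."""
    suspicious, filtered = {}, {}
    for cat, items in hits.items():
        suspicious[cat] = [h for h in items if not is_benign(h[2])]
        filtered[cat] = [h for h in items if is_benign(h[2])]
    return suspicious, filtered


def write_reports(hits, outdir):
    """Write one <category>.txt per category with an offset-annotated line per hit."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    for cat, items in hits.items():
        if items:
            with open(outdir / f"{cat}.txt", "w", encoding="utf-8") as fh:
                for offset, enc, text, kw in items:
                    fh.write(f"0x{offset:08x} [{enc}] ({kw}) {text}\n")


def scan_file(path, custom=None):
    """mmap the dump so multi-gigabyte files are scanned without loading them fully."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_bytes(mm, custom=custom)


# Constructed stand-in for a few bytes of a kernel dump; not a real dump.
SAMPLE_DUMP = (
    b"\x00" * 8
    + "powershell -nop -w hidden -EncodedCommand SQBFAFgA".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + b"regsvr32 /s C:\\Users\\Public\\loader.dll\x00"
    + b"the index of types\x00"  # must not match "iex" or "type"
    + b"C:\\Windows\\WinSxS\\amd64_microsoft-windows-wmic_10.0.19041.1\\wmic.exe\x00"
)

if __name__ == "__main__":
    # Like the analyzer: scan every .dmp beside the script, write one report
    # per category, and a filtered copy under Results/.
    for dump in Path(".").glob("*.dmp"):
        all_hits = scan_file(dump)
        write_reports(all_hits, dump.stem + "_reports")
        suspicious, _ = filter_results(all_hits)
        write_reports(suspicious, Path(dump.stem + "_reports") / "Results")
```

On the constructed sample the scanner reports the UTF-16 PowerShell command line under fileless_powershell and the regsvr32 line under dll_loading, while the WinSxS wmic.exe path is caught by the keyword pass but moved out of the suspicious set by the allowlist; the "index of types" string produces no hit because the keyword patterns require word boundaries.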
By following these steps, you can leverage the RedLotus Kernel Live Dump Analyzer to efficiently probe kernel memory for evidence of command-line based bypasses and fileless execution techniques.
Link: coming soon