Find a string in the whole RAM

Question

How to search a string in the whole RAM? (not only in some processes' allocated memory, but the whole RAM)

Or is there a way to dump the whole RAM into a 4GB or 8GB disk file? Then I could easily do:

grep mypassword c:\ramdump.raw

Usage example: I'd like to know if a password manager stores my master password in plaintext, as found by a security team here.

I'm using Windows 7 x64, as administrator.

---

Note: Unlike How to get complete memory dump in Windows 10? I specifically want to search content in the RAM, and not get information from a memory dump. Moreover this question is unclear: the title doesn't match the content ("Question in title doesn't seem to match the question in the body.")

Answer 1

Here are possible ways to create full memory dumps:

https://support.avast.com/en-eu/article/Windows-complete-memory-dump

https://nvidia.custhelp.com/app/answers/detail/a_id/4641/~/collecting-a-full-memory-dump-in-windows-10

The method is to add this to registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kbdhid\Parameters]
"CrashOnCtrlScroll"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\i8042prt\Parameters]
"CrashOnCtrlScroll"=dword:00000001

and then to generate a crash:

Manually force a Windows crash by holding down the CTRL key on the right side of your keyboard and pressing the Scroll Lock key twice (right CTRL + 2x Scroll Lock).

I'll try then to search in the dump file with a HEX editor.

Answer 2

How to I find a string anywhere in RAM?

You can use windbg (Download Debugging Tools for Windows - WinDbg - Windows drivers | Microsoft Docs) for this.

Example:

To search for a string (Error: 1002) in memory, we run the following command:

0:000> s -a 0 L?80000000 "Error: 1002"
04b0e06c  45 72 72 6f 72 3a 20 31-30 30 32 00 00 00 00 00  Error: 1002.....

...

Source WinDbg: search for a string – Distributed Services: Notes from the field

---

Further Reading

• s (Search Memory) - Windows drivers | Microsoft Docs

Answer 3

Your best option is to use an Hex editor. Most Hex editors are developed to handle huge files. They can search for either strings or hex sequences.

Some hex editors can also dump the content of RAM, read entire RAW disks or dump them, it depends on the editor.

Have in mind that some RAM areas won't be accessible for obvious security reasons. So if you are trying to hack some password from RAM you probably won't get it. Life is not that easy.

This method is usually used to debug, not to hack.

Answer 4

If this is windows, you can download windbg as noted above and attach to the process you want to search. But, if you have a 64-bit process

s -u 0 L? 7fffffff`ffffffff "find my text"

will take a very long time since most of the memory isn't there.

Do this instead and it will run very fast since it only looks at memory that is there:

!address -f:MEM_COMMIT -c:"s -u %1 %2 \"find my text\""

!address -f:MEM_COMMIT -c:"s -a %1 %2 \"find my text\""

The first command finds unicode strings, the second ascii.

%1 is the start of the block, %2 is the end of the block.

-f:MEM_COMMIT only lists memory that is actually present, check the help for other flags, like -f:image or -f:stack.