Dumpit

From aldeid

Description

What is DumpIt.exe?

This utility generates a physical memory dump of a Windows machine. It works on both x86 (32-bit) and x64 (64-bit) systems. The raw memory dump is written to the current directory, and only a single confirmation prompt is displayed before the dump starts. This makes it convenient to deploy the executable on a USB key for quick incident response needs.

Environment

In this example, DumpIt was started remotely from a Windows XP machine on a Windows 7 machine, using PsExec from the Sysinternals PsTools suite.

Installation

Go to http://www.moonsols.com/ressources/ and download DumpIt.exe:

[Screenshot: Dumpit-download.png]

Once downloaded, uncompress the DumpIt.zip archive in the directory of your choice (let's take C:\remote_tools\ in our example).

Usage

Simply call DumpIt as follows:

C:\remotetools> dumpit.exe

[Screenshot: Dumpit-02.png]

It creates a raw memory dump file that you can analyze with Volatility or any other tool able to read memory dump files.
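The remote run described in the Environment section and the retrieval step that precedes analysis, as an added PowerShell example that is not part of the aldeid page or of the MoonSols project. It assumes PsExec.exe is on the local PATH, DumpIt.exe is unpacked in C:\remote_tools\ as above, the target's C$ share is reachable, the caller is a local administrator there, and the target host name is a placeholder you supply.

```powershell
# Added example (not from the aldeid page or the MoonSols project): acquire a
# physical memory dump from a remote Windows host with PsExec + DumpIt, pull the
# .raw file back and record its SHA-256 before analysis.
# Assumptions: PsExec.exe is on the local PATH, DumpIt.exe sits in C:\remote_tools\,
# the target's C$ admin share is reachable and the caller is a local administrator
# on the target. $Target is a placeholder host name.
param(
    [Parameter(Mandatory)] [string]$Target,
    [string]$DumpItPath = 'C:\remote_tools\DumpIt.exe',
    [string]$LocalDir   = 'C:\evidence'
)
$ErrorActionPreference = 'Stop'

# Working directory on the target: DumpIt writes its dump to the current directory,
# so PsExec's -w must point somewhere with enough free space for a full RAM image.
$RemoteDir = 'C:\Windows\Temp\acq'
$RemoteUnc = "\\$Target\C$\Windows\Temp\acq"
New-Item -ItemType Directory -Force -Path $RemoteUnc, $LocalDir | Out-Null

# -c copies DumpIt to the target, -s runs it as SYSTEM (needed to read physical
# memory), -w sets the working directory. The 'y' piped to stdin answers DumpIt's
# single confirmation prompt; feeding it through PsExec's redirected console is an
# assumption, so check the PsExec output on first use.
'y' | & psexec.exe "\\$Target" -accepteula -s -c -w $RemoteDir $DumpItPath
if ($LASTEXITCODE -ne 0) { throw "PsExec/DumpIt exited with code $LASTEXITCODE" }

# Retrieve the newest dump, hash it and keep the hash beside the evidence file.
$dump = Get-ChildItem -Path $RemoteUnc -Filter '*.raw' |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $dump) { throw "No .raw file found in $RemoteUnc" }
$local = Join-Path $LocalDir $dump.Name
Copy-Item -Path $dump.FullName -Destination $local
$hash  = (Get-FileHash -Algorithm SHA256 -Path $local).Hash
"$hash  $($dump.Name)" | Set-Content -Path "$local.sha256"
Remove-Item -Path $dump.FullName     # leave no copy of the RAM image on the target

# A size check catches truncated transfers: a raw dump should be roughly the
# size of the target's physical memory.
"Dump: $local ($([math]::Round($dump.Length / 1GB, 2)) GB), SHA-256: $hash"
# Next step, outside this script: analyse with Volatility, e.g.
#   vol.py -f C:\evidence\<dump>.raw imageinfo
```

Record the printed hash with the case notes so the copy handed to Volatility can be shown to match the file taken off the target.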