Using PMDump to Investigate Malware: Practical Examples
Investigating malware often requires analyzing a process’s memory to uncover code, injected modules, decrypted payloads, and runtime indicators not visible on disk. PMDump is a lightweight Windows memory-dump utility focused on capturing process memory quickly and reliably. This article walks through practical examples showing how to use PMDump during incident response and malware analysis, including real-world workflows, command examples, and follow-up analysis techniques.
What PMDump captures
- Process virtual memory: The live address space of a target process (heap, stack, loaded modules, mapped files).
- Runtime data: Decrypted strings, unpacked code, in-memory configuration, and injected DLLs.
- Volatility-friendly output: Dumps compatible with common memory-analysis tools.
Safety and setup
- Run PMDump from an account with sufficient privileges to open the target process (Administrator for most system processes).
- Work on an isolated analysis workstation or a forensic VM to avoid contaminating evidence.
- Make a copy of the dump and work from the copy. Preserve timestamps and capture notes: host, date (February 6, 2026), process name/ID, user, and command used.
Example 1 — Basic process dump
Goal: Quickly capture memory of a suspicious process (e.g., malware.exe PID 4320).
Command (example):
```
pmdump -p 4320 -o C:\dumps\malware_4320.dmp
```
Steps:
- Confirm PID with Task Manager, tasklist, or Get-Process in PowerShell.
- Run PMDump with the process ID and output path.
- Verify the dump file exists and record file size and hash (e.g., SHA256).
Follow-up analysis:
- Load the dump in a debugger (x64dbg or WinDbg) or memory analysis tool (Volatility or Rekall).
- Search for ASCII/UTF-16 strings to find URLs, file paths, or C2 domains, for example:
  - strings -a -n 6 malware_4320.dmp
- Extract suspicious DLLs or modules with volatility plugins (e.g., modules, malfind).
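The strings step above, as an added Python example that is not part of the original article or of PMDump: it scans a raw dump for printable ASCII runs and for UTF-16LE runs (which plain strings -a misses), then keeps only URL-, path- and hostname-shaped hits with their offsets. The sample bytes are constructed and example.invalid is a placeholder host.

```python
import re
from typing import Iterator, List, Tuple

MIN_LEN = 6  # same threshold as the article's `strings -a -n 6`

# Indicator shapes worth surfacing from a dump: URLs, Windows paths, bare hostnames
_INDICATOR = re.compile(
    r"(?i)(?:https?://\S+|[a-z]:\\[^\s\"']+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b)"
)

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable ASCII run and every UTF-16LE run."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)          # what `strings -a` finds
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)  # what `strings -el` finds
    for m in ascii_run.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_run.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def find_indicators(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, indicator) for URL/path/hostname-looking strings, by offset."""
    hits = set()
    for off, enc, text in extract_strings(data, min_len):
        for ind in _INDICATOR.findall(text):
            hits.add((off, enc, ind))
    return sorted(hits)

# Constructed sample shaped like a slice of process memory; not a real dump
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00"                                              # header fragment / noise
    + b"http://example.invalid/gate.php\x00"                           # ASCII C2-style URL
    + b"\xff\x00\x01"
    + "C:\\Users\\Public\\svc.dll".encode("utf-16-le") + b"\x00\x00"  # UTF-16 dropped-file path
    + b"ab\x00cd"                                                      # too short to be reported
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, enc, ind in find_indicators(SAMPLE_DUMP):
        print(f"0x{off:08x} {enc:8} {ind}")
```

Run it against a real PMDump output by replacing SAMPLE_DUMP with the file's bytes; the offsets let you go straight to the region in x64dbg or WinDbg.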
Example 2 — Dumping by process name in automated triage
Goal: Automate dumping for a known malicious process name observed across endpoints.
Command:
```
pmdump -n malware.exe -o C:\dumps\%COMPUTERNAME%_malware.dmp
```
Steps:
- Use -n to specify process name; PMDump resolves to running PID(s).
- In a script, iterate endpoints and collect dumps to a central collection server.
- Include error handling for permission or process termination.
Follow-up analysis:
- Correlate dumps from multiple hosts to find shared configuration or unique artifacts.
- Use hash-based deduplication to avoid repeated analysis of identical samples.
Example 3 — Targeting a child process or injector
Goal: Capture the injected process instead of the parent dropper (e.g., explorer.exe launching a malicious child).
Workflow:
- Monitor process creation events (Sysmon Event ID 1, Process Monitor) and identify the child PID.
- Immediately run PMDump against the child PID:
```
pmdump -p 7892 -o C:\dumps\child7892.dmp
```
- If the child exits quickly, automate triggers to run PMDump on process start.
Follow-up analysis:
- Use malfind (Volatility) or YARA rules to locate injected code and unpacked regions.
- Compare parent and child memory to identify code injected via CreateRemoteThread or SetWindowsHookEx.
Example 4 — Dumping a protected or system process
Goal: Dump a system-level process that resists normal access (e.g., lsass.exe) for credential or token analysis.
Notes:
- Dumping lsass is sensitive and may trigger endpoint protection. Use approved forensic tools and follow legal/policy constraints.
- Run PMDump with elevated privileges and, if needed, use credentialed escalation or a live response capability that supports secure dumping.
Command:
```
pmdump -p 520 -o C:\dumps\lsass520.dmp --force
```
(Use the tool's specific switch to allow protected process access, if it offers one.)
Follow-up analysis:
- Use mimikatz or specialized parsers on the dump to extract credentials (only in authorized investigations).
- Verify hashes and secure storage when transferring sensitive dumps.
Example 5 — Integrating PMDump into malware triage pipeline
Goal: Add PMDump to an automated triage pipeline that collects process memory, extracts indicators, and notifies analysts.
Pipeline steps:
- Endpoint sensor detects suspicious behavior and triggers a script.
- Script runs PMDump for relevant processes and uploads the dump to an analysis server.
- Server runs automated tools:
- Strings extraction
- YARA scanning
- Volatility plugins (malfind, procdump, dlllist)
- Extraction of embedded config and IOCs
- Results forwarded to an analyst dashboard with severity scoring.
Example script snippet (PowerShell pseudocode):
```powershell
# $PID is a read-only automatic variable in PowerShell, so the resolved IDs use another name
$procIds = Get-Process -Name malware | Select-Object -ExpandProperty Id
foreach ($procId in $procIds) {
    $dumpPath = "\\server\dumps\$($env:COMPUTERNAME)_$procId.dmp"
    pmdump -p $procId -o $dumpPath
    Invoke-WebRequest -Uri "https://analysis.local/upload" -Method Post -InFile $dumpPath
}
```
Analysis tips and useful tools
- Volatility (2 and 3) and Rekall — memory analysis frameworks with plugins for malfind, strings, and yara.
- YARA — create rules to detect malware families inside dumps.
- binwalk / 7-zip — extract embedded files or archives discovered in memory.
- grep/strings/sr — quick textual indicators.
- Hashing tools — sha256sum for evidence integrity.
Evidence handling and chain of custody
- Record who ran PMDump, why, and on what host/time.
- Calculate and record cryptographic hashes.
- Store originals in read-only archive and analyze copies.
- Follow organizational and legal guidelines for sensitive content (credentials, PII).
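Example 1's run/verify/hash steps and the evidence-handling points in this section, as one added Python example (not code from the article or from PMDump): it runs the dump, refuses to continue without a non-empty output file, streams a SHA256 over it, marks the original read-only and writes the custody fields (host, time, process, user, command, size, hash) beside it. The -p/-o switches are assumed to work as the article shows them.

```python
import getpass
import hashlib
import json
import socket
import stat
import subprocess
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

def pmdump_command(pid: int, out_path: Path, exe: str = "pmdump") -> List[str]:
    """Build the dump command with the -p/-o switches as the article shows them (assumed)."""
    return [exe, "-p", str(pid), "-o", str(out_path)]

def sha256_file(path: Path) -> str:
    """Stream the file so a multi-gigabyte dump never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def custody_record(pid: int, process_name: str, dump_path: Path, command: List[str]) -> Dict:
    """The notes the article asks for (host, date, process, user, command) plus size and hash."""
    return {
        "host": socket.gethostname(),
        "captured_utc": datetime.now(timezone.utc).isoformat(),
        "process_name": process_name,
        "pid": pid,
        "user": getpass.getuser(),
        "command": " ".join(command),
        "dump_file": str(dump_path),
        "size_bytes": dump_path.stat().st_size,
        "sha256": sha256_file(dump_path),
    }

def collect(pid: int, process_name: str, dump_dir: Path) -> Dict:
    """Run pmdump, verify the output exists, mark it read-only and write the record beside it."""
    dump_dir.mkdir(parents=True, exist_ok=True)
    dump_path = dump_dir / f"{process_name}_{pid}.dmp"
    cmd = pmdump_command(pid, dump_path)
    subprocess.run(cmd, check=True)  # raises CalledProcessError if pmdump reports failure
    if not dump_path.is_file() or dump_path.stat().st_size == 0:
        raise RuntimeError(f"dump not produced: {dump_path}")
    record = custody_record(pid, process_name, dump_path, cmd)
    dump_path.chmod(stat.S_IREAD)  # original stays read-only; analysts work from a copy
    (dump_dir / f"{process_name}_{pid}.json").write_text(json.dumps(record, indent=2))
    return record

if __name__ == "__main__":
    print(json.dumps(collect(4320, "malware", Path(r"C:\dumps")), indent=2))
```

Re-running sha256_file on the archived original and comparing it with the recorded value is the integrity check to perform before and after any transfer.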
Common pitfalls
- Dumps can be large; ensure sufficient storage and transfer bandwidth.
- Endpoint protection may kill dumping attempts or modify process behavior—document such interferences.
- Volatile indicators disappear after process exit; automate to reduce missed captures.
Summary
PMDump is a practical, fast tool for capturing process memory to reveal runtime artifacts critical in malware investigations. Use it with proper authorization, integrate it into automated triage where possible, and follow standard forensic handling to preserve evidence integrity.