Imagine the scenario - you see what looks to be a suspicious process on an endpoint, maybe you've used Live Query to list modules but you need to dig a little deeper.
Well, how about the following workflow:
Note: It's worth being a little careful as to what process you're dumping as it will suspend the process temporarily, plus depending on the modules loaded, the resultant dump file can be quite large - think working set.
The file could then be zipped up or maybe written directly to a filer location and analyzed at your local machine.
Analysis might include using WinDbg, either the classic one found in, say, the SDK, or the new WinDbg Preview available in the Microsoft Store.
If you wanted to consider the modules loaded in the exe at the time the dump was created, I would first recommend downloading the MEX WinDbg extension from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=53304. Then, having unpacked mex.dll (same bit-ness as the WinDbg version) to, for example, C:\temp\mex.dll, you can load it in WinDbg using the command:
Mex has the command "writemodule" such that you can then run:
This will dump all the loaded modules to disk, by default to %temp%\MexEmbeddedResources\GUID\
At this point, you should be mindful that these files could be malicious, but you now have some useful data to perhaps progress your investigation.
I hope it helps.
Great stuff, really helpful. Thanks JAK!