[Vol-users] Experimenting with notepad.exe

Hi all, I'm hoping for some suggestions around how to find the answer for myself, rather than the actual answer. I'm experimenting with notepad to try and learn more about Windows memory management. Currently I'm trying to see if I can reliably locate what has been typed into a notepad window from a memory capture taken when the notepad window was still open. I can prove my text is present like so: $ python vol.py -f ~/memtest/win7.raw --profile=Win7SP1x86 pslist | grep notepad Volatile Systems Volatility Framework 2.3_beta 0x84f08030 notepad.exe 292 1664 2 59 1 0 2013-08-28 20:50:36 UTC+0000 $ python vol.py -f ~/memtest/win7.raw --profile=Win7SP1x86 memdump --dump-dir=~/memtest/ -p 292 Volatile Systems Volatility Framework 2.3_beta ************************************************************************ Writing notepad.exe [ 292] to 292.dmp $ strings -e l ~/memtest/292.dmp | grep "i-typed-" i-typed-this-into-notepad (The "-e l" switch is because notepad stores its text in 16-bit little-endian.) Combining the output of memdump and memmap I can see where in physical and virtual memory my string is located. Of course this relies on me knowing the string ahead of time. Do I need to go down the route of disassembling/debugging notepad.exe in order to determine how/when it writes the contents to memory? Or is there another approach that I simply haven't though of? Comments greatly appreciated! Thanks, Adam -- Have you sent me your PGP Public Key yet?