Difference between the memdump, procexedump and procmemdump commands in Volatility:
When an executable is loaded from disk, Windows uses the PE header to determine how many pages, and with which permissions, are allocated for each section. The section table records each section's size and offset on disk (SizeOfRawData, PointerToRawData) and its size and address in memory (VirtualSize, VirtualAddress). Because sections must be page-aligned in memory (SectionAlignment, normally 0x1000) but only sector-aligned on disk (FileAlignment, typically 0x200), mapping the file generally leaves padding between the sections that did not exist on disk. The loader also changes the image in memory: relocations are applied and the import table is filled in with the resolved addresses of imported functions.
When an executable is recovered from a memory image, the recovery tool can only work with what is resident: pages of the executable may have been paged out to pagefile.sys, may be invalid, or may never have been loaded in the first place, so the rebuilt file can contain holes that were not in the original.
procmemdump:
One can recover the in-memory representation of the executable. In the file this plugin writes, the sections are memory-aligned (page-aligned), not disk-aligned, so the alignment padding and the changes made by the loader are kept as they were in memory.
Syntax:
$ python vol.py -f ~/Downloads/unknown.img procmemdump -p 1440 -D ~/Downloads/memf/
procexedump:
One can recover the executable again, but this time with the sections realigned to where they were on disk. This is done by parsing the PE header in memory and using its section table to undo some of the changes made when the image was loaded. The result is closer to the original file, but it will generally not match the on-disk file's hash: relocations and resolved imports are not reverted, and any pages that were not resident are missing.
Syntax:
$ python vol.py -f ~/Downloads/unknown.img procexedump -p 1440 -D ~/Downloads/memf/
Options:
-f: path of the memory image acquired for analysis
-p: process ID whose executable is to be dumped (Volatility 2.x accepts a comma-separated list of PIDs; to dump a process that has been unlinked from the process list, give the physical offset of its EPROCESS with --offset instead)
-D (--dump-dir): directory in which the executable is written, as executable.<PID>.exe
Note: -p is optional; if you don't specify it, procexedump dumps the executable of every process in the process list into the specified directory.
-D is not optional in Volatility 2.x: without it the plugin stops with "Please specify a dump directory (--dump-dir)", so give it explicitly rather than expecting output in the current directory.
[Fig. 1: image not available; it compares the in-memory layout of the image with the rebuilt on-disk layout]
In Fig. 1, the rebuilt (on-disk) layout is what procexedump produces; procmemdump instead keeps the in-memory layout, so the slack space (the unused padding between page-aligned sections) is retained in its output file.
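To make the difference concrete, here is an added example (not Volatility's code, and not from the original post) that builds a constructed minimal 32-bit PE image the way the loader lays it out in memory, then moves the sections back to their file offsets the way procexedump does; leaving the buffer as built is the procmemdump view. The section names, sizes, alignments and fill bytes are all sample values chosen for the example, and the available_pages argument is the example's own way of modelling pages that were paged out.

```python
import struct

# Added example (not Volatility's code): build a minimal 32-bit PE as the loader
# lays it out in memory, then move the sections back to their on-disk offsets
# the way procexedump does. Keeping the buffer as built is what procmemdump does.
# Every value below is constructed sample data.

SECTION_ALIGNMENT = 0x1000   # sections start on page boundaries in memory
FILE_ALIGNMENT = 0x200       # sections start on 512-byte boundaries on disk
E_LFANEW = 0x40              # where the PE signature sits in this sample
OPT_HDR_SIZE = 0xE0          # size of a PE32 optional header
SECTION_HDR_SIZE = 40

# (name, VirtualSize, SizeOfRawData, VirtualAddress, PointerToRawData, fill byte)
SAMPLE_SECTIONS = [
    (b".text", 0x1A0, 0x200, 0x1000, 0x200, 0x90),
    (b".data", 0x060, 0x200, 0x2000, 0x400, 0x41),
]


def build_memory_image():
    """Return the sample image as it would appear mapped at its image base."""
    size_of_headers, size_of_image = 0x200, 0x3000
    img = bytearray(size_of_image)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, E_LFANEW)
    img[E_LFANEW:E_LFANEW + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections, timestamp, symtab, nsyms,
    # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, E_LFANEW + 4,
                     0x14C, len(SAMPLE_SECTIONS), 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = E_LFANEW + 24
    struct.pack_into("<H", img, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<II", img, opt + 32, SECTION_ALIGNMENT, FILE_ALIGNMENT)
    struct.pack_into("<II", img, opt + 56, size_of_image, size_of_headers)
    table = opt + OPT_HDR_SIZE
    for i, (name, vsize, rsize, va, raw, fill) in enumerate(SAMPLE_SECTIONS):
        struct.pack_into("<8sIIIIIIHHI", img, table + i * SECTION_HDR_SIZE,
                         name, vsize, va, rsize, raw, 0, 0, 0, 0, 0x60000020)
        img[va:va + vsize] = bytes([fill]) * vsize   # section content at its VA
    return bytes(img)


def parse_pe(image):
    """Read alignment, header size and the section table from the in-memory headers."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    sect_align, file_align = struct.unpack_from("<II", image, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", image, opt + 56)
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, raw = struct.unpack_from(
            "<8sIIII", image, opt + opt_size + i * SECTION_HDR_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "rsize": rsize, "raw": raw})
    return {"sect_align": sect_align, "file_align": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections}


def rebuild_disk_image(image, available_pages=None):
    """procexedump-style rebuild: copy SizeOfRawData bytes of each section from its
    VirtualAddress to its PointerToRawData. available_pages (this example's own
    knob) lists the page numbers that are resident; any other page is treated as
    paged out and zero-filled so the rebuilt file keeps its shape."""
    pe = parse_pe(image)
    align = pe["sect_align"]

    def read(off, n):
        out = bytearray(n)
        pos = off
        while pos < off + n:
            page = pos // align
            end = min((page + 1) * align, off + n)
            if available_pages is None or page in available_pages:
                out[pos - off:end - off] = image[pos:end]
            pos = end
        return bytes(out)

    disk = bytearray(max(s["raw"] + s["rsize"] for s in pe["sections"]))
    disk[0:pe["size_of_headers"]] = read(0, pe["size_of_headers"])
    for s in pe["sections"]:
        disk[s["raw"]:s["raw"] + s["rsize"]] = read(s["va"], s["rsize"])
    return bytes(disk)


def rva_to_file_offset(pe, rva):
    """Map an RVA observed in memory to the file offset it was loaded from;
    None means the RVA falls in alignment slack that has no counterpart on disk."""
    if rva < pe["size_of_headers"]:
        return rva
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["rsize"]:
            return s["raw"] + (rva - s["va"])
    return None


if __name__ == "__main__":
    mem = build_memory_image()
    disk = rebuild_disk_image(mem)
    print("procmemdump-style size: 0x%x, procexedump-style size: 0x%x" % (len(mem), len(disk)))
    for s in parse_pe(mem)["sections"]:
        print("%-6s memory 0x%04x -> disk 0x%04x" % (s["name"], s["va"], s["raw"]))
```

The memory-layout buffer is 0x3000 bytes with 0xE00 bytes of slack after .text; the rebuilt file is 0x600 bytes with the sections packed at 0x200 and 0x400. Running the rebuild with only pages 0 and 1 marked resident shows what a paged-out .data section does to the output: the file has the right shape, but that region is zeros.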
memdump:
This command does not dump just the executable: it writes every page of the process's virtual address space that is present in memory. That includes the executable image, the DLLs loaded into the process, its heaps and stacks, and the memory-mapped files the process has open.
Volatility thus lets us capture the memory associated with a particular process so that we can inspect its contents afterwards, for example with strings or a hex editor.
Syntax:
$ python vol.py -f ~/Downloads/unknown.img memdump -p 1440 -D ~/Downloads/memf/
Options:
-f: path of the memory image acquired for analysis
-p: process ID whose address space is to be dumped (a comma-separated list is accepted; --offset takes the physical offset of an EPROCESS for processes missing from the process list)
-D (--dump-dir): directory in which the dump is written, as <PID>.dmp
Note: -p is optional; if you don't specify it, memdump writes the address space of every process into the specified directory, which for a large image takes a long time and a lot of disk space.
-D is required in Volatility 2.x; without it the plugin stops with "Please specify a dump directory (--dump-dir)".
memdump dumps all addressable memory in a process's address space. It brute-forces address translation across the virtual range 0 to 4GB (on 32-bit systems) in the context of that process. Kernel addresses are global for the most part across all processes, and since kernel memory typically starts at virtual address 0x80000000 on 32-bit systems, memdump also acquires all the global kernel memory pages that translate in the context of the specified process. The output is a flat file of the resident pages in ascending virtual-address order with no per-page header; to find where a given virtual address landed in the file, run the memmap plugin for the same process, which prints the Virtual, Physical, Size and DumpFileOffset of every page.
Process memory dumping techniques can be generalized into one method:
1. Start with a virtual base address and a size.
2. Translate every page in that range to its corresponding physical page and copy it out.
Parsing the PE header of the first page to determine the virtual addresses of the subsequent pages, as procexedump and procmemdump do, is a derivation of this technique in which the base address and size come from the PE header. Brute-forcing translation across all possible virtual addresses, as memdump does, is another derivation, with base address 0 and size 4GB.
Issues with memdump:
- Translating virtual addresses across a range of memory ignores the structures the Windows operating system uses to represent files (FILE_OBJECTs and the section objects they point to). Pages of a mapped file that are present in the cache but not currently mapped into the process are therefore missed, and what is dumped cannot be tied back to the file it came from.
- The second issue is attribution. If a tool performs a brute-force translation of every address in the range of a process's memory, it will undoubtedly attribute certain kernel pages to the process when in reality they do not belong to it: the same global kernel pages appear in the dump of every process, so a string found in that part of the dump says nothing about the process itself unless its address is checked against the kernel range.
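The flat-file and attribution points above are easiest to see with the memmap table in hand. The following added example (not Volatility's code, and not from the original post) parses constructed text in the shape of memmap's Virtual/Physical/Size/DumpFileOffset table for a process, translates a virtual address to its offset in the corresponding .dmp, reads a range that straddles pages, and counts how many of the dumped bytes are kernel-range pages. The column order, the process line and the page values are assumptions made for the sample; the 0x80000000 split is the default 32-bit user/kernel boundary.

```python
import re

# Added example (not Volatility's code): locate a virtual address inside a
# memdump .dmp file using the Virtual/Physical/Size/DumpFileOffset table that
# the memmap plugin prints, and separate kernel-range pages from user pages.
# SAMPLE_MEMMAP is constructed text in the shape of "memmap -p 1440" output
# (assumed column order: Virtual, Physical, Size, DumpFileOffset).
SAMPLE_MEMMAP = """\
explorer.exe pid:   1440
Virtual            Physical                         Size     DumpFileOffset
------------------ ------------------ ------------------ ------------------
0x0000000000010000 0x0000000002ab0000             0x1000                0x0
0x0000000000020000 0x0000000002ab1000             0x1000             0x1000
0x0000000000021000 0x0000000002ab2000             0x1000             0x2000
0x0000000000400000 0x0000000005f20000             0x1000             0x3000
0x0000000080400000 0x0000000000400000             0x1000             0x4000
0x0000000080401000 0x0000000000401000             0x1000             0x5000
"""

# Constructed stand-in for the 1440.dmp file: six pages, each filled with its index.
SAMPLE_DUMP = b"".join(bytes([i]) * 0x1000 for i in range(6))

KERNEL_BASE_32 = 0x80000000   # start of the kernel half on 32-bit Windows (no /3GB)

ROW = re.compile(r"^\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s*$", re.I)


def parse_memmap(text):
    """Return [(virtual, physical, size, dump_offset), ...]; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(tuple(int(x, 16) for x in m.groups()))
    return rows


def find_page(rows, va):
    """The memmap row whose virtual range covers va, or None if that page was
    paged out, invalid or never mapped (memdump simply omits such pages; it
    does not zero-fill, so the .dmp has no gap to show where they were)."""
    for row in rows:
        virt, _phys, size, _off = row
        if virt <= va < virt + size:
            return row
    return None


def dump_offset_for_va(rows, va):
    """Offset of va inside the flat .dmp, or None if it is not present."""
    row = find_page(rows, va)
    if row is None:
        return None
    virt, _phys, _size, off = row
    return off + (va - virt)


def read_virtual(dump, rows, va, length):
    """Read a virtual range from the .dmp page by page. Adjacent virtual pages
    are adjacent in the file only when nothing between them was missing, so
    always go through the map rather than reading `length` bytes in one go."""
    out = bytearray()
    pos = va
    while pos < va + length:
        row = find_page(rows, pos)
        if row is None:
            raise LookupError("0x%x is not present in the dump" % pos)
        virt, _phys, size, off = row
        chunk = min(virt + size - pos, va + length - pos)
        out += dump[off + (pos - virt):off + (pos - virt) + chunk]
        pos += chunk
    return bytes(out)


def attribute_pages(rows, kernel_base=KERNEL_BASE_32):
    """Bytes of user-mode versus kernel-range pages in the dump. Kernel pages
    are global, so the same ones turn up in every process's dump and should not
    be read as evidence about this particular process."""
    user = sum(size for virt, _p, size, _o in rows if virt < kernel_base)
    kernel = sum(size for virt, _p, size, _o in rows if virt >= kernel_base)
    return user, kernel


if __name__ == "__main__":
    rows = parse_memmap(SAMPLE_MEMMAP)
    print("0x20340 is at dump offset", hex(dump_offset_for_va(rows, 0x20340)))
    print("user bytes 0x%x, kernel bytes 0x%x" % attribute_pages(rows))
    print(read_virtual(SAMPLE_DUMP, rows, 0x20ff0, 0x20).hex())
```

With the sample table, a read that starts at 0x21ff0 fails because 0x22000 is not in the map: the next page in the file is 0x400000, not the address that follows. That is the failure mode to keep in mind whenever a structure found in a .dmp is followed across a page boundary. The attribution count shows a third of the dumped bytes are kernel pages that every process on the system would also show.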
Ref:
https://media.blackhat.com/bh-us-11/Butler/BH_US_11_ButlerMurdock_Physical_Memory_Forensics-WP.pdf
http://jessekornblum.livejournal.com/294997.html