
I am new to malware analysis, and I'm learning how to detect malware that uses process injection to execute PE files from memory. I chose a ransomware sample that uses process injection to load the actual payload in memory and took a crash dump at the point where the executable is loaded into memory. Is it safe to open (and not run) the crash dump file in WinDbg in a trusted environment? I will be using WinDbg commands to list the PEB, TIDs, etc.

1 Answer

In short, yes, it is safe. The debuggers won't map crash dumps into executable memory, and extensions such as .call only work in live debugging.
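To make the "it is only data" point concrete, here is an added example (not from the question or the answer) that walks a minidump's stream directory and lists the modules recorded in its ModuleListStream using nothing but `struct` unpacking, the same kind of read-only parsing a debugger does when it opens a dump. The dump bytes are constructed inline from the documented MINIDUMP_HEADER, MINIDUMP_DIRECTORY and MINIDUMP_MODULE layouts; the module base, size and path are made-up sample values.

```python
import struct

MDMP_SIGNATURE = 0x504D444D   # 'MDMP' read as a little-endian ULONG32
MINIDUMP_VERSION = 0xA793     # MINIDUMP_VERSION (42899)
MODULE_LIST_STREAM = 4        # MINIDUMP_STREAM_TYPE.ModuleListStream
HEADER_FMT = "<IIIIIIQ"       # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIR_FMT = "<III"              # StreamType, Location.DataSize, Location.Rva
MODULE_SIZE = 108             # sizeof(MINIDUMP_MODULE), including VersionInfo/CvRecord/MiscRecord/Reserved

def parse_minidump_modules(data: bytes):
    """Return [(base, size, name)] for each entry in the ModuleListStream.
    Pure byte parsing: nothing from the dump is mapped or executed."""
    sig, _ver, nstreams, dir_rva, _cs, _ts, _flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump (bad signature)")
    modules = []
    for i in range(nstreams):
        stype, _dsize, rva = struct.unpack_from(DIR_FMT, data, dir_rva + 12 * i)
        if stype != MODULE_LIST_STREAM:
            continue
        (count,) = struct.unpack_from("<I", data, rva)      # MINIDUMP_MODULE_LIST.NumberOfModules
        for j in range(count):
            off = rva + 4 + MODULE_SIZE * j
            # BaseOfImage, SizeOfImage, CheckSum, TimeDateStamp, ModuleNameRva
            base, size, _cs, _ts, name_rva = struct.unpack_from("<QIIII", data, off)
            (nlen,) = struct.unpack_from("<I", data, name_rva)   # MINIDUMP_STRING.Length in bytes
            name = data[name_rva + 4 : name_rva + 4 + nlen].decode("utf-16-le")
            modules.append((base, size, name))
    return modules

def build_sample_dump() -> bytes:
    """Constructed minidump holding one module; sample values only, not a real capture."""
    name = "C:\\constructed\\sample.exe".encode("utf-16-le")
    dir_rva = struct.calcsize(HEADER_FMT)          # directory follows the 32-byte header
    stream_rva = dir_rva + 12                      # one directory entry
    name_rva = stream_rva + 4 + MODULE_SIZE        # MINIDUMP_STRING after the module list
    module = struct.pack("<QIIII", 0x00400000, 0x1000, 0, 0, name_rva) + b"\x00" * (MODULE_SIZE - 24)
    return (struct.pack(HEADER_FMT, MDMP_SIGNATURE, MINIDUMP_VERSION, 1, dir_rva, 0, 0, 0)
            + struct.pack(DIR_FMT, MODULE_LIST_STREAM, 4 + MODULE_SIZE, stream_rva)
            + struct.pack("<I", 1) + module
            + struct.pack("<I", len(name)) + name + b"\x00\x00")

if __name__ == "__main__":
    for base, size, name in parse_minidump_modules(build_sample_dump()):
        print(f"{base:#018x} {size:#010x} {name}")
```

An injected PE written into a process with WriteProcessMemory and run from there does not register with the loader, so it is normally absent from this list while still being present in the dump's memory regions; comparing the two is the usual starting point for the analysis described in the question.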
