# Extract JPEG objects from processes memory dumps# (e.g. obtained with memdum

1. # Extract JPEG objects from processes memory dumps
2. # (e.g. obtained with memdump command from volatility)
3.  
4. import sys
5. import mmap
6.  
7. # JPEG header
8. header = reduce(lambda x, y: x+y, map(chr, [0xff, 0xd8, 0xff, 0xe0]))
9. # Other types:
10. # 0xffd8ffdb, 0xffd8ffe1, 0xffd8ffe2, 0xffd8ffe3, 0xffd8ffe8]
11.  
12. # JPEG trailer
13. trailer = reduce(lambda x, y: x+y, map(chr, [0xff, 0xd9]))
14.  
15. def extract_jpg(fname):
16. found_idx = 0
17. with open(fname, "r+b") as f:
18. # memory-map the file, size 0 means whole file
19. fmap = mmap.mmap(f.fileno(), 0)
20.  
21. pos = fmap.find(header)
22. while pos != -1:
23. print "Found possible jpeg header at 0x%x" % (pos)
24. pos_old = pos
25.  
26. pos_tr = fmap.find(trailer, pos + 4)
27. print "Found possible jpeg trailer at 0x%x" % (pos_tr)
28.  
29. # Search for other occurences
30. pos = fmap.find(header, pos + 2)
31.  
32. # Create output file
33. fout = open("out\jpeg" + str(found_idx) + ".jpg", "wb")
34. fmap.seek(pos_old)
35. if pos == -1 :
36. fout.write(fmap.read(pos_tr - pos_old + 2))
37. else :
38. fout.write(fmap.read(min(pos,pos_tr) - pos_old + 2))
39. fout.close()
40. found_idx = found_idx + 1
41.  
42. # close the map
43. fmap.close()
44.  
45. if __name__=="__main__":
46. extract_jpg(sys.argv[1])