Getting started with ramparser
ramparser is a Volatility-style memory forensics tool that runs entirely in the browser. The image you select never leaves the device: no upload, no server-side parsing, no telemetry. The reason for that design is practical, not ideological — a RAM dump from a real incident contains plaintext credentials, session tokens, decrypted documents and PII, and those are not artefacts you ship to a third party.
How it actually works
- You pick a raw memory image with the file picker.
- A Web Worker loads a Rust engine compiled to WebAssembly.
- The engine reads the dump in 4 KiB pages via FileReaderSync, so a 32 GB image is processed without ever being loaded into memory as a whole.
- The OS is auto-detected: the "Linux version" kernel banner for Linux, the first validated _EPROCESS for Windows (together with the kernel's RSDS CodeView record, which identifies the build).
- Every applicable plugin runs automatically, each streaming its own progress and rendering its own table.
Plugins
| Plugin | OS | What it does |
|---|---|---|
| psscan | Windows | Pool-tag scan for _EPROCESS allocations |
| pslist | Windows | Walk ActiveProcessLinks from the System process |
| psxview | Windows | psscan vs pslist diff — flags HIDDEN rows |
| pstree | Windows | Parent / child hierarchy from psscan |
| cmdline | Windows | Process command line via the PEB |
| dlllist | Windows | Loaded modules via the PEB loader data |
| modscan | Windows | Pool-tag scan for kernel modules (MmLd) |
| netscan | Windows | Network objects pool scan (experimental) |
| taskscan | Linux | Heuristic task_struct scan (experimental) |
Comparing pslist against psscan is the classic way to spot
processes a rootkit has DKOM-unlinked. See
pslist vs psscan vs psxview.
pslist, modscan, and netscan resolve kernel virtual addresses
through the System process (PID 4) DTB.
Address translation, briefly
cmdline and dlllist translate each process PEB through its own page
tables. ramparser implements x64 4-level address translation (PML4 →
PDPT → PD → PT, including 1 GiB and 2 MiB large pages), so user-space
memory reads work correctly without symbols.
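The walk described above, written out as an added example (this is not ramparser's engine code). It runs over a small constructed byte buffer that stands in for physical memory, with a PML4, PDPT, PD and PT laid out at fixed offsets so that one 4 KiB mapping, one 2 MiB mapping, one 1 GiB mapping, one unmapped address and one non-canonical address can be exercised. The table layout and the DTB value are constructed for the example; the bit positions (present bit 0, PS bit 7, PFN in bits 12..51) are the x64 architectural ones.

```rust
// Added example (not ramparser's code): x64 4-level page-table walk over a
// constructed "physical memory" buffer. Layout, DTB and mappings are made up.

const ENTRY_PRESENT: u64 = 1 << 0;
const ENTRY_LARGE: u64 = 1 << 7; // PS bit: 1 GiB page in a PDPTE, 2 MiB page in a PDE
const PFN_MASK: u64 = 0x000F_FFFF_FFFF_F000; // next-table / page base, bits 12..51

/// Stand-in for a raw image: a byte buffer indexed by physical address.
pub struct PhysMem {
    bytes: Vec<u8>,
}

impl PhysMem {
    /// Bounds-checked little-endian read; None for reads outside the image.
    pub fn read_u64(&self, pa: u64) -> Option<u64> {
        let start = pa as usize;
        let end = start.checked_add(8)?;
        let slice = self.bytes.get(start..end)?;
        let mut b = [0u8; 8];
        b.copy_from_slice(slice);
        Some(u64::from_le_bytes(b))
    }

    fn write_u64(&mut self, pa: u64, value: u64) {
        let start = pa as usize;
        self.bytes[start..start + 8].copy_from_slice(&value.to_le_bytes());
    }
}

/// Bits 47..63 of a canonical x64 address are a sign-extension of bit 47.
pub fn is_canonical(va: u64) -> bool {
    let top = va >> 47;
    top == 0 || top == 0x1_FFFF
}

/// Translate `va` through the tables rooted at `dtb` (CR3).
/// None means non-canonical, not present, or a table entry outside the image.
pub fn translate(mem: &PhysMem, dtb: u64, va: u64) -> Option<u64> {
    if !is_canonical(va) {
        return None;
    }
    let idx = |shift: u32| (va >> shift) & 0x1FF; // nine index bits per level

    // PML4: VA bits 39..47 select the entry.
    let pml4e = mem.read_u64((dtb & PFN_MASK) + idx(39) * 8)?;
    if pml4e & ENTRY_PRESENT == 0 { return None; }

    // PDPT: VA bits 30..38. PS set here means a 1 GiB page.
    let pdpte = mem.read_u64((pml4e & PFN_MASK) + idx(30) * 8)?;
    if pdpte & ENTRY_PRESENT == 0 { return None; }
    if pdpte & ENTRY_LARGE != 0 {
        let base = pdpte & 0x000F_FFFF_C000_0000; // bits 30..51
        return Some(base + (va & 0x3FFF_FFFF));
    }

    // PD: VA bits 21..29. PS set here means a 2 MiB page.
    let pde = mem.read_u64((pdpte & PFN_MASK) + idx(21) * 8)?;
    if pde & ENTRY_PRESENT == 0 { return None; }
    if pde & ENTRY_LARGE != 0 {
        let base = pde & 0x000F_FFFF_FFE0_0000; // bits 21..51
        return Some(base + (va & 0x1F_FFFF));
    }

    // PT: VA bits 12..20, then the 4 KiB page offset.
    let pte = mem.read_u64((pde & PFN_MASK) + idx(12) * 8)?;
    if pte & ENTRY_PRESENT == 0 { return None; }
    Some((pte & PFN_MASK) + (va & 0xFFF))
}

/// Constructed sample: PML4 at 0x1000, PDPT at 0x2000, PD at 0x3000, PT at 0x4000.
pub const SAMPLE_DTB: u64 = 0x1000;

pub fn build_sample_memory() -> PhysMem {
    let mut mem = PhysMem { bytes: vec![0u8; 0x5000] };
    mem.write_u64(0x1000, 0x2000 | ENTRY_PRESENT);                         // PML4[0] -> PDPT
    mem.write_u64(0x2000, 0x3000 | ENTRY_PRESENT);                         // PDPT[0] -> PD
    mem.write_u64(0x2000 + 8, 0x1_4000_0000 | ENTRY_LARGE | ENTRY_PRESENT); // PDPT[1]: 1 GiB page
    mem.write_u64(0x3000 + 2 * 8, 0x4000 | ENTRY_PRESENT);                 // PD[2] -> PT
    mem.write_u64(0x3000 + 3 * 8, 0x20_0000 | ENTRY_LARGE | ENTRY_PRESENT); // PD[3]: 2 MiB page
    mem.write_u64(0x4000 + 8, 0x9000 | ENTRY_PRESENT);                     // PT[1] -> 4 KiB page
    mem
}

fn main() {
    let mem = build_sample_memory();
    for va in [0x0040_1234u64, 0x0061_0000, 0x4000_1234, 0x0080_0000, 0xFFFF_0000_0000_0000] {
        match translate(&mem, SAMPLE_DTB, va) {
            Some(pa) => println!("VA {:#018x} -> PA {:#x}", va, pa),
            None => println!("VA {:#018x} -> unmapped or non-canonical", va),
        }
    }
}
```

Two things worth noticing when reading a real dump this way: a large-page entry is recognised by the PS bit at the level where it appears, so the walk must stop early rather than treat the entry's address bits as a pointer to a lower table, and every table read is bounds-checked against the image because a partial or corrupt dump routinely has page-table entries pointing past the end of the file.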
Windows: psscan internals
The Windows analyzer is a psscan-style pool-tag scanner. It looks for
_POOL_HEADER allocations tagged Proc and validates each candidate
_EPROCESS with structural heuristics: plausible PID, printable image
name, page-aligned DirectoryTableBase, canonical kernel list pointer.
Struct offsets are build-dependent. The defaults target Windows 10/11
x64 (around build 19041). For older or unusual builds, offsets can be
overridden via WinProfile in the engine. The ntoskrnl PDB for the
detected build is fetched by its GUID + age (the identifier from the
kernel's RSDS CodeView record, and the only thing that leaves the
device), so pslist and friends use exact offsets for that build.
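The scanner and the four heuristics above, as an added example (not ramparser's engine). The profile struct is a stand-in for the page's WinProfile: the field offsets are assumed values for Windows 10 x64 build 19041, and the distance from the _POOL_HEADER to the _EPROCESS body is a simplification (real allocations carry a variable set of optional object headers between the two). The sample image is constructed and contains one plausible System process plus a decoy "Proc" byte sequence that should be rejected.

```rust
// Added example (not ramparser's code): psscan-style "Proc" pool-tag sweep with
// the validation heuristics from the text. Offsets below are assumptions for
// Windows 10 x64 19041 and the pool-header-to-body distance is simplified.

const POOL_HEADER_SIZE: usize = 0x10; // x64 pool allocations are 16-byte aligned
const POOL_TAG_OFFSET: usize = 4;     // PoolTag follows the 4-byte size/type word

/// Hypothetical profile, named after the page's WinProfile; values are assumptions.
pub struct WinProfile {
    pub body_offset: u64,          // assumed _POOL_HEADER -> _EPROCESS distance
    pub directory_table_base: u64, // _KPROCESS.DirectoryTableBase
    pub unique_process_id: u64,    // _EPROCESS.UniqueProcessId
    pub active_process_links: u64, // _EPROCESS.ActiveProcessLinks.Flink
    pub image_file_name: u64,      // _EPROCESS.ImageFileName, 15 bytes + NUL
}

pub const WIN10_19041: WinProfile = WinProfile {
    body_offset: 0x40,
    directory_table_base: 0x28,
    unique_process_id: 0x440,
    active_process_links: 0x448,
    image_file_name: 0x5a8,
};

#[derive(Debug, PartialEq)]
pub struct ProcHit {
    pub offset: u64, // physical offset of the _EPROCESS body
    pub pid: u64,
    pub dtb: u64,
    pub name: String,
}

fn read_u64(buf: &[u8], off: u64) -> Option<u64> {
    let s = off as usize;
    let slice = buf.get(s..s.checked_add(8)?)?;
    let mut b = [0u8; 8];
    b.copy_from_slice(slice);
    Some(u64::from_le_bytes(b))
}

/// ImageFileName is NUL-padded; accept only a non-empty, all-printable-ASCII name.
fn read_image_name(buf: &[u8], off: u64) -> Option<String> {
    let s = off as usize;
    let field = buf.get(s..s.checked_add(15)?)?;
    let len = field.iter().position(|&b| b == 0).unwrap_or(15);
    let name = &field[..len];
    if name.is_empty() || !name.iter().all(|b| (0x20..=0x7e).contains(b)) {
        return None;
    }
    Some(String::from_utf8_lossy(name).into_owned())
}

/// Canonical kernel-mode pointer: bits 47..63 all set.
fn is_kernel_pointer(p: u64) -> bool {
    p >> 47 == 0x1_FFFF
}

/// The structural heuristics: plausible PID, page-aligned DTB, canonical
/// list pointer, printable image name.
pub fn validate(buf: &[u8], body: u64, prof: &WinProfile) -> Option<ProcHit> {
    let pid = read_u64(buf, body + prof.unique_process_id)?;
    if pid < 4 || pid > 0xFFFF || pid % 4 != 0 { return None; } // PIDs are multiples of 4
    let dtb = read_u64(buf, body + prof.directory_table_base)?;
    if dtb == 0 || dtb & 0xFFF != 0 { return None; }
    let flink = read_u64(buf, body + prof.active_process_links)?;
    if !is_kernel_pointer(flink) { return None; }
    let name = read_image_name(buf, body + prof.image_file_name)?;
    Some(ProcHit { offset: body, pid, dtb, name })
}

/// Sweep every 16-byte slot for a "Proc" tag and keep candidates that validate.
pub fn psscan(buf: &[u8], prof: &WinProfile) -> Vec<ProcHit> {
    let mut hits = Vec::new();
    let mut off = 0usize;
    while off + POOL_HEADER_SIZE <= buf.len() {
        let tag = off + POOL_TAG_OFFSET;
        if buf[tag..tag + 4] == *b"Proc" {
            if let Some(hit) = validate(buf, off as u64 + prof.body_offset, prof) {
                hits.push(hit);
            }
        }
        off += POOL_HEADER_SIZE;
    }
    hits
}

/// Constructed sample image: one System-like process and one decoy.
pub fn build_sample_image(prof: &WinProfile) -> Vec<u8> {
    let mut img = vec![0u8; 0x2000];
    let put = |img: &mut Vec<u8>, off: u64, v: u64| {
        let s = off as usize;
        img[s..s + 8].copy_from_slice(&v.to_le_bytes());
    };
    // Genuine-looking candidate: pool header at 0x100, body at 0x100 + body_offset.
    let hdr = 0x100usize;
    img[hdr + POOL_TAG_OFFSET..hdr + POOL_TAG_OFFSET + 4].copy_from_slice(b"Proc");
    let body = hdr as u64 + prof.body_offset;
    put(&mut img, body + prof.unique_process_id, 4);
    put(&mut img, body + prof.directory_table_base, 0x1ad000);
    put(&mut img, body + prof.active_process_links, 0xffff_9c8a_1234_5678);
    let n = (body + prof.image_file_name) as usize;
    img[n..n + 6].copy_from_slice(b"System");
    // Decoy: "Proc" from the string "Process" landing in a tag slot, with an odd
    // PID and an unaligned DTB behind it, as stray strings in a dump often do.
    let decoy = 0x900usize;
    img[decoy + POOL_TAG_OFFSET..decoy + POOL_TAG_OFFSET + 7].copy_from_slice(b"Process");
    let dbody = decoy as u64 + prof.body_offset;
    put(&mut img, dbody + prof.unique_process_id, 7);
    put(&mut img, dbody + prof.directory_table_base, 0x1234);
    img
}

fn main() {
    let img = build_sample_image(&WIN10_19041);
    for h in psscan(&img, &WIN10_19041) {
        println!("{:#x} pid={} dtb={:#x} name={}", h.offset, h.pid, h.dtb, h.name);
    }
}
```

The point of the heuristics is that "Proc" is four printable bytes that will appear in ordinary string data all over a dump; only the combination of checks on the candidate body separates a real _EPROCESS from such noise, and each check is cheap enough to run on every 16-byte slot of a multi-gigabyte image.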
Linux: taskscan
The Linux analyzer is an experimental task_struct scan anchored on
the comm field. Kernel layouts vary widely across distributions and
versions, so treat results as a starting point rather than ground truth
until a proper kernel profile is supplied.