Forensics on memory dump.
- kntlist: Tool for acquisition/examination of live Windows system
- Using Computer Forensics When Investigating System Attacks
- memparser: Examination of Windows (2000, 2003, XP) memory dump
- forensic.seccure.net
- Physical memory forensics: Slides of Mariusz Burdach at Blackhat 2006
- Reconstruct process information with a physical memory dump under linux => blog.zeppoo.net/?p=14
Dump memory (/dev/mem) on Linux 2.6.x
A few Linux distributions, such as Ubuntu and Fedora, patch the Linux 2.6.x kernel to forbid reading /dev/mem beyond the first megabyte. The function devmem_is_allowed() checks the requested memory range. It is nevertheless possible to replace this function with your own:
- find devmem_is_allowed() address
$ grep devmem /proc/kallsyms
c0113fa0 T devmem_is_allowed
$ grep devmem_is_allowed /boot/System.map-$(uname -r)
c0113fa0 T devmem_is_allowed
- mmap() memory and replace the function with "mov eax, 1; ret" (\xb8\x01\x00\x00\x00\xc3)
More details in this article: Use zeppoo on Redhat (in French).
Organisation of the memory in Linux
Virtual Address Space
- first 3 GB: 0x00000000-0xBFFFFFFF - user memory
- last GB: 0xC0000000-0xFFFFFFFF - Linux kernel memory
$ grep '\<zone_table\>' /proc/kallsyms
c03ccb04 D zone_table
$ grep 'B mem_map' /proc/kallsyms
c0453d40 B mem_map
* ZONE_DMA, ZONE_NORMAL, ZONE_HIGH
* include/linux/mm.h: extern struct zone *zone_table[];
* include/linux/mm_types.h: struct page {...};
* include/linux/mmzone.h: struct zone {...}; extern struct page *mem_map;
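The 3G/1G split above and the kallsyms addresses are what an analyst uses to locate a kernel symbol inside a raw physical memory dump: on 2.6 x86-32, kernel lowmem is direct-mapped, so physical address = virtual address - 0xC0000000. The following Python is an added example, not code from these notes or from any of the tools listed; it parses /proc/kallsyms-style lines (the sample lines are constructed from the addresses shown above), classifies an address as user, kernel lowmem or highmem/vmalloc, converts lowmem addresses to dump offsets, and reads the bytes of a symbol out of a dump. The 896 MiB lowmem limit and the 4 KiB page size are assumptions matching the default 2.6 x86-32 configuration; addresses above that limit are not direct-mapped and need page-table walking, which this example deliberately refuses rather than guessing.

```python
import re

# Kernel space starts at 0xC0000000 on the default 3G/1G split (from the notes).
PAGE_OFFSET = 0xC0000000
PAGE_SHIFT = 12  # assumption: 4 KiB pages
# Assumption: direct-mapped lowmem covers the first 896 MiB; beyond that
# is highmem/vmalloc, which is NOT a simple offset into the dump.
HIGH_MEMORY = PAGE_OFFSET + 896 * 1024 * 1024

# /proc/kallsyms and System.map share the "addr type name" line format.
KALLSYMS_RE = re.compile(r'^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)')

def parse_kallsyms(text):
    """Return {symbol_name: (address, type_char)} from kallsyms-style text."""
    syms = {}
    for line in text.splitlines():
        m = KALLSYMS_RE.match(line.strip())
        if m:
            syms[m.group(3)] = (int(m.group(1), 16), m.group(2))
    return syms

def region(vaddr):
    """Classify a 32-bit virtual address by the layout described in the notes."""
    if vaddr < PAGE_OFFSET:
        return "user"
    if vaddr < HIGH_MEMORY:
        return "kernel-lowmem"
    return "kernel-highmem/vmalloc"

def virt_to_phys(vaddr):
    """Physical address for a direct-mapped kernel address, else None."""
    if PAGE_OFFSET <= vaddr < HIGH_MEMORY:
        return vaddr - PAGE_OFFSET
    return None

def pfn(paddr):
    """Page frame number: index of this frame's struct page in mem_map[]."""
    return paddr >> PAGE_SHIFT

def read_symbol(dump, syms, name, size):
    """Read `size` bytes of kernel symbol `name` from a raw physical dump.

    Returns None when the symbol is unknown, not direct-mapped, or lies
    outside the dump (e.g. a truncated acquisition)."""
    if name not in syms:
        return None
    vaddr, _ = syms[name]
    paddr = virt_to_phys(vaddr)
    if paddr is None or paddr + size > len(dump):
        return None
    return bytes(dump[paddr:paddr + size])

# Constructed sample: the three symbols and addresses quoted in the notes.
SAMPLE_KALLSYMS = """\
c0113fa0 T devmem_is_allowed
c03ccb04 D zone_table
c0453d40 B mem_map
"""

if __name__ == "__main__":
    syms = parse_kallsyms(SAMPLE_KALLSYMS)
    for name, (addr, kind) in syms.items():
        phys = virt_to_phys(addr)
        print(f"{name:20s} {kind} virt=0x{addr:08x} {region(addr)} "
              f"phys={'0x%08x' % phys if phys is not None else 'n/a'}")
```

The value read at the mem_map symbol is itself a pointer (the address of the struct page array), so a second virt_to_phys() on that value gives the dump offset of mem_map[0], and pfn(paddr) then indexes the frame of interest.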