Wednesday, June 15, 2005

Dumping and analyzing physical memory

Well, my research into dumping and analyzing physical memory is progressing. I can't say that I'm finding a positive answer...all I can say is that the research is going well. ;-)

I got in touch with Joanna Rutkowska over at invisiblethings.org about a presentation she gave in Oct '04, in which she made reference to dd.exe and noted that raw dd.exe images and the memory dumps (i.e., crashdumps) created by Windows tools are not compatible. This has been confirmed via other sources.

MS has a tool called userdump.exe that you can use to collect process memory, but it requires that you run a setup program that installs a kernel-mode driver, so that setup has to be done ahead of time.

An alternative to this kind of crashdump analysis and debugging is LiveKD.
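The incompatibility above comes down to file format: a Windows kernel crashdump starts with a fixed 8-byte signature ("PAGEDUMP" for 32-bit, "PAGEDU64" for 64-bit) that windbg and kd look for, while a dd.exe image of physical memory is headerless raw bytes. The following is an added example (not code from the original post) that checks which kind of capture a file is before picking a tool, and falls back to carving ASCII and UTF-16LE strings when the image is raw; the sample buffers are constructed, not real captures.

```python
"""Distinguish a raw dd-style memory image from a Windows crashdump,
and do basic string carving on the raw case.  Added example, not part
of the original post."""
import re
from typing import Dict, List

# Windows kernel crashdumps begin with this 8-byte signature at offset 0
# (DUMP_HEADER.Signature "PAGE" + ValidDump "DUMP" or "DU64").
CRASHDUMP_SIGNATURES = {
    b"PAGEDUMP": "windows-crashdump-32",
    b"PAGEDU64": "windows-crashdump-64",
}


def identify_memory_image(data: bytes) -> str:
    """Return the image kind: a crashdump the Windows debuggers can open,
    or 'raw' for a headerless dd-style capture."""
    return CRASHDUMP_SIGNATURES.get(data[:8], "raw")


def recommended_tooling(kind: str) -> str:
    """Map the image kind to the analysis path a practitioner would take."""
    if kind.startswith("windows-crashdump"):
        return "windbg/kd (Debugging Tools for Windows)"
    return "raw carving (strings, pattern scans); not loadable by windbg/kd"


def carve_ascii_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def carve_utf16le_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return printable UTF-16LE runs (the encoding most Windows strings
    in memory use) of at least min_len characters."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def triage(data: bytes) -> Dict[str, object]:
    """Identify the capture and, for raw images, carve strings from it."""
    kind = identify_memory_image(data)
    result: Dict[str, object] = {"kind": kind, "tooling": recommended_tooling(kind)}
    if kind == "raw":
        result["ascii_strings"] = carve_ascii_strings(data)
        result["utf16_strings"] = carve_utf16le_strings(data)
    return result


# Constructed samples (not real captures): a 64-bit crashdump header stub
# padded to one page, and a raw buffer holding a few recognisable strings.
SAMPLE_CRASHDUMP = b"PAGEDU64" + b"\x00" * 4088
SAMPLE_RAW = (
    b"\x00" * 32
    + b"C:\\WINDOWS\\system32\\cmd.exe" + b"\x00" * 16
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run" + b"\x00" * 16
    + "explorer.exe".encode("utf-16-le") + b"\x00" * 64
)

if __name__ == "__main__":
    for name, blob in (("crashdump", SAMPLE_CRASHDUMP), ("dd image", SAMPLE_RAW)):
        print(name, triage(blob))
```

Run it against a real file by reading the first page with `open(path, "rb").read(4096)` for the signature check; string carving over a full physical-memory image is slow in pure Python and is only meant to show why a raw dd image needs a different analysis path than a crashdump.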

3 comments:

Anonymous said...

In order to mount a memory dump, you need windbg or kd.

The debugging tools for Windows can be found here: http://www.microsoft.com/whdc/devtools/debugging/default.mspx

Spend lots of time reading the help file!

H. Carvey said...

Well, it really depends on what you mean by "mount a memory dump". If you mean to analyze a crashdump generated by the operating system, you're right. However, as I've been finding (and trying to point out), using dd.exe to create an image of memory isn't compatible with the Windows crashdump facility and tools.

Anonymous said...

If you can write a paper (or a book) about how to go from a dd image to something sensible, you'll make a mint...