Igor.Korkin edited 3.2.1. Basics.tex  over 9 years ago

Commit id: 407552fdd2b3563afec80380da58e52ecd18de39


3.2.1. Basics \subsubsection{3.2.1. Basics}  It is suggested to launch one of the common processes or choose an already running one to analyze kernel mode memory. One of the possible scenarios may be the following: run notepad.exe, attach to it and dump memory, detach from it and terminate. When low level protected analogues of functions ZwCreateProcess and KeAttachProcess were developed, they were based on [70, 71, 72].   As a result of memory dumping two files will be created: the first file with memory pages ‘dump.log’ and the second one ‘struct.log’ with information about page virtual addresses and their offsets in ‘dump.log’. Additional information about structures addresses, which are necessary for analysis, for example, EPROCESS list, KDBG, KPCR and etc. are saved into separate files. Examples of these files for analysis will be discussed later.   During dumping the content of each valid memory page is saved into ‘dump.log’ after buffering. Additional data is saved into ‘struct.log’, which includes virtual addresses of the pages beginning and end, offsets in ‘dump.log’ up to the beginning of the copied page. With the help of ‘struct.log’ and ‘dump.log’ it is possible to read page content, which corresponds to known virtual addresses and vice versa. Handling of these file is described in section 3.2.3.
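Review bot: the description of ‘struct.log’ in the third paragraph names the fields it holds (virtual start and end address of each page, offset of the page copy in ‘dump.log’) but not their layout: field order, field width, whether addresses are written as text or as binary integers, and the byte order if binary. Section 3.2.3 is said to describe handling of these files, so either the record layout should be stated here (a one-line record schema such as "start address, end address, offset, one record per page" would suffice) or this paragraph should explicitly defer the format to 3.2.3. Two smaller points in the same hunk: "Handling of these file is described in section 3.2.3." should read "these files", and "KPCR and etc." should be "KPCR, etc."; the sentence "When low level protected analogues of functions ZwCreateProcess and KeAttachProcess were developed, they were based on [70, 71, 72]." would also read more clearly as "The low-level protected analogues of ZwCreateProcess and KeAttachProcess were developed on the basis of [70, 71, 72]."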