Igor.Korkin deleted file 3.2.3. The Acquired Data Processing.tex  over 9 years ago

Commit id: 57eb72bd96ca8e18e39107b503dec8c5fc5baedd

\subsubsection{The Acquired Data Processing}

Once ‘dump.log’, ‘struct.log’ and the other output files have been received, they are processed either locally, on the current PC, or remotely, after the files have been transferred to a remote host.

The main task of dump analysis is gaining access to the dump data that corresponds to a required virtual address. In existing products this operation is hampered by the lack of paging information: it is not known which virtual addresses correspond to which physical addresses. To establish the correspondence between virtual addresses in the original memory and offsets in the memory dump file, two additional files are needed at the same time: ‘dump.log’ and ‘struct.log’.

We will use the abbreviations ‘VAOM’, ‘ODUF’ and ‘VALF’. ‘VAOM’ is a virtual address in the original memory; its values are used in the subsequent search for the structures that contain the required virtual address. ‘ODUF’ is the corresponding offset in the dump file. ‘VALF’ is the virtual address of the same data after the memory dump file has been loaded into the memory of the analysing process. File ‘struct.log’ contains the virtual memory ranges of the original memory (‘VAOM’) together with the corresponding dump file offsets (‘ODUF’). During dump analysis it is often necessary to use ‘dump.log’ and ‘struct.log’ together and to convert ‘ODUF’, ‘VALF’ and ‘VAOM’ into each other.

Let us look at this process. In the formulas below, entry $i$ of ‘struct.log’ describes one dumped range: $\mathit{FinishAddr}[i]$ is the virtual address of that range in the original memory from which the offset inside the dump is counted, and $\mathit{DumpOffset}[i]$ is the offset in ‘dump.log’ at which the data of the range begins. The entries are assumed to be ordered by increasing $\mathit{DumpOffset}$.

\begin{enumerate}
\item ‘VAOM’ $\rightarrow$ ‘ODUF’.
A lookup in the ‘struct.log’ file finds the entry $i$ whose virtual memory range contains the target value of ‘VAOM’. ‘ODUF’ is then defined as
\[
\mathit{ODUF} = \mathit{DumpOffset}[i] + (\mathit{VAOM} - \mathit{FinishAddr}[i]).
\]
If no entry contains the target ‘VAOM’, the address was not dumped and has no ‘ODUF’.

\item ‘ODUF’ $\rightarrow$ ‘VAOM’.
A lookup in the ‘struct.log’ file finds the entry $i$ such that $\mathit{DumpOffset}[i] \le \mathit{ODUF} < \mathit{DumpOffset}[i+1]$, where $\mathit{DumpOffset}[i+1]$ is the offset of the following $(i+1)$-th entry. ‘VAOM’ is then defined as
\[
\mathit{VAOM} = \mathit{FinishAddr}[i] + (\mathit{ODUF} - \mathit{DumpOffset}[i]),
\]
which is the inverse of the previous conversion.

\item ‘ODUF’ $\leftrightarrow$ ‘VALF’ and ‘VAOM’ $\leftrightarrow$ ‘VALF’.
The values of ‘ODUF’ and ‘VALF’ differ by the starting address at which the dump file is loaded, $\mathit{LoadAddr}$:
\[
\mathit{VALF} = \mathit{ODUF} + \mathit{LoadAddr}, \qquad \mathit{ODUF} = \mathit{VALF} - \mathit{LoadAddr}.
\]
Combining this equation with the two previous conversions makes it possible to convert ‘VAOM’ $\leftrightarrow$ ‘VALF’.
\end{enumerate}

These operations facilitate the in-depth analysis of the dump. Examples will be given below.
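The three conversions above, implemented as an added example in Python; this code is not part of the original work or of its dumping tool. It assumes that ‘struct.log’ has already been parsed into records with three fields: the virtual address from which the range's dump offset is counted (the text's $\mathit{FinishAddr}[i]$), the number of bytes of the range stored in ‘dump.log’, and $\mathit{DumpOffset}[i]$. The field names, the sample range table and the load address are constructed for the example and are not the real file format.

```python
"""Convert between VAOM, ODUF and VALF using a struct.log-like range table.

Added example: the record layout (base_addr, size, dump_offset), the sample
table and the load address are assumptions for illustration only.
"""
from bisect import bisect_right
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DumpRange:
    base_addr: int    # VAOM of the first byte of the range (FinishAddr[i] in the text)
    size: int         # bytes of this range stored in dump.log (assumed field)
    dump_offset: int  # DumpOffset[i]: offset in dump.log where the range begins

    @property
    def end_addr(self) -> int:
        return self.base_addr + self.size

    @property
    def end_offset(self) -> int:
        return self.dump_offset + self.size


class StructLog:
    """Range table answering the VAOM <-> ODUF <-> VALF queries of the text."""

    def __init__(self, ranges: List[DumpRange]) -> None:
        # The ODUF -> VAOM lookup needs DumpOffset[i] <= ODUF < DumpOffset[i+1],
        # so the entries are sorted by dump offset and checked for overlap.
        self.ranges = sorted(ranges, key=lambda r: r.dump_offset)
        for prev, cur in zip(self.ranges, self.ranges[1:]):
            if prev.end_offset > cur.dump_offset:
                raise ValueError("overlapping dump offsets in struct.log")
        self._offsets = [r.dump_offset for r in self.ranges]

    def vaom_to_oduf(self, vaom: int) -> Optional[int]:
        """ODUF = DumpOffset[i] + (VAOM - FinishAddr[i]); None if VAOM was not dumped."""
        for r in self.ranges:
            if r.base_addr <= vaom < r.end_addr:
                return r.dump_offset + (vaom - r.base_addr)
        return None

    def oduf_to_vaom(self, oduf: int) -> Optional[int]:
        """VAOM = FinishAddr[i] + (ODUF - DumpOffset[i]); None if ODUF is in no range."""
        i = bisect_right(self._offsets, oduf) - 1
        if i < 0:
            return None
        r = self.ranges[i]
        # The last entry has no DumpOffset[i+1]; its size bounds it instead.
        if oduf >= r.end_offset:
            return None
        return r.base_addr + (oduf - r.dump_offset)

    @staticmethod
    def oduf_to_valf(oduf: int, load_addr: int) -> int:
        """VALF = ODUF + LoadAddr."""
        return oduf + load_addr

    @staticmethod
    def valf_to_oduf(valf: int, load_addr: int) -> int:
        """ODUF = VALF - LoadAddr."""
        return valf - load_addr

    def vaom_to_valf(self, vaom: int, load_addr: int) -> Optional[int]:
        oduf = self.vaom_to_oduf(vaom)
        return None if oduf is None else self.oduf_to_valf(oduf, load_addr)

    def valf_to_vaom(self, valf: int, load_addr: int) -> Optional[int]:
        return self.oduf_to_vaom(self.valf_to_oduf(valf, load_addr))


# Constructed sample table (deliberately unsorted): three dumped ranges;
# the virtual range 0x80401000-0x80401FFF was not dumped at all.
SAMPLE_STRUCT_LOG = StructLog([
    DumpRange(base_addr=0xFFDF0000, size=0x1000, dump_offset=0x3000),
    DumpRange(base_addr=0x80400000, size=0x1000, dump_offset=0x0000),
    DumpRange(base_addr=0x80402000, size=0x2000, dump_offset=0x1000),
])
SAMPLE_LOAD_ADDR = 0x10000000  # constructed address at which dump.log is loaded


def round_trip(vaom: int, table: StructLog = SAMPLE_STRUCT_LOG,
               load_addr: int = SAMPLE_LOAD_ADDR) -> bool:
    """True if VAOM -> ODUF -> VALF -> ODUF -> VAOM returns to the start."""
    valf = table.vaom_to_valf(vaom, load_addr)
    return valf is not None and table.valf_to_vaom(valf, load_addr) == vaom


if __name__ == "__main__":
    for va in (0x80402010, 0x80401000, 0xFFDF0FFF):
        print(hex(va), "->", SAMPLE_STRUCT_LOG.vaom_to_oduf(va), round_trip(va))
```

The `None` results are the practical point: a required virtual address that falls into no ‘struct.log’ range was never dumped, and an ‘ODUF’ beyond the last entry's data is not covered by the $\mathit{DumpOffset}[i] \le \mathit{ODUF} < \mathit{DumpOffset}[i+1]$ test alone, which is why the last range also needs its length.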