Igor.Korkin edited 2.1. Virtual memory dump approaches.tex
over 9 years ago
Commit id: 9afc975d8b94f174f6c8d3efcdd2b1fe8c0080a0
diff --git a/2.1. Virtual memory dump approaches.tex b/2.1. Virtual memory dump approaches.tex
index 9b32932..951c097 100644
--- a/2.1. Virtual memory dump approaches.tex
+++ b/2.1. Virtual memory dump approaches.tex
...
\subsection{2.1. Virtual \subsection{Virtual memory dump approaches}
There are tools that can get a memory dump of the specified process, such as userdump.exe by Microsoft [5], pd.exe by T.Klein [6], pmdump.exe by A.Vidstrom [7], etc., which use OpenProcess and ReadProcessMemory functions or their low-level analogues like KeStackAttachProcess, ZwReadProcessMemory [8]. The review of these tools is outlined in the following papers [9], [10]. The first drawback of these approaches is their vulnerability to malware manipulation which can hinder expected behavior of these functions, for example by hooking them. The second drawback is that a corresponding dump file does not contain enough information for in-depth memory analysis. Some workarounds to solve these problems are presented further in this article.
\subsection{2.2. Physical \subsection{Physical memory dump approaches}
\subsubsection{2.2.1. Kernel \subsubsection{Kernel Mode Code}
Physical memory dump can be obtained on different levels of execution. There are three popular ways to obtain the dump in kernel mode: ZwOpenSection with ZwMapViewOfSection, MmMapIoSpace and MmMapMemoryDumpMdl.
Based on recently published papers and author’s own reverse engineering research the internal mechanisms of some common commercial and free memory dump tools have been studied (see Table 1 for the listing of examined tools)
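Review bot: In the first paragraph of the "Virtual memory dump approaches" subsection, the name "ZwReadProcessMemory" given as the low-level analogue of ReadProcessMemory does not exist in Windows; the native counterpart is NtReadVirtualMemory (called as ZwReadVirtualMemory from kernel mode), so the name should be corrected rather than left to the reader to resolve through [8]. Dropping the hard-coded "2.1.", "2.2." and "2.2.1." prefixes from the \subsection and \subsubsection titles is the right change, since LaTeX numbers sectioning commands itself and the literal prefixes would otherwise render twice. Two small style points in the "Kernel Mode Code" paragraph: "Physical memory dump can be obtained" wants an article ("A physical memory dump can be obtained"), and the closing sentence that points to Table 1 is missing its full stop.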