Igor.Korkin edited 2.1. Virtual memory dump approaches.tex  over 9 years ago

Commit id: 9afc975d8b94f174f6c8d3efcdd2b1fe8c0080a0

\subsection{2.1. Virtual \subsection{Virtual  memory dump approaches} There are tools that can get a memory dump of the specified process, such as userdump.exe by Microsoft [5], pd.exe by T.Klein [6], pmdump.exe by A.Vidstrom [7], etc., which use OpenProcess and ReadProcessMemory functions or their low-level analogues like KeStackAttachProcess, ZwReadProcessMemory [8]. The review of these tools is outlined in the following papers [9], [10]. The first drawback of these approaches is their vulnerability to malware manipulation which can hinder expected behavior of these functions, for example by hooking them. The second drawback is that a corresponding dump file does not contain enough information for in-depth memory analysis. Some workarounds to solve these problems are presented further in this article.  \subsection{2.2. Physical \subsection{Physical  memory dump approaches} \subsubsection{2.2.1. Kernel \subsubsection{Kernel  Mode Code} Physical memory dump can be obtained on different levels of execution. There are three popular ways to obtain the dump in kernel mode: ZwOpenSection with ZwMapViewOfSection, MmMapIoSpace and MmMapMemoryDumpMdl.   Based on recently published papers and author’s own reverse engineering research the internal mechanisms of some common commercial and free memory dump tools have been studied (see Table 1 for the listing of examined tools)
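Review bot: removing the hard-coded "2.1.", "2.2." and "2.2.1." prefixes from the \subsection and \subsubsection titles is correct, since LaTeX numbers these headings itself and the old titles would have rendered with the number twice, but the hunk only renames headings, so check that any \label/\ref pairs or cross-references to the old numbering elsewhere in the article still resolve. Two points in the surrounding prose should be fixed in the same commit. First, "ZwReadProcessMemory" is not a Windows native API name; the system call behind ReadProcessMemory is NtReadVirtualMemory (ZwReadVirtualMemory from kernel mode), so verify the name against [8]. Second, the hooking caveat stated for OpenProcess/ReadProcessMemory applies equally to the kernel-mode paths listed in 2.2.1 (ZwOpenSection with ZwMapViewOfSection, MmMapIoSpace, MmMapMemoryDumpMdl): a kernel-mode rootkit can intercept or alter these calls as well, so the text should either say so or explain why these paths are considered more robust. Minor wording: "author's own reverse engineering research" should be "the authors' own" if the paper has more than one author, "Physical memory dump can be obtained" reads better as "A physical memory dump can be obtained", "The review of these tools is outlined" as "A review of these tools is given", and the final sentence ending in "(see Table 1 for the listing of examined tools)" is missing its full stop.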