Igor.Korkin edited 3.2.2. Memory Dump Approach1.tex  over 9 years ago

Commit id: cc107247c15979e64ad07ef0e61b7be7deee69bf

deletions | additions      

       

\end{enumerate}  Saving of each page is performed with buffering instead of getting copied directly into the file as it is done in a number of other tools. When the buffer is full, its content is being archived and encrypted and after that the results are saved into the ‘dump.log’. Buffering helps to prevent these pages from modifying and increases the overall program performance [23].  Main features of the memory dump approach:  \begin{itemize}  \item • The walk through the pages tables has to be done from high addresses up to low ones to exclude loading of empty pages. While walking from the first to the last entry CPU loads a lot of empty pages. Walking has to be started from the last entry to avoid this.  \item • The walk has to be implemented at PASSIVE_LEVEL IRQL, because only at this level accessing a page which is swapped to HDD means that its content is automatically loaded into memory.  \item • When we access a memory page related to device direct memory access (DMA) buffer system crash occurs in Windows Vista, 7 and 8. These critical exceptions cannot be caught by try and except. To prevent the crash these memory pages have to be ignored, see the details below.  \end{itemize}  Technique of ignoring memory pages of DMA devices  According to specification for PCIe (PCI) devices (for example modern network devices, video cards and others) they are able to directly access RAM. While we walk through virtual addresses OS functions allow getting physical addresses ranges of devices. To deal with this it is necessary to use Page Frame Number (PFN), which is a part of Page Table or Page Directory entries. The corresponding physical address is defined in the following way: PFN*0x1000. On the other hand virtual memory page address is determined with the help of indexes in Page Table and Page Directory.   To check whether this virtual memory page corresponds to the pages of DMA devices, the following steps have to be performed:  \begin{enumerate}  \item 1. 
With the help of library functions exported from Setupapi.lib and Cfgmgr32.lib get the ranges of physical addresses which correspond to PCI devices (‘prohibited list’).  \item 2. While walking through Page Table and Page Directory check each entry whether corresponding physical address belongs to ‘prohibited list’. Once it does, skip this entry and check another one according to the algorithm.   \item 3. If it does not, save the corresponding page according to the algorithm.   \end{enumerate}  This technique has been successfully tested on several computers with different hardware and equipment. Access to the following PCI devices buffers (see Table 3) caused a system crash as described above.
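Review bot: `PASSIVE_LEVEL` in the second itemize entry is an unescaped underscore in text mode and will stop pdflatex with "Missing $ inserted"; write `PASSIVE\_LEVEL` (or wrap it in `\texttt{}`). The list entries also carry a literal marker after `\item` (`\item • The walk ...`, `\item 1. With the help ...`), so itemize and enumerate will render double bullets and double numbers; drop the literal "•", "1.", "2.", "3." and let the environments supply them. The line "Technique of ignoring memory pages of DMA devices" has no sectioning command and will typeset as a stray sentence inside the paragraph; `\paragraph{Technique of ignoring memory pages of DMA devices}` fits the surrounding subsubsection structure. The curly quotes around ‘dump.log’ and ‘prohibited list’ are Unicode characters that need `\usepackage[utf8]{inputenc}` (or should be written as `` `dump.log' ``). On the algorithm itself: step 2 compares "the corresponding physical address" (PFN*0x1000) against the prohibited list, but a Page Directory entry with the large-page bit set maps a 2 MB region (4 MB on non-PAE x86), so checking only the start address can miss a device range that begins inside that region; compare the whole interval [PFN*0x1000, PFN*0x1000 + page size) against each prohibited range, and note that PFN*0x1000 assumes 4 KB pages. Finally, "cannot be caught by try and except" should name the construct meant (kernel structured exception handling, `__try`/`__except`) so the reader knows which mechanism fails for these bugchecks.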