Igor.Korkin deleted file 2.1. Virtual memory dump approaches.tex  over 9 years ago

Commit id: d08dcc2d67be32d80b736d458a61e1e5202b8032


\subsection{Virtual memory dump approaches}  There are tools that can get a memory dump of the specified process, such as userdump.exe by Microsoft [5], pd.exe by T.Klein [6], pmdump.exe by A.Vidstrom [7], etc., which use OpenProcess and ReadProcessMemory functions or their low-level analogues like KeStackAttachProcess, ZwReadProcessMemory [8]. The review of these tools is outlined in the following papers [9], [10]. The first drawback of these approaches is their vulnerability to malware manipulation which can hinder expected behavior of these functions, for example by hooking them. The second drawback is that a corresponding dump file does not contain enough information for in-depth memory analysis. Some workarounds to solve these problems are presented further in this article.  \subsection{Physical memory dump approaches}  \subsubsection{Kernel Mode Code}  Physical memory dump can be obtained on different levels of execution. There are three popular ways to obtain the dump in kernel mode: ZwOpenSection with ZwMapViewOfSection, MmMapIoSpace and MmMapMemoryDumpMdl.   Based on recently published papers and author’s own reverse engineering research the internal mechanisms of some common commercial and free memory dump tools have been studied (see Table 1 for the listing of examined tools)
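Review bot: the commit message says only that the file was deleted, but the removed text is the sole place on this page that introduces the "Virtual memory dump approaches" and "Physical memory dump approaches" subsections, citations [5] through [10], and the forward reference to Table 1; state in the commit message whether this material was moved to another .tex file or dropped, since any remaining \ref to Table 1 or \cite of [5]–[10] in the rest of the document would otherwise dangle. The deleted text also stops after "(see Table 1 for the listing of examined tools)" with no terminating period, so confirm the end of the "Kernel Mode Code" subsubsection survives wherever the content now lives.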