Dom,

> You can write a simple C program that opens the file \\.\PhysicalMemory
> and uses the C runtime read() call to read the contents...

This statement is not correct. On *nix platforms there is a file object named "/dev/kmem" that may be opened to read a logical view of physical memory. The Win32 dd port available at http://users.erols.com/gmgarner/forensics uses the file object idiom (\\.\PhysicalMemory) in the *presentation* layer because that is what dd users are likely to expect. Physical memory is not accessible via a file object on Windows platforms, however. The kernel-mode object /Device/PhysicalMemory is a section object, not a file object. Section objects may be *mapped* into a process's virtual address space, not read like a file.

This distinction is important because the method has certain known risks and limitations that should be understood before attempting to dump physical memory using my dd port or other tools that dump "physical memory" from a user-mode process using the memory or section mapping APIs. In particular, you should familiarize yourself with the risks associated with processor TLB corruption on the x86 platform.

Regards,

George.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Nov 12 2002 - 11:52:24 PST