You are right... I was thinking of the work we just did to read raw physical *drives*, which do have a file object mapping. Indeed the physical memory device needs to be memory mapped and is subject to the conditions you mention. My bad.

Dom

----- Original Message -----
From: "George M. Garner Jr." <gmgarnerat_private>
To: <forensicsat_private>
Sent: Tuesday, November 12, 2002 11:11 AM
Subject: RE: Dumping RAM contents on Win NT / 2000

> Dom,
>
> >>You can write a simple C program that opens the file \\.\PhysicalMemory
> >>and uses the C runtime read() call to read the contents...<<
>
> This statement is not correct. On *nix platforms there is a file object
> named "/dev/kmem" that may be opened to read a logical view of physical
> memory. The Win32 dd port available at
> http://users.erols.com/gmgarner/forensics uses the file object idiom
> (\\.\PhysicalMemory) in the *presentation* layer because that is what dd
> users are likely to expect. Physical memory is not accessible via a
> file object on Windows platforms, however. The kernel-mode object
> /Device/PhysicalMemory is a section object, not a file object. Section
> objects may be *mapped* into a process's virtual address space, not read
> like a file.
>
> This distinction is important because the method has certain known risks
> and limitations that should be understood before attempting to dump
> physical memory using my dd port or other tools that dump "physical
> memory" from a user mode process using the memory or section mapping
> APIs. In particular, you should familiarize yourself with the risks
> associated with processor TLB corruption on the x86 platform.
>
> Regards,
>
> George.
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> -----------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Nov 12 2002 - 13:23:55 PST