
RE: Dumping RAM contents on Win NT / 2000

From: George M. Garner Jr. <gmgarner(at)erols.com>
Date: Tue Nov 12 2002 - 14:11:24 EST


Dom,

>>You can write a simple C program that opens the file \\.\PhysicalMemory
>>and uses the C runtime read() call to read the contents...<<

This statement is not correct. On *nix platforms there is a file object named "/dev/kmem" that may be opened to read a logical view of physical memory. The Win32 dd port available at http://users.erols.com/gmgarner/forensics uses the file object idiom (\\.\PhysicalMemory) in the *presentation* layer because that is what dd users are likely to expect. Physical memory is not accessible via a file object on Windows platforms, however. The kernel-mode object /Device/PhysicalMemory is a section object, not a file object. Section objects may be *mapped* into a process's virtual address space, not read like a file.

This distinction is important because the method has certain known risks and limitations that should be understood before attempting to dump physical memory using my dd port or other tools that dump "physical memory" from a user-mode process using the memory or section mapping APIs. In particular, you should familiarize yourself with the risks associated with processor TLB corruption on the x86 platform.

Regards,

George.



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Nov 12 14:52:20 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:41 EDT

