Re: Memory, Elephantine

[AAron Walters <awalters () 4tphi net>]

jnf,

It sounds like you have some experience working on this problem that may 
be valuable to the project. When we started the project, we also realized 
that there were a number of things that were "problematic" and we had to 
develop creative ways for solving them, especially when we started going 
through our corpus of images. This is the reason that we decided to build 
an extensible, scriptable framework that provided tools to facilitate 
this. If you have examples of techniques that were problematic in your
experience that you would like to discuss off list, we would be extremely
interested. We should probably start a mailing list for those interested 
in the problem before Dave gets annoyed.

As for the second part of your question regarding problems with the memory
access mechanism, we have not experienced the problem you mentioned.  dd 
is just one mechanism that can be used, but there are others. The current 
focus on our project has not been the access mechanism but the analysis 
once it has been obtained.

AW

On Sat, 4 Mar 2006, jnf wrote:

> I'm curious how this works exactly as I have written a similar but
> probably not as pretty tool, I haven't extended it to read a memory dump
> for anything but a windows box. That said, I focused only on the process
> list (and yes i know it will miss dkom).
>
> I noticed that it was problematic getting most things beyond rudimentary
> informationm, which the PEB being what it is caused some problems as a
> result (i dont track things down in swap).
>
> I also found that as of 2003, a dd of the physical memory object caused
> the pointers in the linked list to get zero'd out, so even though I was
> able to find the correct address of the linked list, I wasn't able to walk
> it.
>
> How has your tool dealt with these and similar issues?
>
> --
>
> There are only two choices in life. You either conform the truth to your desire,
> or you conform your desire to the truth. Which choice are you making?