Imaging physical memory
I got a message from a buddy of mine last night asking me about imaging physical memory (RAM) on Windows systems. The "how" of this is pretty simple...just jump on over to George Garner's site and grab a copy of dd.exe. The command you use to image RAM is even listed on George's site.
Okay, so you have a copy of RAM...what next? This is the kicker, IMHO. Say you have 512MB of RAM...you'll get an image file around that size. So what do you do with it? Well, you could run strings on it, but what would that give you? How would you associate information you find with tools such as strings, with specific processes? Consider that the memory used by processes is fragmented across both RAM and the swap file...so imaging RAM is only going to give you a partial view of what's going on on the system.
In the absence of adequate tools to parse an image of RAM, another approach is to use tools such as pmdump.exe to dump the contents of process memory, both RAM and swap file. At least in this manner, you can associate anything you find with a specific process, even though more comprehensive tools for parsing this information don't seem to be available.
Thoughts?
Okay, so you have a copy of RAM...what next? This is the kicker, IMHO. Say you have 512MB of RAM...you'll get an image file around that size. So what do you do with it? Well, you could run strings on it, but what would that give you? How would you associate information you find with tools such as strings, with specific processes? Consider that the memory used by processes is fragmented across both RAM and the swap file...so imaging RAM is only going to give you a partial view of what's going on on the system.
In the absence of adequate tools to parse an image of RAM, another approach is to use tools such as pmdump.exe to dump the contents of process memory, both RAM and swap file. At least in this manner, you can associate anything you find with a specific process, even though more comprehensive tools for parsing this information don't seem to be available.
Thoughts?