Forensics
Memory dumping with NtSystemDebugControl - caching issues Feb 04 2007 01:21PM
Arne Vidstrom (arne vidstrom ntsecurity nu)
Hi all,

Back in June 2006 I wrote about caching issues when PhysicalMemory is
used for memory dumping
<http://ntsecurity.nu/onmymind/2006/2006-06-01.html>. PhysicalMemory is
not the only option for memory dumping from User Mode though. There is a
system call named NtSystemDebugControl which has a few well known
control codes as well as a few less well known ones. One of the less
well known control codes is number 10, which is used to copy contents
from the physical memory. I believe this technique was first implemented
in a dumping tool called kntlist coded by George M. Garner Jr. some
years ago. Here I will once again investigate possible caching issues,
but this time for NtSystemDebugControl control code 10.

Full text:

http://ntsecurity.nu/onmymind/2007/2007-02-04.html

Regards /Arne Vidstrom

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus