Tool to decode page tables and descriptor tables from RAM snapshot

I need a practical way to parse a snapshot of the RAM + registers and easily visualize (not necessarily graphically) the x86 architectural structures. This will include page tables, interrupt descriptor tables, global descriptor tables, etc.

Please note that I am not interested in OS specific information (e.g. process list, etc.), I am only interested in architectural structures.

Obviously one can just calculate the layout for all these structures (and all versions) from the Intel documentation, but I'm wondering if there is any simple tool out there that decodes them.

+3




1 answer


There are several tools for memory forensics analysis listed in the forensicswiki at http://forensicswiki.org/wiki/Linux_Memory_Analysis (part of http://forensicswiki.org/wiki/Memory_analysis ; there is a Windows section too). Some of the tools are open and active:

The memory collector output is a memory image that contains the raw physical memory of the system. A wide variety of tools can be used to search for strings or other patterns in a memory image, but a memory analysis tool is required to retrieve state information at a higher level.

Linux memory analysis tools. Active open source projects:

  • The Volatility Framework is a set of tools, implemented in Python, for extracting digital artifacts from samples of volatile memory (RAM). See the LinuxMemoryForensics page on the Volatility wiki. (Availability / License: GNU GPL)
  • Rekall includes a Python-based analysis framework that forked from Volatility and has since added a number of features as well as its own acquisition tools. It can be used as a library and is used as such in the GRR project for remote live forensics.
  • The Red Hat Crash Utility is an extensible Linux kernel dump analysis program. Although it is designed as a debugging tool, it is also used for memory forensics. See, for example, the 2008 DFRWS report from AAron Walters. (Availability / License: GNU GPL)

(Some inactive projects are also listed, and there is a Bibliography.)

For example, Volatility is capable of using the kernel and process "DTB (directory database)" (Windows) and the Linux process page list ( https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference#process-memory ), and of analyzing the memory dump in other ways.



[Rekall] also has a GUI: http://www.rekall-forensic.com/pages/at_a_glance.html (pip install rekall-gui) and process search plugins: http://www.rekall-forensic.com/docs/Manual/tutorial.html

The crash tool from David Anderson @redhat is not as versatile as the previous two solutions, but it still knows how to parse Linux kernel dumps. This is documented in the command-line help and in the document http://people.redhat.com/anderson/crash_whitepaper/ "White Paper: Red Hat Crash Utility":

The Red Hat crash utility is loosely based on the SVR4 UNIX crash command, but has been greatly enhanced by a complete merge with the GNU gdb debugger. The marriage of the two effectively combines the kernel-specific nature of a traditional UNIX crash utility with the source-level debugging capabilities of gdb. The utility can be used to investigate: live Linux systems, kdump kernel core dumps, compressed kernel core dumps, ...

+2
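None of the tools above expose the raw architectural structures the question asks for without first loading an OS profile, so here is a minimal decoder written for this page (it is an added example, not code from the answer, the question or any of the projects named). It walks x86-64 4-level page tables from a given CR3 and decodes GDT segment descriptors and IDT gates from GDTR/IDTR, all directly from the physical image. It assumes the snapshot is a flat file (file offset equals physical address), that CR3, GDTR and IDTR were captured with the registers, and 4-level paging with IA-32e descriptor formats. The sample "snapshot" is constructed in `build_sample_image` and is not a real dump; the page-table layout, descriptor values and gate addresses in it are invented for illustration (the GDT entries mirror the usual Linux selector layout).

```python
"""Walk x86-64 page tables and decode GDT/IDT entries from a raw RAM image.

Added example, not from the original question or answer. Assumptions:
 - flat image: file offset == physical address (LiME, ELF core and crash
   dumps carry headers and run tables that must be mapped first)
 - CR3, GDTR and IDTR were captured together with the RAM
 - 4-level paging (no LA57) and IA-32e descriptor/gate formats
"""
import struct

PTE_P, PTE_RW, PTE_US, PTE_PS, PTE_NX = 1 << 0, 1 << 1, 1 << 2, 1 << 7, 1 << 63
PTE_ADDR = 0x000FFFFFFFFFF000          # physical-address field, bits 12..51


def read_u64(mem, paddr):
    return struct.unpack_from("<Q", mem, paddr)[0]


def walk_page_tables(mem, cr3, vaddr):
    """Translate vaddr via PML4->PDPT->PD->PT; None if any level is absent.
    R/W and U/S are ANDed over all levels and NX is ORed, as the CPU does."""
    table, writable, user, nx = cr3 & PTE_ADDR, True, True, False
    for level, shift in enumerate((39, 30, 21, 12)):
        entry = read_u64(mem, table + ((vaddr >> shift) & 0x1FF) * 8)
        if not entry & PTE_P:
            return None
        writable = writable and bool(entry & PTE_RW)
        user = user and bool(entry & PTE_US)
        nx = nx or bool(entry & PTE_NX)
        if level in (1, 2) and entry & PTE_PS:   # 1 GiB / 2 MiB large page
            break
        table = entry & PTE_ADDR
    page_mask = (1 << shift) - 1
    base = entry & PTE_ADDR & ~page_mask          # drop PAT bit / low address bits
    return base | (vaddr & page_mask), {"size": 1 << shift, "writable": writable,
                                        "user": user, "nx": nx}


def decode_descriptor(lo, hi=0):
    """Decode an 8-byte segment descriptor; hi carries base[63:32] for the
    16-byte system descriptors (TSS/LDT) used in IA-32e mode."""
    typ, s, dpl, p = (lo >> 40) & 0xF, (lo >> 44) & 1, (lo >> 45) & 3, (lo >> 47) & 1
    limit = (lo & 0xFFFF) | ((lo >> 32) & 0xF0000)
    if (lo >> 55) & 1:                            # G: limit counted in 4 KiB pages
        limit = (limit << 12) | 0xFFF
    base = ((lo >> 16) & 0xFFFFFF) | ((lo >> 32) & 0xFF000000)
    if not s:
        base |= (hi & 0xFFFFFFFF) << 32
    kind = ("code" if typ & 8 else "data") if s else \
        {2: "LDT", 9: "TSS", 11: "TSS(busy)"}.get(typ, "sys%x" % typ)
    return {"kind": kind, "base": base, "limit": limit, "dpl": dpl,
            "present": bool(p), "long": bool((lo >> 53) & 1), "type": typ}


def dump_gdt(mem, gdtr_base, gdtr_limit):
    """Yield (selector, descriptor); present system descriptors take 16 bytes."""
    off = 0
    while off + 8 <= gdtr_limit + 1:
        lo, hi, width = read_u64(mem, gdtr_base + off), 0, 8
        if lo == 0:                               # null descriptor / unused slot
            off += 8
            continue
        if not (lo >> 44) & 1 and (lo >> 47) & 1:  # S=0, P=1 -> system, 16 bytes
            hi, width = read_u64(mem, gdtr_base + off + 8), 16
        yield off, decode_descriptor(lo, hi)
        off += width


def decode_gate(lo, hi):
    typ = (lo >> 40) & 0xF
    return {"offset": (lo & 0xFFFF) | (((lo >> 48) & 0xFFFF) << 16) | ((hi & 0xFFFFFFFF) << 32),
            "selector": (lo >> 16) & 0xFFFF, "ist": (lo >> 32) & 7,
            "kind": {0xE: "interrupt", 0xF: "trap"}.get(typ, "type%x" % typ),
            "dpl": (lo >> 45) & 3, "present": bool((lo >> 47) & 1)}


def dump_idt(mem, idtr_base, idtr_limit):
    """Yield (vector, gate) for every present 16-byte IA-32e gate."""
    for vec in range((idtr_limit + 1) // 16):
        lo, hi = struct.unpack_from("<QQ", mem, idtr_base + vec * 16)
        if (lo >> 47) & 1:
            yield vec, decode_gate(lo, hi)


def build_sample_image():
    """Constructed 32 KiB 'snapshot' (not a real dump): page tables at
    0x1000..0x4000, a data page at 0x5000, GDT at 0x6000, IDT at 0x7000."""
    mem = bytearray(0x8000)
    put = lambda paddr, val: struct.pack_into("<Q", mem, paddr, val)
    pml4, pdpt, pd, pt = 0x1000, 0x2000, 0x3000, 0x4000
    put(pml4 + 0 * 8, pdpt | PTE_P | PTE_RW | PTE_US)            # user half
    put(pml4 + 256 * 8, pdpt | PTE_P | PTE_RW)                   # kernel half, no U/S
    put(pdpt, pd | PTE_P | PTE_RW | PTE_US)
    put(pd + 0 * 8, pt | PTE_P | PTE_RW | PTE_US)
    put(pd + 1 * 8, 0x400000 | PTE_P | PTE_RW | PTE_US | PTE_PS)  # 2 MiB page
    put(pt + 0 * 8, 0x5000 | PTE_P | PTE_US | PTE_NX)            # read-only, NX
    gdt = 0x6000  # null, kernel CS, kernel DS, user CS (Linux-style values), TSS
    for i, d in enumerate((0, 0x00AF9B000000FFFF, 0x00CF93000000FFFF, 0x00AFFB000000FFFF)):
        put(gdt + i * 8, d)
    tss = 0xFFFF88000100A000                                     # invented base
    put(gdt + 0x20, 0x67 | ((tss & 0xFFFFFF) << 16) | (0x89 << 40) | ((tss & 0xFF000000) << 32))
    put(gdt + 0x28, tss >> 32)
    idt = 0x7000
    def gate(vec, offset, dpl, typ=0xE):                         # selector 0x10, IST 0
        put(idt + vec * 16, (offset & 0xFFFF) | (0x10 << 16) | (typ << 40) | (dpl << 45)
            | (1 << 47) | (((offset >> 16) & 0xFFFF) << 48))
        put(idt + vec * 16 + 8, offset >> 32)
    gate(0, 0xFFFFFFFF81A00000, 0)      # #DE handler, ring 0 only
    gate(0x80, 0xFFFFFFFF81A01000, 3)   # legacy int 0x80, DPL 3 so ring 3 may invoke it
    return mem, pml4, (gdt, 0x2F), (idt, 0xFFF)


if __name__ == "__main__":
    mem, cr3, gdtr, idtr = build_sample_image()
    for va in (0xFFFF800000000123, 0x123, 0x2ABCDE, 0x2ABCD):
        print("VA %#018x -> %s" % (va, walk_page_tables(mem, cr3, va)))
    for sel, d in dump_gdt(mem, *gdtr):
        print("GDT selector %#06x: %s" % (sel, d))
    for vec, g in dump_idt(mem, *idtr):
        print("IDT vector %#04x: %s" % (vec, g))
```

On a real image, replace `build_sample_image` with `mem = open("ram.raw", "rb").read()` (or an `mmap`) and the CR3/GDTR/IDTR values from the register dump; the walker does not care whether CR3 is the kernel's or a process's directory. Two caveats worth checking before trusting the output: physical memory usually has holes (PCI space, reserved ranges), so a dump that is not a flat identity map needs its run table applied before `read_u64`, and a GDT slot whose descriptor is non-zero but not present is still reported, so look at `present` rather than assuming every yielded selector is usable.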

