Difference between pages "Memory Imaging" and "Executable"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(External Links)
 
 
Line 1: Line 1:
 
{{expand}}
 
{{expand}}
  
Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to [[Disk Imaging]].
+
An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.
  
For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O
+
There are multiple families of executable files:
 +
* Scripts; e.g. shell scripts, batch scripts (.bat)
 +
* DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
 +
  * EFI fat binary
 +
* ELF
 +
* Mach-O
  
The resulting copy is stored in a [[:Category:Forensics_File_Formats|Forensics image format]].
+
== External Links ==
Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.
+
* [http://en.wikipedia.org/wiki/Executable Wikipedia: Executable]
 +
* [ftp://ftp.cs.wisc.edu/paradyn/papers/Rosenblum10prov.pdf Extracting Compiler Provenance from Program Binaries], by Nathan E. Rosenblum, Barton P. Miller, Xiaojin Zhu, June 2010
  
== Methods ==
+
=== ELF ===
 +
* [http://robinhoksbergen.com/papers/howto_elf.html Manually Creating an ELF Executable], by Robin Hoksbergen
  
=== Reading from the Physical Memory Object ===
+
=== MZ, PE/COFF ===
In [[Windows]] the Physical Memory Object, \\Device\PhysicalMemory, can be used the access physical memory. Since Windows 2003 SP1 user-mode access to this device-object is no longer permitted [http://technet.microsoft.com/en-en/library/cc787565(v=ws.10).aspx]. A kernel-mode process is still allowed to read from this device-object.
+
* [http://en.wikipedia.org/wiki/Portable_Executable Wikipedia: Portable Executable]
 +
* [http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx Microsoft PE and COFF Specification]
 +
* [http://msdn.microsoft.com/en-us/magazine/ms809762.aspx Peering Inside the PE: A Tour of the Win32 Portable Executable File Format], by Matt Pietrek, March 1994
 +
* [http://www.microsoft.com/msj/0797/hood0797.aspx Under the Hood], by Matt Pietrek, July 1997
 +
* [http://msdn.microsoft.com/en-us/magazine/cc301805.aspx An In-Depth Look into the Win32 Portable Executable File Format], by Matt Pietrek, February 2002
 +
* [https://googledrive.com/host/0B3fBvzttpiiSd1dKQVU0WGVESlU/Executable%20(EXE)%20file%20format.pdf MZ, PE-COFF executable file format (EXE)], by the [[libexe|libexe project]], October 2011
 +
* [http://seclists.org/fulldisclosure/2013/Oct/157 The Internal of Reloc .text], Full Disclosure Mailing list, October 21, 2013
 +
* [http://ho.ax/posts/2012/02/carving-up-efi-fat-binaries/ Carving up EFI fat binaries], by snare, February 24, 2012
  
=== MmMapIoSpace ===
+
=== DBG, PDB ===
 +
* [http://en.wikipedia.org/wiki/Program_database Wikipedia: Program database]
 +
* [http://www.debuginfo.com/articles/debuginfomatch.html Matching Debug Information], by debuginfo.com
 +
* [http://support.microsoft.com/kb/121366 Description of the .PDB files and of the .DBG files], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/ff553493(v=vs.85).aspx Public and Private Symbols], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms679293(v=vs.85).aspx DbgHelp Structures], by [[Microsoft]]
 +
* [http://web.archive.org/web/20070915060650/http://www.x86.org/ftp/manuals/tools/sym.pdf Internet Archive: Microsoft Symbol and Type Information], by [[Microsoft]]
 +
* [http://pierrelib.pagesperso-orange.fr/exec_formats/MS_Symbol_Type_v1.0.pdf Microsoft Symbol and Type Information]
 +
* [https://code.google.com/p/pdbparse/wiki/StreamDescriptions Stream Descriptions], [https://code.google.com/p/pdbparse/ pdbparse project]
 +
* [http://sourceforge.net/p/mingw-w64/code/HEAD/tree/experimental/tools/libmsdebug/ libmsdebug], by the [[MinGW|MinGW project]]
 +
* [http://moyix.blogspot.com/2007/10/types-stream.html The Types Stream], by [[Brendan Dolan-Gavitt]], October 4, 2007
  
The MmMapIoSpace function (or routine) is kernel-mode function to map a physical address range to non-paged system space [http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx].
+
=== Minidump ===
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms680378(v=vs.85).aspx MSDN: MINIDUMP_HEADER structure]
 +
* [https://code.google.com/p/google-breakpad/source/browse/trunk/src/google_breakpad/common/minidump_format.h minidump_format.h], by [[Google]], 2006
 +
* [http://moyix.blogspot.com/2008/05/parsing-windows-minidumps.html Parsing Windows Minidumps], by [[Brendan Dolan-Gavitt]], May 7, 2008
 +
* [http://web.archive.org/web/20110814041817/http://www.stackhash.com/blog/post/Format-of-a-minidump-(mdmp)-file.aspx Format of a minidump (mdmp) file], Internet Archive: StackHash blog, May 16, 2011
  
== Also see ==
+
=== Mach-O ===
* [[Memory analysis]]
+
* [http://en.wikipedia.org/wiki/Mach-O Wikipedia: Mach-O]
* [[:Tools:Memory_Imaging|Memory Imaging Tools]]
+
  
== External Links ==
+
=== Packers ===
* [http://en.wikipedia.org/wiki/Memory-mapped_I/O Wikipedia article on Memory-mapped I/O]
+
* [http://www.woodmann.com/crackz/Packers.htm Packers & Unpackers]
* [http://www.dfrws.org/2013/proceedings/DFRWS2013-13.pdf Anti-forensic resilient memory acquisition], by [[Johannes Stuettgen]], [[Michael Cohen]], August 2013
+
 
* [http://takahiroharuyama.github.io/blog/2014/01/07/64bit-big-size-ram-acquisition-problem/ 64bit Big Sized RAM Image Acquisition Problem], by [[Takahiro haruyama]], January 7, 2014
+
== Tools ==
* [http://brimorlabs.blogspot.com/2014/01/all-memory-dumping-tools-are-not-same.html All memory dumping tools are not the same], by [[Brian Moran]], January 14, 2014
+
 
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html Robust Linux memory acquisition with minimal target impact], [[Johannes Stüttgena]] [[Michael Cohen]], May 2014
+
=== MZ, PE/COFF ===
 +
* [https://code.google.com/p/pefile/ pefile], multi-platform Python module to read and work with Portable Executable (aka PE) files
 +
 
 +
=== PDB ===
 +
* [https://code.google.com/p/pdbparse/ pdbparse], Open-source parser for Microsoft debug symbols (PDB files)
  
[[Category:Memory Analysis]]
+
=== Minidump ===
 +
* [http://support.microsoft.com/kb/315271 Dumpchk.exe], by [[Microsoft]]
 +
* [http://amnesia.gtisc.gatech.edu/~moyix/minidump.py minidump.py], by [[Brendan Dolan-Gavitt]]

Revision as of 03:53, 25 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.

There are multiple families of executable files:

  • Scripts; e.g. shell scripts, batch scripts (.bat)
  • DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
 * EFI fat binary
  • ELF
  • Mach-O

External Links

ELF

MZ, PE/COFF

DBG, PDB

Minidump

Mach-O

Packers

Tools

MZ, PE/COFF

  • pefile, multi-platform Python module to read and work with Portable Executable (aka PE) files

PDB

  • pdbparse, Open-source parser for Microsoft debug symbols (PDB files)

Minidump