Physical memory mirror image document analysis method of Linux system

A technology of physical memory and image files, applied in the fields of file systems, file/folder operations, electronic digital data processing, etc., which can solve problems such as complicated operation steps and the inability to handle

Active Publication Date: 2015-12-16
SHANDONG COMP SCI CENTNAT SUPERCOMP CENT IN JINAN

AI Technical Summary

Problems solved by technology

[0008] (3) The tools implementing the current analysis methods have relatively complicated operation steps. Taking the widely used Volatility Framework as an example, the following configuration needs to be done before use:
Given a physical memory image file of an unknown operating system version, the image cannot be processed.




Embodiment Construction

[0063] The present invention will be further described below in conjunction with the accompanying drawings and embodiments.

[0064] As shown in figure 1, the flow chart of the Linux system physical memory image file analysis method of the present invention, the method is realized through the following steps:

[0065] 1. Operating system version judgment and page directory address acquisition;

[0066] When the system is initialized, the crash_save_vmcoreinfo_init initialization function is called, which initializes the content of vmcoreinfo_data, i.e. the desc information of the PT_NOTE structure in the ELF file. The information format is as shown in figure 2, which provides part of the data content of vmcoreinfo_data in the memory image file of the present invention.

[0067] From figure 2 it can be seen that if vmcoreinfo_data can be obtained, the operating system version and the values of the kernel symbols _stext and swapper_pg_dir can be obtain...
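An added example (not code from the patent) showing how step 1 can be carried out on the note segment of an ELF memory image: it walks the PT_NOTE entries, finds the VMCOREINFO note and recovers the OS release and the _stext and swapper_pg_dir addresses from it. The "KEY=value" line format is the one the Linux kernel writes into that note; the release string, the addresses and the note bytes themselves are constructed for the example.

```python
import struct

# Constructed sample note body in the "KEY=value\n" line format the Linux kernel
# writes into the VMCOREINFO note (OSRELEASE=..., SYMBOL(name)=hex address).
# The release string and the addresses below are made up for this example.
SAMPLE_VMCOREINFO = (
    b"OSRELEASE=3.10.0-example\n"
    b"PAGESIZE=4096\n"
    b"SYMBOL(_stext)=ffffffff81000000\n"
    b"SYMBOL(swapper_pg_dir)=ffffffff81a0c000\n"
)

def build_note(name: bytes, ntype: int, desc: bytes) -> bytes:
    """Serialise one ELF note: Nhdr (namesz, descsz, type), then name and desc each padded to 4 bytes."""
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    return struct.pack("<III", len(name), len(desc), ntype) + pad(name) + pad(desc)

# Constructed PT_NOTE segment: an unrelated CORE note first, then VMCOREINFO, so the walker must skip one.
SAMPLE_NOTE_SEGMENT = (build_note(b"CORE\0", 1, b"\0" * 8)
                       + build_note(b"VMCOREINFO\0", 0, SAMPLE_VMCOREINFO))

def iter_notes(seg: bytes):
    """Walk a little-endian PT_NOTE segment, yielding (name, type, desc) per note."""
    off = 0
    while off + 12 <= len(seg):
        namesz, descsz, ntype = struct.unpack_from("<III", seg, off)
        off += 12
        name = seg[off:off + namesz].rstrip(b"\0")
        off += (namesz + 3) & ~3          # name is padded to a 4-byte boundary
        desc = seg[off:off + descsz]
        off += (descsz + 3) & ~3          # so is desc
        yield name, ntype, desc

def parse_vmcoreinfo(desc: bytes) -> dict:
    """Split the note body into key -> value; SYMBOL(...) values are hex virtual addresses."""
    info = {}
    for line in desc.decode("ascii", "replace").splitlines():
        key, sep, val = line.partition("=")
        if sep:
            info[key] = val
    return info

def kernel_facts(seg: bytes):
    """Return the OS release and the two symbols step 1 needs, or None if the note is absent."""
    for name, _ntype, desc in iter_notes(seg):
        if name == b"VMCOREINFO":
            info = parse_vmcoreinfo(desc)
            return {"osrelease": info.get("OSRELEASE"),
                    "pagesize": int(info.get("PAGESIZE", "0")),
                    "_stext": int(info["SYMBOL(_stext)"], 16),
                    "swapper_pg_dir": int(info["SYMBOL(swapper_pg_dir)"], 16)}
    return None
```

On a real image the segment bytes come from the program header of type PT_NOTE; the walker assumes a little-endian dump.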


Abstract

The invention discloses a physical memory mirror image document analysis method for a Linux system. The method comprises the following steps: a) judging the version of the operating system and obtaining the page directory address; b) carrying out address conversion; c) recovering the system kernel symbol table stored in a database; d) recovering system kernel symbols that are not stored in the database; e) obtaining system key information; and f) obtaining the module export symbol table. Step c) comprises: c-1) obtaining the number of kernel symbols; c-2) obtaining the types and names of the kernel symbols; and c-3) obtaining the virtual addresses of the kernel symbols. Step e) comprises: e-1) obtaining process information and document information; e-2) obtaining loaded module information; and e-3) obtaining network, CPU (Central Processing Unit), log and debugging information. The analysis method exhibits general applicability, overcomes the limitation that traditional methods must know the internal system version information and additional kernel symbol table documents, provides a general analysis method for the memory of a Linux system, and has outstanding beneficial effects.

Description

Technical field

[0001] The present invention relates to a Linux system physical memory image file analysis method, and more specifically to a Linux system physical memory image file analysis method that can restore the kernel variable symbol table from the physical memory image without knowing the version information of the operating system.

Background technique

[0002] In 2002, Kornblum of the U.S. Air Force Special Investigations Office published a report titled "Preservation of Fragile Digital Evidence by First Responders" at DFRWS (Digital Forensic Research Workshop), in which he proposed the need to investigate volatile memory information to obtain comprehensive and accurate evidence of cyber attacks and cyber crimes. In order to promote the development of physical memory analysis technology, DFRWS launched a memory forensic analysis challenge for Windows systems in 2005, aiming to extract hidden processes and their stealth method; DFRWS launched a m...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F17/30
CPC: G06F16/16
Inventors: 张淑慧, 王连海, 徐丽娟, 杨淑棉, 刘广起
Owner: SHANDONG COMP SCI CENTNAT SUPERCOMP CENT IN JINAN