Linux provides two virtual devices for this purpose, '/dev/mem' and '/dev/kmem', though many distributions disable them by default for security reasons. '/dev/mem' is linked to the physical system memory, whereas '/dev/kmem' maps to the entire virtual memory space, including any swap. Both devices work as regular files, and can be used with dd or any other file manipulation tool.

  1. dd
     On Unix systems, the program dd can be used to capture the contents of physical memory using a device file (e.g. /dev/mem and /dev/kmem). In recent Linux kernels, /dev/kmem is no longer available. In even more recent kernels, /dev/mem has additional restrictions. And in the most recent, /dev/mem is no longer available by default, either. Throughout the 2.6 kernel series the trend has been to reduce direct access to memory via pseudo-device files. See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/. On Red Hat systems (and derived distros such as CentOS), the crash driver can be loaded to create a pseudo-device for memory access ("modprobe crash").


    1. Second Look
       This commercial memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA or over the network. It comes with pre-compiled Physical Memory Access Driver (PMAD) modules for hundreds of kernels from the most commonly used Linux distributions.
    2. Idetect (Linux)
    3. fmem (Linux)
       fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. This device (physical RAM) can be copied using dd or another tool. Works on 2.6 Linux kernels. Released under the GNU GPL. Download URL: http://hysteria.cz/niekt0/
    4. Goldfish
       Goldfish is a Mac OS X live forensic tool for use only by law enforcement. Its main purpose is to provide an easy-to-use interface to dump the system RAM of a target machine via a FireWire connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that may be available. Law enforcement may contact goldfish.ae for download information.
    5. GDB
       There is also GDB, commonly available on most Linuxes. And you are always advised to avoid writing over unknown memory -- it can lead to system corruption.
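The acquisition workflow described above (pick whichever memory pseudo-device the kernel exposes, check whether /dev/mem is restricted, copy it with dd, record a hash of the image) as an added shell example; it is not code from the Forensics Wiki page or from any of the tools listed. The device names (/dev/fmem, /dev/crash, /dev/mem) are the ones the text names; the script name, the 1 MiB block size and the kernel-config lookup paths are assumptions. The block count is passed explicitly because fmem's device does not report an end, so dd must be told how much to read.

```shell
#!/bin/sh
# Added example, not part of the original page. Images physical memory through
# whichever pseudo-device exists and hashes the result for the acquisition record.

# select_memory_device DEV...: print the first candidate that exists, fail if none.
# Order the candidates from least to most restricted (fmem, crash driver, /dev/mem).
select_memory_device() {
    for dev in "$@"; do
        if [ -e "$dev" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# strict_devmem_status: report whether the running kernel was built with
# CONFIG_STRICT_DEVMEM, the option behind the "additional restrictions" on
# /dev/mem (it limits the device to non-RAM ranges). Config paths are assumptions.
strict_devmem_status() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        grep -E '^CONFIG_STRICT_DEVMEM=' "$cfg" || echo "CONFIG_STRICT_DEVMEM unset"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -E '^CONFIG_STRICT_DEVMEM=' || echo "CONFIG_STRICT_DEVMEM unset"
    else
        echo "kernel config not readable"
    fi
}

# image_memory DEVICE OUTPUT BLOCKS: copy BLOCKS 1 MiB blocks from DEVICE to OUTPUT.
# conv=noerror,sync keeps going past unreadable pages and zero-fills them so the
# image keeps its physical offsets; the SHA-256 of the image is printed on stdout.
image_memory() {
    dev="$1"; out="$2"; blocks="$3"
    dd if="$dev" of="$out" bs=1M count="$blocks" conv=noerror,sync 2>/dev/null || return 1
    sha256sum "$out" | cut -d' ' -f1
}

# Usage (as root, on a host that exposes one of the devices):
#   sh acquire.sh run /mnt/evidence/mem.img 4096    # 4096 x 1 MiB = 4 GiB
if [ "${1:-}" = "run" ]; then
    dev=$(select_memory_device /dev/fmem /dev/crash /dev/mem) || { echo "no memory device" >&2; exit 1; }
    echo "device: $dev" >&2
    strict_devmem_status >&2
    image_memory "$dev" "$2" "$3"
fi
```

Write the image to a filesystem other than the one under investigation and keep the printed hash with the case notes; if /dev/mem is the only device left and CONFIG_STRICT_DEVMEM=y is reported, dd will return short or zero-filled RAM ranges and a loadable driver such as fmem or the crash driver is the route the page points to.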
