Linux provides two virtual devices for this purpose, '/dev/mem' and '/dev/kmem', though many distributions disable them by default for security reasons. '/dev/mem' is linked to the physical system memory, whereas '/dev/kmem' maps to the entire virtual memory space, including any swap. Both devices work as regular files, and can be used with dd or any other file manipulation too

  1. dd On Unix systems, the program dd can be used to capture the contents of physical memory using a device file (e.g. /dev/mem and /dev/kmem). In recent Linux kernels, /dev/kmem is no longer available. In even more recent kernels, /dev/mem has additional restrictions. And in the most recent, /dev/mem is no longer available by default, either. Throughout the 2.6 kernel series the trend has been to reduce direct access to memory via pseudo-device files. See, for example, the message accompanying this patch:http://lwn.net/Articles/267427/. On Red Hat systems (and derived distros such as CentOS), the crash driver can be loaded to create a pseudo-device for memory access ("modprobe crash").

l.

    1. Second Look This commercial memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA or over the network. It comes with pre-compiled Physical Memory Access Driver (PMAD) modules for hundreds of kernels from the most commonly used Linux distributions.
    2. Idetect (Linux)
    3. fmem (Linux)
      fmem is kernel module, that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL. download url http://hysteria.cz/niekt0/
    4. Goldfish
      Goldfish is a Mac OS X live forensic tool for use only by law enforcement. Its main purpose is to provide an easy to use interface to dump the system RAM of a target machine via a Firewire connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that may be available. Law Enforcement may contact goldfish.ae for download information.
      1. There is also GDB commonly available on most Linuxes.
        And, you are always advised to avoid writing over unknown memory -- it can lead to system corruption.

linux memory dump--http://www.forensicswiki.org/wiki/Tools:Memory_Imaging的更多相关文章

  1. 【转】 Linux Core Dump 介绍

    ===============================================================  Linux core dump的祥细介绍和使用 =========== ...

  2. Visual Studio 2013 新功能 Memory Dump 分析器

    本文为 Dennis Gao 原创技术文章,发表于博客园博客,未经作者本人允许禁止任何形式的转载. TechEd2013 发现新功能 12月5日和6日,在国家会议中心参加了微软的 TechEd2013 ...

  3. Memory Dump 分析器

    Visual Studio 2013 新功能 Memory Dump 分析器   TechEd2013 发现新功能 12月5日和6日,在国家会议中心参加了微软的 TechEd2013 技术大会,了解了 ...

  4. Responder Pro new version could analyze Win10 memory dump

    My friend John acquired a memory dump from Windows 10, but he could analyze this memory dump with an ...

  5. qualcomm memory dump 抓取方法

    Memory dump是系统出现crash时常用的分析故障原因的方法,qualcomm 各子系统运行时,为方便debug,都会开辟ram log和debug variable用于保存各系统运行信息及健 ...

  6. How do I find what queries were executing in a SQL memory dump?-----stack

     https://blogs.msdn.microsoft.com/askjay/2010/10/03/how-do-i-find-what-queries-were-executing-in-a-s ...

  7. Linux core dump file详解

    Linux core dump file详解 http://www.cnblogs.com/langqi250/archive/2013/03/05/2944931.html

  8. 利用 Memory Dump Diagnostic for Java (MDD4J) 分析内存管理问题

    利用 Memory Dump Diagnostic for Java (MDD4J) 分析内存管理问题(2) 启动和理解 MDD4J[size=1.0625]为了充分理解如何使用 MDD4J,您需要了 ...

  9. Linux(CentOS 7)命令行模式安装VMware Tools 详解

    本篇文章主要介绍了如何在Linux(CentOS 7)命令行模式安装VMware Tools,具有一定的参考价值,感兴趣的小伙伴们可以参考一下. 本例中为在Linux(以CentOS 7为例)安装VM ...

随机推荐

  1. par函数fg参数-控制前景色

    fg参数用来控制前景色,其实指的就是x轴和y轴的轴线和刻度线的颜色 在R语言中,会根据fg, col 任何一个参数的值,自动的将两个参数的值设置为相同的值,举个例子: par(fg = "r ...

  2. wcf实体和ef实体冲突。。。

    指定的架构无效.错误: CLR 类型到 EDM 类型的映射不明确,因为多个 CLR 类型与 EDM 类型“agentinfo”匹配.以前找到的是 CLR 类型“chanchengFlow.Models ...

  3. php date strtotime的用法

    1.上个月第一天及最后一天. echo date('Y-m-01', strtotime('-1 month')); echo strtotime(date('Y-m-01 0:00:00', str ...

  4. unity3d中的DontDestroyOnLoad来回切换出现多个实例问题

    在用Unity3D开发游戏中,我们会经常创建多个场景,但是在场景过度的时候,通常场景中的对象会被删除.所以Unity3D给了我们一个不删除前一个 场景中的某一个对象或者脚本的API,那就是“DontD ...

  5. 在loadrunner中使用winsocket协议编写脚步三部曲

    这两天写了一个winsocket的脚本,没有通过录制的方式,是直接手写的.下面贴出来和大家分享: 脚本的写法很简单,大体说来,就像把大象放进冰箱一样,总共分三步: 第一步:把冰箱门打开. //建立到服 ...

  6. java文件读写工具类

    依赖jar:commons-io.jar 1.写文件 // by FileUtilsList<String> lines = FileUtils.readLines(file, " ...

  7. 感恩节MathType公式编辑器6折优惠启动

    MathType是由美国Design Science公司开发功能强大的公式编辑器,专门用来对数学公式的编辑,与常见的文字处理软件和演示程序配合使用,能够在各种文档中加入复杂的数学公式和符号.感恩节期间 ...

  8. GIS-ArcGIS 与 ThreeJs交互联动

    一.从GIS触发Three场景 MapFeatureLayer.on("click", function (evt) { graphicsLayerOfMouse.clear(); ...

  9. 当div没有设置宽度,使用width的fit-content和margin:auto实现元素的水平居中

    当我们做水平居中的时候,会有许多方法,margin:0 auto,或者test-align:center,以及flex布局.当元素的width不固定的时候,我们如何实现水平居中呢,代码如下: < ...

  10. AndroidのUI布局之layout weight

    <?xml version="1.0" encoding="utf-8"?> <LinearLayout xmlns:android=&quo ...