Linux provides two virtual devices for this purpose, '/dev/mem' and '/dev/kmem', though many distributions disable them by default for security reasons. '/dev/mem' is linked to the physical system memory, whereas '/dev/kmem' maps to the entire virtual memory space, including any swap. Both devices work as regular files, and can be used with dd or any other file manipulation too

  1. dd On Unix systems, the program dd can be used to capture the contents of physical memory using a device file (e.g. /dev/mem and /dev/kmem). In recent Linux kernels, /dev/kmem is no longer available. In even more recent kernels, /dev/mem has additional restrictions. And in the most recent, /dev/mem is no longer available by default, either. Throughout the 2.6 kernel series the trend has been to reduce direct access to memory via pseudo-device files. See, for example, the message accompanying this patch:http://lwn.net/Articles/267427/. On Red Hat systems (and derived distros such as CentOS), the crash driver can be loaded to create a pseudo-device for memory access ("modprobe crash").

l.

    1. Second Look This commercial memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA or over the network. It comes with pre-compiled Physical Memory Access Driver (PMAD) modules for hundreds of kernels from the most commonly used Linux distributions.
    2. Idetect (Linux)
    3. fmem (Linux)
      fmem is kernel module, that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL. download url http://hysteria.cz/niekt0/
    4. Goldfish
      Goldfish is a Mac OS X live forensic tool for use only by law enforcement. Its main purpose is to provide an easy to use interface to dump the system RAM of a target machine via a Firewire connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that may be available. Law Enforcement may contact goldfish.ae for download information.
      1. There is also GDB commonly available on most Linuxes.
        And, you are always advised to avoid writing over unknown memory -- it can lead to system corruption.

linux memory dump--http://www.forensicswiki.org/wiki/Tools:Memory_Imaging的更多相关文章

  1. 【转】 Linux Core Dump 介绍

    ===============================================================  Linux core dump的祥细介绍和使用 =========== ...

  2. Visual Studio 2013 新功能 Memory Dump 分析器

    本文为 Dennis Gao 原创技术文章,发表于博客园博客,未经作者本人允许禁止任何形式的转载. TechEd2013 发现新功能 12月5日和6日,在国家会议中心参加了微软的 TechEd2013 ...

  3. Memory Dump 分析器

    Visual Studio 2013 新功能 Memory Dump 分析器   TechEd2013 发现新功能 12月5日和6日,在国家会议中心参加了微软的 TechEd2013 技术大会,了解了 ...

  4. Responder Pro new version could analyze Win10 memory dump

    My friend John acquired a memory dump from Windows 10, but he could analyze this memory dump with an ...

  5. qualcomm memory dump 抓取方法

    Memory dump是系统出现crash时常用的分析故障原因的方法,qualcomm 各子系统运行时,为方便debug,都会开辟ram log和debug variable用于保存各系统运行信息及健 ...

  6. How do I find what queries were executing in a SQL memory dump?-----stack

     https://blogs.msdn.microsoft.com/askjay/2010/10/03/how-do-i-find-what-queries-were-executing-in-a-s ...

  7. Linux core dump file详解

    Linux core dump file详解 http://www.cnblogs.com/langqi250/archive/2013/03/05/2944931.html

  8. 利用 Memory Dump Diagnostic for Java (MDD4J) 分析内存管理问题

    利用 Memory Dump Diagnostic for Java (MDD4J) 分析内存管理问题(2) 启动和理解 MDD4J[size=1.0625]为了充分理解如何使用 MDD4J,您需要了 ...

  9. Linux(CentOS 7)命令行模式安装VMware Tools 详解

    本篇文章主要介绍了如何在Linux(CentOS 7)命令行模式安装VMware Tools,具有一定的参考价值,感兴趣的小伙伴们可以参考一下. 本例中为在Linux(以CentOS 7为例)安装VM ...

随机推荐

  1. linux -- ubuntuserver 安装Apache后,修改默认目录和分布式配置文件可执行

    装了apache后,访问出现The requested URL *** was not found on this server,查看了下/etc/httpd/conf/httpd.conf,发现原因 ...

  2. CentOS 7 Minimal编译安装MySQL5.6

    写在前面,编译安装MySQL的优势:平台无关.可设定参数按需安装.安装的MySQL目录独立(方便清楚).更好的平台耦合及运行性能(很多运维的观点):缺点:编译安装较慢. 一.撤换系统防火墙 注:Cen ...

  3. C++多线程环境下注意共享资源的释放顺序

    比如我现在写一个多线程下载程序,包含DownloadTask.HttpDownload两个类. class DownloadTask { //省略n行代码 public: int m_threads; ...

  4. jQuery-处理css样式

    1.css方法 获取匹配元素集合中的第一个元素的样式属性的值 或 设置每个匹配元素的一个或多个CSS属性 1)获取并设置单个css值 jQuery对象.css('css属性'); jQuery对象.c ...

  5. 判断字符串String是否为空问题

    一.判断一个字符串str不为空的方法有: 1.str == null; 2."".equals(str): 3.str.length <= 0; 4.str.isEmpty( ...

  6. NHibernate初学一之简单增删改查

    以前有简单了解NHibernate,但因项目一直没有运用所以也没有机会进行一个详细了解:最近利用一点空闲的时间认真学习它:同样希望把学习过程进行简单记录,今天简单写一个针对MSSQL数据库的增删改查的 ...

  7. 使用 C# 开发智能手机软件:推箱子(二)

    在上篇文章"使用 C# 开发智能手机软件:推箱子(一)"中.我对推箱子程序作了整体介绍.这次,我先介绍 Common/Fcl.cs 源程序文件.  1 using System; ...

  8. hadoop程序MapReduce之DataSort

    需求:对文件中的数据进行排序. 样本:sort.log 10 13 10 20 输出:1 10 2 10 3 13 4 20 分析部分: mapper分析: 1.<k1,v1>k1代表:行 ...

  9. vsftp服务启动失败

    Linux下的服务如果启动失败,一般是看报错和日志进行排查的 报错看不出什么,那么就看下日志记录了什么/var/log/vsftpd.log: 一般是配置文件有问题 /etc/vsftpd/vsftp ...

  10. web基础----->servlet中得到请求的数据

    对tomcat的源码做一些分析,今天我们就开始servlet中的请求分析. form表单中的默认类型 一.在index.jsp中get请求: <form action="Paramet ...