Questions tagged [memory-dump]
The memory-dump tag has no summary.
54 questions
0 votes | 0 answers | 53 views
I extracted a file from inside the dump that contains the serial number and I need to analyze it
I extracted a file from inside the dump that contains the serial number and I need to analyze it
I want to unpack and compress this encrypted file after modifying it

3 votes | 1 answer | 284 views
Load process from memory dump
Are there any tools that can "record" the memory space of a process and then be able to restore it from a certain timestamp? As in, the process is recreated in the exact same state as if ...

1 vote | 0 answers | 250 views
How do I align a memory dump hex file so that a pointer address matches its location in the memory dump file?
I'm learning C and trying to understand how things like buffer overflows and other memory issues work. I am doing this on Windows for convenience reasons but would have no problem doing it on WSL or a ...

3 votes | 0 answers | 59 views
How to patch bootstrap in NAND flash?
I read the layout of my NAND flash and saw that at the beginning of the flash there is a bootstrap that the CPU loads. That flash has ECC.
I read/write that flash.
How can I analyze the bootstrap and change ...

1 vote | 1 answer | 313 views
Does opening a crash dump run a file in memory?
I am new to malware analysis, and I'm learning how to detect malware that uses process injection to execute PE files from memory. I chose a ransomware sample that uses process injection to load the ...

2 votes | 0 answers | 186 views
Edit Squashfs filesystem in flash memory
I have read the flash memory and analyzed it with binwalk, and found a Squashfs that I can extract with dd and open with unsquashfs.
When I open this FS I want to add some files into this FS and edit some ...

0 votes | 1 answer | 358 views
Detecting and reading embedded filesystems on desktop Linux
I have some data from a NAND chip, dumped using the built-in nanddump utility on the embedded device.
This is the device information: https://openwrt.org/toh/bt/homehub_v5a The NAND chip is 128MiB ...

0 votes | 1 answer | 494 views
I have a 16GB memory dump from Belkasoft RAM Capture, what free tools can I use to analyze it?
I have a 16GB memory dump from Belkasoft RAM Capture, what free tools can I use to analyze it?
I have used IDA free version to try to open it and it is showing me an error that it is out of memory and ...

1 vote | 1 answer | 310 views
Finding mapped memory page flags in Radare2
I have a memory dump of notepad.exe. Radare's iS to print sections gives me the mapped files (the executable and its DLLs) as well as the many sections simply marked 'Memory_Section', which from what I ...

1 vote | 1 answer | 356 views
How to fix Mach-O headers from a memory-dumped binary to make it usable again?
I am trying to restore a binary from memory. I re-constructed the binary and analyzed it with a disassembler and it looks okay, but when inspecting the headers with otool I'm getting:
truncated or ...

2 votes | 1 answer | 272 views
How can you dump the unpacked version of a packed library/plugin from memory on macOS?
I'm dealing with a custom-UPX packed library that I'm trying to unpack. System is macOS.
Given it's a library/plugin, it doesn't have a standalone entrypoint. I ran it through a disassembler but wasn'...

3 votes | 1 answer | 1k views
Custom nanddump and nandwrite tools
I am trying to reverse engineer a router's firmware. The device has a NAND chip, and has a crippled version of BusyBox v1.14.1. The nanddump command exists but with interesting parameters, as I wasn't able ...

1 vote | 0 answers | 111 views
Can I dump a DLL from the pagefile?
Like the title of this question says, I'm trying to dump a DLL of a process but it only returns the message Error: Dllbase is paged (pic below)
So is the DLL in the pagefile, and can I extract it from pagefile.sys?
...

2 votes | 1 answer | 839 views
Get NonPagedPool (NPP) Base Address on any Windows OS
Is there a way to get the base (start) address of the NonPagedPool in Windows?
I know that it's dynamic for post-Windows 7 operating systems (does this include Windows Server 2008?)

1 vote | 2 answers | 1k views
Using NAND flash dump with OOB data
I have a NAND flash memory dump, as separate MTD partitions copied from the NAND flash chip using the built-in nanddump command. I need to reflash some corrupted MTD partitions. In order to reflash partitions ...

1 vote | 0 answers | 1k views
How to Dump a locked PIC
I have tried these few days to read a PIC18F microcontroller which is locked. It says all protected (0000 E0FF 40FF). Then I found out that it is possible to bypass the CRP on some of these ...

3 votes | 0 answers | 776 views
EEPROM data bytes verification
I'm investigating a tool. I have a section of an EEPROM memory dump that this tool uses, shown in the figure below. By my inquiries, the two bytes highlighted in red are based on the bytes ...

0 votes | 1 answer | 259 views
Reversing C# exe, questions, help
I am trying to debug a C# .NET application which receives a set of doubles and keeps it as a DataSeries every second.
I want to rewrite its DataSeries with my own dataset before the new data comes.
...

3 votes | 2 answers | 7k views
Volatility - manually inspect heap of a process
According to the book The Art of Memory Forensics[1], there is a heaps plugin that can extract information from the heap memory of a process. I'm using the latest version of Volatility, 2.6, but the ...

2 votes | 0 answers | 276 views
Unable to use C++ to read memory image file [closed]
I'm using winpmem to create a memory image. I would like to create an interface that would allow a user to search for various patterns in the image. I'm using C++ to open and read the file but I am ...

2 votes | 1 answer | 840 views
Dump firmware from MC9S08EL32 MCU
I have a datasheet of the HCS08 micro-controller family from NXP. I have a Raspberry Pi and some time. I admit that this is my first time delving this deep into hardware RE, so be gentle with me.
I ...

1 vote | 0 answers | 3k views
IDA pro dump memory snapshot to file
My question is rather simple: I was analysing a piece of malware packed by some packer in IDA. I have found a memory mapped (via mmap2) region which contains the file I'm interested in. I've created a ...

4 votes | 2 answers | 1k views
What is this hidden stack used by syscalls on Windows?
I've noticed there is a memory region in user mode on Windows 7 x64 WOW64 that changes during syscalls. It is located quite low in the address space and has the characteristics of a stack, i.e. it ...

1 vote | 2 answers | 2k views
Memory dump analysis
I'm trying to learn firmware analysis. The device I chose was my Motorola SBG901 modem. I managed to dump the memory contents via JTAG using the FlashcatUSB adapter. The memory dump is about 8MB in ...

0 votes | 1 answer | 505 views
Save injected code
I am analyzing a binary that is injecting code into another process (i.e., svchost.exe) to make the debugging more tedious. I can attach the new process to a debugger (e.g., OllyDbg or the one ...