Matthieu Suiche's blog

Archive for September 17th, 2008

Retrieving MmPhysicalMemoryBlock regardless of the NT version.

September - 17 - 2008

Posted by Matthieu Suiche

Comments Off

Here is a method I’m using in the next version of Win32DD (1.2), to retrieve MmPhysicalMemoryBlock regardless of the NT Version. The main problem with KDDEBUGGER_DATA64 structure is the version dependency. Then, we have to rebuild this field by ourselves. To retrieve physical memory runs, I’m using MmGetPhysicalMemoryRanges() *undocumented* function. This function usage had been [ Read More ]

READ FULL POST

Twitter Updates

New commands in WinDbg 6.2.8102.0 http://t.co/Q91NXKLF # 2011/10/02

RT @joshuamsmith_: MoonSols DumpIt released free of charge. (dd for windows, great for forensics) very cool, thx to @MoonSols http://t.c ... # 2011/08/13

"Interesting Malware Trick" using MoonSols DumpIt http://t.co/ljlGpQJ # 2011/08/13

Remember 5-days private training are also available if you want to learn more. See http://bit.ly/l4RAxc for more information. #BlackHat # 2011/08/01

Second round of training about Advanced Physical Memory Acquisition and Analysis starting today ! #BlackHat #LasVegas # 2011/08/01

Happiness only real when shared.

Archive for September 17th, 2008

Retrieving MmPhysicalMemoryBlock regardless of the NT version.

Twitter Updates

Featured Video

Sponsors

Keep connected

Recent Posts

Categories

Archives