- SANS Poster 2015-Memory-Forensic2.pdf
- http://www.rekall-forensic.com/posts/2014-02-21-do-we-need-kdbg.html
The static initializer of the KDBG (`KdDebuggerDataBlock`, of type `KDDEBUGGER_DATA64`) as it appears in the ReactOS kernel source (ntoskrnl/kd64/kdinit.c); the listing's line numbers are dropped and the elision is kept:

```c
KDDEBUGGER_DATA64 KdDebuggerDataBlock =
{
    {{0}},                                          /* Header: DBGKD_DEBUG_DATA_HEADER64 (List, OwnerTag "KDBG", Size) */
    0,                                              /* KernBase, filled in at runtime */
    {(ULONG_PTR)RtlpBreakWithStatusInstruction},    /* BreakpointWithStatus */
    0,                                              /* SavedContext */
    FIELD_OFFSET(KTHREAD, CallbackStack),           /* ThCallbackStack */
    FIELD_OFFSET(KCALLOUT_FRAME, CallbackStack),    /* NextCallback */
    FIELD_OFFSET(KCALLOUT_FRAME, CBSTACK_FRAME_POINTER), /* FramePointer */
    FALSE,                                          /* PaeEnabled */
    {(ULONG_PTR)KiCallUserMode},                    /* KiCallUserMode */
    0,                                              /* KeUserCallbackDispatcher */
    {(ULONG_PTR)&PsLoadedModuleList},               /* the list heads memory-forensic tools want */
    {(ULONG_PTR)&PsActiveProcessHead},
    {(ULONG_PTR)&PspCidTable},
    {(ULONG_PTR)&ExpSystemResourcesList},
    {(ULONG_PTR)ExpPagedPoolDescriptor},
    {(ULONG_PTR)&ExpNumberOfPagedPools},
    {(ULONG_PTR)&KeTimeIncrement},
    ...
    {(ULONG_PTR)&IopNumTriageDumpDataBlocks},
    {(ULONG_PTR)IopTriageDumpDataBlocks},
};
```
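The initializer shows why the block matters to memory forensics: it carries the addresses of PsActiveProcessHead and PsLoadedModuleList, so a tool that locates the block in a raw image can walk the process and module lists without any other symbol information. The following is an added example (not code from this post, ReactOS, Rekall or Volatility) of the two ways to get at those values: a byte-wise scan for the "KDBG" owner tag with plausibility checks on the candidate, and a cross-check that derives the same list heads from the kernel base plus symbol RVAs, which is what a profile-based tool does instead of scanning. The struct layout is the x64 layout of the header and the leading fields in the initializer's order; the sample image, its addresses, RVAs and the Size value are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed x64 layout of the KDBG header plus the leading fields of
 * KDDEBUGGER_DATA64, in the order of the static initializer above. */
#pragma pack(push, 1)
typedef struct {
    uint64_t Flink, Blink;   /* LIST_ENTRY64 List */
    char     OwnerTag[4];    /* the bytes "KDBG" as laid out in memory */
    uint32_t Size;           /* sizeof(KDDEBUGGER_DATA64) */
} DBGKD_DEBUG_DATA_HEADER64;

typedef struct {
    DBGKD_DEBUG_DATA_HEADER64 Header;
    uint64_t KernBase;
    uint64_t BreakpointWithStatus;
    uint64_t SavedContext;
    uint16_t ThCallbackStack, NextCallback, FramePointer, PaeEnabled;
    uint64_t KiCallUserMode;
    uint64_t KeUserCallbackDispatcher;
    uint64_t PsLoadedModuleList;
    uint64_t PsActiveProcessHead;
    uint64_t PspCidTable;
} KDBG_PREFIX64;
#pragma pack(pop)

#define KDBG_TAG_OFFSET offsetof(DBGKD_DEBUG_DATA_HEADER64, OwnerTag)

/* Canonical x64 kernel-mode VA: bits 63..47 all set. */
static int is_kernel_va(uint64_t va) { return (va >> 47) == 0x1FFFF; }

/* A tag match alone is not a KDBG: reject candidates whose fields are
 * impossible for a running kernel (decoys, stale copies, overwritten blocks). */
static int kdbg_plausible(const KDBG_PREFIX64 *k)
{
    if (memcmp(k->Header.OwnerTag, "KDBG", 4) != 0) return 0;
    if (k->Header.Size < sizeof(KDBG_PREFIX64) || k->Header.Size > 0x2000) return 0;
    if (!is_kernel_va(k->KernBase) || !is_kernel_va(k->PsLoadedModuleList) ||
        !is_kernel_va(k->PsActiveProcessHead) || !is_kernel_va(k->PspCidTable)) return 0;
    /* The list heads are ntoskrnl globals, so they sit above the image base. */
    if (k->PsLoadedModuleList <= k->KernBase || k->PsActiveProcessHead <= k->KernBase) return 0;
    return 1;
}

/* Byte-wise scan of a raw image for the first plausible KDBG.
 * Returns its offset (or -1) and copies the block prefix into *out. */
long kdbg_scan(const uint8_t *img, size_t len, KDBG_PREFIX64 *out)
{
    for (size_t off = 0; off + sizeof(KDBG_PREFIX64) <= len; off++) {
        if (memcmp(img + off + KDBG_TAG_OFFSET, "KDBG", 4) != 0) continue;
        KDBG_PREFIX64 k;
        memcpy(&k, img + off, sizeof k);   /* image data is unaligned: copy, never cast */
        if (!kdbg_plausible(&k)) continue;
        if (out) *out = k;
        return (long)off;
    }
    return -1;
}

/* With a symbol file (PDB/profile) the list heads follow from KernBase alone;
 * the derived values confirm a scanned block, or stand in for it. */
int kdbg_matches_profile(const KDBG_PREFIX64 *k, uint64_t rva_active, uint64_t rva_loaded)
{
    return k->KernBase + rva_active == k->PsActiveProcessHead &&
           k->KernBase + rva_loaded == k->PsLoadedModuleList;
}

/* Constructed sample image: filler, a decoy carrying the tag but zeroed
 * pointers, then a block with made-up but plausible x64 values; both unaligned. */
#define SAMPLE_LEN 0x800
static void build_sample_image(uint8_t *img)
{
    KDBG_PREFIX64 decoy, real;
    memset(img, 0xCC, SAMPLE_LEN);
    memset(&decoy, 0, sizeof decoy);
    memcpy(decoy.Header.OwnerTag, "KDBG", 4);
    decoy.Header.Size = 0x340;
    memcpy(img + 0x23, &decoy, sizeof decoy);

    memset(&real, 0, sizeof real);
    memcpy(real.Header.OwnerTag, "KDBG", 4);
    real.Header.Size         = 0x340;                  /* constructed */
    real.KernBase            = 0xFFFFF80002800000ULL;  /* constructed */
    real.PsLoadedModuleList  = 0xFFFFF80002A2F650ULL;
    real.PsActiveProcessHead = 0xFFFFF80002A1B0B0ULL;
    real.PspCidTable         = 0xFFFFF80002A0E2D0ULL;
    memcpy(img + 0x403, &real, sizeof real);
}

long sample_kdbg_offset(void)
{
    uint8_t img[SAMPLE_LEN];
    build_sample_image(img);
    return kdbg_scan(img, SAMPLE_LEN, NULL);
}

uint64_t sample_active_process_head(void)
{
    uint8_t img[SAMPLE_LEN]; KDBG_PREFIX64 k;
    build_sample_image(img);
    return kdbg_scan(img, SAMPLE_LEN, &k) < 0 ? 0 : k.PsActiveProcessHead;
}

int sample_profile_check(uint64_t rva_active, uint64_t rva_loaded)
{
    uint8_t img[SAMPLE_LEN]; KDBG_PREFIX64 k;
    build_sample_image(img);
    return kdbg_scan(img, SAMPLE_LEN, &k) >= 0 && kdbg_matches_profile(&k, rva_active, rva_loaded);
}

int main(void)
{
    uint8_t img[SAMPLE_LEN]; KDBG_PREFIX64 k;
    build_sample_image(img);
    long off = kdbg_scan(img, SAMPLE_LEN, &k);
    if (off < 0) { puts("no plausible KDBG found"); return 1; }
    printf("KDBG at image offset 0x%lx\n", off);
    printf("  KernBase            = 0x%016llx\n", (unsigned long long)k.KernBase);
    printf("  PsActiveProcessHead = 0x%016llx\n", (unsigned long long)k.PsActiveProcessHead);
    printf("  PsLoadedModuleList  = 0x%016llx\n", (unsigned long long)k.PsLoadedModuleList);
    return 0;
}
```

The scan skips the decoy at 0x23 because its pointers fail the canonical-address check and reports the block at 0x403; the profile check then reproduces both list heads from KernBase and the (constructed) RVAs 0x21B0B0 and 0x22F650. Two caveats a practitioner should keep in mind: on Windows 8 and later the kernel keeps the block encoded while no debugger is attached, so a plain tag scan like this one finds nothing there, and on any version the block is ordinary writable kernel data that anti-forensic code can overwrite, which is exactly why the symbol-based derivation is the more trustworthy of the two routes.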