Memory Dump Analysis Anthology, Volume 8a by Dmitry Vostokov

Tampered Dump

The availability of direct dump modification raises the possibility of memory dumps that have been deliberately altered to change their structural and behavioral diagnostic patterns: for example, to suppress the involvement of a certain module, or to introduce fictitious past objects and interaction traces such as Execution Residue (Volume 2, page 239) and Module Hints (Volume 6, page 92). There can be two types of such artifacts: strong tampering, where new or altered information is completely integrated into the memory fabric, and weak tampering, intended only to confuse inexperienced software support engineers and memory forensics analysts.

For example, in one such experimental process memory dump we see an Exception Stack Trace (Volume 4, page 337) pointing to a problem in calc