
Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov


Debugger Omission

Whereas some false positives can be considered soft debugger bugs (page 90), false negatives can have a more severe impact on software behavior analysis, especially in malware analysis. A typical example is the current .imgscan command, which according to its documentation should by default scan the virtual process space for MZ/PE signatures. Unfortunately, it doesn't detect such signatures in resource pages (we haven't checked stack regions yet):

0000000000fd0000 image base

SECTION HEADER #4
   .rsrc name
    6430 virtual size
    4000 virtual address
    6600 size of raw data
    1600 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
...
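As an added example (not from the book and not .imgscan's own logic), the check a practitioner would want after such an omission: an independent byte-granular MZ/PE scan over a constructed memory buffer that reports a second image embedded in an outer module's .rsrc section. It assumes sections are mapped at their file offsets and that e_lfanew is sane; the sample images are filler, not real modules.

```python
import struct

PAGE = 0x1000

def build_minimal_pe(sections):
    """Build a constructed, minimal PE image (DOS stub, PE signature, COFF header
    with no optional header, section table, section bodies). Test data only;
    sections is a list of (name, body); file offsets double as virtual addresses."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    raw = e_lfanew + 4 + 20 + 40 * len(sections)
    table, bodies = b"", b""
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(body), raw, len(body), raw,
                             0, 0, 0, 0, 0x40000040)  # same flags as the page's .rsrc
        raw += len(body)
        bodies += body
    return dos + b"PE\0\0" + coff + table + bodies

def scan_for_pe(buf):
    """Check every byte offset (not only page boundaries) for an MZ header whose
    e_lfanew points at a PE signature; return [(offset, [(section, start, end)])]."""
    hits, off = [], buf.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
            pe = off + e_lfanew
            if 0x40 <= e_lfanew < PAGE and buf[pe:pe + 4] == b"PE\0\0":
                nsec = struct.unpack_from("<H", buf, pe + 6)[0]
                table = pe + 24 + struct.unpack_from("<H", buf, pe + 20)[0]
                secs = []
                for i in range(nsec):
                    if table + 40 * (i + 1) > len(buf):
                        break  # truncated section table: keep what was readable
                    name, vsize, va = struct.unpack_from("<8sII", buf, table + 40 * i)
                    secs.append((name.rstrip(b"\0").decode(), off + va, off + va + vsize))
                hits.append((off, secs))
        off = buf.find(b"MZ", off + 1)
    return hits

def find_nested_images(buf):
    """Report (inner, outer) pairs where an image header lies inside another
    image's .rsrc section: the case the text says .imgscan does not report."""
    hits = scan_for_pe(buf)
    return [(off, outer) for off, _ in hits for outer, secs in hits
            if outer != off and any(n == ".rsrc" and s <= off < e for n, s, e in secs)]

# Constructed sample: an outer module at page offset 0x1000 whose .rsrc section
# carries a second complete PE image; bodies are filler bytes, not code.
INNER = build_minimal_pe([(b".text", b"\x90" * 16)])
OUTER = build_minimal_pe([(b".text", b"\xcc" * 32), (b".rsrc", b"\0" * 8 + INNER + b"\0" * 8)])
SAMPLE = b"\0" * PAGE + OUTER

if __name__ == "__main__":
    for off, secs in scan_for_pe(SAMPLE):
        print(f"PE header at {off:#x}: {[s[0] for s in secs]}")
    print("nested:", [(f"{i:#x}", f"{o:#x}") for i, o in find_nested_images(SAMPLE)])
```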
