Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

String Hint

This pattern covers traces of ASCII and UNICODE strings that look suspicious, such as website addresses, passwords and HTTP forms, or strange names that intuitively shouldn't be present given the purpose of a module or its container process (the example is taken from the Victimware presentation case study):

 0:005> s-sa 00040000 L1d000
 0004004d  "!This program cannot be run in D"
 0004006d  "OS mode."
 00040081  "3y@"
 000400b8  "Rich"
 000401d0  ".text"
 000401f7  "`.rdata"
 0004021f  "@.data"
 00040248  ".reloc"
 [...]
 00054018  "GET /stat?uptime=%d&downlink=%d&"
 00054038  "uplink=%d&id=%s&statpass=%s&comm"
 00054058  "ent=%s HTTP/1.0"
 000540ac  "%s%s%s"
 000540d8  "ftp://%s:%s@%s:%d"
 000540fc  "Accept-Encoding:"
 00054118  "Accept-Encoding:"
 00054130  "0123456789ABCDEF"
 ...
