Re: How does /dev/mem work?
Re: How does /dev/mem work?
- Subject: Re: How does /dev/mem work?
- From: Michael Smith <email@hidden>
- Date: Tue, 10 Mar 2009 01:04:04 -0700
On Mar 9, 2009, at 8:15 AM, Hajime Inoue wrote:
Perhaps you could explain what you're trying to do, and we might be
able
to suggest some alternatives.
What I want is a physical memory image for use with forensics tools
(the one
we develop is called Mac Marshal). The actual mechanism, whether
it's temporarily
adding back /dev/mem, or through some other way, isn't important.
With the following caveats understood:
- it's not possible to snapshot physical memory in order to get a
coherent image of the system
- anything you do to get the system into a state where you can
rummage around in physical memory is going to destroy some of that
memory's contents
- the system's physical memory map is not advertised in any
supported way to any layer you have access to
you might consider using the IOMemoryDescriptor method that allocates
a descriptor for a given physical address, and then mapping it and
reading from it.
HTH.
= Mike
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden