Re: How does /dev/mem work?
- Subject: Re: How does /dev/mem work?
- From: Michael Crawford <email@hidden>
- Date: Tue, 10 Mar 2009 02:36:52 -0700
On Tue, Mar 10, 2009 at 1:52 AM, Andreas Fink <email@hidden> wrote:
> As far as I understood, the purpose is to get a snapshot of what's in memory
> for law enforcement purposes.

If that's what you really want, you could do something like disable
interrupts, while you dump the whole contents of memory out over the
network using a polled network driver, or perhaps a polled firewire
driver.

I don't know where it lives, but you could look at the source of the
debugger stub that implements the kernel side of the remote-kdp
two-machine debugger protocol, as well as the source of the
command-line GDB that talks to it.

If you're going to all this trouble, you can also start with the x86
segmentation registers, or their equivalent on PowerPC, to manually
explore the physical to virtual memory mapping. This would only work
for memory that's actually already resident. Extra credit if you spit
the swap file out your polled driver at the same time.

I found the second chapter of Bovet & Cesati's Understanding the Linux
Kernel to be a remarkably lucid explanation of how virtual memory
works on the x86 architecture. The material that is specific to the
processor and not to any particular operating system ought to be
applicable to the xnu virtual memory system.

Best,
Mike
--
Michael David Crawford
mdcrawford at gmail dot com
GoingWare's Bag of Programming Tricks
http://www.goingware.com/tips/
Darwin-kernel mailing list (email@hidden)
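
Added example, not part of the original message or of any Darwin/xnu source: a walk of classic 32-bit non-PAE x86 page tables over a captured physical-memory image, showing why only resident pages can be resolved from a snapshot. The function names, the CR3 value of 0, the assumption that CR4.PSE is set, and the 16 KiB image are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PRESENT 0x001u   /* P bit in a PDE or PTE */
#define LARGE   0x080u   /* PS bit in a PDE: 4 MiB page (assumes CR4.PSE=1) */

static int rd32(const uint8_t *img, size_t len, uint32_t pa, uint32_t *out) {
    if (pa > len || len - pa < 4) return -1;      /* entry outside the dump */
    *out = (uint32_t)img[pa] | (uint32_t)img[pa + 1] << 8 |
           (uint32_t)img[pa + 2] << 16 | (uint32_t)img[pa + 3] << 24;
    return 0;
}

static void wr32(uint8_t *img, uint32_t pa, uint32_t v) {
    for (int i = 0; i < 4; i++) img[pa + i] = (uint8_t)(v >> (8 * i));
}

/* 0: *pa set; 1: page not resident; -1: table lies outside the image. */
int translate(const uint8_t *img, size_t len, uint32_t cr3, uint32_t va, uint32_t *pa) {
    uint32_t pde, pte;
    if (rd32(img, len, (cr3 & ~0xFFFu) + (va >> 22) * 4, &pde)) return -1;
    if (!(pde & PRESENT)) return 1;
    if (pde & LARGE) { *pa = (pde & 0xFFC00000u) | (va & 0x003FFFFFu); return 0; }
    if (rd32(img, len, (pde & ~0xFFFu) + ((va >> 12) & 0x3FFu) * 4, &pte)) return -1;
    if (!(pte & PRESENT)) return 1;
    *pa = (pte & ~0xFFFu) | (va & 0xFFFu);
    return 0;
}

/* Constructed 16 KiB image: page directory at 0x0000, page table at 0x1000. */
void build_sample(uint8_t *img) {
    memset(img, 0, 4 * 4096);
    wr32(img, 0x0004, 0x00001000u | PRESENT);          /* PDE[1] -> page table    */
    wr32(img, 0x0008, 0x00C00000u | LARGE | PRESENT);  /* PDE[2] -> 4 MiB page    */
    wr32(img, 0x000C, 0x00100000u | PRESENT);          /* PDE[3] -> table not in dump */
    wr32(img, 0x1000, 0x00002000u | PRESENT);          /* PTE[0] -> frame 0x2000  */
    wr32(img, 0x1004, 0x00003000u);                    /* PTE[1] not present      */
}

int main(void) {
    static uint8_t img[4 * 4096];
    const uint32_t vas[] = { 0x00400123u, 0x00401000u, 0x00800ABCu, 0x00C00000u };
    build_sample(img);
    for (int i = 0; i < 4; i++) {
        uint32_t pa = 0;
        int rc = translate(img, sizeof img, 0, vas[i], &pa);
        printf("va 0x%08x rc=%d pa=0x%08x\n", (unsigned)vas[i], rc, (unsigned)pa);
    }
    return 0;
}
```

A return of 1 marks a page whose contents are not in the snapshot (it would have to come from the swap file), and -1 marks a truncated or partial acquisition.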