Windbg is a valuable resource for sure, one of the main reasons we
brought back the raw2dmp plugin [1]. Sometimes it's not practical to
install Debugging Tools for Windows on a suspect machine in order to
dump memory with livekd, so in those cases you can acquire with KntDD
and either analyze with volatility, KnTList, or convert to MS
crashdump with raw2dmp then use WinDbg on your analysis machine.
Everyone has their favorite methods ;-)
MHL
[1] https://code.google.com/p/volatility/wiki/CommandReference21#raw2dmp
On Mon, Jul 2, 2012 at 4:06 PM, Troy Larson (NETSEC)
<troyla(a)microsoft.com> wrote:
George,
I will often use livekd -o for generating memory dumps. If I want to get a clean kernel
dump, then I use livekd -m -o.
Troy
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org
[mailto:vol-users-bounces@volatilesystems.com] On Behalf Of George M. Garner Jr.
Sent: Monday, July 02, 2012 10:45 AM
To: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Windows Server 2008
On 7/2/2012 10:59 AM, Troy Larson (NETSEC) wrote:
Windbg.
Troy
One of my favorite tools, aside from KnTList. To my mind it is an essential tool if you
want to get serious about memory analysis. But then you need to be able to convert your
memory dumps to MS crashdump format.
While I am on the subject, the version of Windbg that ships with w8 RC WDK includes a
.segmentation command which is useful when using Windbg to analyze 64-bit memory images.
Basically, you enter the following two commands after opening a 64-bit crashdump and all
will be joy (with Windbg):
.segmentation /V /X /a
.effmach . (note literal dot).
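Both posts above hinge on the dump being a real MS crashdump, and George's .segmentation/.effmach step applies only to 64-bit images. The script below is an added example (not code from the Volatility project or from any poster in this thread): it reads the DUMP_HEADER / DUMP_HEADER64 fields that WinDbg and Volatility's crashdump support use, reporting the bitness ("PAGEDUMP" vs "PAGEDU64" in the first 8 bytes) and MachineImageType (at 0x20 for 32-bit, 0x30 for 64-bit), and flags a header whose two indicators disagree. The sample headers it runs against are constructed in-script, not taken from a real dump; the version numbers and fill pattern in build_header are assumptions for illustration.

```python
"""Sanity-check a converted Microsoft crash dump header before loading it in WinDbg.

Added example for this thread, not code from Volatility or its posters.
Field offsets follow the DUMP_HEADER (32-bit) and DUMP_HEADER64 layouts:
  0x00 Signature  'PAGE'
  0x04 ValidDump  'DUMP' (32-bit) or 'DU64' (64-bit)
  0x08 MajorVersion, 0x0C MinorVersion
  0x20 / 0x30 MachineImageType (IMAGE_FILE_MACHINE_* value)
The header occupies the first 0x1000 bytes of the file in both layouts.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
HEADER_SIZE = 0x1000


def parse_dump_header(data):
    """Parse a crash dump header page and return a dict describing it.

    Raises ValueError if the bytes are not a Microsoft crash dump header.
    The 'consistent' flag is False when ValidDump and MachineImageType
    disagree (e.g. a 'DU64' header that claims an i386 machine), which is
    a sign the conversion went wrong and WinDbg will misinterpret the image.
    """
    if len(data) < 0x34:
        raise ValueError("header too short (%d bytes)" % len(data))
    signature, valid_dump = bytes(data[0:4]), bytes(data[4:8])
    if signature != b"PAGE":
        raise ValueError("not a Microsoft crash dump: Signature %r" % signature)
    major, minor = struct.unpack_from("<II", data, 0x08)
    if valid_dump == b"DUMP":
        bits = 32
        machine = struct.unpack_from("<I", data, 0x20)[0]
        expected = IMAGE_FILE_MACHINE_I386
    elif valid_dump == b"DU64":
        bits = 64
        machine = struct.unpack_from("<I", data, 0x30)[0]
        expected = IMAGE_FILE_MACHINE_AMD64
    else:
        raise ValueError("unknown ValidDump field %r" % valid_dump)
    return {
        "bits": bits,
        "machine": machine,
        "major": major,
        "minor": minor,
        "consistent": machine == expected,
    }


def read_dump_header(path):
    """Read the header page from a file on disk and parse it."""
    with open(path, "rb") as fh:
        return parse_dump_header(fh.read(HEADER_SIZE))


def build_header(bits, machine, major=0xF, minor=7601):
    """Construct a synthetic header page for testing (not a real dump).

    Real headers fill unused space with the 'PAGE' pattern; the version
    numbers are assumptions chosen for illustration.
    """
    buf = bytearray(b"PAGE" * (HEADER_SIZE // 4))
    buf[4:8] = b"DU64" if bits == 64 else b"DUMP"
    struct.pack_into("<II", buf, 0x08, major, minor)
    struct.pack_into("<I", buf, 0x30 if bits == 64 else 0x20, machine)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed samples: a good x64 dump, a good x86 dump, and a mismatch.
    for label, hdr in (
        ("x64", build_header(64, IMAGE_FILE_MACHINE_AMD64)),
        ("x86", build_header(32, IMAGE_FILE_MACHINE_I386)),
        ("bad", build_header(64, IMAGE_FILE_MACHINE_I386)),
    ):
        info = parse_dump_header(hdr)
        note = "" if info["consistent"] else "  <-- ValidDump/MachineImageType mismatch"
        print("%s: %d-bit, machine 0x%04x, version %d.%d%s"
              % (label, info["bits"], info["machine"], info["major"], info["minor"], note))
```

Run it against a raw2dmp output with read_dump_header(path): a 64-bit result with consistent=True is the case where George's .segmentation /V /X /a and .effmach . commands apply; a ValueError means the file is still a raw image and was never converted.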
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users