CN102279877B - Physical memory mirror image file analyzing method of Mac OS system - Google Patents


Info

Publication number
CN102279877B
Authority
CN
China
Prior art keywords
image file
kernel
address
physical memory
memory image
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN 201110209546
Other languages
Chinese (zh)
Other versions
CN102279877A (en)
Inventor
顾卫东
徐丽娟
王连海
武鲁
张淑慧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Computer Science Center
Original Assignee
Shandong Computer Science Center

Abstract

The invention discloses a method for analyzing a physical memory image file of a Mac OS system, comprising the following steps: a, determining the system version information and, from it, the pointer to the highest-level page table of the kernel process address space; b, obtaining the kernel symbol table and string table by locating them in the copy of the kernel image file contained in the physical memory image file, and from them obtaining the system configuration information, mounted file system information, process information and driver information contained in the physical memory image file; and c, obtaining the pointer to the highest-level page table of each task in the system. In step b, the symbol table and string table are obtained by analyzing the copy of the kernel image file in the physical memory image file. The method overcomes the shortcomings of the prior art, namely the complicated way of obtaining the kernel image file, the unreliable address translation method and the incomplete information obtained; it makes process, driver and mounted file system information easy to obtain and supports research on memory forensics of Mac OS computers.

Description

Physical memory image file analysis method for a Mac OS system
Technical field
The present invention relates to a method for analyzing a physical memory image file of a Mac OS system, and in particular to a method that uses the pointer to the highest-level page table of the kernel process address space to translate kernel virtual addresses to physical addresses, and then obtains the kernel symbol table and string table from the physical memory image file. The technique is intended for the computer forensics field, mainly for the investigation and evidence collection of information security incidents and computer crime cases.
Background art
A. Concepts and technical terms
A-1. Physical memory image file
A physical memory image file is a file formed by copying the contents of the physical memory of a running computer bit for bit, so that the position of data in the file corresponds one to one with its position in physical memory. In a VMware virtual machine, a physical memory image file can be obtained by taking a snapshot; the file with the .vmem extension produced by the snapshot operation is such an image. On a physical computer, the corresponding physical memory image file can be obtained with software such as dd.
A-2. Task
The abstraction in Mach that contains a virtual address space and a port name space. A task itself performs no work; it provides the execution context for its threads.
A-3. Process
The BSD abstraction of a running program. Process resources include the virtual address space, threads and file descriptors. In Mac OS X, a process is based on one Mach task and one or more Mach threads.
A-4. Kernel space
Kernel space is the address space in which the kernel process runs.
A-5. Kernel image
The code and data of the kernel constitute the kernel image (Kernel Image).
B. Research background
To advance the development of physical memory analysis technology, DFRWS (Digital Forensic Research Workshop) launched an activity called "Forensics Challenge" in 2005 whose theme was physical memory analysis. Since then, the analysis and acquisition of physical memory has become a research focus of computer forensics. In 2008 and 2009, companies and government departments concentrated their research on physical memory analysis of the Windows operating system and made some progress, but in those years physical memory analysis of the Mac OS system was essentially untouched. In 2010, Matthieu Suiche proposed the first physical memory analysis method for Mac OS, which is still the only published one. That method first obtains the kernel symbol table and the string table corresponding to it; it then reads the values of the four kernel variables IdlePDPT, IdlePDPT64, IdlePML4 and IdlePTD from the kernel symbol table and uses them to translate kernel virtual addresses to physical addresses; finally, on the basis of the address translation and the kernel symbols, it analyzes information such as processes, mounted file systems, the system call table and kernel extensions. Its detailed procedure is as follows:
B-1. Obtaining the kernel symbol table
The Windows compiler generally stores symbols in an external file with the PDB extension. In Mac OS X the compiler places the symbols inside the kernel executable, in the __LINKEDIT segment. This segment records the offsets of the string table (holding the kernel symbol names) and of the symbol table (holding the kernel symbol values corresponding to those names). Obtaining the symbol table is the basis of physical memory analysis of Mac OS. The basic steps are: first obtain the contents of the kernel image file in memory according to the FAT file format and the Mach-O file format; then analyze that file and read the string table offset and symbol table offset recorded for the __LINKEDIT segment; finally parse the contents of __LINKEDIT to obtain the kernel symbol table. The data structures involved and the way the symbol table is located are as follows:
#define FAT_MAGIC 0xBEBAFECA   /* the big-endian fat magic 0xCAFEBABE as it reads in a little-endian ULONG */
typedef struct _FAT_HEADER
{
    ULONG magic;        /* FAT_MAGIC */
    ULONG nfat_arch;    /* number of FAT_ARCH structures that follow */
} FAT_HEADER, *PFAT_HEADER;
The file header can be located by FAT_MAGIC. Adding sizeof(FAT_HEADER) to the position of the file header gives the first architecture structure, defined as follows:
typedef struct _FAT_ARCH
{
    cpu_type_t    cputype;     /* CPU type of this architecture slice */
    cpu_subtype_t cpusubtype;  /* CPU subtype */
    ULONG         offset;      /* offset of the Mach-O file from the start of the FAT file */
    ULONG         size;        /* size of the Mach-O file */
    ULONG         align;       /* alignment of the slice, as a power of two */
} FAT_ARCH, *PFAT_ARCH;
Mach-O file header start position = FAT file header start position + offset. Its structure is as follows:
#define MH_MAGIC 0xfeedface   /* marks the start of a 32-bit Mach-O file */
typedef struct _MACH_HEADER
{
    ULONG         magic;       /* MH_MAGIC */
    cpu_type_t    cputype;
    cpu_subtype_t cpusubtype;
    ULONG         filetype;    /* kind of file, e.g. executable */
    ULONG         ncmds;       /* number of load commands that follow the header */
    ULONG         sizeofcmds;  /* total size of all load commands in bytes */
    ULONG         flags;
} MACH_HEADER, *PMACH_HEADER;
Here 0xfeedface can be regarded as the marker at which a Mach-O file begins. The MACH_HEADER structure is immediately followed by the first load command entry, whose general structure is shown below.
typedef struct _LOAD_COMMAND {
    ULONG cmd;       /* command type, e.g. LC_SEGMENT or LC_SYMTAB */
    ULONG cmdsize;   /* total length of this command in bytes */
} LOAD_COMMAND, *PLOAD_COMMAND;
Here cmd is the command type and cmdsize is the command length. The two important command types are the following.
#define LC_SEGMENT 0x1   /* a segment to be mapped into memory, e.g. __LINKEDIT */
#define LC_SYMTAB  0x2   /* location of the symbol table and string table */
The concrete command structure differs with the command type. Below is the command structure for command type LC_SYMTAB:
typedef struct _SYMTAB_COMMAND
{
    ULONG cmd;       /* LC_SYMTAB */
    ULONG cmdsize;   /* sizeof(SYMTAB_COMMAND) */
    ULONG symoff;    /* file offset of the symbol table (an array of NLIST) */
    ULONG nsyms;     /* number of symbol table entries */
    ULONG stroff;    /* file offset of the string table */
    ULONG strsize;   /* size of the string table in bytes */
} SYMTAB_COMMAND, *PSYMTAB_COMMAND;
Here symoff is the offset of the symbol table in the file (the symbol table is an array of nlist structures, shown below); nsyms is the number of entries in the symbol table; stroff is the offset of the string table in the file; and strsize is the length of the string table.
typedef struct _NLIST
{
    ULONG  n_strx;   /* offset of the symbol name within the string table */
    UCHAR  n_type;   /* symbol type flags */
    UCHAR  n_sect;   /* section number, or 0 */
    USHORT n_desc;   /* additional description bits */
    ULONG  n_value;  /* symbol value; for a kernel variable, its address */
} NLIST, *PNLIST;
Here n_strx is the offset, within the string table, of the variable name corresponding to the current symbol table entry, and n_value is the value of the variable.
Address of the symbol table = offset obtained from the _FAT_ARCH structure + symoff;
Address of the string table = offset obtained from the _FAT_ARCH structure + stroff.
From these two tables the kernel symbol names and their values can finally be obtained.
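An added example, not code from the patent: a Python parser that walks the structures above (FAT_HEADER, first FAT_ARCH, MACH_HEADER, load commands, LC_SYMTAB, nlist entries) to a name-to-value map, and also reads vmaddr and fileoff of the __LINKEDIT segment to compute symvaddr = vmaddr + symoff - fileoff as step b-3 of the description does. The fat header is parsed big-endian (0xCAFEBABE on disk is the 0xBEBAFECA above when read as a little-endian ULONG); the fat binary, its symbol names and values are constructed inline and not taken from any real kernel.

```python
import struct

FAT_MAGIC = 0xCAFEBABE     # big-endian on disk; read as a little-endian ULONG it is the 0xBEBAFECA above
MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O header, little-endian on x86
LC_SEGMENT = 0x1
LC_SYMTAB = 0x2

def cstring(buf, off):
    """NUL-terminated name taken from the string table."""
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def first_macho_offset(buf, fat_off=0):
    """FAT_HEADER then the first FAT_ARCH (fat fields are big-endian); Mach-O start = fat start + offset."""
    magic, nfat_arch = struct.unpack_from(">II", buf, fat_off)
    if magic != FAT_MAGIC or nfat_arch == 0:
        raise ValueError("no FAT header at 0x%x" % fat_off)
    cputype, cpusubtype, offset, size, align = struct.unpack_from(">iiIII", buf, fat_off + 8)
    return fat_off + offset

def locate_kernel_symbols(buf, fat_off=0):
    """Walk the load commands of the Mach-O named by the first FAT_ARCH: the __LINKEDIT LC_SEGMENT
    gives vmaddr/fileoff, LC_SYMTAB gives symoff/nsyms/stroff/strsize. Returns the name -> value
    map read from the nlist entries plus the kernel virtual addresses of both tables."""
    mh = first_macho_offset(buf, fat_off)
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from("<IiiIIII", buf, mh)
    if magic != MH_MAGIC:
        raise ValueError("no Mach-O header at 0x%x" % mh)
    pos = mh + 28                                    # sizeof(MACH_HEADER): first load command
    symtab = linkedit = None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", buf, pos)
        if cmd == LC_SYMTAB:
            symtab = struct.unpack_from("<IIII", buf, pos + 8)        # symoff, nsyms, stroff, strsize
        elif cmd == LC_SEGMENT:
            segname = buf[pos + 8:pos + 24].split(b"\0", 1)[0]
            vmaddr, vmsize, fileoff = struct.unpack_from("<III", buf, pos + 24)
            if segname == b"__LINKEDIT":
                linkedit = (vmaddr, fileoff)
        pos += cmdsize
    if symtab is None or linkedit is None:
        raise ValueError("LC_SYMTAB or __LINKEDIT segment missing")
    symoff, nsyms, stroff, strsize = symtab
    vmaddr, fileoff = linkedit
    symbols = {}
    for i in range(nsyms):
        n_strx, n_type, n_sect, n_desc, n_value = struct.unpack_from("<IBBHI", buf, mh + symoff + 12 * i)
        if n_strx:                                                   # n_strx == 0 means no name
            symbols[cstring(buf, mh + stroff + n_strx)] = n_value
    return {"symbols": symbols,
            "symvaddr": vmaddr + symoff - fileoff,                   # step b-3: where the table sits in kernel VA
            "straddr": vmaddr + stroff - fileoff}

def build_sample_kernel():
    """Constructed fat file (not a real kernel): one i386 Mach-O whose __LINKEDIT segment is at
    file offset 0x100 / vmaddr 0x00300000 and carries two symbols with made-up values."""
    names = b"\0_kernproc\0_IdlePML4\0"
    nlist = struct.pack("<IBBHI", 1, 0x0F, 1, 0, 0x0052A3C0)         # _kernproc (value made up)
    nlist += struct.pack("<IBBHI", 11, 0x0F, 1, 0, 0x00100000)       # _IdlePML4 (value made up)
    header = struct.pack("<IiiIIII", MH_MAGIC, 7, 3, 2, 2, 56 + 24, 0)   # CPU_TYPE_I386, MH_EXECUTE, 2 cmds
    linkedit = struct.pack("<II16sIIIIIIII", LC_SEGMENT, 56, b"__LINKEDIT",
                           0x00300000, 0x1000, 0x100, len(nlist) + len(names), 7, 7, 0, 0)
    symtab = struct.pack("<IIIIII", LC_SYMTAB, 24, 0x100, 2, 0x100 + len(nlist), len(names))
    macho = (header + linkedit + symtab).ljust(0x100, b"\0") + nlist + names
    fat = struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">iiIII", 7, 3, 0x40, len(macho), 12)
    return fat.ljust(0x40, b"\0") + macho
```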
B-2. Address translation
The address translation method depends on the values of the four kernel variables IdlePDPT, IdlePDPT64, IdlePML4 and IdlePTD. By traversing the variable names and corresponding values in the kernel symbol table obtained above, the values of these four variables are obtained, and address translation is then performed with the PML4 (Page Map Level 4) paging scheme.
B-3. Obtaining information
Through the variables in the kernel symbol table, the system configuration information, mounted file system information, process information and driver information are obtained.
In the physical memory analysis of real Mac machines we found that the analysis method above has certain problems, mainly in the following four respects. (1) The way of obtaining the kernel image file is rather complicated. Many files in the FAT format exist in a physical memory image file, and it cannot be determined which header is that of the required kernel image file. (2) In the physical memory analysis of Mac OS X 10.5 and Mac OS X 10.6, the method of resolving the symbol table contents through the __LINKEDIT segment is infeasible: after the __LINKEDIT segment is found by this method, its virtual address cannot be translated to a valid physical address (that is, it is not in physical memory). (3) The address translation method is unreliable. On different Mac machines with the same operating system version installed, the values of the kernel variables IdlePDPT, IdlePDPT64, IdlePML4 and IdlePTD may differ; that is, for a given operating system version these values are not fixed, so they must be read from the kernel symbol table before address translation is performed. But, as the analysis in (2) shows, the symbol table acquisition method above is infeasible, so the values of IdlePDPT, IdlePDPT64, IdlePML4 and IdlePTD cannot be obtained and the memory analysis cannot proceed. (4) The information obtained is incomplete: the details of a process, the thread information, the files opened by a process, the operating system version information and so on cannot be obtained, and data located in a process address space cannot be address-translated.
Summary of the invention
The present invention, in order to overcome the shortcomings of the prior art, provides a method that translates kernel virtual addresses to physical addresses using the pointer to the highest-level page table of the kernel process address space of the Mac OS system, and that, on the basis of this address translation, obtains the kernel symbol table and string table information from the physical memory image file and further obtains the pointer to the highest-level page table of each task in the system and the thread details.
In the Mac OS system the mapping from virtual to physical addresses uses four-level paging. From the description of that scheme it follows that virtual addresses can be translated to physical addresses as soon as the position of the highest-level page table in the physical memory image file is known. Therefore, in the analysis of a physical memory image file, the translation of virtual to physical addresses can be achieved by obtaining the pointer to the highest-level page table.
The physical memory image file analysis method for a Mac OS system according to the invention is characterized by the following steps: a. from the physical memory image file of the Mac OS system, determine the system version information, and from it the pointer to the highest-level page table of the kernel process address space; this page table is used to translate kernel virtual addresses to physical addresses; b. obtain the kernel symbol table and string table: find the virtual addresses of the kernel symbol table and string table through the copy of the kernel image file in the physical memory image file, and by analyzing the two tables obtain the kernel variable names and their values, which are used to obtain the system configuration information, mounted file system information, process information and driver information contained in the physical memory image file; c. obtain the pointer to the highest-level page table of each task in the system; the highest-level page table of each task obtained here translates not only kernel virtual addresses but also the virtual addresses of every other process address space to physical addresses.
In step a, the operating system version information is obtained from the memory image file in order to determine, from that version, the pointer to the highest-level page table of the kernel process address space needed for translating kernel virtual addresses to physical addresses. In step b, the kernel symbol table and string table are obtained by analyzing the copy of the kernel image file in the physical memory image file; from them the kernel variable names and values are obtained, and finally the system configuration information, mounted file system information, process information and driver information. In step c, the pointer to the highest-level page table of each task translates the virtual addresses of the corresponding process address space to physical addresses, from which the corresponding process information is obtained. Step a translates kernel virtual addresses to physical addresses through the pointer to the highest-level page table of the kernel process address space; the pointer here is the start position, in the physical memory image file, of the highest-level page table of the kernel process address space. In step b, once address translation is available, the copy of the kernel image file is found in the memory image file, the start positions of the kernel symbol table and kernel string table in the physical memory image file are obtained from it, the two tables are analyzed to obtain the kernel variable names and values, and from these the system configuration information, mounted file system information, process information and driver information are obtained. In step c, the pointer to the highest-level page table of each task in the system and the thread details are obtained, so that the memory image file is analyzed more completely.
In step a of the method, because the operating system version information is stored in a file named SystemVersion.plist, the physical memory image file is searched according to the characteristics of that file, the SystemVersion.plist file is found in the physical memory image file and the system version information is read from it. For an operating system of version Mac OS X 10.5, the pointer to the highest-level page table of the kernel process address space has the value 0x104800, that is, the highest-level page table of the kernel process address space is located at offset 0x104800 of the physical memory image file; for version Mac OS X 10.6 the pointer value is 0x100000, that is, the highest-level page table of the kernel process address space is located at offset 0x100000 of the physical memory image file.
In step b of the method, the kernel symbol table and string table are obtained by the following steps: b-1. Determine the position of the kernel image file in the physical memory image file: for version Mac OS X 10.5 the kernel image file is located at offset 0x111000 of the physical memory image file; for version Mac OS X 10.6 it is located at offset 0x200000 of the physical memory image file. b-2. Find the position of the copy of the kernel image file in the physical memory image file. The difference between the kernel image file and its copy is that the value of vmaddr recorded for the __LINKEDIT segment differs between the two files, so the copy is found as follows: in the physical memory image file, take the contents from the position of the kernel image file up to the __LINKEDIT field and copy that section; then search downwards in the memory image file for the position where this section occurs again; that position is the position of the copy of the kernel image file in the physical memory image file. Once the copy of the kernel image file is found, proceed to the next step. b-3. First, starting from the position of the kernel image file copy in the physical memory image file, read the values of the two variables vmaddr and fileoff recorded for the __LINKEDIT segment of the copy, and read the values of the two variables symoff and stroff recorded in the load command of type LC_SYMTAB; then compute the virtual address of the kernel symbol table as symvaddr = vmaddr + symoff - fileoff and the virtual address of the kernel string table as straddr = vmaddr + stroff - fileoff; finally, use the pointer to the highest-level page table of the kernel process address space obtained in step a to translate these kernel virtual addresses to physical addresses, giving the physical address of the symbol table and the physical address of the string table.
In step b-1, for a physical memory image file of operating system version Mac OS X 10.5 the kernel image file is located at offset 0x111000 of the physical memory image file, and for Mac OS X 10.6 at offset 0x200000; for different versions the kernel image file is found at different positions of the physical memory image file. In step b-2 the position of the kernel image file copy in the memory image file is obtained through the relation between the kernel image file and its copy. In step b-3 the virtual addresses of the kernel symbol table and kernel string table are obtained by reading the values of vmaddr, fileoff, symoff and stroff; after the pointer to the highest-level page table of the kernel process address space obtained in step a has been used to translate these kernel virtual addresses to physical addresses, the kernel variable names and their values can be obtained, and the system configuration information, mounted file system information, process information and driver information can be read and analyzed.
In step c of the method, the pointers to the highest-level page table of each task in the system are obtained in turn by the following steps: c-1. Search the kernel symbol table obtained in step b for the value corresponding to the kernel variable kernproc; use this value as an offset, seek to that offset in the physical memory image file and read the four bytes starting there; these data are the virtual address of the proc structure of the first process in the system. Translate this address to a physical address, record it as lastProcAddr, use the physical address as an offset into the physical memory image file and obtain the proc structure of the first process in the system. c-2. Read the 4 bytes at offset 0x0c of the obtained proc structure; these data are the virtual address of the task structure. c-3. Translate the virtual address obtained in the previous step to a physical address, use it as an offset into the physical memory image file and obtain the task structure; read the four bytes at offset 0x14 of the task structure, which are the virtual address of the vm_map structure. c-4. Translate the virtual address of the vm_map structure to a physical address, use it as an offset into the physical memory image file and obtain the vm_map structure; read the four bytes at offset 0x2c of the vm_map structure, which are the virtual address of the pmap structure. c-5. Translate the virtual address of the pmap structure to a physical address, use it as an offset into the physical memory image file and obtain the pmap structure; read the four-byte value at offset 0x54 of this structure, which is the pointer to the highest-level page table of the task corresponding to this process. c-6. Return to the physical address lastProcAddr of the proc structure obtained before, use it as an offset into the physical memory image file to reach the proc structure of the process just analyzed, and read the 4 bytes at offset 0x04 of this structure, which are the virtual address of the proc structure of the next process running in the system. c-7. Check whether the virtual address obtained in step c-6 is 0; if it is 0, obtaining the highest-level page table pointers of all tasks in the system is finished; otherwise execute step c-8. c-8. Translate the virtual address obtained in step c-6 to a physical address, record it as lastProcAddr, use it as an offset into the physical memory image file to obtain the proc structure of this process, and jump back to step c-2.
In step c-1, the virtual address of the proc structure of the first process is first obtained from the value of the kernel variable kernproc and, after translation to a physical address, the proc structure of the first process is obtained. Step c-2 obtains the virtual address of the task structure from the proc structure; step c-3 obtains the virtual address of the vm_map structure from the task structure; step c-4 obtains the virtual address of the pmap structure from the vm_map structure; step c-5 obtains, at offset 0x54 of the pmap structure, the pointer to the highest-level page table of the task corresponding to the process, translates virtual addresses to physical addresses through this highest-level page table, and thus obtains the corresponding process information. Step c-6 obtains the virtual address of the proc of the next process; step c-7 checks that address: if it is 0 the traversal is complete, otherwise it continues; step c-8, when the virtual address of the next proc is not 0, jumps to step c-2 and continues.
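An added example (not the patent's code) covering step a, the four-level address translation of Figs. 3 and 4, and step c: it finds the version string of SystemVersion.plist, maps it to the top page table pointer the description gives, walks PML4/PDPT/PD/PT (2 MB pages via the PS bit, 4 KB pages otherwise) and follows proc +0x0c, task +0x14, vm_map +0x2c, pmap +0x54 and proc +0x04 until the next pointer is zero. The image, the 32-bit structure contents and the kernproc slot are constructed; the structure offsets and the reading of the kernproc value directly as an image offset are taken from the description as written, not checked against a real kernel.

```python
import re
import struct

PRESENT = 0x1
PS = 0x80                                    # bit 7 of a PD entry: 2 MB page (Fig. 4) rather than a PT (Fig. 3)
ADDR_MASK = 0x000FFFFFFFFFF000               # physical frame bits of a PAE / long-mode entry
TOP_TABLE_BY_VERSION = {"10.5": 0x104800, "10.6": 0x100000}   # pointer values stated in the description

class PhysImage:
    """Reader over a raw physical memory image: file offset == physical address."""
    def __init__(self, data):
        self.data = data
    def u32(self, off):
        return struct.unpack_from("<I", self.data, off)[0]
    def u64(self, off):
        return struct.unpack_from("<Q", self.data, off)[0]

def detect_version(img):
    """Step a: find the SystemVersion.plist text and map the version to the top page table pointer."""
    m = re.search(rb"<key>ProductUserVisibleVersion</key>\s*<string>([^<]+)</string>", img.data)
    if m is None:
        return None
    version = m.group(1).decode("ascii")
    return version, TOP_TABLE_BY_VERSION.get(".".join(version.split(".")[:2]))

def translate(img, top_table, vaddr):
    """Four-level walk PML4 -> PDPT -> PD -> PT starting at the physical address top_table.
    Returns the physical address, or None when an entry on the path is not present."""
    table = top_table
    for shift in (39, 30, 21):
        entry = img.u64(table + ((vaddr >> shift) & 0x1FF) * 8)
        if not entry & PRESENT:
            return None
        if shift == 21 and entry & PS:             # 2 MB page: low 21 bits come from vaddr
            return (entry & ADDR_MASK & ~0x1FFFFF) | (vaddr & 0x1FFFFF)
        table = entry & ADDR_MASK
    entry = img.u64(table + ((vaddr >> 12) & 0x1FF) * 8)
    if not entry & PRESENT:
        return None
    return (entry & ADDR_MASK) | (vaddr & 0xFFF)  # 4 KB page: low 12 bits come from vaddr

def deref(img, top_table, vaddr):
    """Translate a structure pointer, failing loudly if it is unmapped."""
    phys = translate(img, top_table, vaddr)
    if phys is None:
        raise ValueError("virtual address 0x%x is not mapped" % vaddr)
    return phys

def walk_tasks(img, top_table, kernproc_off):
    """Step c: the 4 bytes at kernproc_off are the virtual address of the first proc; follow
    proc +0x0c -> task, task +0x14 -> vm_map, vm_map +0x2c -> pmap, pmap +0x54 -> top page table,
    then proc +0x04 -> next proc until it is 0. Returns [(proc physical address, task top table)]."""
    result = []
    vaddr = img.u32(kernproc_off)
    while vaddr != 0:
        proc = deref(img, top_table, vaddr)
        task = deref(img, top_table, img.u32(proc + 0x0c))
        vm_map = deref(img, top_table, img.u32(task + 0x14))
        pmap = deref(img, top_table, img.u32(vm_map + 0x2c))
        result.append((proc, img.u32(pmap + 0x54)))
        vaddr = img.u32(proc + 0x04)
    return result

def build_sample_image():
    """Constructed image (not a real dump) laid out like a 10.6 file: top table at 0x100000, PDPT 0x101000,
    PD 0x102000, PT 0x103000, two proc chains at 0x105000/0x106000, kernproc slot 0x107000, plist at 0x108000."""
    img = bytearray(0x110000)
    def put32(off, v): struct.pack_into("<I", img, off, v)
    def put64(off, v): struct.pack_into("<Q", img, off, v)
    put64(0x100000, 0x101000 | 0x3)               # PML4[0] -> PDPT
    put64(0x101000, 0x102000 | 0x3)               # PDPT[0] -> PD
    put64(0x102000 + 1 * 8, 0x000000 | 0x83)      # PD[1]: 2 MB page, virt 0x200000.. -> phys 0..
    put64(0x102000 + 2 * 8, 0x103000 | 0x3)       # PD[2] -> PT
    put64(0x103000 + 0 * 8, 0x105000 | 0x3)       # PT[0]: virt 0x400000 -> phys 0x105000
    put64(0x103000 + 1 * 8, 0x106000 | 0x3)       # PT[1]: virt 0x401000 -> phys 0x106000
    chains = ((0x105000, 0x00400000, 0x00401000, 0x100000),   # phys, virt, next proc, top table
              (0x106000, 0x00401000, 0x00000000, 0x10A000))   # second top table value is made up
    for phys, virt, nxt, top in chains:
        put32(phys + 0x04, nxt)                   # proc: next proc (virtual)
        put32(phys + 0x0c, virt + 0x100)          # proc: task (virtual)
        put32(phys + 0x100 + 0x14, virt + 0x200)  # task: vm_map (virtual)
        put32(phys + 0x200 + 0x2c, virt + 0x300)  # vm_map: pmap (virtual)
        put32(phys + 0x300 + 0x54, top)           # pmap: top page table pointer (physical)
    put32(0x107000, 0x00400000)                   # kernproc slot: virtual address of the first proc
    plist = b"<key>ProductUserVisibleVersion</key>\n\t<string>10.6.4</string>"
    img[0x108000:0x108000 + len(plist)] = plist
    return PhysImage(bytes(img))
```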
The beneficial effects of the invention are as follows: (1) The physical memory image file analysis method for a Mac OS system disclosed by the invention is more reliable and efficient; the way the kernel symbol table and string table are obtained effectively avoids the situation in the prior art where, because of the many FAT files, the position of the kernel image file header in the physical memory image file cannot be determined. (2) In the method of the invention, kernel virtual addresses are translated to physical addresses by determining the pointer to the highest-level page table of the kernel process address space, which overcomes the defect of the existing method that kernel virtual addresses cannot be translated to valid physical addresses. (3) In the method of the invention, the pointer to the highest-level page table of each task in the system is obtained, so that not only kernel virtual addresses but also the virtual addresses of the other process address spaces in the system can be translated to physical addresses. (4) The invention obtains the virtual addresses of the kernel symbol table and string table by analyzing the copy of the kernel image file in the physical memory image file, then uses the highest-level page table of the kernel process address space already obtained to translate these virtual addresses to physical addresses, and so obtains the kernel variable names and their values easily. (5) The range of applicable operating system versions is wider: the method of the invention can analyze physical memory image files of both Mac OS X 10.5 and Mac OS X 10.6.
Brief description of the drawings
Fig. 1 is the flow chart of the physical memory image file analysis method for a Mac OS system according to the invention;
Fig. 2 is the image of the SystemVersion.plist file in memory according to the invention;
Fig. 3 is the schematic diagram of address translation with a page size of 4KB according to the invention;
Fig. 4 is the schematic diagram of address translation with a page size of 2MB according to the invention;
Fig. 5 is the flow chart of the method for obtaining the pointer to the highest-level page table of each task;
Fig. 6 is the flow chart of the method for obtaining thread information.
Embodiment
The invention will be further described below in conjunction with accompanying drawing and embodiment.
As shown in Figure 1, provided the process flow diagram of the physical memory image file analytical approach of Mac OS of the present invention system, its flow process according to " the kernel address conversion---is sought Kernel Symbol Table---acquisition of information " is carried out.Because for the mac machine that the different operating system version is installed, it points to the pointer value difference of the highest page table of kernel process address space, the different mac machines of same version operating system are installed, and its pointer value of pointing to the highest page table of kernel process address space is identical.Be the physical memory image file of Mac OS X 10.5 for operating system version, its pointer value of pointing to the highest page table of kernel process address space is 0x104800, be the physical memory image file of Mac OS X 10.6 for operating system version, its pointer value of pointing to the highest page table of kernel process address space is 0x100000.Therefore, the prerequisite of realization address translation is exactly to determine operating system version.As shown in Figure 1, the physical memory image file analytical approach of Mac OS of the present invention system, at first to obtain operating system version information, and then obtain the pointer of the highest page table of kernel process address space, realize virtual address to the conversion method of physical address according to the highest page table that obtains again, and then obtain Kernel Symbol Table; The fileinfo that pointer, thread information, the process that last Kernel Symbol Table according to obtaining obtains the highest page table of each task in the pointing system opened, activation bit etc.Its concrete step can realize by following three concrete steps:
A. from the physical memory image file of Mac OS system, judge system version information, and then definite pointer that points to the highest page table of kernel process address space, the highest page table of kernel process address space is used for realizing that kernel virtual address is to the conversion of physical address; B. obtain Kernel Symbol Table and string table, find the virtual address of Kernel Symbol Table and string table by the copy of kernel image file in the physical memory image file, can obtain kernel variable name and corresponding variate-value thereof by analysis kernel symbol table and string table, kernel variable name and corresponding value thereof are used for obtaining the system configuration information that the physical memory image file comprises, filesystem information, progress information and the activation bit of carry; C. obtain the pointer of the highest page table of each task in the pointing system, the highest page table of each task that herein obtains not only can be realized kernel process address space virtual address to the conversion of physical address, can also realize that other process address space virtual addresses except kernel process are to the conversion of physical address.
Wherein, for step a, as shown in Figure 2, provided the mapping graph of SystemVersion.plist file in the physical memory image file, the mode that adopts keyword search in the physical memory image file searching key word "<key〉ProductName</key ", according to the content between the character string of closelying follow thereafter "<string〉" and "</string〉", can obtain OS name, continue down searching key word "<key〉ProductUserVisibleVersion</key ", content according between the character string of closelying follow thereafter "<string〉" and "</string〉" can obtain operating system version; Be the physical memory image file of Mac OS X 10.5 for operating system version, its pointer value of pointing to the highest page table in the kernel process address space is 0x104800, be the physical memory image file of Mac OS X 10.6 for operating system version, its pointer value of pointing to the highest page table in kernel process address space is 0x100000.
For step b, the kernel symbol table and string table are obtained by the following steps. b-1. Determine the position of the kernel image file in the physical memory image file: for version Mac OS X 10.5, the kernel image file is located at offset 0x111000 of the physical memory image file; for version Mac OS X 10.6, at offset 0x200000. b-2. Find the position of the copy of the kernel image file in the physical memory image file. The kernel image file and its copy differ in the value of vmaddr recorded in the __LINKEDIT segment of the two files. The copy is therefore located as follows: starting from the position of the kernel image file in the physical memory image file, copy the content up to and including the field __LINKEDIT; then search downward in the memory image file for the position where this content occurs again. That position is the position of the copy of the kernel image file in the physical memory image file. Once the copy has been found, proceed to the next step.
b-3. First, starting from the position of the kernel image file copy in the physical memory image file, read the values of the two variables vmaddr and fileoff recorded in the __LINKEDIT segment of the copy, and read the values of the two variables symoff and stroff recorded in the load command of type LC_SYMTAB. Then compute the virtual addresses of the kernel symbol table and kernel string table as symvaddr = vmaddr + symoff - fileoff and straddr = vmaddr + stroff - fileoff respectively. Finally, using the kernel-virtual-to-physical address translation method of step a, obtain the physical address of the symbol table and the physical address of the string table.
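Steps b-2 and b-3 as an added Python example (not code from the patent). It assumes a 32-bit Mach-O kernel (LC_SEGMENT load commands), consistent with the 4-byte kernel pointers the description reads elsewhere; the kernel image is a constructed minimal Mach-O carrying only a __LINKEDIT segment command and an LC_SYMTAB command, and the copy offset 0x180000 and all vmaddr/fileoff/symoff/stroff values are constructed test data. Only the 0x111000 kernel offset comes from the description:

```python
import struct

MH_MAGIC = 0xFEEDFACE          # 32-bit Mach-O (assumption, see lead-in)
LC_SEGMENT = 0x1
LC_SYMTAB = 0x2
MACHO_HEADER_SIZE = 28         # struct mach_header: 7 uint32 fields
SEGNAME_LINKEDIT = b"__LINKEDIT"

# Kernel image offset per version, as given in step b-1.
KERNEL_IMAGE_OFFSET = {"10.5": 0x111000, "10.6": 0x200000}


def build_minimal_macho(vmaddr, fileoff, symoff, stroff):
    """Constructed stand-in for a kernel image: header, one __LINKEDIT segment
    command and one LC_SYMTAB command (test data, not a real kernel)."""
    seg = struct.pack("<II16sIIIIiiII", LC_SEGMENT, 56, SEGNAME_LINKEDIT.ljust(16, b"\0"),
                      vmaddr, 0x10000, fileoff, 0x10000, 7, 1, 0, 0)
    symtab = struct.pack("<6I", LC_SYMTAB, 24, symoff, 16, stroff, 256)
    header = struct.pack("<7I", MH_MAGIC, 7, 3, 2, 2, len(seg) + len(symtab), 0)
    return header + seg + symtab


def find_kernel_copy(image, kernel_off):
    """Step b-2: copy the kernel image prefix up to and including the __LINKEDIT
    segment name, then find where that prefix occurs again further down the image."""
    name_pos = image.find(SEGNAME_LINKEDIT, kernel_off)
    if name_pos < 0:
        return -1
    prefix = image[kernel_off:name_pos + len(SEGNAME_LINKEDIT)]
    return image.find(prefix, kernel_off + 1)


def symbol_table_vaddrs(image, copy_off):
    """Step b-3: read vmaddr/fileoff of __LINKEDIT and symoff/stroff of LC_SYMTAB
    from the load commands at copy_off and return (symvaddr, straddr)."""
    magic, _, _, _, ncmds, _, _ = struct.unpack_from("<7I", image, copy_off)
    if magic != MH_MAGIC:
        raise ValueError("no 32-bit Mach-O header at copy offset")
    vmaddr = fileoff = symoff = stroff = None
    pos = copy_off + MACHO_HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, pos)
        if cmd == LC_SEGMENT:
            segname, seg_vmaddr, _, seg_fileoff = struct.unpack_from("<16sIII", image, pos + 8)
            if segname.rstrip(b"\0") == SEGNAME_LINKEDIT:
                vmaddr, fileoff = seg_vmaddr, seg_fileoff
        elif cmd == LC_SYMTAB:
            symoff, _, stroff, _ = struct.unpack_from("<4I", image, pos + 8)
        pos += cmdsize
    if None in (vmaddr, fileoff, symoff, stroff):
        raise ValueError("__LINKEDIT or LC_SYMTAB missing from load commands")
    return vmaddr + symoff - fileoff, vmaddr + stroff - fileoff


def build_sample_image():
    """Constructed image: the original kernel at the 10.5 offset and its copy,
    which differs only in the __LINKEDIT vmaddr, placed further down."""
    image = bytearray(0x190000)
    original = build_minimal_macho(vmaddr=0x00A00000, fileoff=0x00900000,
                                   symoff=0x00901000, stroff=0x00905000)
    copy = build_minimal_macho(vmaddr=0x01A00000, fileoff=0x00900000,
                               symoff=0x00901000, stroff=0x00905000)
    image[0x111000:0x111000 + len(original)] = original
    image[0x180000:0x180000 + len(copy)] = copy
    return bytes(image)
```

Because the search prefix ends at the segment name, it is identical in the original and the copy while the vmaddr that follows is not, which is exactly why the description stops copying at __LINKEDIT.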
The Mac machine uses PAE-enabled paging in IA-32e mode, which has two address translation modes; Figures 3 and 4 show the address translation diagrams for page sizes of 4KB and 2MB respectively. In IA-32e mode, unlike PAE-enabled protected mode, virtual-to-physical address translation uses a 4-level paging structure. The method of step a for translating kernel virtual addresses to physical addresses through the top-level page table of the kernel process address space is described in detail below with reference to Figures 3 and 4:
a-1. Taking Mac OS X 10.5 as an example, the pointer to the top-level page table of the kernel process address space has the value 0x104800; locate offset 0x104800 of the memory image file to find the top-level page table of the kernel process address space;
a-2. Using bits 47-39 of the virtual address to be translated as the index, select the entry that points to the page directory pointer table; the value of this entry & 0xFFFFF000 is the pointer to the page directory pointer table;
a-3. Locate the position this pointer points to in the memory image file to obtain the page directory pointer table; using bits 38-30 of the virtual address to be translated as the index, select the entry that points to the page directory; this entry & 0xFFFFF000 is the pointer to the page directory;
a-4. Locate the position this pointer points to in the memory image file to obtain the page directory. Using bits 29-21 of the virtual address to be translated as the index, select the corresponding page directory entry;
a-5. Check the most significant bit of the first byte of the page directory entry obtained in step a-4. If it is "1", large page mode is in use: translate the address as shown in Figure 4 and execute step a-6. If it is "0", the entry points to a page table: translate as shown in Figure 3 and execute step a-7;
a-6. Bits 20-0 of the virtual address to be translated are the offset of the physical address within the page, denoted offset1; physical address = (page directory entry obtained in step a-4 & 0xFFFFF000) + offset1, as shown in Figure 4;
a-7. First, the pointer to the page table = (page directory entry obtained in step a-4 & 0xFFFFF000); locate the position this pointer points to in the memory image file to obtain the page table. Using bits 20-12 of the virtual address to be translated as the index, select the corresponding page table entry; this page table entry & 0xFFFFF000 is the base address of the page containing the physical address. Then bits 11-0 of the virtual address to be translated are the offset of the physical address within the page, denoted offset2; physical address = page base address + offset2. In summary, steps a-2, a-3 and a-4 yield the page directory entry, and step a-5 determines the translation mode from the most significant bit of the first byte of that entry: "1" means large page mode, "0" means small page mode, in which case the page directory entry points to a page table, as shown in Figure 3.
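The 4-level walk of steps a-1 to a-7 as an added Python example (not code from the patent). It follows the description's bit fields and its 0xFFFFF000 mask exactly as given, so it assumes page frames below 4 GB; it adds a present-bit check, which the description does not mention, so that an unmapped address yields None instead of a walk through an empty table. The top-level table sits at the 10.5 offset 0x104800 from the description; the lower table positions, the sample virtual addresses and the mapped frames are constructed test data:

```python
import struct

ENTRY_MASK = 0xFFFFF000   # frame mask used throughout the description
PS_BIT = 1 << 7           # most significant bit of the entry's first byte: large page
PRESENT_BIT = 1 << 0      # added check: a clear present bit means the address is unmapped


def read_entry(image, table_pa, index):
    """Read the 8-byte little-endian entry `index` of the paging table at `table_pa`."""
    return struct.unpack_from("<Q", image, table_pa + index * 8)[0]


def virt_to_phys(image, top_table_pa, va):
    """Translate `va` with the 4-level walk of steps a-1 to a-7.
    Returns the physical address, or None when a level is not present."""
    pml4e = read_entry(image, top_table_pa, (va >> 39) & 0x1FF)        # a-2, bits 47-39
    if not pml4e & PRESENT_BIT:
        return None
    pdpte = read_entry(image, pml4e & ENTRY_MASK, (va >> 30) & 0x1FF)  # a-3, bits 38-30
    if not pdpte & PRESENT_BIT:
        return None
    pde = read_entry(image, pdpte & ENTRY_MASK, (va >> 21) & 0x1FF)    # a-4, bits 29-21
    if not pde & PRESENT_BIT:
        return None
    if pde & PS_BIT:                                                   # a-5: "1" -> large page
        return (pde & ENTRY_MASK) + (va & 0x1FFFFF)                    # a-6: offset1 = bits 20-0
    pte = read_entry(image, pde & ENTRY_MASK, (va >> 12) & 0x1FF)      # a-7: bits 20-12
    if not pte & PRESENT_BIT:
        return None
    return (pte & ENTRY_MASK) + (va & 0xFFF)                           # a-7: offset2 = bits 11-0


# Constructed layout: top-level table at the description's 10.5 offset; the other
# table positions, virtual addresses and frames are chosen for the test.
TOP_TABLE_PA, PDPT_PA, PD_PA, PT_PA = 0x104800, 0x10A000, 0x10B000, 0x10C000
VA_SMALL = 0x00123456      # PD index 0, PT index 0x123, offset2 0x456
VA_LARGE = 0x00600789      # PD index 3 (2 MB page), offset1 0x000789
VA_UNMAPPED = 0x00800000   # PD index 4, left empty


def build_sample_image():
    """Constructed memory image containing one 4 KB and one 2 MB mapping."""
    image = bytearray(0x110000)

    def set_entry(table_pa, index, value):
        struct.pack_into("<Q", image, table_pa + index * 8, value)

    set_entry(TOP_TABLE_PA, 0, PDPT_PA | 0x3)        # present + writable
    set_entry(PDPT_PA, 0, PD_PA | 0x3)
    set_entry(PD_PA, 0, PT_PA | 0x3)                 # small-page branch (PS clear)
    set_entry(PD_PA, 3, 0x00400000 | 0x83)           # PS set: 2 MB page at 0x400000
    set_entry(PT_PA, 0x123, 0x00ABC000 | 0x3)        # 4 KB page at 0xABC000
    return bytes(image)
```

Every table read is an offset into the image file, not a dereference, so a corrupt or truncated image surfaces as an unpack error or a None rather than as a wrong address silently carried forward.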
For obtaining the pointer to the top-level page table of each task in the system in step c, described with reference to Figure 5 of the drawings, the following steps are used: c-1. Look up the kernel symbol table obtained in step b and find the value corresponding to the kernel variable kernproc. Using this value as an offset, locate that offset in the physical memory image file and read the four bytes starting there; this is the virtual address of the proc structure of the first process in the system. Translate this address to a physical address and denote it lastProcAddr; using this physical address as an offset, locate that offset in the physical memory image file to obtain the proc structure of the first process in the system. c-2. Read the 4 bytes at offset 0x0c of the proc structure obtained; this is the virtual address of the task structure. c-3. Translate the virtual address obtained in the previous step to a physical address; using it as an offset, locate that offset in the physical memory image file to obtain the task structure. Read the four bytes at offset 0x14 of the task structure; this is the virtual address of the vm_map structure. c-4. Translate the virtual address of the vm_map structure to a physical address; using it as an offset, locate that offset in the physical memory image file to obtain the vm_map structure. Read the four bytes at offset 0x2c of the vm_map structure; this is the virtual address of the pmap structure. c-5. Translate the virtual address of the pmap structure to a physical address; using it as an offset, locate that offset in the physical memory image file to obtain the pmap structure. Read the four-byte value at offset 0x54 of this structure; this value is the pointer to the top-level page table of the task corresponding to this process running in the system. c-6. Return to the physical address lastProcAddr of the proc structure obtained earlier; using it as an offset, locate that offset in the physical memory image file to obtain the proc structure of the process just analyzed, and read the 4 bytes at offset 0x04 of this structure; this is the virtual address of the proc structure of the next process running in the system. c-7. Check whether the virtual address obtained in step c-6 is 0. If it is 0, the acquisition of the top-level page table pointers of all tasks in the system is finished; otherwise execute step c-8. c-8. Translate the virtual address obtained in step c-6 to a physical address and denote it lastProcAddr; using it as an offset, locate that offset in the physical memory image file to obtain the proc structure of this process, then jump back to step c-2.
That is, the four-byte value at offset 0x0c of the proc structure is the virtual address of the task structure; after translating it to a physical address, locating that value in the memory image file gives the task structure. The four-byte value at its offset 0x14 is the virtual address of the vm_map structure; after translating this pointer to a physical address, locating that value in the memory image file gives the vm_map structure. The four-byte value at its offset 0x2c is the virtual address of the pmap structure; after translating this pointer to a physical address, locating that value in the memory image file gives the pmap structure. The four-byte value recorded at its offset 0x54 is the pointer to the top-level page table of each task in the system that we need to obtain.
In step c, the detailed steps for obtaining thread information, described with reference to Figure 6 of the drawings, are:
c-2-1. Look up the kernel symbol table obtained in step c and find the value corresponding to the kernel variable kernproc. Using this value as an offset, locate that offset in the physical memory image file and read the four bytes starting there; this is the virtual address of the proc structure of the first process running in the system. Translate this address to a physical address and denote it lastProcAddr; using this physical address as an offset, locate that offset in the physical memory image file to obtain the proc structure of the first process running in the system;
c-2-2. Read the four bytes at offset 0x40 of the proc structure obtained; this is the virtual address of the uthread structure;
c-2-3. Translate the virtual address of the uthread structure to a physical address; using it as an offset, locate that offset in the physical memory image file to obtain the uthread structure. Read the four bytes at offset 0x104 of the uthread structure; this is the virtual address of the vfs_context structure;
c-2-4. Translate the virtual address of the vfs_context structure to a physical address; using it as an offset, locate that offset in the physical memory image file to obtain the vfs_context structure. Read the four bytes at offset 0x00 of the vfs_context structure; this is the virtual address of the thread structure;
c-2-5. Translate the virtual address of the thread structure to a physical address; using it as an offset, locate that offset in the physical memory image file to obtain the thread structure, which stores the basic information about the thread;
c-2-6. Return to the physical address lastProcAddr of the proc structure obtained in this analysis; using it as an offset, locate that offset in the physical memory image file to obtain the proc structure of the process in the system currently analyzed, and read the 4 bytes at offset 0x04 of this structure; this is the virtual address of the proc structure of the next process running in the system;
c-2-7. Check whether the virtual address obtained in step c-2-6 is 0; if it is 0, exit; otherwise execute step c-2-8;
c-2-8. Translate the virtual address obtained in step c-2-6 to a physical address and denote it lastProcAddr; using it as an offset, locate that offset in the physical memory image file to obtain the proc structure of this process, then jump back to step c-2-2.
That is, the four-byte value at offset 0x40 of the proc structure is the virtual address of the uthread structure; after translating it to a physical address, locating that value in the memory image file gives the uthread structure. The four-byte value at its offset 0x104 is the virtual address of the vfs_context structure; after translating it to a physical address, locating that value in the memory image file gives the vfs_context structure. The four-byte value at its offset 0x00 is the virtual address of the thread structure, which stores the basic information about the thread.
Therefore, through the method steps above, the pointer to the top-level page table of the kernel process address space, the pointers to the top-level page tables of all tasks in the system, and the thread details can be obtained.
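The two proc-list walks of step c (c-1 to c-8, yielding each task's top-level page table pointer, and c-2-1 to c-2-8, yielding each process's thread structure) as one added Python example, since both follow the same pattern of translating a 4-byte kernel pointer and reading the next field. This is not code from the patent. It assumes a virtual-to-physical translation function such as the one produced by step a, passed in as v2p; the constructed test stands it in with a fixed linear offset (VA = PA + 0x10000000), and the kernproc offset 0x100 and all structure addresses are constructed. Only the field offsets (0x04, 0x0c, 0x14, 0x2c, 0x54, 0x40, 0x104, 0x00) come from the description:

```python
import struct

# Structure field offsets as given in the description (4-byte kernel pointers).
PROC_NEXT, PROC_TASK, PROC_UTHREAD = 0x04, 0x0C, 0x40
TASK_MAP, VM_MAP_PMAP, PMAP_TOP_TABLE = 0x14, 0x2C, 0x54
UTHREAD_VFS_CONTEXT, VFS_CONTEXT_THREAD = 0x104, 0x00


def read_u32(image, pa):
    """Read a little-endian 4-byte value at physical offset `pa` of the image."""
    return struct.unpack_from("<I", image, pa)[0]


def read_chain(image, v2p, struct_pa, offsets):
    """Follow a chain of kernel pointers: for every offset but the last, read the
    pointer at struct_pa+offset and translate it to the next structure's physical
    address; return the 4-byte value found at the last offset."""
    for off in offsets[:-1]:
        struct_pa = v2p(read_u32(image, struct_pa + off))
    return read_u32(image, struct_pa + offsets[-1])


def walk_processes(image, v2p, kernproc_pa):
    """Iterate the proc list from kernproc (steps c-1..c-8 / c-2-1..c-2-8) and return,
    per process, its top-level page table pointer and its thread structure address.
    A visited set stops the walk on a corrupted or cyclic list, which the
    description's 0-terminator check alone would not catch."""
    results, seen = [], set()
    proc_va = read_u32(image, kernproc_pa)                  # c-1: first proc
    while proc_va != 0 and proc_va not in seen:            # c-7: 0 ends the list
        seen.add(proc_va)
        proc_pa = v2p(proc_va)                              # lastProcAddr
        top_table = read_chain(image, v2p, proc_pa,
                               (PROC_TASK, TASK_MAP, VM_MAP_PMAP, PMAP_TOP_TABLE))   # c-2..c-5
        thread_va = read_chain(image, v2p, proc_pa,
                               (PROC_UTHREAD, UTHREAD_VFS_CONTEXT, VFS_CONTEXT_THREAD))  # c-2-2..c-2-4
        results.append({"proc_va": proc_va, "top_table": top_table, "thread_va": thread_va})
        proc_va = read_u32(image, proc_pa + PROC_NEXT)       # c-6: next proc
    return results


# Constructed stand-in for the step-a translation: VA = PA + KERNEL_VA_BASE.
KERNEL_VA_BASE = 0x10000000
KERNPROC_PA = 0x100            # constructed value of the kernproc symbol


def sample_v2p(va):
    return va - KERNEL_VA_BASE


def build_sample_image():
    """Constructed image with two processes; the first uses the kernel's top-level
    table (0x104800 from the description), the second a constructed one."""
    image = bytearray(0x10000)
    va = lambda pa: pa + KERNEL_VA_BASE
    writes = [
        (KERNPROC_PA, 0x00, va(0x1000)),
        # process 1: proc 0x1000, task 0x3000, vm_map 0x5000, pmap 0x6000,
        #            uthread 0x4000, vfs_context 0x7000, thread 0x8000
        (0x1000, PROC_NEXT, va(0x2000)), (0x1000, PROC_TASK, va(0x3000)), (0x1000, PROC_UTHREAD, va(0x4000)),
        (0x3000, TASK_MAP, va(0x5000)), (0x5000, VM_MAP_PMAP, va(0x6000)), (0x6000, PMAP_TOP_TABLE, 0x00104800),
        (0x4000, UTHREAD_VFS_CONTEXT, va(0x7000)), (0x7000, VFS_CONTEXT_THREAD, va(0x8000)),
        # process 2 (last in list): proc 0x2000, task 0x9000, vm_map 0xB000, pmap 0xC000,
        #            uthread 0xA000, vfs_context 0xD000, thread 0xE000
        (0x2000, PROC_NEXT, 0), (0x2000, PROC_TASK, va(0x9000)), (0x2000, PROC_UTHREAD, va(0xA000)),
        (0x9000, TASK_MAP, va(0xB000)), (0xB000, VM_MAP_PMAP, va(0xC000)), (0xC000, PMAP_TOP_TABLE, 0x01F3A000),
        (0xA000, UTHREAD_VFS_CONTEXT, va(0xD000)), (0xD000, VFS_CONTEXT_THREAD, va(0xE000)),
    ]
    for pa, off, value in writes:
        struct.pack_into("<I", image, pa + off, value)
    return bytes(image)
```

With a real image, v2p is the step-a walk rooted at the kernel's top-level page table, and the top_table value collected for each process is what the description uses to translate that process's own user-space addresses.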

Claims (3)

1. A physical memory image file analysis method for a Mac OS system, characterized in that it comprises the following steps:
a. From the physical memory image file of the Mac OS system, determine the system version information and, from it, the pointer to the top-level page table of the kernel process address space; this top-level page table is used to translate kernel virtual addresses to physical addresses;
b. Obtain the kernel symbol table and string table: their virtual addresses are found through the copy of the kernel image file that the physical memory image file contains. Parsing the kernel symbol table and string table yields the kernel variable names and their values, which are used to obtain the system configuration information, mounted file system information, process information and driver information contained in the physical memory image file. Obtaining the kernel symbol table and string table comprises the following steps:
b-1. Determine the position of the kernel image file in the physical memory image file: for version Mac OS X 10.5, the kernel image file is located at offset 0x111000 of the physical memory image file; for version Mac OS X 10.6, at offset 0x200000;
b-2. Find the position of the copy of the kernel image file in the physical memory image file. The kernel image file and its copy differ in the value of vmaddr recorded in the __LINKEDIT segment of the two files. The copy is therefore located as follows: starting from the position of the kernel image file in the physical memory image file, copy the content up to and including the field __LINKEDIT; then search downward in the memory image file for the position where this content occurs again. That position is the position of the copy of the kernel image file in the physical memory image file. Once the copy has been found, proceed to the next step;
b-3. First, starting from the position of the kernel image file copy in the physical memory image file, read the values of the two variables vmaddr and fileoff recorded in the __LINKEDIT segment of the copy, and read the values of the two variables symoff and stroff recorded in the load command of type LC_SYMTAB. Then compute the virtual addresses of the kernel symbol table and kernel string table as symvaddr = vmaddr + symoff - fileoff and straddr = vmaddr + stroff - fileoff respectively. Finally, using the kernel-virtual-to-physical address translation method of step a, obtain the physical address of the symbol table and the physical address of the string table;
c. Obtain the pointer to the top-level page table of each task in the system. The top-level page table of each task obtained here translates not only virtual addresses of the kernel process address space to physical addresses, but also virtual addresses of the address spaces of processes other than the kernel process.
2. The physical memory image file analysis method for a Mac OS system according to claim 1, characterized in that, in step a, since the operating system version information is stored in a file named SystemVersion.plist, the physical memory image file is searched according to the characteristics of that file, the file named SystemVersion.plist is found in the physical memory image file, and the system version information is obtained from it. For version Mac OS X 10.5, the pointer to the top-level page table of the kernel process address space has the value 0x104800, that is, the top-level page table of the kernel process address space is located at offset 0x104800 of the physical memory image file; for version Mac OS X 10.6, the pointer to the top-level page table of the kernel process address space has the value 0x100000, that is, the top-level page table of the kernel process address space is located at offset 0x100000 of the physical memory image file.
3. The physical memory image file analysis method for a Mac OS system according to claim 1, characterized in that obtaining in turn the pointers to the top-level page tables of all tasks in the system in step c comprises the following steps:
c-1. Look up the kernel symbol table obtained in step b and find the value corresponding to the kernel variable kernproc. Using this value as an offset, locate that offset in the physical memory image file and read the four bytes starting there; this is the virtual address of the proc structure of the first process in the system. Translate this address to a physical address and denote it lastProcAddr; using this physical address as an offset, locate that offset in the physical memory image file to obtain the proc structure of the first process in the system;
c-2. Read the 4 bytes at offset 0x0c of the proc structure obtained; this is the virtual address of the task structure;
c-3. Translate the virtual address obtained in the previous step to a physical address; using it as an offset, locate that offset in the physical memory image file to obtain the task structure. Read the four bytes at offset 0x14 of the task structure; this is the virtual address of the vm_map structure;
c-4. Translate the virtual address of the vm_map structure to a physical address; using it as an offset, locate that offset in the physical memory image file to obtain the vm_map structure. Read the four bytes at offset 0x2c of the vm_map structure; this is the virtual address of the pmap structure;
c-5. Translate the virtual address of the pmap structure to a physical address; using it as an offset, locate that offset in the physical memory image file to obtain the pmap structure. Read the four-byte value at offset 0x54 of this structure; this value is the pointer to the top-level page table of the task corresponding to this process running in the system;
c-6. Return to the physical address lastProcAddr of the proc structure obtained earlier; using it as an offset, locate that offset in the physical memory image file to obtain the proc structure of the process just analyzed, and read the 4 bytes at offset 0x04 of this structure; this is the virtual address of the proc structure of the next process running in the system;
c-7. Check whether the virtual address obtained in step c-6 is 0. If it is 0, the acquisition of the top-level page table pointers of all tasks in the system is finished; otherwise execute step c-8;
c-8. Translate the virtual address obtained in step c-6 to a physical address and denote it lastProcAddr; using it as an offset, locate that offset in the physical memory image file to obtain the proc structure of this process, then jump back to step c-2.
CN 201110209546 2011-07-26 2011-07-26 Physical memory mirror image file analyzing method of Mac OS system Expired - Fee Related CN102279877B (en)

Publications (2)

Publication Number   Publication Date
CN102279877A (en)    2011-12-14
CN102279877B (en)    2013-03-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130313

Termination date: 20130726