Tool to decode the page tables and descriptor tables from a RAM snapshot

I need a practical way to analyze a snapshot of RAM+registers and easily visualize (not necessarily in a graphical way) the x86 architecture structures. This would include the page tables, interrupt descriptor tables, global descriptor table, etc.

Note that I'm not interested in OS specific information (e.g., process list, etc.), I'm just interested in the architectural structures.

Obviously one can just figure out the layout for all of these structures (and all versions) from the Intel documentation but I'm wondering if there is already any simple tool that decodes them.

asked Oct 14 '25 18:10 by John Lownid


1 Answer

There are several tools for memory forensics analysis listed in the forensicswiki at http://forensicswiki.org/wiki/Linux_Memory_Analysis (part of http://forensicswiki.org/wiki/Memory_analysis; there is also a variant for Windows). Some of the tools are open-source and active:

The output of a memory acquisition tool is a memory image which contains the raw physical memory of a system. A wide variety of tools can be used to search for strings or other patterns in a memory image, but to extract higher-level information about the state of the system a memory analysis tool is required.

Linux Memory Analysis Tools. Active Open Source Projects:

  • The Volatility Framework is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. See the LinuxMemoryForensics page on the Volatility wiki. (Availability/License: GNU GPL)
  • Rekall includes a Python-based analysis framework which forked from Volatility and has since added a number of features, as well as its own acquisition tools. It is usable as a library and is used as such in the GRR remote live forensics project.
  • The Red Hat Crash Utility is an extensible Linux kernel core dump analysis program. Although designed as a debugging tool, it also has been utilized for memory forensics. See, for example, the 2008 DFRWS challenge write-up by AAron Walters. (Availability/License: GNU GPL)

(Some inactive projects are also listed, and there is Bibliography)

For example, Volatility is capable of using the kernel and process "DTB (Directory Table Base)" (Windows), listing the pages of Linux processes (https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference#process-memory) and parsing the memory dump in other ways.

Rekall also has a GUI: http://www.rekall-forensic.com/pages/at_a_glance.html (pip install rekall-gui) and plugins for searching processes: http://www.rekall-forensic.com/docs/Manual/tutorial.html

The crash tool from David Anderson at Red Hat is not as universal as the two previous solutions, but it still knows how to parse Linux kernel dumps. It is documented in the command-line interface help and in a paper: http://people.redhat.com/anderson/crash_whitepaper/ "White Paper: Red Hat Crash Utility"

The Red Hat crash analysis utility is loosely based on the SVR4 UNIX crash command, but has been significantly enhanced by completely merging it with the GNU gdb debugger. The marriage of the two effectively combines the kernel-specific nature of the traditional UNIX crash utility with the source code level debugging capabilities of gdb. The utility can be used to investigate: Live Linux systems, Linux kernel core dumps created by the Kdump facility, Compressed Linux kernel core, ...

answered Oct 19 '25 13:10 by osgx
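As an added example that is not part of the answer above (nor code from any of the tools it lists), the following Python does the architectural part of what the question asks for: it walks the x86-64 4-level page tables and decodes the GDT straight from a raw physical-memory image, using the CR3 and GDTR values captured together with the snapshot. Everything in build_sample_image() is constructed for the example: the 64 KiB image, its page-table tree, the GDT entries and the register values; the function names are assumptions of this example, not any tool's API.

```python
"""Decode x86-64 page tables and the GDT from a raw physical-memory image.
The image and the register values come from build_sample_image(), a constructed
stand-in for a RAM+registers snapshot (not a real dump)."""
import struct

PTE_P, PTE_RW, PTE_US, PTE_PS, PTE_NX = 1 << 0, 1 << 1, 1 << 2, 1 << 7, 1 << 63
ADDR_MASK = 0x000F_FFFF_FFFF_F000          # bits 51:12 of an entry hold the next frame


def read_u64(mem, paddr):
    return struct.unpack_from("<Q", mem, paddr)[0]


def walk(mem, cr3, vaddr):
    """4-level walk PML4 -> PDPT -> PD -> PT (assumes CR4.LA57 is clear).
    Returns the physical address with the effective RW/US/NX bits, or the level
    and index at which a non-present entry stopped the walk."""
    table = cr3 & ADDR_MASK
    levels = (("PML4E", 39), ("PDPTE", 30), ("PDE", 21), ("PTE", 12))
    perms = PTE_RW | PTE_US                # RW/US are ANDed over all levels
    nx = False                             # NX is ORed over all levels
    for depth, (name, shift) in enumerate(levels):
        idx = (vaddr >> shift) & 0x1FF
        entry = read_u64(mem, table + idx * 8)
        if not entry & PTE_P:
            return {"present": False, "level": name, "index": idx}
        perms &= entry
        nx |= bool(entry & PTE_NX)
        # PS in a PDPTE maps a 1 GiB page, in a PDE a 2 MiB page; a PTE is 4 KiB
        if depth == 3 or (depth in (1, 2) and entry & PTE_PS):
            frame = entry & ADDR_MASK & ~((1 << shift) - 1)
            return {"present": True, "paddr": frame | (vaddr & ((1 << shift) - 1)),
                    "page_size": 1 << shift, "writable": bool(perms & PTE_RW),
                    "user": bool(perms & PTE_US), "nx": nx}
        table = entry & ADDR_MASK


SYSTEM_TYPES = {2: "LDT", 9: "TSS (available)", 11: "TSS (busy)",
                12: "call gate", 14: "interrupt gate", 15: "trap gate"}


def decode_gdt(mem, gdtr_base, gdtr_limit):
    """Decode descriptors in [GDTR.base, GDTR.base + GDTR.limit]. Code/data
    descriptors are 8 bytes; in 64-bit mode a present system descriptor (TSS,
    LDT) is 16 bytes with base bits 63:32 in the second qword, so it must be
    consumed as 16 bytes or every later selector is mis-aligned."""
    descs, off = [], 0
    while off + 8 <= gdtr_limit + 1:
        lo = read_u64(mem, gdtr_base + off)
        access, flags = (lo >> 40) & 0xFF, (lo >> 52) & 0xF
        present, s, typ = bool(access & 0x80), bool(access & 0x10), access & 0xF
        base = ((lo >> 16) & 0xFFFFFF) | (((lo >> 56) & 0xFF) << 24)
        limit = (lo & 0xFFFF) | (((lo >> 48) & 0xF) << 16)
        if flags & 8:                      # G: limit is in 4 KiB units
            limit = (limit << 12) | 0xFFF
        size = 8
        if present and not s:
            base |= (read_u64(mem, gdtr_base + off + 8) & 0xFFFFFFFF) << 32
            size = 16
        if lo == 0:
            kind = "null"
        elif s:
            kind = "code" if typ & 8 else "data"
        else:
            kind = SYSTEM_TYPES.get(typ, "system type %d" % typ)
        descs.append({"selector": off, "present": present, "dpl": (access >> 5) & 3,
                      "kind": kind, "base": base, "limit": limit,
                      "long": bool(flags & 2), "db": bool(flags & 4)})
        off += size
    return descs


def build_sample_image():
    """Constructed 64 KiB 'physical memory' plus the registers a snapshot tool
    would capture with it. Layout: PML4 @0x1000, kernel-half PDPT/PD/PT @0x2000..
    0x4000, data page @0x5000, GDT @0x6000, user-half PDPT/PD @0x7000/0x8000."""
    mem = bytearray(0x10000)
    put = lambda paddr, value: struct.pack_into("<Q", mem, paddr, value)
    put(0x1000 + 511 * 8, 0x2000 | PTE_P | PTE_RW)            # PML4[511] -> PDPT
    put(0x2000 + 510 * 8, 0x3000 | PTE_P | PTE_RW)            # PDPT[510] -> PD
    put(0x3000 + 0 * 8, 0x4000 | PTE_P | PTE_RW)              # PD[0]     -> PT
    put(0x4000 + 1 * 8, 0x5000 | PTE_P | PTE_NX)              # PT[1]: 4 KiB, read-only, NX
    put(0x1000 + 0 * 8, 0x7000 | PTE_P | PTE_RW | PTE_US)     # PML4[0]   -> user PDPT
    put(0x7000 + 1 * 8, 0x8000 | PTE_P | PTE_RW | PTE_US)     # PDPT[1]   -> user PD
    put(0x8000 + 3 * 8, 0x1_0000_0000 | PTE_PS | PTE_P | PTE_RW | PTE_US)  # 2 MiB page @4 GiB
    gdt = 0x6000
    put(gdt + 0x08, 0x00AF9A000000FFFF)                       # kernel code, 64-bit (L=1)
    put(gdt + 0x10, 0x00CF92000000FFFF)                       # kernel data
    put(gdt + 0x18, 0x00AFFA000000FFFF)                       # user code, DPL 3
    tss_base, tss_limit = 0xFFFF_8880_1234_5000, 0x67         # 16-byte TSS descriptor
    put(gdt + 0x20, (tss_limit & 0xFFFF) | ((tss_base & 0xFFFFFF) << 16)
        | (0x89 << 40) | (((tss_base >> 24) & 0xFF) << 56))
    put(gdt + 0x28, (tss_base >> 32) & 0xFFFFFFFF)
    return mem, {"cr3": 0x1000, "gdtr_base": gdt, "gdtr_limit": 0x2F}


if __name__ == "__main__":
    mem, regs = build_sample_image()
    for va in (0xFFFF_FFFF_8000_1234, 0x4060_0ABC, 0x1000):
        print(hex(va), walk(mem, regs["cr3"], va))
    for d in decode_gdt(mem, regs["gdtr_base"], regs["gdtr_limit"]):
        print(d)
```

The IDT is handled the same way from IDTR: 64-bit gate descriptors are 16 bytes, with the handler offset split across three fields and the IST index in the second qword. Two caveats before trusting the output on a real snapshot: check CR4.LA57 in the captured registers before assuming four levels, and treat a table address that lands outside the image (struct.unpack_from will raise) as a sign that the capture is incomplete or that the CR3 you have belongs to a different address space; the "DTB" Volatility reports is this same CR3 value.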