5

So this might sound a little stupid but here I go.

Why can't we read physical memory as a simple file, like we can read the raw bits/bytes of any device file?

Assume you have root access or have solved any other permission-related issue.

Is there a way to read all the bits and bytes of the physical RAM from start to end and make a bitstream copy?

Thoughts?

Comments
  • 3
    I believe dump files are files you can read, not sure tho 🤔
  • 2
    Does this help you https://support.symantec.com/en_US/... ?
    It shows how to dump the contents of your memory to harddisk.
  • 0
    @dudeking

    There are some tools that do read RAM, but they still require an understanding of the memory map of each OS.

    I just can't help but think that at the end of the day it's just 0s and 1s. Why can't they simply be read and copied?
  • 0
    @possum

    Sounds promising. Will look into it :)
  • 5
    Does anyone remember PEEK and POKE?
  • 11
    Security issues and reserved areas.
    You may have root permissions, but your name isn't Colonel Desmond.

    Think: passwords, encryption keys, the kernel, etc. are all stored in memory. Allowing arbitrary processes unfettered read access to memory is a gigantic security hole. Segfaults exist for a reason!
  • 3
    This used to be the case until people realized they don't want the sensitive info stored in certain memory locations to be accessible by any program they just so happen to run.
  • 0
    @Root

    But LiME helps in taking a memory dump. It involves a few steps to get it to work but it reads entire RAM except reserved areas.

    So, what is it doing different here?
  • 4
    What do you want to do with the raw memory?

    A PC is not a small microcontroller with direct memory access. We're talking about process memory, virtual memory, various caches, processor prefetching and out-of-order execution. All of that affects the memory contents.

    Without the state and information of the OS and the running processes, the raw memory contents are just uninterpretable 0s and 1s.
  • 1
    @ddephor

    I wish to find traces of running software, services etc. Whatever I can find.

    Currently I can use LiME to get the memory dump and then use Volatility to achieve this task.

    But if LiME is just reading RAM, then why do I have to compile it for every different distribution?

    I suppose it could be because of how memory is mapped or something, but why does it matter to an acquisition tool?

    It just needs to read and get the raw data right?
  • 1
    I don't know LiME, but I assume it processes and arranges the memory based on the current system state for an analysis. The raw memory content would be much harder to use.

    Take a look at https://edn.com/design/...; this is just the cache architecture of an i7, and a lot of that is used mainly before main memory is even involved.
  • 1
    RAM isn't so easy. You have things paged out to swap, and with virtual memory enabled, you can't access RAM by physical address anymore. Essentially, you'd need to read the page tables to find out what virtual address maps to what physical address, etc. It's quite a process, and it requires ring 0 permissions.
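The "reserved areas" that several commenters mention are what makes a start-to-end copy impossible in practice: the physical address space is not one contiguous block of DRAM. On Linux the kernel publishes that layout in /proc/iomem, and an acquisition tool copies only the ranges labelled "System RAM", skipping holes that belong to PCI devices, the APICs, firmware tables and so on (reading those blindly is MMIO, not memory, and may fault or have side effects). The script below is an added example written for this thread, not LiME's code or anyone's code from the discussion. It parses the /proc/iomem text format from a constructed sample and works out which ranges a physical-memory dump would actually need to read, how much of the address space they cover, and which holes must be skipped. The sample layout is made up; on a live box, reading /proc/iomem without CAP_SYS_ADMIN gives you all-zero addresses, so the real file only helps when run as root.

```python
"""Work out which physical ranges a memory acquisition tool must copy.

Added example (not LiME's own code). Parses the text format of
/proc/iomem, e.g. "00100000-bffdffff : System RAM", where the end
address is inclusive and indentation marks sub-ranges of a parent.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed sample layout of a small VM; not taken from a real machine.
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : Reserved
000a0000-000bffff : PCI Bus 0000:00
000f0000-000fffff : Reserved
00100000-bffdffff : System RAM
  01000000-01a00fff : Kernel code
  01a01000-01e3cfff : Kernel rodata
bffe0000-bfffffff : Reserved
c0000000-febfffff : PCI Bus 0000:00
  fd000000-fdffffff : 0000:00:02.0
fec00000-fec003ff : IOAPIC 0
fee00000-fee00fff : Local APIC
fffc0000-ffffffff : Reserved
100000000-13fffffff : System RAM
"""

IOMEM_LINE = re.compile(r"^(\s*)([0-9a-fA-F]+)-([0-9a-fA-F]+)\s*:\s*(.+?)\s*$")


@dataclass
class Region:
    start: int
    end: int          # inclusive, exactly as the kernel prints it
    name: str
    depth: int        # 0 = top-level resource, 1 = child of the line above it

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def parse_iomem(text: str) -> list[Region]:
    """Turn /proc/iomem text into Region objects, keeping file order."""
    regions: list[Region] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = IOMEM_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised /proc/iomem line: {line!r}")
        indent, lo, hi, name = m.groups()
        regions.append(Region(int(lo, 16), int(hi, 16), name, len(indent) // 2))
    return regions


def system_ram_ranges(regions: list[Region]) -> list[Region]:
    """Top-level 'System RAM' entries: the only ranges backed by DRAM.

    Children such as 'Kernel code' are subdivisions of a parent RAM range
    and are already covered by it; everything else (Reserved, PCI BARs,
    APICs, firmware) is not memory and must not be read as if it were."""
    return [r for r in regions if r.depth == 0 and r.name == "System RAM"]


def holes(ram: list[Region]) -> list[tuple[int, int]]:
    """Inclusive address gaps between consecutive RAM ranges (what a dump skips)."""
    ordered = sorted(ram, key=lambda r: r.start)
    return [(a.end + 1, b.start - 1) for a, b in zip(ordered, ordered[1:])]


def dump_plan(text: str) -> tuple[list[Region], int, int]:
    """Return (ram ranges, bytes of RAM to copy, size of the whole address span)."""
    regions = parse_iomem(text)
    ram = system_ram_ranges(regions)
    total_ram = sum(r.size for r in ram)
    address_span = max(r.end for r in regions) + 1
    return ram, total_ram, address_span


if __name__ == "__main__":
    # Pass a path (e.g. /proc/iomem as root) to plan against a live layout.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IOMEM
    ram, total_ram, span = dump_plan(text)
    for r in ram:
        print(f"copy  {r.start:#012x}-{r.end:#012x}  ({r.size / 2**20:8.1f} MiB)")
    for lo, hi in holes(ram):
        print(f"skip  {lo:#012x}-{hi:#012x}  (not RAM)")
    print(f"{total_ram / 2**30:.2f} GiB of RAM inside a {span / 2**30:.2f} GiB address span")
```

Running it on the sample shows the point the thread circles around: the address span is 5 GiB but only about 4 GiB of it is RAM, split into three pieces with device and firmware holes between them, so "read from start to end" is neither correct nor safe. This layout is also why LiME is a kernel module rather than a userspace reader: walking the kernel's resource tree and mapping each physical page needs ring 0, and the structures involved differ between kernel builds, which is why it has to be compiled per distribution. The same restriction applies to the obvious userspace shortcut, since with CONFIG_STRICT_DEVMEM set (the default on mainstream distributions) /dev/mem refuses reads of System RAM even for root.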