Tuesday, January 10, 2012

Dump file structure


32-bit dump header (ValidDump = 'DUMP'):

| Offset | Type | Field | Remarks |
|---|---|---|---|
| 0x000 | char | Signature[4] | 'PAGE' |
| 0x004 | char | ValidDump[4] | 'DUMP' |
| 0x008 | uint32 | MajorVersion | |
| 0x00c | uint32 | MinorVersion | Windows build no. |
| 0x010 | uint32 | DirectoryTableBase | |
| 0x014 | uint32 | PfnDataBase | |
| 0x018 | uint32 | PsLoadedModuleList | |
| 0x01c | uint32 | PsActiveProcessHead | |
| 0x020 | uint32 | MachineImageType | |
| 0x024 | uint32 | NumberProcessors | |
| ... | | | |
| 0x05c | char | PaeEnabled | |
| ... | | | |
| 0x064 | char | PhysicalMemoryBlockBuffer[700] | |
| ... | | | |
| 0xf88 | uint32 | DumpType | 1 = full dump, 2 = kernel dump (smaller) |
| ... | | | |
| 0xfa0 | int64 | RequiredDumpSpace | should equal the dump file size |
| ... | | | |
| 0xfb8 | int64 | SystemUpTime | measured in units of 100 ns |
| 0xfc0 | int64 | SystemTime | FILETIME |
| ... | | | |

This is copied from http://computer.forensikblog.de/en/2006/03/dmp_file_structure.html
 
64-bit dump header (ValidDump = 'DU64'):

| Offset | Type | Field | Remarks |
|---|---|---|---|
| 0x000 | char | Signature[4] | 'PAGE' |
| 0x004 | char | ValidDump[4] | 'DU64' |
| 0x008 | uint32 | MajorVersion | Windows build no. |
| 0x00c | uint32 | MinorVersion | |
| 0x010 | uint64 | DirectoryTableBase | |
| 0x018 | uint64 | PfnDataBase | |
| 0x020 | uint64 | PsLoadedModuleList | |
| 0x028 | uint64 | PsActiveProcessHead | |
| 0x030 | uint32 | MachineImageType | |
| 0x034 | uint32 | NumberProcessors | |
| ... | | | |
| 0x088 | char | PhysicalMemoryBlock[0x80] | |
| ... | | | |
| 0xf98 | uint32 | DumpType | 1 = full dump, 2 = kernel dump |
| ... | | | |
| 0xfa0 | int64 | SystemUpTime | measured in units of 100 ns |
| 0xfa8 | int64 | SystemTime | FILETIME |
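The two tables above are enough to write a small header reader for forensic triage. The following is an added example (not code from this post or from forensikblog): it decodes the listed fields from either the 32-bit 'DUMP' or the 64-bit 'DU64' header, converts SystemUpTime and the FILETIME SystemTime into readable values, and runs the sanity checks a practitioner wants before trusting a dump (DumpType is 1 or 2, and for the 32-bit header RequiredDumpSpace equals the file size, as the table remarks). The sample header it builds is constructed, not taken from a real crash dump; the field values in SAMPLE_VALUES, the IMAGE_FILE_MACHINE codes 0x14c (i386) and 0x8664 (AMD64) used for MachineImageType, and the 0x1000-byte header page size are assumptions of the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field layouts transcribed from the two tables above: (offset, struct format).
# '<' selects little-endian, which is what x86/x64 dumps use.
FIELDS_32 = {                       # ValidDump == 'DUMP'
    "MajorVersion":        (0x008, "<I"),
    "MinorVersion":        (0x00c, "<I"),
    "DirectoryTableBase":  (0x010, "<I"),
    "PfnDataBase":         (0x014, "<I"),
    "PsLoadedModuleList":  (0x018, "<I"),
    "PsActiveProcessHead": (0x01c, "<I"),
    "MachineImageType":    (0x020, "<I"),
    "NumberProcessors":    (0x024, "<I"),
    "PaeEnabled":          (0x05c, "<B"),
    "DumpType":            (0xf88, "<I"),
    "RequiredDumpSpace":   (0xfa0, "<q"),
    "SystemUpTime":        (0xfb8, "<q"),
    "SystemTime":          (0xfc0, "<q"),
}
FIELDS_64 = {                       # ValidDump == 'DU64'
    "MajorVersion":        (0x008, "<I"),
    "MinorVersion":        (0x00c, "<I"),
    "DirectoryTableBase":  (0x010, "<Q"),
    "PfnDataBase":         (0x018, "<Q"),
    "PsLoadedModuleList":  (0x020, "<Q"),
    "PsActiveProcessHead": (0x028, "<Q"),
    "MachineImageType":    (0x030, "<I"),
    "NumberProcessors":    (0x034, "<I"),
    "DumpType":            (0xf98, "<I"),
    "SystemUpTime":        (0xfa0, "<q"),
    "SystemTime":          (0xfa8, "<q"),
}
HEADER_SIZE = 0x1000                # assumption: both layouts fit in the first page

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_dump_header(buf):
    """Decode the header fields listed in the tables; raises on a bad signature."""
    if bytes(buf[0:4]) != b"PAGE":
        raise ValueError("bad Signature, not a Windows crash dump")
    tag = bytes(buf[4:8])
    layout = {b"DUMP": FIELDS_32, b"DU64": FIELDS_64}.get(tag)
    if layout is None:
        raise ValueError("unknown ValidDump tag %r" % tag)
    hdr = {"ValidDump": tag.decode("ascii")}
    for name, (off, fmt) in layout.items():
        hdr[name] = struct.unpack_from(fmt, buf, off)[0]
    # Derived, human-readable values
    hdr["SystemTimeUTC"] = filetime_to_datetime(hdr["SystemTime"])
    hdr["UpTime"] = timedelta(microseconds=hdr["SystemUpTime"] // 10)
    return hdr

def check_dump_header(hdr, file_size):
    """Consistency checks to run before trusting a dump.
    Returns a list of problems; an empty list means the header looks sane."""
    problems = []
    if hdr["DumpType"] not in (1, 2):
        problems.append("DumpType %d is neither 1 (full) nor 2 (kernel)" % hdr["DumpType"])
    if hdr["NumberProcessors"] == 0:
        problems.append("NumberProcessors is zero")
    # 32-bit header only: the table says RequiredDumpSpace should equal the file size
    if "RequiredDumpSpace" in hdr and hdr["RequiredDumpSpace"] != file_size:
        problems.append("RequiredDumpSpace 0x%x != file size 0x%x"
                        % (hdr["RequiredDumpSpace"], file_size))
    return problems

# Constructed sample values (not from a real dump) used to exercise the parser.
SAMPLE_VALUES = {
    "MajorVersion": 0xf, "MinorVersion": 7601,
    "DirectoryTableBase": 0x185000, "PfnDataBase": 0x81000000,
    "PsLoadedModuleList": 0x8055d720, "PsActiveProcessHead": 0x8055a158,
    "NumberProcessors": 2, "PaeEnabled": 1, "DumpType": 2,
    "RequiredDumpSpace": HEADER_SIZE,
    "SystemUpTime": 36_000_000_000,          # 1 hour in 100 ns units
    "SystemTime": 129706272000000000,        # FILETIME for 2012-01-10 00:00:00 UTC
}

def make_sample_header(bits):
    """Build a constructed 32- or 64-bit header page (header only, no memory pages)."""
    buf = bytearray(HEADER_SIZE)
    buf[0:4] = b"PAGE"
    buf[4:8] = b"DUMP" if bits == 32 else b"DU64"
    layout = FIELDS_32 if bits == 32 else FIELDS_64
    # 0x14c = IMAGE_FILE_MACHINE_I386, 0x8664 = IMAGE_FILE_MACHINE_AMD64
    values = dict(SAMPLE_VALUES, MachineImageType=0x14c if bits == 32 else 0x8664)
    for name, (off, fmt) in layout.items():
        struct.pack_into(fmt, buf, off, values[name])
    return bytes(buf)

if __name__ == "__main__":
    for bits in (32, 64):
        hdr = parse_dump_header(make_sample_header(bits))
        print(hdr["ValidDump"], hdr["SystemTimeUTC"], hdr["UpTime"],
              check_dump_header(hdr, HEADER_SIZE))
```

On a real file, pass the first page of the dump to parse_dump_header and the file's size to check_dump_header; a signature or size mismatch is the first sign of a truncated or tampered dump, and the decoded SystemTime gives the acquisition timestamp for the case timeline.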
 
