Hi all,

Back in June 2006 I wrote about caching issues when PhysicalMemory is used for memory dumping <http://ntsecurity.nu/onmymind/2006/2006-06-01.html>. PhysicalMemory is not the only option for memory dumping from User Mode though. There is a system call named NtSystemDebugControl which has a few well-known control codes as well as a few less well-known ones. One of the less well-known control codes is number 10, which is used to copy contents from the physical memory. I believe this technique was first implemented in a dumping tool called kntlist coded by George M. Garner Jr. some years ago. Here I will once again investigate possible caching issues, but this time for NtSystemDebugControl control code 10.

Full text:

http://ntsecurity.nu/onmymind/2007/2007-02-04.html

Regards /Arne Vidstrom
