Not sure if you are kidding. 1) WinDBG is a debugger, not really a memory dump tool. 2) Not sure I understand.* 3) That is your opinion. 4) I don't understand. Sounds like a joke, but even from that angle I don't get it.*

* If only you would stop with this weird English.

---
phocean

On 12 July 2012 at 18:54, Григорий Братислава wrote:

> On Thu, Jul 12, 2012 at 12:47 PM, phocean <[email protected]> wrote:
>> Yes, maybe WinDbg… Not that I am comfortable with WinDBG, but certainly a
>> good chance to learn and get more familiar.
>>
>> However:
>>
>> - Volatility: anything has to sit somehow in the memory, so there is no way
>> for it to escape from the analysis. It has all the advantages of offline
>> analysis. I don't think Volatility is script kiddie stuff. I think it is a
>> great tool and should be enough for my concern.
>>
>> - WinDBG: here we are doing live analysis, with all the difficulties it
>> implies. It is long and painful. You have to read a damn lot of assembly,
>> thousands of calls, decide to step into or step over, when and based on what
>> assumptions, etc.
>> Of course, perfect knowledge of the system internals is required. Difficulty
>> will be raised if ever there are some anti-debugging protections. Respect to
>> the people who can do it, they are artists, but is it really the most
>> reasonable way to go?
>
> 0x00: MusntLive is give you now priceless advice for you must to listen:
>
> 1) WinDBG is to dump your memory
> 2) Is HB Gary FD Pro is used not volatility. This is because since
> Greg is backdoored all his tools, is we don't find problems, then when
> is HB Gary snooping in our session maybe they can find is problem for
> us.
> 3) Volatility is script kid tool (don't is tell anyone who is use this)
> 4) Step over is step into. MusntLive give you good analogy right now.
> Is you have choice, step into POOP or is step over POOP is what is
> your choice? Step over is what is hoped. Forget this is step over,
> into, above, sideways. Foolproof is method is to diff memory. Before
> and is after yes. This is key to anomalies: Before and is after
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
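The one piece of the quoted message that is actually usable advice is the "before and after" diff: take a memory image before running the sample and another after, run the same Volatility plugin over both, and compare. The script below is an added example written for this page, not code from the thread, from phocean or from the Volatility project. It assumes you already have two `pslist`-style text listings (Offset, Name, PID, PPID, Thds, Hnds, Time columns, as the Volatility 2.x `pslist` plugin prints them); the two listings embedded here are constructed sample data, not real captures, and the process names in them contain no spaces so a whitespace split is enough.

```python
"""Differential analysis of two Volatility-style pslist outputs (before/after).

Added example for this thread; assumes two text listings in the column
layout of Volatility 2.x `pslist`. The sample listings are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int
    threads: int
    handles: int


# Constructed "before" snapshot: a quiet XP-style process tree.
BEFORE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Time
---------- --------------------- ------ ------ ------ -------- --------------------
0x823c8830 System                     4      0     55      255 1970-01-01 00:00:00
0x81f7a020 smss.exe                 368      4      3       19 2012-07-12 16:40:01
0x81f1c020 csrss.exe                584    368     10      373 2012-07-12 16:40:03
0x81f0eda0 winlogon.exe             608    368     19      556 2012-07-12 16:40:04
0x81e69020 services.exe             652    608     16      261 2012-07-12 16:40:05
0x81e67020 lsass.exe                664    608     20      362 2012-07-12 16:40:05
0x81f3b020 explorer.exe            1484   1420     13      323 2012-07-12 16:40:20
0x81d22da0 notepad.exe             1520   1484      1       38 2012-07-12 16:41:02
"""

# Constructed "after" snapshot: notepad closed, the sample launched from
# explorer, and a second "lsass.exe" spawned by the sample (a classic
# name-squatting anomaly: the real lsass hangs off winlogon, not a user app).
AFTER = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Time
---------- --------------------- ------ ------ ------ -------- --------------------
0x823c8830 System                     4      0     55      255 1970-01-01 00:00:00
0x81f7a020 smss.exe                 368      4      3       19 2012-07-12 16:40:01
0x81f1c020 csrss.exe                584    368     10      373 2012-07-12 16:40:03
0x81f0eda0 winlogon.exe             608    368     19      556 2012-07-12 16:40:04
0x81e69020 services.exe             652    608     16      261 2012-07-12 16:40:05
0x81e67020 lsass.exe                664    608     20      362 2012-07-12 16:40:05
0x81f3b020 explorer.exe            1484   1420     14      351 2012-07-12 16:40:20
0x81d1a020 sample.exe              1600   1484      2       40 2012-07-12 16:52:10
0x81cf8b40 lsass.exe               1612   1600      1       25 2012-07-12 16:52:11
"""


def parse_pslist(text):
    """Return {pid: Proc} from a pslist listing; header/separator lines skipped."""
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Offset", "---")):
            continue
        # columns: offset name pid ppid thds hnds date time (time is ignored)
        _offset, name, pid, ppid, thds, hnds = line.split()[:6]
        procs[int(pid)] = Proc(name, int(pid), int(ppid), int(thds), int(hnds))
    return procs


def diff_pslist(before, after):
    """Compare two parsed listings: new, gone, changed, and name collisions.

    A name collision is a new process reusing the name of one that was
    already running but with a different parent; that is worth a second
    look before anything else in the diff.
    """
    new = [after[p] for p in sorted(after.keys() - before.keys())]
    gone = [before[p] for p in sorted(before.keys() - after.keys())]
    changed = []
    for pid in sorted(before.keys() & after.keys()):
        b, a = before[pid], after[pid]
        if (b.name, b.ppid, b.threads, b.handles) != (a.name, a.ppid, a.threads, a.handles):
            changed.append((b, a))
    by_name = {p.name.lower(): p for p in before.values()}
    collisions = [
        p for p in new
        if p.name.lower() in by_name and p.ppid != by_name[p.name.lower()].ppid
    ]
    return {"new": new, "gone": gone, "changed": changed, "collisions": collisions}


def report(before_text=BEFORE, after_text=AFTER):
    d = diff_pslist(parse_pslist(before_text), parse_pslist(after_text))
    lines = []
    for p in d["new"]:
        lines.append(f"NEW      {p.name} pid={p.pid} ppid={p.ppid}")
    for p in d["gone"]:
        lines.append(f"GONE     {p.name} pid={p.pid}")
    for b, a in d["changed"]:
        lines.append(f"CHANGED  {b.name} pid={b.pid} thds {b.threads}->{a.threads} "
                     f"hnds {b.handles}->{a.handles}")
    for p in d["collisions"]:
        lines.append(f"SUSPECT  {p.name} pid={p.pid} duplicates a running name, "
                     f"parent pid={p.ppid} differs")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The same parse-then-set-difference pattern applies to other plugin outputs (`dlllist`, `handles`, `connections`), which is why the diff operates on parsed records rather than on raw lines: a changed handle count or a new parent shows up as a concrete field delta instead of a noisy textual diff.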
