You have a pointer to the db connection when you open the database. The definition of the structure is in sqliteInt.h it contains a pointer to the Db struct. which contains pointers to other structures used to magange the Btree and the Pager and the PCache.
> -----Original Message----- > From: sqlite-users-bounces at mailinglists.sqlite.org [mailto:sqlite-users- > bounces at mailinglists.sqlite.org] On Behalf Of Ren? Czerny > Sent: Sunday, 27 March, 2016 11:45 > To: SQLite mailing list > Subject: Re: [sqlite] Database layout in memory > > Sorry for the late reply? > So from the connection object you can find the PCache? Do you have any > hints as to how I could find the db connection object in memory? Is there > some typical pattern that I could find? > > Best, > Ren? > > > On 28 Feb 2016, at 17:09, Keith Medcalf <kmedcalf at dessus.com> wrote: > > > > You would have to find the db (connection) object in memory, and trace > that through to the PCache to find all the database pages in memory -- > equivalently to what the backup api does when sequentially accessing > pages. The PCache must have an in-memory structure pointing to where each > page is in memory. The database data pages themselves will not have that > information. > > > > On Sunday, 28 February, 2016 08:46, Ren? Czerny <rene at czerny.pro > <mailto:rene at czerny.pro>> said" > > > >> Thank you for the quick response, Keith! > >> As I understand it, the SQLite Backup API?s only work with an SQLite > >> object. E.g.: sqlite3_backup_init() needs a pointer to the database to > >> copy from. However, I do not have access to such a pointer, as the only > >> thing I get is a raw binary dump of the main memory containing the > >> database somewhere inside (think forensic dump). > >> I believe the Backup API?s won?t be applicable. :-/ > > > >>> On 28 Feb 2016, at 16:32, Keith Medcalf <kmedcalf at dessus.com> wrote: > >>> > >>> > >>> Is there something wrong with using the backup api's? > >>> > >>>> -----Original Message----- > >>>> From: sqlite-users-bounces at mailinglists.sqlite.org [mailto:sqlite- > >> users- > >>>> bounces at mailinglists.sqlite.org] On Behalf Of Ren? Czerny > >>>> Sent: Sunday, 28 February, 2016 08:22 > >>>> To: SQLite mailing list > >>>> Subject: [sqlite] Database layout in memory > >>>> > >>>> Dear SQLite mailing list, > >>>> > >>>> after not finding anything on Google, I want to ask my question here: > >>>> > >>>> I am currently doing research on how to extract an SQLite inmemory- > >>>> database from the image of a computer?s main memory and store it as a > >>>> database file on disc. My previous attempts however failed, as the > >>>> database is not in one place in memory, but seems to be fragmented. I > >> only > >>>> managed to extract the database file containing the sqlite_master > >> table. > >>>> Here is what I tried: > >>>> > >>>> 1. Dump the main memory using LiME [0] on a Debian Wheezy system. > >>>> 2. Opened the dump in a hex-editor and searched for patterns that > >> indicate > >>>> an SQLite database. (according to [1]) > >>>> 3. Extracted the database file starting at the database header and > >>>> retrieving (page-size * page-amount) bytes. > >>>> > >>>> The result did not include the tables? content, but only the schema. > >> The > >>>> content is at a total different offset in the memory dump. > >>>> > >>>> So my questions are: Can you point me to a resource where SQLite in- > >> memory > >>>> database layout is documented or described in a detailed way? Any > other > >>>> resources I should check out? Did I miss something? Is there another > >> way? > >>>> > >>>> Please note, that in my scenario I only have the memory dump and in > >> theory > >>>> can?t make use of the live system. > >>>> I am very glad for every input you could give me. > >>>> > >>>> Best regards, > >>>> Ren? Czerny > >>>> > >>>> [0] https://github.com/504ensicsLabs/LiME > >>>> [1] https://www.sqlite.org/fileformat2.html > >>>> _______________________________________________ > >>>> sqlite-users mailing list > >>>> sqlite-users at mailinglists.sqlite.org > >>>> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > >>> > >>> > >>> > >>> _______________________________________________ > >>> sqlite-users mailing list > >>> sqlite-users at mailinglists.sqlite.org > >>> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > >> > >> _______________________________________________ > >> sqlite-users mailing list > >> sqlite-users at mailinglists.sqlite.org <mailto:sqlite- > users at mailinglists.sqlite.org> > >> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > <http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users> > > > > > > > > _______________________________________________ > > sqlite-users mailing list > > sqlite-users at mailinglists.sqlite.org <mailto:sqlite- > users at mailinglists.sqlite.org> > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > <http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users> > _______________________________________________ > sqlite-users mailing list > sqlite-users at mailinglists.sqlite.org > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
