Memory analysis

64bit Magic

The sole purpose of this short posting is to provide you with an extended snippet for your magic(5) file. With it, file(1) can identify both 32bit and 64bit Windows crash dumps and report their most important properties: the word size, PAE state (32bit only), dump type (full, kernel or small) and the number of physical memory pages recorded in the header.

0       string          PAGE            Microsoft Windows crash dump
>4      string          DUMP            \b, 32bit
>>0x05c  byte            0              \b, no PAE
>>0x05c  byte            1              \b, PAE
>>0xf88  lelong          1              \b, full dump
>>0xf88  lelong          2              \b, kernel dump
>>0xf88  lelong          3              \b, small dump
>>0x068  lelong          x              \b, %ld pages
>4      string          DU64            \b, 64bit
>>0xf98  lelong          1              \b, full dump
>>0xf98  lelong          2              \b, kernel dump
>>0xf98  lelong          3              \b, small dump
>>0x090  lequad          x              \b, %lld pages
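As an added example (not part of the original post), here is a small Python reader that applies the same offsets and field types as the magic(5) snippet above and returns the description file(1) would print. The header builder constructs a synthetic 4 KiB header for testing; it is not taken from a real dump.

```python
import struct

# Offsets and field widths are those used in the magic(5) snippet above.
DUMP_TYPES = {1: "full dump", 2: "kernel dump", 3: "small dump"}


def describe_crash_dump(header: bytes) -> str:
    """Return the description file(1) would print for this crash dump header.

    Raises ValueError if the buffer does not carry the 'PAGE' signature.
    The deepest field read is at 0xf98, so 0x1000 bytes are sufficient.
    """
    if len(header) < 0x1000 or header[0:4] != b"PAGE":
        raise ValueError("not a Microsoft Windows crash dump")
    parts = ["Microsoft Windows crash dump"]
    valid = header[4:8]
    if valid == b"DUMP":                      # 32bit header layout
        parts.append("32bit")
        pae = header[0x5C]                    # PaeEnabled: single byte
        if pae == 0:
            parts.append("no PAE")
        elif pae == 1:
            parts.append("PAE")
        (dump_type,) = struct.unpack_from("<l", header, 0xF88)
        (pages,) = struct.unpack_from("<l", header, 0x68)
    elif valid == b"DU64":                    # 64bit header layout
        parts.append("64bit")
        (dump_type,) = struct.unpack_from("<l", header, 0xF98)
        (pages,) = struct.unpack_from("<q", header, 0x90)   # lequad
    else:
        return ", ".join(parts)               # signature only, no ValidDump match
    if dump_type in DUMP_TYPES:
        parts.append(DUMP_TYPES[dump_type])
    parts.append(f"{pages} pages")
    return ", ".join(parts)


def make_test_header(bits: int, dump_type: int, pages: int, pae: int = 0) -> bytes:
    """Construct a minimal synthetic header (test data, not a real dump)."""
    hdr = bytearray(b"PAGE" + (b"DUMP" if bits == 32 else b"DU64"))
    hdr += b"\x00" * (0x1000 - len(hdr))
    if bits == 32:
        hdr[0x5C] = pae
        struct.pack_into("<l", hdr, 0xF88, dump_type)
        struct.pack_into("<l", hdr, 0x68, pages)
    else:
        struct.pack_into("<l", hdr, 0xF98, dump_type)
        struct.pack_into("<q", hdr, 0x90, pages)
    return bytes(hdr)
```

To check a real file, pass the first 4 KiB of it to describe_crash_dump() and compare with the output of file(1) using the extended magic.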

Imprint

This blog is a project of
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
Germany
impressum@forensikblog.de

Copyright © 2005-2010 by
Andreas Schuster
All rights reserved.