Memory dumps

Revision as of 12:42, 24 February 2015 by Xemul (talk | contribs)

This page describes the way memory is stored in the image files.

Overview

Process mappings are stored in mm.img images. But that info is only about the virtual memory areas. The data sitting inside those areas is all stored in pairs of files described below.

The memory dumps contain the contents of individual pages (4k) and the information about at which address in the virtual memory the data in question should be. Those images are not connected to the VMA list in mm.img at all, just the addresses matching makes things get into proper locations.

What gets into memory dumps is

  • Present pages from anonymous private mappings
  • Present pages from anonymous shared mappings
  • Private (copied) pages from file private mappings

Images structure

Memory dumps are stored into two images.

Pagemap
This is the list of entries each of which is a pair -- where in the memory the data should go and which amount of pages it includes.
Pages
This is the plain set of 4k entries -- each one is a full page with data.

Example

Let's imagine we have pagemap contain two entries

  { 0x1000000, 4 }
  { 0xCF000000, 8 }

In this case the pages should have 12 pages in it, i.e. be 48K in size. Then the first 4 pages (16k, the first pagemap entry) would be read from image and put at address 0x1000000 thus occupying space up to the 0x1000000 + 4 * 4096 = 0x1004000 address. The last 8 pages (32k, the 2nd pagemap entry) would be read and put at the 0xCF000000 address.