Memory Forensics of OpenSSH
Fengwei Zhang
namedylan at gmail.com
Mon May 5 06:37:09 EST 2014
Hello List,
One of my project needs memory forensics of OpenSSH. Here is a brief description of the problem:
I have a raw memory dump, and all of the kernel data structures (e.g., task_struct, mm_struct) have been figured out. Now, I want to retrieve the data structures (e.g., struct session_state) of an SSH process instance. Finding a session key (active_state->newkeys) could be an example. In order to find these information, I think I need a starting point (i.e., memory address) of the OpenSSH data structures.
Does anyone know how to tackle this problem? Any comments and suggestions are much appreciated.
Thanks,
Fengwei
More information about the openssh-unix-dev
mailing list