Memory Forensics of OpenSSH

Fengwei Zhang namedylan at
Mon May 5 06:37:09 EST 2014

Hello List, 

One of my project needs memory forensics of OpenSSH. Here is a brief description of the problem:

I have a raw memory dump, and all of the kernel data structures (e.g., task_struct, mm_struct) have been figured out. Now, I want to retrieve the data structures (e.g., struct session_state) of an SSH process instance. Finding a session key (active_state->newkeys) could be an example.  In order to find these information, I think I need a starting point (i.e., memory address) of the OpenSSH data structures. 

Does anyone know how to tackle this problem? Any comments and suggestions are much appreciated. 


More information about the openssh-unix-dev mailing list