Memory Forensics of OpenSSH

Fengwei Zhang namedylan at gmail.com
Mon May 5 06:37:09 EST 2014


Hello List, 

One of my projects needs memory forensics of OpenSSH. Here is a brief description of the problem:

I have a raw memory dump, and all of the kernel data structures (e.g., task_struct, mm_struct) have been figured out. Now, I want to retrieve the data structures (e.g., struct session_state) of an SSH process instance. Finding a session key (active_state->newkeys) could be an example. In order to find this information, I think I need a starting point (i.e., memory address) of the OpenSSH data structures.

Does anyone know how to tackle this problem? Any comments and suggestions are much appreciated. 

Thanks,
Fengwei
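One way to get a session key out of the sshd process image without first locating struct session_state is to scan the process's mappings for the cipher's expanded key schedule: an AES implementation keeps the round keys contiguously next to the 16-byte key, so a candidate can be confirmed by re-running the FIPS-197 key expansion over the 16 bytes and comparing the result with the 160 bytes that follow (the approach of the cold-boot "aeskeyfind" work). The following is an added example, not code from the post or from OpenSSH. It assumes an AES-128 session cipher (e.g. aes128-ctr), a schedule stored either in FIPS-197 byte order or as host-order 32-bit words on a little-endian host (which is how an OpenSSL-style AES_KEY appears; treat that as an assumption to check against the build under analysis), and a constructed memory image in place of the pages one would read through the process's mm_struct mappings.

```python
"""Locate AES-128 key schedules in a raw process-memory image.

Added example, not OpenSSH code. A cipher implementation keeps the
expanded round keys in memory right after the 16-byte key, so a
candidate key can be verified by re-running the key expansion and
comparing it with the bytes that follow. The image below is
constructed; real use would feed the pages of the sshd process
mapped via its mm_struct, one VMA at a time, with `base` set to the
VMA start so reported addresses are process virtual addresses.
"""
import random


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    # Generate the AES S-box from the GF(2^8) inverse plus affine map by
    # walking the multiplicative group (p *= 3, q /= 3 each step).
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q = (q ^ (q << 1)) & 0xFF
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
ROUND_KEY_BYTES = 176  # 11 round keys x 16 bytes for AES-128


def expand_key_128(key):
    """FIPS-197 key expansion for a 16-byte key; returns the 176-byte schedule."""
    assert len(key) == 16
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]               # RotWord
            t = [SBOX[b] for b in t]        # SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def _swap_words(data):
    # Reverse the byte order inside each 32-bit word. Implementations that
    # store round keys as host-order uint32 on a little-endian machine
    # (assumption: an OpenSSL-style AES_KEY) show the schedule this way.
    return b"".join(data[i:i + 4][::-1] for i in range(0, len(data), 4))


def find_aes128_schedules(image, base=0):
    """Scan one mapping (`image`, starting at virtual address `base`) and
    return (vaddr, key, layout) for every AES-128 key schedule found."""
    hits = []
    for off in range(0, len(image) - ROUND_KEY_BYTES + 1):
        for layout, swap in (("fips", False), ("word-swapped", True)):
            head = image[off:off + 20]
            if swap:
                head = _swap_words(head)
            k = head[:16]
            # Cheap filter: the first derived word w[4] = w[0] ^ SubWord(RotWord(w[3])) ^ rcon
            # must match before paying for the full expansion.
            t = [SBOX[k[13]] ^ 0x01, SBOX[k[14]], SBOX[k[15]], SBOX[k[12]]]
            if bytes(a ^ b for a, b in zip(k[:4], t)) != head[16:20]:
                continue
            view = image[off:off + ROUND_KEY_BYTES]
            if swap:
                view = _swap_words(view)
            if expand_key_128(k) == view:
                hits.append((base + off, bytes(k), layout))
    return hits


def build_sample_image(seed=7):
    """Constructed process-memory image: pseudo-random filler with two
    AES-128 schedules planted in it (the FIPS-197 Appendix A test key at
    0x400 in FIPS byte order, a random key at 0x1000 in word-swapped order)."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(8192))
    key_a = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    key_b = bytes(rng.getrandbits(8) for _ in range(16))
    image[0x400:0x400 + ROUND_KEY_BYTES] = expand_key_128(key_a)
    image[0x1000:0x1000 + ROUND_KEY_BYTES] = _swap_words(expand_key_128(key_b))
    return bytes(image), key_a, key_b


if __name__ == "__main__":
    image, key_a, key_b = build_sample_image()
    for vaddr, key, layout in find_aes128_schedules(image, base=0x7F0000000000):
        print("AES-128 schedule at %#x (%s): key %s" % (vaddr, layout, key.hex()))
```

The scan recovers the raw cipher key, which for a CTR-mode session is what `newkeys` ultimately feeds into the cipher context; it does not need the struct layouts, so it works on a stripped sshd. It is the complement of the structure-walking route (resolving the address of a global such as `active_state` from the binary's symbol table and following it through the data segment mapped in the process), which is only available when symbols can be obtained for the exact build. Extending the scanner to AES-192/256 means changing the word counts (52 and 60 words, 13 and 15 round keys); a counter-mode session uses only the encryption schedule, so that is the one to look for.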


More information about the openssh-unix-dev mailing list