Memory Forensics of OpenSSH
namedylan at gmail.com
Mon May 5 06:37:09 EST 2014
One of my project needs memory forensics of OpenSSH. Here is a brief description of the problem:
I have a raw memory dump, and all of the kernel data structures (e.g., task_struct, mm_struct) have been figured out. Now, I want to retrieve the data structures (e.g., struct session_state) of an SSH process instance. Finding a session key (active_state->newkeys) could be an example. In order to find these information, I think I need a starting point (i.e., memory address) of the OpenSSH data structures.
Does anyone know how to tackle this problem? Any comments and suggestions are much appreciated.
More information about the openssh-unix-dev