Analytic Memory Dump - A Mathematical Definition

The previous mathematical definition of memory dump is for raw memory dumps. They are not really useful because they require symbol files. Each symbol file entry conceptually is a correspondence between a memory address and a direct sum or product of letters from some alphabet:

00000000`76e82c40: kernel32!WaitForMultipleObjectsExImplementation

So we propose an analytical definition of a memory dump as a direct sum of disjoint memory areas Mt taken during some time interval (t0, …, tn) where we replace stk having values from Z2 with Stq having values from Zp and cardinality of Zp depending on a platform (32, 64, etc) plus a symbolic description Di for each Stq with cardinality of ”i” set sufficient enough to accommodate the largest symbolic name:

M = Mt where Mt = ∑(Stq+Di)

or simply

M = (Stq+Di)

This can be visualized as a linear memory space such as a virtual memory space when symbol files are applied to modules one after another. However, all this is not necessary, as a symbol from a virtual address can also be mapped to a physical address if necessary. Di, in fact, refers to any symbolic description.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Leave a Reply