Structural Memory Patterns

Memory Region

http://www.dumpanalysis.org/blog/index.php/2010/10/01/structural-memory-patterns-part-4/

Region Boundary

http://www.dumpanalysis.org/blog/index.php/2010/10/01/structural-memory-patterns-part-5/

We can divide memory and trace analysis patterns mostly seen as abnormal software behavior into behavioral and structural catalogues. The goal is to account for normal system-independent structural entities and relationships visible in memory like modules, threads, processes, etc. For example, one such pattern (and also a super-pattern) is called Memory Snapshot. It is further subdivided into Structured Memory Snapshot and BLOB Memory Snapshot. Structured sub-pattern includes:

Contiguous memory dump files with artificially generated headers (for example, physical or process virtual space memory dump)
Software trace messages with imposed internal structure

BLOB sub-pattern variety includes address range snapshots without any externally imposed structure, for example, saved by .writemem WinDbg command or ReadProcessMemory Win32 API and contiguous buffer and raw memory dumps saved by various memory acquisition tools.

Behavioral patterns that relate to Memory Snapshot pattern are:

False Positive Dump

http://www.dumpanalysis.org/blog/index.php/2006/11/01/crash-dump-analysis-patterns-part-3/

Lateral Damage

http://www.dumpanalysis.org/blog/index.php/2006/11/03/crash-dump-analysis-patterns-part-4/

Inconsistent Dump

http://www.dumpanalysis.org/blog/index.php/2007/01/24/crash-dump-analysis-patterns-part-7/

Truncated Dump

http://www.dumpanalysis.org/blog/index.php/2007/07/20/crash-dump-analysis-patterns-part-18/

Early Crash Dump

http://www.dumpanalysis.org/blog/index.php/2007/11/21/crash-dump-analysis-patterns-part-37/

Manual Dump (kernel)