Microsoft Windows uses a paging file, called pagefile.sys, to store page-size blocks of memory that do not currently fit into physical memory. This file, stored in %SystemDrive%\pagefile.sys, is a hidden system file and it can never be read or accessed by a user, including Administrator.
Tag: Memory analysis
Some months ago I got my GCFA certification. During exam preparation I collected a lot of notes, and after the exam I gradually organized them into an index based on the topics that emerged during the exam, usually using what little free time I had.
About “Process Hollowing” I have already written some posts (like this one). However, I’ve never published any practical example. So, today I want to quote this interesting article where Tigzy explains process hollowing with a brief code snippet. A brief recap: what […]
Let’s try to analyze the memory in more detail… If we try to analyze the memory more thoroughly, without focusing only on the processes, we can find other interesting information.

memmap

The memmap command shows you exactly which pages are memory resident, given a specific process DTB (or the kernel DTB if you use this plugin on […]