Sorry for the late reply?
So from the connection object you can find the PCache? Do you have any hints as 
to how I could find the db connection object in memory? Is there some typical 
pattern that I could find?

Best,
René

> On 28 Feb 2016, at 17:09, Keith Medcalf <kmedcalf at dessus.com> wrote:
> 
> You would have to find the db (connection) object in memory, and trace that 
> through to the PCache to find all the database pages in memory -- 
> equivalently to what the backup api does when sequentially accessing pages.  
> The PCache must have an in-memory structure pointing to where each page is in 
> memory.  The database data pages themselves will not have that information.
> 
> On Sunday, 28 February, 2016 08:46, René Czerny <rene at czerny.pro> said:
> 
>> Thank you for the quick response, Keith!
>> As I understand it, the SQLite Backup API's only work with an SQLite
>> object. E.g.: sqlite3_backup_init() needs a pointer to the database to
>> copy from. However, I do not have access to such a pointer, as the only
>> thing I get is a raw binary dump of the main memory containing the
>> database somewhere inside (think forensic dump).
>> I believe the Backup API's won't be applicable. :-/
> 
>>> On 28 Feb 2016, at 16:32, Keith Medcalf <kmedcalf at dessus.com> wrote:
>>> 
>>> 
>>> Is there something wrong with using the backup api's?
>>> 
>>>> -----Original Message-----
>>>> From: sqlite-users-bounces at mailinglists.sqlite.org
>>>> [mailto:sqlite-users-bounces at mailinglists.sqlite.org] On Behalf Of René Czerny
>>>> Sent: Sunday, 28 February, 2016 08:22
>>>> To: SQLite mailing list
>>>> Subject: [sqlite] Database layout in memory
>>>> 
>>>> Dear SQLite mailing list,
>>>> 
>>>> after not finding anything on Google, I want to ask my question here:
>>>> 
>>>> I am currently doing research on how to extract an SQLite inmemory-database
>>>> from the image of a computer's main memory and store it as a database file
>>>> on disc. My previous attempts however failed, as the database is not in one
>>>> place in memory, but seems to be fragmented. I only managed to extract the
>>>> database file containing the sqlite_master table.
>>>> Here is what I tried:
>>>> 
>>>> 1. Dump the main memory using LiME [0] on a Debian Wheezy system.
>>>> 2. Opened the dump in a hex-editor and searched for patterns that indicate
>>>> an SQLite database. (according to [1])
>>>> 3. Extracted the database file starting at the database header and
>>>> retrieving (page-size * page-amount) bytes.
>>>> 
>>>> The result did not include the tables' content, but only the schema. The
>>>> content is at a totally different offset in the memory dump.
>>>> 
>>>> So my questions are: Can you point me to a resource where SQLite in-memory
>>>> database layout is documented or described in a detailed way? Any other
>>>> resources I should check out? Did I miss something? Is there another way?
>>>> 
>>>> Please note, that in my scenario I only have the memory dump and in theory
>>>> can't make use of the live system.
>>>> I am very glad for every input you could give me.
>>>> 
>>>> Best regards,
>>>> René Czerny
>>>> 
>>>> [0] https://github.com/504ensicsLabs/LiME
>>>> [1] https://www.sqlite.org/fileformat2.html
>>>> _______________________________________________
>>>> sqlite-users mailing list
>>>> sqlite-users at mailinglists.sqlite.org
>>>> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

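The symptom described in the thread, table pages sitting at offsets unrelated to the database header, can be checked with a signature scan over the dump. The Python below is an added example, not code from either poster or from SQLite: it parses the header fields documented in [1] and then looks for b-tree pages at any aligned offset. The 8-byte alignment, zero reserved bytes per page, and the constructed `SAMPLE` buffer are assumptions.

```python
import struct

MAGIC = b"SQLite format 3\x00"
BTREE = {2: "interior index", 5: "interior table", 10: "leaf index", 13: "leaf table"}

def find_headers(dump):
    """Return (offset, page_size, page_count) for every database header."""
    found, pos = [], dump.find(MAGIC)
    while pos != -1:
        if pos + 100 <= len(dump):
            (raw,) = struct.unpack_from(">H", dump, pos + 16)
            (count,) = struct.unpack_from(">I", dump, pos + 28)
            size = 65536 if raw == 1 else raw
            if size >= 512 and size & (size - 1) == 0:  # power of two
                found.append((pos, size, count))
        pos = dump.find(MAGIC, pos + 1)
    return found

def btree_cells(page, usable):
    """Cell count if `page` has a plausible b-tree page header, else 0."""
    if page[0] not in BTREE:
        return 0
    hdr = 12 if page[0] in (2, 5) else 8         # interior pages add a pointer
    freeblock, ncells, content = struct.unpack_from(">HHH", page, 1)
    content = content or 65536                   # 0 encodes 65536
    bad_free = freeblock and not content <= freeblock < usable
    if ncells == 0 or hdr + 2 * ncells > content or content > usable or bad_free:
        return 0                                 # empty pages are skipped too
    ptrs = struct.unpack_from(">%dH" % ncells, page, hdr)
    return ncells if all(content <= p < usable for p in ptrs) else 0

def carve_pages(dump, page_size, align=8):
    """Scan for b-tree pages anywhere in the dump, not just after the header."""
    hits, off = [], 0
    while off + page_size <= len(dump):
        n = btree_cells(dump[off:off + page_size], page_size)
        if n:
            hits.append((off, BTREE[dump[off]], n))
        off += page_size if n else align
    return hits

# Constructed sample: header page, unrelated memory, then one detached leaf page.
PAGE1 = (MAGIC + struct.pack(">H", 1024)).ljust(28, b"\0") + struct.pack(">I", 2)
LEAF = b"\x0d" + struct.pack(">HHHB", 0, 2, 1000, 0) + struct.pack(">HH", 1012, 1000)
SAMPLE = (b"\xaa" * 40 + PAGE1.ljust(1024, b"\0") + b"\xaa" * 3000
          + LEAF.ljust(1024, b"\0") + b"\xaa" * 16)

if __name__ == "__main__":
    print(find_headers(SAMPLE), carve_pages(SAMPLE, 1024))
```

A b-tree page header does not contain the page's own number, so the hits are unordered candidates rather than a reassembled file.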