 |
|
In the left part we can see the memory dump window, this window contains the memory addresses and subsequently the bytes in hexadecimal format immediately to their right we can see an ASCII dump of the same data. To the Right we can see a death listing in assembler, this disassembly belongs to the memory visualized, interpreted as assembly code, this allows us to see the code of any DLL loaded by the program and even the code of the virtual machine. As we can see in the example, is showing the PE header of the virtual machine in their version 6.0. This disassembly is also able to analyze cross references as you can appreciate in the image. You can enable/disable the crossed references by checking the check control Enable Cross RefX. Address to Jump: Here we can enter any memory address that we want to visualize, so much if it belongs to the executable program as there is some additional module loaded by the application. The button ‘+' located to the right of the edit box allows us to add addresses to the combo list, this way we have controlled the memory addresses that we want without having to remember them. The button Clear List, erases the list of addresses. The buttons "<<" and ">>" allow us to advance and to go back inside the memory in blocks of 256 bytes from the previous position. Dump to File: This button allows us to dump to a file the content of the memory that is being visualized at the moment. Depending on the state of those buttons C Array of Hex Data, Hex Data or Raw binary Data, the file will have a different format. With C Array of Hex Data we obtain a file with a structure of such and array like the one declares in language C, with Hex Dates we obtain a file of hexadecimal data separated by comas and with Raw binary Data we obtain a raw image. The edit box Size, allows us to indicate the number of bytes to dump in decimal format. Search: This button allows the search of data starting from a given range of memory, the search can be in Hexadecimal, in ASCII or in Wide Char format. Save Disassembly: Save to a text file the content of the disassembly window.
|