CN102279877A - Physical memory mirror image file analyzing method of Mac OS system - Google Patents
Physical memory mirror image file analyzing method of Mac OS system Download PDFInfo
- Publication number
- CN102279877A CN102279877A CN2011102095464A CN201110209546A CN102279877A CN 102279877 A CN102279877 A CN 102279877A CN 2011102095464 A CN2011102095464 A CN 2011102095464A CN 201110209546 A CN201110209546 A CN 201110209546A CN 102279877 A CN102279877 A CN 102279877A
- Authority
- CN
- China
- Prior art keywords
- image file
- kernel
- physical memory
- address
- memory image
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Memory System Of A Hierarchy Structure (AREA)
Abstract
The invention discloses a physical memory mirror image file analyzing method of a Mac OS system, which comprises the following steps: a, judging the system version information, and determining a pointer pointing to the highest page table of the address space of kernel process; b, obtaining a kernel symbol table and a string table, finding the kernel symbol table and the string table from the copy of the kernel image file in the physical memory mirror image file, and obtaining the system configuration information, mounted file system information, process information and driver information included in the physical memory mirror image file; and c, obtaining a pointer pointing to the highest page table of each task in the system. In the step b, the symbol table and string table are obtained by analyzing the copy of the kernel image file in the physical memory mirror image file. The method disclosed by the invention overcomes the shortcomings of complicated obtaining method of kernel image file, unreliable address conversion method and incomprehensive information obtaining in the prior art, is easy to obtain the information such as process, driver, mounted file system and the like, and is beneficial to the research on memory evidence obtaining of Mac OS system computer.
Description
Technical field
The present invention relates to the physical memory image file analytical approach of a kind of Mac OS system, in particular, relate in particular to a kind of pointer that points to highest page table in the kernel process address space that uses and carry out kernel virtual address obtains the Mac OS system of kernel symbol table and string table information again by physical memory image file analytical approach from this method to physical address translations.Present technique will be applied to the computer forensics field, be mainly used in the investigation and evidence collection of information security events and all kinds of computer crime cases.
Background technology
A. relate to notion and technical term
A-1. physical memory image file
The physical memory image file is meant the information in the physical memory in the computing machine that is moving at present shone upon out the file of being formed according to the mode of the corresponding bit of a bit, in this document in the position of data and the physical memory position of data be one to one.In the vmware virtual machine, can operate and obtain the physical memory image file by carrying out snapshot, this document is exactly that what carry out that snapshot operation back produced is the file of extension name with .vmem; In physical computer, can obtain its corresponding physical memory mirror file by software such as dd.
A-2. task
The abstract definition of Mach contains virtual address space and port name word space.Task itself is not done any operation, but provides context environmental for thread.
A-3. process
Among the BSD to the abstract definition of working procedure.Process resource comprises virtual address space, thread and filec descriptor.In Mac OS X, process is based on a Mach task and one or more Mach thread.
A-4. kernel spacing
Kernel spacing, the address space of kernel process operation.
A-5. kernel is videoed
The code of kernel and data just are kernel reflection (Kernel Image).
B. study background
For advancing the development of physics memory analysis technology, DFRWS(Digital Forensic Research Workshop) released the activity that is called " Forensics Challenge " in 2005, movable theme is exactly the physical memory analysis.From then on, for the analysis of physical memory with obtain and become the research of computer forensics focus.2008 and 2009, company and government department all was placed on research emphasis to the physical memory of Windows operating system analytically, and has obtained certain development.But the physical memory analysis for Mac OS system these years never relates to basically.2010, Matthieu Suiche proposed the physical memory analytical approach of Mac OS first, and this also is the physical memory analytical approach of at present disclosed unique a kind of Mac OS.This method is at first obtained the kernel symbol table and is reached corresponding characters string list with it; From the kernel symbol table, obtain the value of IdlePDPT, IdlePDPT64, IdlePML4, four kernel variables of IdlePTD then, realize the conversion of kernel virtual address to physical address according to these values; At last, on the basis of address translation and kernel symbolic variable, a series of information such as the file system of analysis process, carry, subsystem call table, kernel extensions.Its detailed process is as follows:
B-1. the kernel symbol table obtains
It is in the external file of extension name that Windows operating system compiler generally is stored in symbol with PDB.In Mac OS X operating system, compiler symbol file leave in the kernel executable file _ _ LINKEDIT joint in.This joint has comprised the skew of string table (depositing the kernel symbolic name) and symbol table (depositing and the corresponding kernel value of symbol of kernel symbolic name).To the physical memory analysis of Mac OS the basis that is retrieved as with symbol table.The basic step of obtaining symbol table is at first to obtain the file content of kernel mirror image file in internal memory according to FAT file layout and Mach-O file layout; Then, this document is analyzed, read _ _ LINKEDIT joint in the value that is offset of string table skew and symbol table; Resolve at last, _ _ content of LINKEDIT obtains the kernel symbol table.The concrete data structure that relates to and the concrete finding method of symbol table are as follows:
#define?FAT_MAGIC?0xBEBAFECA
Typedef?struct?_FAT_HEADER
{
ULONG?magic;
ULONG?nfat_arch;
}FAT_HEADER,?*PFAT_HEADER;
Can find file header according to FAT_MAGIC.From the position of file header, add that sizeof (FAT_HEADER) just can find first file structure, is defined as follows:
Typedef?struct?_FAT_ARCH
{
cpu_type_t?cputype;
cpu_subtype_t?cpusubtype;
ULONG?offset;
ULONG?size;
ULONG?align;
}FAT_ARCH,*PFAT_ARCH;
Mach-O file header reference position=FAT file header reference position+offset.Its structure is as follows:
#define?MH_MAGIC?0xfeedface
Typedef?struct?_MACH_HEADER
{
ULONG?Magic;
cpu_type_t?cputype;
cpu_subtype_t?cpusubtype;
ULONG?filetype;
ULONG?ncmds;
ULONG?sizeofcmds;
ULONG?flags;
}?MACH_HEADER,?*PMACH_HEADER;
Wherein 0xfeedface can be regarded as the mark that a Mach-O file begins.The MACH_HEADER structure is afterwards followed by being first command entry.Its general structure is as shown below.
Typedef?struct?_LOAD_COMMAND?{
ULONG?cmd;
ULONG?cmdsize;
}?LOAD_COMMAND,?*PLOAD_COMMAND;
Wherein, cmd is a command type, and Cmdsize is an order length.Important command type is following two.
#define?LC_SEGMENT?0x1
#define?LC_SYMTAB?0x2
According to the command type difference, concrete imperative structures are also inequality.Below be that command type is the imperative structures of LC_SYMTAB:
Typedef?struct?_SYMTAB_COMMAND
{
ULONG?cmd;
ULONG?cmdsize;
ULONG?symoff;
ULONG?nsyms;
ULONG?stroff;
ULONG?strsize;
}?SYMTAB_COMMAND,?*PSYMTAB_COMMAND;
Wherein, the skew hereof of symoff is-symbol table, symbol table is the data of a nlist structure (as follows); The item number of nsyms is-symbol table; Stroff is string table skew hereof; Strsize is the length of string table.
Typedef?struct?_NLIST
{
ULONG?n_strx;
UCHAR?n_type;
UCHAR?n_sect;
USHORT?n_desc;
ULONG?n_value;
}?NLIST,?*PLIST;
Wherein, n_strx is meant the skew of variable name in string table of current sign list item correspondence.N_value is meant variate-value.
Offset+the symoff of the address of symbol table=from structure _ FAT_ARCH, obtain;
Offset+the stroff of the address of string table=from structure _ FAT_ARCH, obtain;
Can obtain kernel designation and value thereof according to these two tables at last.
B-2. address translation
Address conversion method depends on the value of IdlePDPT, IdlePDPT64, IdlePML4, four kernel variables of IdlePTD.By traveling through variable name and the corresponding value thereof in the kernel symbol table that is obtained, can obtain the value of above four variablees, adopt PML4(Page Map Level 4) paging method, can realize address translation.
B-3. information is obtained
By the variable in the kernel symbol table, obtain filesystem information, progress information and the activation bit of system configuration information, carry.
In the physical memory analytic process to the Mac machine of reality, we find, more than this analytical approach have certain problem, mainly show following four aspects: the obtain manner of (1) kernel image file is very complicated comparatively.This is because there is the file of a lot of FAT file layouts in the physical memory image file, can not determine which is the head that has pointed to our needed kernel image file.(2) in the physical memory of Mac OS X 10.5 and Mac OS X 10.6 operating systems is analyzed, according to _ _ that the LINKEDIT joint is resolved the method for symbol table content is infeasible.Mainly show according to this kind method find _ _ LINKEDIT joint after, its virtual address can't convert effective physical address (promptly not in physical memory) to.(3) address conversion method is unreliable.For the different mac machines that the same operation system version has been installed, the value of its kernel variable IdlePDPT, IdlePDPT64, IdlePML4, IdlePTD might be different.That is to say that for a certain concrete operating system version, the value of its kernel variable IdlePDPT, IdlePDPT64, IdlePML4, IdlePTD is uncertain, therefore, before the executive address conversion, need from the kernel symbol table, obtain the value of these four variablees.Yet by analyzing as can be known in (2), above kernel symbol table acquisition methods is infeasible, so the value of kernel variable IdlePDPT, IdlePDPT64, IdlePML4, IdlePTD can't be obtained, thereby can't carry out the memory analysis operation.(4) information is obtained not comprehensive.Can not obtain thread information that the details, process of process open and operating system version information etc.; Can not carry out address translation to the data that are positioned at the process address space.
Summary of the invention
The present invention is in order to overcome the shortcoming of above-mentioned technical matters, provide a kind of pointer that points to the highest page table of kernel process address space according to Mac OS system to realize the method for kernel virtual address to physical address translations, and on address translation basics, from the physical memory image file, obtain kernel symbol table and string table information, further obtain the pointer of the highest page table of each task in the pointing system and the method for thread details.
Virtual address adopts 4 grades of paging methods to the mapping of physical address in the Mac OS system.Describe as can be known according to this method, just can realize the conversion of virtual address to physical address as long as obtained the position of highest page table in the physical memory image file.Therefore in the analytic process of physical memory image file, virtual address can realize by the pointer that obtains the highest page table of sensing to the translation function of physical address.
The physical memory image file analytical approach of Mac OS of the present invention system, its special feature is, may further comprise the steps: a. is from the physical memory image file of Mac OS system, judge system version information, and then definite pointer that points to the highest page table of kernel process address space, the highest page table of kernel process address space is used to realize the conversion of kernel virtual address to physical address; B. obtain kernel symbol table and string table, find the virtual address of kernel symbol table and string table by the copy of kernel image file in the physical memory image file, can obtain kernel variable name and corresponding variate-value thereof by analysis kernel symbol table and string table, kernel variable name and corresponding value thereof are used for obtaining the system configuration information that the physical memory image file comprises, filesystem information, progress information and the activation bit of carry; C. obtain the pointer of the highest page table of each task in the pointing system, the highest page table of each task of Huo Deing not only can be realized the conversion of kernel process address space virtual address to physical address herein, can also realize that other process address space virtual addresses except that kernel process are to the conversion of physical address.Among the step a, from the memory mirror file, obtain operating system version information, so that determine to carry out the pointer of kernel virtual address to the highest page table of the needed sensing kernel process of physical address translations address space according to this version information.Among the step b, by copy analysis to kernel image file in the physical memory image file, obtain kernel kernel symbol table and string table, and then obtain kernel variable name and corresponding variate-value thereof, finally realize the obtaining of filesystem information, progress information and activation bit of system configuration information, carry.Among the step c, the pointer of the highest page table by each task of obtaining is realized the conversion of corresponding process address space virtual address to physical address, and then is realized obtaining corresponding progress information.The pointer of the highest page table of step a by pointing to the kernel process address space is realized the conversion of kernel virtual address to physical address, pointed herein be the reference position of highest page table in the physical memory image file of kernel process address space.Among the step b, on the basis of having realized address translation, from the memory mirror file, find kernel image file copy, and therefrom obtain kernel symbol table and the reference position of kernel string table in the physical memory image file, analyze these two tables and obtain kernel variable name and variate-value, and then obtain filesystem information, progress information and the activation bit of system configuration information, carry.Among the step c, obtain the pointer and the thread details of the highest page table of each task in the pointing system, realized that analysis is more fully analyzed to the internal memory image file.
The physical memory image file analytical approach of Mac OS of the present invention system, among the described step a, because operating system version information leaves in the file of SystemVersion.plist by name, therefore according to file characteristic, search the physical memory image file, from the physical memory image file, find the file of SystemVersion.plist by name, therefrom obtain system version information; For version is the operating system of Mac OS X 10.5, and its pointer value of pointing to the highest page table of kernel process address space is 0x104800, and promptly the highest page table in the kernel process address space is arranged in the skew 0x104800 place of physical memory image file; For version is the operating system of Mac OS X 10.6, and its pointer value of pointing to the highest page table of kernel process address space is 0x100000, and promptly the highest page table of kernel process address space is positioned at the skew 0x100000 place of physical memory image file.
The physical memory image file analytical approach of Mac OS of the present invention system, obtaining of kernel symbol table among the step b and string table, may further comprise the steps: b-1. determines the position of kernel image file in the physical memory image file, for version is the operating system of Mac OS X 10.5, and the kernel image file is arranged in the skew 0x111000 place of physical memory image file; For version is the operating system of Mac OS X 10.6, and the kernel image file is arranged in the skew 0x200000 place of physical memory image file; B-2. seek the position of copy in the physical memory image file of kernel image file, kernel image file and difference between its copy be to write down in these two files _ the LINKEDIT joint in the value of vmaddr by name different, therefore, seek the position of copy in the physical memory image file of kernel image file by the following method: in the physical memory image file, begin from the position of kernel image file the physical memory image file, to field _ _ LINKEIDT finishes, and duplicates this section content; From the memory mirror file, seek the position that this section content occurs once more then downwards; The position that this section content occurs once more promptly is the position of copy in the physical memory image file of kernel image file; After the copy of kernel image file finds, then carry out next step; B-3. at first, in the physical memory image file, begin from the position of kernel image file copy the physical memory image file, read write down in the kernel image file copy _ vmaddr and these two pairing values of variable of fileoff of LINKEDIT joint; The reading order type is symoff and these two the pairing values of variable of stroff that write down in the order of LC_SYMTAB; Then according to the virtual address symvaddr=vmaddr+symoff-fileoff of kernel symbol table, the virtual address straddr=vmaddr+stroff-fileoff of kernel string table calculates the virtual address of kernel symbol table and kernel string table respectively; At last, utilize the pointer of the highest page table of the kernel process address space that obtains among the step a to realize the conversion method of kernel virtual address, obtain the physical address of symbol table and the physical address of string table to physical address.Among the step b-1, for operating system version is the physical memory image file of Mac OS X 10.5, its kernel image file is positioned at the skew 0x111000 place of physical memory image file, for operating system version is the physical memory image file of Mac OS X 10.6, and the position of its kernel image file is arranged in the skew 0x200000 place of physical memory image file; For different versions, find the kernel image file at the diverse location of physical memory image file.Among the step b-2,, obtain the position of kernel image file copy in the memory mirror file by the relation between kernel image file and the kernel image file copy; Among the step b-3, by reading vmaddr, fileoff, the value of symoff and stroff, obtain the virtual address of kernel symbol table and kernel string table, utilize the pointer of the highest page table of the kernel process address space that obtains among the step a to realize that kernel virtual address is after the conversion method of physical address again, kernel symbol table and kernel string table ground virtual address are converted into physical address, can obtain kernel variable name and corresponding variate-value thereof, so that to system configuration information, the filesystem information of carry, progress information and activation bit read and analyze.
The physical memory image file analytical approach of Mac OS of the present invention system, obtaining successively of the pointer of the highest page table of each task may further comprise the steps in the pointing system described in the step c: the kernel symbol table that obtains among the c-1. finding step b, therefrom find the pairing value of kernel variable kernproc, this is worth as a skew, navigate to this deviation post place of physical memory image file, read the data of four bytes that this position begins to locate, these data promptly are the virtual addresses that is arranged in the proc structure of first process of system; With this address translation is physical address, and is designated as lastProcAddr, and the physical address that obtains as skew, is navigated to this deviation post place of physical memory image file, obtains the proc structure of first process in the system; C-2. read the data of 4 bytes at the skew 0x0c place of the proc structure of obtaining, these data are the virtual address of task structure; C-3. the virtual address that obtained in the last step is converted into physical address, physical address as skew, is navigated to this deviation post place of physical memory image file, obtain the task structure; Skew 0x14 place in the task structure reads the data of being made up of four bytes, and these data are the virtual address of vm_map structure; C-4. the virtual address of bar structure vm_map is converted into physical address, and physical address as skew, is navigated to this deviation post place of physical memory image file, obtains the vm_map structure; Read by four bytes at the skew 0x2c place of vm_map structure and to form data, these data are the virtual address of pmap structure; C-5. be the virtual address translation of pmap structure physical address, physical address as skew, is navigated to this deviation post place of physical memory image file, obtain the pmap structure; Read the value of forming with four bytes at the skew 0x54 place of this structure, this value promptly is to point to the pointer that runs on the highest page table of the pairing task of this process in the system; C-6. return the physical address lastProcAddr of the process proc structure of being obtained, this physical address as skew, navigate to this deviation post place of physical memory image file, the proc structure of the process of having been analyzed, read the data of 4 bytes at the skew 0x04 place of this structure, these data are the virtual address that runs on the proc structure of next process in the system; C-7. whether the virtual address of obtaining among the determining step c-6 is 0, as is 0, then finishes the obtaining of highest page table pointers of each task in the pointing system; Otherwise, execution in step c-8; C-8. be physical address with the virtual address translation of obtaining among the step c-6, and be designated as lastProcAddr, physical address as skew, is navigated to this deviation post place of physical memory image file, obtain the proc structure of this process, redirect execution in step c-2.Among the step c-1, at first obtain the virtual address of the proc structure of first process by the value of kernel variable kernproc, be translated into physical address after, obtain the proc structure of first process; Step c-2 is for obtaining the virtual address of task structure in the proc structure; Step c-3 is for obtaining the virtual address of vm_map structure in the task structure; Step c-4 is for obtaining the virtual address of pmap structure in the vm_map structure; Step c-5 is the pointer that obtains the highest page table of the corresponding task of corresponding process at the skew 0x54 place of structure pmap, and realizes the conversion of virtual address to physical address according to the pointer of this superlative degree page table, and then obtains corresponding progress information.Step c-6 is a virtual address of obtaining the proc of next process, and step c-7 judges the virtual address that step c-6 obtains, if be 0, shows to detect to finish, if be not 0, then proceeds to detect; Step c-8 is that the virtual address of the proc of next process is not under 0 the situation, jumps to step c-2 and continues to carry out.
The invention has the beneficial effects as follows: the physical memory image file analytical approach of (1) Mac OS disclosed in this invention system is reliable more and efficient; The kernel symbol table among the present invention and the obtain manner of string table have been avoided in the prior art too much can not determine the kernel mirror image top of file and being positioned at the generation of situation of the position of physical memory image file owing to the FAT file effectively; (2) in the physical memory image file analytical approach of Mac OS of the present invention system, the pointer of the highest page table by determine pointing to the kernel process address space is realized the conversion of kernel virtual address to physical address, has overcome the defective that kernel virtual address in the existing method can't change into effective physical address; (3) in the method for the present invention, obtain the pointer of the highest page table of each task in the pointing system, not only can realize the conversion of kernel virtual address to physical address, and can realization in the system other process address space virtual addresses to the conversion of physical address; (4) the present invention is by the analysis to kernel image file copy in the physical memory image file, obtain the virtual address of kernel symbol table and string table, utilize the highest page table of the kernel process address space that obtains to realize that virtual address is after the conversion method of physical address again, the virtual address of kernel symbol table and string table is converted into physical address, and then has realized obtaining easily kernel variable name and corresponding variate-value thereof; (5) operating system version of Shi Yonging is wider, and the physical memory image file analytical approach of Mac OS of the present invention system can be analyzed at the physical memory image file of Mac OS X 10.5 and Mac OS X 10.6.
Description of drawings
Fig. 1 is the process flow diagram of the physical memory image file analytical approach of Mac OS of the present invention system;
Fig. 2 is SystemVersion.plist file mirror image figure in internal memory among the present invention;
Fig. 3 is the address translation synoptic diagram of 4KB for page or leaf size among the present invention;
Fig. 4 is the address translation synoptic diagram of 2MB for page or leaf size among the present invention;
Fig. 5 is the pointer acquisition methods process flow diagram of the highest page table of each task;
Fig. 6 is the process flow diagram of thread information getting method.
Embodiment
The invention will be further described below in conjunction with accompanying drawing and embodiment.
As shown in Figure 1, provided the process flow diagram of the physical memory image file analytical approach of Mac OS of the present invention system, its flow process according to " the kernel address conversion---is sought kernel symbol table---, and information is obtained " is carried out.Because for the mac machine that the different operating system version is installed, it points to the pointer value difference of the highest page table of kernel process address space, the different mac machines of same version operating system are installed, and its pointer value of pointing to the highest page table of kernel process address space is identical.For operating system version is the physical memory image file of Mac OS X 10.5, its pointer value of pointing to the highest page table of kernel process address space is 0x104800, for operating system version is the physical memory image file of Mac OS X 10.6, and its pointer value of pointing to the highest page table of kernel process address space is 0x100000.Therefore, the prerequisite of realization address translation is exactly to determine operating system version.As shown in Figure 1, the physical memory image file analytical approach of Mac OS of the present invention system, at first to obtain operating system version information, and then obtain the pointer of the highest page table of kernel process address space, realize the conversion method of virtual address according to the highest page table that obtains again, and then obtain the kernel symbol table to physical address; Last obtain fileinfo that pointer, thread information, the process of the highest page table of each task in the pointing system open, activation bit etc. according to the kernel symbol table that obtains.Its concrete step can realize by following three concrete steps:
A. from the physical memory image file of Mac OS system, judge system version information, and then definite pointer that points to the highest page table of kernel process address space, the highest page table of kernel process address space is used to realize the conversion of kernel virtual address to physical address; B. obtain kernel symbol table and string table, find the virtual address of kernel symbol table and string table by the copy of kernel image file in the physical memory image file, can obtain kernel variable name and corresponding variate-value thereof by analysis kernel symbol table and string table, kernel variable name and corresponding value thereof are used for obtaining the system configuration information that the physical memory image file comprises, filesystem information, progress information and the activation bit of carry; C. obtain the pointer of the highest page table of each task in the pointing system, the highest page table of each task of Huo Deing not only can be realized the conversion of kernel process address space virtual address to physical address herein, can also realize that other process address space virtual addresses except that kernel process are to the conversion of physical address.
Wherein, for step a, as shown in Figure 2, provided the mapping graph of SystemVersion.plist file in the physical memory image file, the mode that adopts keyword search in the physical memory image file searching key word "<key〉ProductName</key ", according to the content between the character string of closelying follow thereafter "<string〉" and "</string〉", can obtain OS name, continue down searching key word "<key〉ProductUserVisibleVersion</key ", content according between the character string of closelying follow thereafter "<string〉" and "</string〉" can obtain operating system version; For operating system version is the physical memory image file of Mac OS X 10.5, its pointer value of pointing to the highest page table in the kernel process address space is 0x104800, for operating system version is the physical memory image file of Mac OS X 10.6, and its pointer value of pointing to the highest page table in the kernel process address space is 0x100000.
For step b, obtaining of kernel symbol table and string table, can adopt following steps to realize: b-1. determines the position of kernel image file in the physical memory image file, for version is the operating system of Mac OS X 10.5, and the kernel image file is arranged in the skew 0x111000 place of physical memory image file; For version is the operating system of Mac OS X 10.6, and the kernel image file is arranged in the skew 0x200000 place of physical memory image file; B-2. seek the position of copy in the physical memory image file of kernel image file, kernel image file and difference between its copy be to write down in these two files _ the LINKEDIT joint in the value of vmaddr by name different, therefore, seek the position of copy in the physical memory image file of kernel image file by the following method: in the physical memory image file, begin from the position of kernel image file the physical memory image file, to field _ _ LINKEIDT finishes, and duplicates this section content; From the memory mirror file, seek the position that this section content occurs once more then downwards; The position that this section content occurs once more promptly is the position of copy in the physical memory image file of kernel image file; After the copy of kernel image file finds, then carry out next step; B-3. at first, in the physical memory image file, begin from the position of kernel image file copy the physical memory image file, read write down in the kernel image file copy _ vmaddr and these two pairing values of variable of fileoff of LINKEDIT joint; The reading order type is symoff and these two the pairing values of variable of stroff that write down in the order of LC_SYMTAB; Then according to the virtual address symvaddr=vmaddr+symoff-fileoff of kernel symbol table, the virtual address straddr=vmaddr+stroff-fileoff of kernel string table calculates the virtual address of kernel symbol table and kernel string table respectively; At last, utilize the kernel virtual address realized among the step a conversion method, obtain the physical address of symbol table and the physical address of string table to physical address.
The Mac machine adopts the PAE-enable paging mode under the IA-32E pattern; it has two kinds of address translation modes; as shown in Figure 3 and Figure 4; having provided page size respectively is the address translation synoptic diagram of 4KB and 2MB; under the IA-32e pattern; with different under the PAE-enable protected mode, its address translation adopts 4 grades of paging structures to virtual address to the conversion of physical address.Be elaborated to the method for physical address translations below in conjunction with the kernel virtual address of realizing by the highest page table of kernel process address space among accompanying drawing 3 and 4 couples of step a of accompanying drawing:
A-1. be example with Mac OS X 10.5 operating systems, its pointer value of pointing to the highest page table of kernel process address space is 0x104800, navigates to the skew 0x104800 place of memory mirror file, can find the highest page table of kernel process address space;
A-2. the 47-39 position with virtual address to be converted is an index, selects to point to the list item of page directory pointer gauge, this Biao Xiang ﹠amp; The value that 0xFFFFF000 obtains is exactly to point to the pointer of page directory pointer gauge;
A-3. navigating to the position of this pointed in the memory mirror file, promptly obtain the page directory pointer gauge, is index with the 38-30 position of virtual address to be converted, selects to point to the list item of page directory, this Biao Xiang ﹠amp; 0xFFFFF000 is exactly the pointer that points to page directory;
A-4. navigate to the position of this pointed in the memory mirror file, can obtain page directory tables.29-21 position with virtual address to be converted is an index, selects corresponding page directory item;
The most significant digit of first byte of page directory item of a-5. obtaining among the determining step a-4 if the most significant digit of first byte of page directory item is " 1 ", then shows and uses big page mode, according to carrying out address translation, execution in step a-6 as shown in Figure 4; If be " 0 ", then show its sensing page table, by changing execution in step a-7 as shown in Figure 3;
A-6. the 20-0 position of virtual address to be converted as the skew of physical address in page or leaf, be designated as offset1; The page directory Xiang ﹠amp that obtains among physical address=step a-4; 0xFFFFF000+offset1; As shown in Figure 4;
A-7. at first, point to the page directory Xiang ﹠amp that obtains among the pointer value=step a-4 of page table; 0xFFFFF000 navigates to the position of this pointed in the memory mirror file, can obtain page table.20-12 position with virtual address to be converted is an index, selects corresponding page table entry, this Ye Biaoxiang ﹠amp; The value that 0xFFFFF000 obtains is exactly the base address of the physical address page of living in; Then, the 11-0 position of virtual address to be converted as the skew of physical address in the page, is designated as offset2; Physical address=page base address+offset2.Finally obtain the page directory item through step a-2, a-3, a-4; Step a-5 determines the address conversion regime, if the most significant digit of first byte of page directory item is " 1 " by judging the most significant digit of first byte of page directory item, then show and use big page mode,, then show and use little page mode if be " 0 ", at this moment, the page directory item points to page table.As shown in Figure 3.
For obtaining of the pointer of the highest page table of each task in the sensing system among the step c, describe in conjunction with Figure of description 5, adopt following step to realize: the kernel symbol table that obtains among the c-1. finding step b, therefrom find the pairing value of kernel variable kernproc, this is worth as a skew, navigate to this deviation post place of physical memory image file, read the data of four bytes that this position begins to locate, these data promptly are the virtual addresses that is arranged in the proc structure of first process of system; With this address translation is physical address, and is designated as lastProcAddr, and the physical address that obtains as skew, is navigated to this deviation post place of physical memory image file, obtains the proc structure of first process in the system; C-2. read the data of 4 bytes at the skew 0x0c place of the proc structure of obtaining, these data are the virtual address of task structure; C-3. the virtual address that obtained in the last step is converted into physical address, physical address as skew, is navigated to this deviation post place of physical memory image file, obtain the task structure; Skew 0x14 place in the task structure reads the data of being made up of four bytes, and these data are the virtual address of vm_map structure; C-4. the virtual address of bar structure vm_map is converted into physical address, and physical address as skew, is navigated to this deviation post place of physical memory image file, obtains the vm_map structure; Read by four bytes at the skew 0x2c place of vm_map structure and to form data, these data are the virtual address of pmap structure; C-5. be the virtual address translation of pmap structure physical address, physical address as skew, is navigated to this deviation post place of physical memory image file, obtain the pmap structure; Read the value of forming with four bytes at the skew 0x54 place of this structure, this value promptly is to point to the pointer that runs on the highest page table of the pairing task of this process in the system; C-6. return the physical address lastProcAddr of the process proc structure of being obtained, this physical address as skew, navigate to this deviation post place of physical memory image file, the proc structure of the process of having been analyzed, read the data of 4 bytes at the skew 0x04 place of this structure, these data are the virtual address that runs on the proc structure of next process in the system; C-7. whether the virtual address of obtaining among the determining step c-6 is 0, as is 0, then finishes the obtaining of highest page table pointers of each task in the pointing system; Otherwise, execution in step c-8; C-8. be physical address with the virtual address translation of obtaining among the step c-6, and be designated as lastProcAddr, physical address as skew, is navigated to this deviation post place of physical memory image file, obtain the proc structure of this process, redirect execution in step c-2.
Sentencing the value that four bytes form at the skew 0x0c of structure proc promptly is the virtual address of structure task, its virtual address translation is physical address after, its value of location obtains the task structure in the memory mirror file; Sentencing the value that four bytes form at its skew 0x14 promptly is the virtual address of structure vm_map, its pointer virtual address translation is physical address after, its value of location obtains the vm_map structure in the memory mirror file; Sentencing the value that four bytes form at its skew 0x2c promptly is the virtual address of structure pmap, its pointer virtual address translation is physical address after, its value of location obtains the pmap structure in the memory mirror file; In value with four bytes compositions of its skew 0x54 place record promptly is the pointer of the highest page table of each task in our pointing system that need obtain.
In step c, for the obtaining step of thread information, 6 its detailed step described in conjunction with the accompanying drawings, step is:
C-2-1. the kernel symbol table that obtains among the finding step c, therefrom find the pairing value of kernel variable kernproc, this is worth as a skew, navigate to this deviation post place of physical memory image file, read the data of four bytes that this position begins to locate, these data promptly are the virtual addresses that runs on the proc structure of first process in the system; With this address translation is physical address, and is designated as lastProcAddr, and the physical address that obtains as skew, is navigated to this deviation post place of physical memory image file, obtains running on the proc structure of first process in the system;
C-2-2. read the data of four bytes at the skew 0x40 place of the proc structure of obtaining, these data promptly are the virtual addresses of uthread structure;
C-2-3. the virtual address of bar structure uthread is converted into physical address, and physical address as skew, is navigated to this deviation post place of physical memory image file, obtains the uthread structure; Skew 0x104 place in the uthread structure reads four byte datas; These data promptly are the virtual addresses of vfs_context structure;
C-2-4. the virtual address of bar structure vfs_context is converted into physical address, and physical address as skew, is navigated to this deviation post place of physical memory image file, obtains the vfs_context structure; Read the data of four bytes at the skew 0x00 place of vfs_context structure; These data promptly are the virtual addresses of structure thread;
C-2-5. the virtual address of bar structure thread is converted into physical address, and physical address as skew, is navigated to this deviation post place of physical memory image file, obtains the thread structure, has deposited the essential information about thread in this structure;
C-2-6. return the physical address lastProcAddr of the process proc structure of being obtained in this analytic process, physical address as skew, navigate to this deviation post place of physical memory image file, can obtain the proc structure of the current process of having analyzed in the system that runs on, read the data of 4 bytes at the skew 0x04 place of this structure, these data are the virtual address that runs on the proc structure of next process in the system;
C-2-7. whether the virtual address of obtaining among the determining step c-2-6 is 0, as is 0 and withdraws from execution; Otherwise, execution in step c-2-8;
C-2-8. be that physical address is designated as lastProcAddr with the virtual address translation of obtaining among the step c-2-6, physical address as skew, navigate to this deviation post place of physical memory image file, obtain the proc structure of this process, redirect execution in step c-2-2;
That is, sentencing the value that four bytes form at the skew 0x40 of structure proc promptly is the virtual address of structure uthread, its virtual address translation is physical address after, its value of location obtains the uthread structure in the memory mirror file; Sentencing the value that four bytes form at its skew 0x104 promptly is the virtual address of structure vfs_context, its virtual address translation is physical address after, its value of location obtains the vfs_context structure in the memory mirror file; The value of sentencing four bytes compositions at its skew 0x00 promptly is the virtual address of structure thread, has deposited the essential information about thread in this structure.
Therefore, by above-mentioned various method steps, can obtain the pointer and the thread details of the highest page table of each task in the pointer, pointing system of the highest page table that points to the kernel process address space.
Claims (4)
1. the physical memory image file analytical approach of a Mac OS system is characterized in that, may further comprise the steps:
A. from the physical memory image file of Mac OS system, judge system version information, and then definite pointer that points to the highest page table of kernel process address space, the highest page table of kernel process address space is used to realize the conversion of kernel virtual address to physical address;
B. obtain kernel symbol table and string table, find the virtual address of kernel symbol table and string table by the copy of kernel image file in the physical memory image file, can obtain kernel variable name and corresponding variate-value thereof by analysis kernel symbol table and string table, kernel variable name and corresponding value thereof are used for obtaining the system configuration information that the physical memory image file comprises, filesystem information, progress information and the activation bit of carry;
C. obtain the pointer of the highest page table of each task in the pointing system, the highest page table of each task of Huo Deing not only can be realized the conversion of kernel process address space virtual address to physical address herein, can also realize that other process address space virtual addresses except that kernel process are to the conversion of physical address.
2. the physical memory image file analytical approach of Mac OS according to claim 1 system, it is characterized in that, among the described step a, because operating system version information leaves in the file of SystemVersion.plist by name, therefore according to file characteristic, search the physical memory image file, from the physical memory image file, find the file of SystemVersion.plist by name, therefrom obtain system version information; For version is the operating system of Mac OS X 10.5, and its pointer value of pointing to the highest page table of kernel process address space is 0x104800, and promptly the highest page table in the kernel process address space is arranged in the skew 0x104800 place of physical memory image file; For version is the operating system of Mac OS X 10.6, and its pointer value of pointing to the highest page table of kernel process address space is 0x100000, and promptly the highest page table of kernel process address space is positioned at the skew 0x100000 place of physical memory image file.
3. the physical memory image file analytical approach of Mac OS according to claim 1 system is characterized in that obtaining of kernel symbol table among the step b and string table may further comprise the steps:
B-1. determining the position of kernel image file in the physical memory image file, is the operating system of Mac OS X 10.5 for version, and the kernel image file is arranged in the skew 0x111000 place of physical memory image file; For version is the operating system of Mac OS X 10.6, and the kernel image file is arranged in the skew 0x200000 place of physical memory image file;
B-2. seek the position of copy in the physical memory image file of kernel image file, kernel image file and difference between its copy be to write down in these two files _ the LINKEDIT joint in the value of vmaddr by name different, therefore, seek the position of copy in the physical memory image file of kernel image file by the following method: in the physical memory image file, begin from the position of kernel image file the physical memory image file, to field _ _ LINKEIDT finishes, and duplicates this section content; From the memory mirror file, seek the position that this section content occurs once more then downwards; The position that this section content occurs once more promptly is the position of copy in the physical memory image file of kernel image file; After the copy of kernel image file finds, then carry out next step;
B-3. at first, in the physical memory image file, begin from the position of kernel image file copy the physical memory image file, read write down in the kernel image file copy _ vmaddr and these two pairing values of variable of fileoff of LINKEDIT joint; The reading order type is symoff and these two the pairing values of variable of stroff that write down in the order of LC_SYMTAB; Then according to the virtual address symvaddr=vmaddr+symoff-fileoff of kernel symbol table, the virtual address straddr=vmaddr+stroff-fileoff of kernel string table calculates the virtual address of kernel symbol table and kernel string table respectively; At last, utilize the kernel virtual address realized among the step a conversion method, obtain the physical address of symbol table and the physical address of string table to physical address.
4. the physical memory image file analytical approach of Mac OS according to claim 1 system is characterized in that obtaining successively of the pointer of the highest page table of each task may further comprise the steps in the pointing system described in the step c:
C-1. the kernel symbol table that obtains among the finding step b, therefrom find the pairing value of kernel variable kernproc, this is worth as a skew, navigate to this deviation post place of physical memory image file, read the data of four bytes that this position begins to locate, these data promptly are the virtual addresses that is arranged in the proc structure of first process of system; With this address translation is physical address, and is designated as lastProcAddr, and the physical address that obtains as skew, is navigated to this deviation post place of physical memory image file, obtains the proc structure of first process in the system;
C-2. read the data of 4 bytes at the skew 0x0c place of the proc structure of obtaining, these data are the virtual address of task structure;
C-3. the virtual address that obtained in the last step is converted into physical address, physical address as skew, is navigated to this deviation post place of physical memory image file, obtain the task structure; Skew 0x14 place in the task structure reads the data of being made up of four bytes, and these data are the virtual address of vm_map structure;
C-4. the virtual address of bar structure vm_map is converted into physical address, and physical address as skew, is navigated to this deviation post place of physical memory image file, obtains the vm_map structure; Read by four bytes at the skew 0x2c place of vm_map structure and to form data, these data are the virtual address of pmap structure;
C-5. be the virtual address translation of pmap structure physical address, physical address as skew, is navigated to this deviation post place of physical memory image file, obtain the pmap structure; Read the value of forming with four bytes at the skew 0x54 place of this structure, this value promptly is to point to the pointer that runs on the highest page table of the pairing task of this process in the system;
C-6. return the physical address lastProcAddr of the process proc structure of being obtained, this physical address as skew, navigate to this deviation post place of physical memory image file, the proc structure of the process of having been analyzed, read the data of 4 bytes at the skew 0x04 place of this structure, these data are the virtual address that runs on the proc structure of next process in the system;
C-7. whether the virtual address of obtaining among the determining step c-6 is 0, as is 0, then finishes the obtaining of highest page table pointers of each task in the pointing system; Otherwise, execution in step c-8;
C-8. be physical address with the virtual address translation of obtaining among the step c-6, and be designated as lastProcAddr, physical address as skew, is navigated to this deviation post place of physical memory image file, obtain the proc structure of this process, redirect execution in step c-2.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201110209546 CN102279877B (en) | 2011-07-26 | 2011-07-26 | Physical memory mirror image file analyzing method of Mac OS system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201110209546 CN102279877B (en) | 2011-07-26 | 2011-07-26 | Physical memory mirror image file analyzing method of Mac OS system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102279877A true CN102279877A (en) | 2011-12-14 |
| CN102279877B CN102279877B (en) | 2013-03-13 |
Family
ID=45105319
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 201110209546 Expired - Fee Related CN102279877B (en) | 2011-07-26 | 2011-07-26 | Physical memory mirror image file analyzing method of Mac OS system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102279877B (en) |
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102945288A (en) * | 2012-11-29 | 2013-02-27 | 重庆邮电大学 | Method for extracting text data file from physical memory image |
| CN105786596A (en) * | 2016-03-21 | 2016-07-20 | 山东省计算中心(国家超级计算济南中心) | Method for acquiring object information from memory image file in 64-bit Windows 10 operating system |
| CN106126431A (en) * | 2016-08-23 | 2016-11-16 | 腾讯科技(深圳)有限公司 | Performance test methods and system |
| CN104102881B (en) * | 2014-07-07 | 2017-01-04 | 杭州电子科技大学 | A kind of internal memory evidence collecting method based on kernel objects linking relationship |
| CN106502755A (en) * | 2016-11-28 | 2017-03-15 | 杭州迪普科技股份有限公司 | A kind of method and device for checking Linux kernel module unknown symbols |
| CN111026554A (en) * | 2019-12-17 | 2020-04-17 | 山东省计算中心(国家超级计算济南中心) | Physical memory analysis method and system for XenServer system |
| CN111552511A (en) * | 2020-05-14 | 2020-08-18 | 山东省计算中心(国家超级计算济南中心) | Method for unpacking and recovering file name of Internet of things firmware of VxWorks system |
| CN112269713A (en) * | 2020-10-14 | 2021-01-26 | 苏州浪潮智能科技有限公司 | Method, device and equipment for acquiring program running state and storage medium |
| CN112486922A (en) * | 2020-12-02 | 2021-03-12 | 中国人民解放军战略支援部队信息工程大学 | Memory fragment file reconstruction method and system based on reverse structure chain |
| CN112540846A (en) * | 2020-11-12 | 2021-03-23 | 苏州浪潮智能科技有限公司 | Method, device and medium for controlling performance stability of server |
| CN115292721A (en) * | 2022-10-09 | 2022-11-04 | 北京麟卓信息科技有限公司 | Starting method for adapting to multiple Linux kernels in android compatible environment |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6308247B1 (en) * | 1994-09-09 | 2001-10-23 | International Business Machines Corporation | Page table entry management method and apparatus for a microkernel data processing system |
| CN101414304A (en) * | 2008-11-27 | 2009-04-22 | 山东省计算中心 | Method for analyzing Windows system physical internal memory based on K P C R structure |
-
2011
- 2011-07-26 CN CN 201110209546 patent/CN102279877B/en not_active Expired - Fee Related
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6308247B1 (en) * | 1994-09-09 | 2001-10-23 | International Business Machines Corporation | Page table entry management method and apparatus for a microkernel data processing system |
| CN101414304A (en) * | 2008-11-27 | 2009-04-22 | 山东省计算中心 | Method for analyzing Windows system physical internal memory based on K P C R structure |
Non-Patent Citations (2)
| Title |
|---|
| MATTHIEU SUICHE: "Mac OS X Physical Memory Analysis", 《WWW.FORENSICINSTITUTE.NL》, 28 February 2010 (2010-02-28) * |
| 郭牧等: "基于KPCR结构的Windows物理内存分析方法", 《计算机工程与应用》, no. 18, 21 June 2009 (2009-06-21) * |
Cited By (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102945288B (en) * | 2012-11-29 | 2016-01-20 | 重庆邮电大学 | A kind of text data file from physical memory image extracting method |
| CN102945288A (en) * | 2012-11-29 | 2013-02-27 | 重庆邮电大学 | Method for extracting text data file from physical memory image |
| CN104102881B (en) * | 2014-07-07 | 2017-01-04 | 杭州电子科技大学 | A kind of internal memory evidence collecting method based on kernel objects linking relationship |
| CN105786596A (en) * | 2016-03-21 | 2016-07-20 | 山东省计算中心(国家超级计算济南中心) | Method for acquiring object information from memory image file in 64-bit Windows 10 operating system |
| CN105786596B (en) * | 2016-03-21 | 2018-04-13 | 山东省计算中心(国家超级计算济南中心) | A kind of method that object information is obtained from the memory mirror file of 64 Windows10 operating systems |
| CN106126431A (en) * | 2016-08-23 | 2016-11-16 | 腾讯科技(深圳)有限公司 | Performance test methods and system |
| CN106502755A (en) * | 2016-11-28 | 2017-03-15 | 杭州迪普科技股份有限公司 | A kind of method and device for checking Linux kernel module unknown symbols |
| CN111026554B (en) * | 2019-12-17 | 2023-05-02 | 山东省计算中心(国家超级计算济南中心) | XenServer system physical memory analysis method and system |
| CN111026554A (en) * | 2019-12-17 | 2020-04-17 | 山东省计算中心(国家超级计算济南中心) | Physical memory analysis method and system for XenServer system |
| CN111552511A (en) * | 2020-05-14 | 2020-08-18 | 山东省计算中心(国家超级计算济南中心) | Method for unpacking and recovering file name of Internet of things firmware of VxWorks system |
| CN111552511B (en) * | 2020-05-14 | 2023-06-16 | 山东省计算中心(国家超级计算济南中心) | Method for recovering file name by unpacking firmware of Internet of things of VxWorks system |
| CN112269713A (en) * | 2020-10-14 | 2021-01-26 | 苏州浪潮智能科技有限公司 | Method, device and equipment for acquiring program running state and storage medium |
| CN112540846A (en) * | 2020-11-12 | 2021-03-23 | 苏州浪潮智能科技有限公司 | Method, device and medium for controlling performance stability of server |
| CN112540846B (en) * | 2020-11-12 | 2022-12-20 | 苏州浪潮智能科技有限公司 | Method, device and medium for controlling performance stability of server |
| CN112486922A (en) * | 2020-12-02 | 2021-03-12 | 中国人民解放军战略支援部队信息工程大学 | Memory fragment file reconstruction method and system based on reverse structure chain |
| CN112486922B (en) * | 2020-12-02 | 2022-12-06 | 中国人民解放军战略支援部队信息工程大学 | Memory fragment file reconstruction method and system based on reverse structure chain |
| CN115292721A (en) * | 2022-10-09 | 2022-11-04 | 北京麟卓信息科技有限公司 | Starting method for adapting to multiple Linux kernels in android compatible environment |
| CN115292721B (en) * | 2022-10-09 | 2023-01-24 | 北京麟卓信息科技有限公司 | Starting method for adapting to multiple Linux kernels in android compatible environment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102279877B (en) | 2013-03-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102279877B (en) | Physical memory mirror image file analyzing method of Mac OS system | |
| WO2016155386A1 (en) | Method and device for determining whether webpage comprises point of interest (poi) data | |
| Case et al. | Dynamic recreation of kernel data structures for live forensics | |
| CN103150395B (en) | Directory path analysis method of solid state drive (SSD)-based file system | |
| CN101520798A (en) | Webpage classification technology based on vertical search and focused crawler | |
| CN101414304B (en) | Method for analyzing Windows system physical internal memory based on K P C R structure | |
| CN102945288B (en) | A kind of text data file from physical memory image extracting method | |
| CN101458630B (en) | Self-modifying code identification method based on hardware emulator | |
| Zhang et al. | Windows memory analysis based on kpcr | |
| CN105160001A (en) | Physical memory mirror image document analysis method of Linux system | |
| WO2008038416A1 (en) | Document searching device and document searching method | |
| CN105242932A (en) | Automatic translation method of software developed on the basis of DELPHI tool | |
| WO2015074455A1 (en) | Method and apparatus for computing url pattern of associated webpage | |
| CN101727323A (en) | Obtaining method of network information under Vista operating system | |
| CN105159940A (en) | Geographic information mining method, apparatus and server | |
| CN107590140B (en) | Document missing item processing method | |
| Karsvall et al. | SDHK meets NER: Linking Place Names with Medieval Charters and Historical Maps. | |
| De Rouck et al. | Georeferencing Wikipedia pages using language models from Flickr | |
| CN102722490B (en) | A character-capturing method and a character-capturing device of an electronic reader and the same | |
| JP2012173771A (en) | Library conversion method and program between programming languages | |
| JP5826148B2 (en) | Drawing management server and drawing management system using the same | |
| CN105095276A (en) | Method and device for mining maximum repetitive sequence | |
| CN105786596A (en) | Method for acquiring object information from memory image file in 64-bit Windows 10 operating system | |
| CN103176968A (en) | Electronic device and vocabulary information display method thereof | |
| CN105573818A (en) | Method for identifying base address and compiling version of windows core in virtual environment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C17 | Cessation of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20130313 Termination date: 20130726 |