Although I cannot speak with any authority on the data structures of SSH, I can at least point you in the right direction on tools already available.

Looks like someone also wrote a tool already to do SSH key extraction from memory;

https://github.com/kholia/passe-partout

Have a look at volatility framework;

https://code.google.com/p/volatility/wiki/VolatilityIntroduction?tm=6
http://www.forensicswiki.org/wiki/Volatility_Framework
http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins

Also these;

http://sneakygcr.tumblr.com/post/52514790216/how-to-extract-the-private-key-from-a-running-ssh
http://c0decstuff.blogspot.co.uk/2011/01/in-memory-extraction-of-ssl-private.html
http://www.vnsecurity.net/2009/10/how-to-recover-rsa-private-key-in-a-coredump-of-ssh-agent-sapheads-hackjam-2009-challenge-6/

Hope this helps

Cal

On Sun, May 4, 2014 at 9:37 PM, Fengwei Zhang <namedylan@xxxxxxxxx> wrote:

> Hello List,
>
> One of my projects needs memory forensics of OpenSSH. Here is a brief
> description of the problem:
>
> I have a raw memory dump, and all of the kernel data structures (e.g.,
> task_struct, mm_struct) have been figured out. Now, I want to retrieve the
> data structures (e.g., struct session_state) of an SSH process instance.
> Finding a session key (active_state->newkeys) could be an example. In
> order to find this information, I think I need a starting point (i.e.,
> memory address) of the OpenSSH data structures.
>
> Does anyone know how to tackle this problem? Any comments and suggestions
> are much appreciated.
>
> Thanks,
> Fengwei
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev