\\PhysicalMemory
The dd.exe included in Forensic Acquisition Utilities can dump physical memory.
dd if=\\.\PhysicalMemory of=d:\memory.dmp --localwrt
The output looks like this:
Total physical memory reported: 1073197056 bytes
Copying physical memory...
Physical memory in the range 0x00006000-0x00007000 could not be read.
Physical memory in the range 0x00045000-0x00065000 could not be read.
Output d:\memory.dmp 1073672192/1073672192 bytes (compressed/uncompressed)
262127+0 records in
262127+0 records out
I wonder if the ranges reported here as "could not be read" are the Kernel Memory region?
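As an added example (not part of the original post or of Forensic Acquisition Utilities), this Python parses the dd output quoted above, so the ranges that were not read can be recorded alongside the image, and checks the record count against the bytes written. It assumes a 4096-byte block/page size and end-exclusive ranges; `summarize` and its field names are hypothetical.

```python
import re

# Sample input: the dd.exe output quoted in the post, embedded inline.
DD_LOG = """\
Total physical memory reported: 1073197056 bytes
Copying physical memory...
Physical memory in the range 0x00006000-0x00007000 could not be read.
Physical memory in the range 0x00045000-0x00065000 could not be read.
Output d:\\memory.dmp 1073672192/1073672192 bytes (compressed/uncompressed)
262127+0 records in
262127+0 records out
"""

PAGE = 4096  # assumption: 4 KiB page and dd block size (not stated in the post)
GAP_RE = re.compile(r"range 0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+) could not be read")
TOTAL_RE = re.compile(r"Total physical memory reported: (\d+) bytes")
OUT_RE = re.compile(r"Output .* (\d+)/(\d+) bytes")
REC_RE = re.compile(r"(\d+)\+(\d+) records out")


def _need(regex, log):
    # Return the match groups as ints, or fail loudly if the line is missing.
    m = regex.search(log)
    if m is None:
        raise ValueError(f"expected line not found: {regex.pattern}")
    return [int(g) for g in m.groups()]


def summarize(log, page=PAGE):
    """Collect unreadable ranges and size figures from a dd.exe memory-dump log."""
    gaps = [(int(a, 16), int(b, 16)) for a, b in GAP_RE.findall(log)]
    for start, end in gaps:
        if end <= start or start % page or end % page:
            raise ValueError(f"malformed range {start:#x}-{end:#x}")
    unread = sum(end - start for start, end in gaps)  # end treated as exclusive
    (reported,) = _need(TOTAL_RE, log)
    _compressed, written = _need(OUT_RE, log)
    full, partial = _need(REC_RE, log)
    return {
        "gaps": gaps,
        "unread_bytes": unread,
        "unread_pages": unread // page,
        "reported_bytes": reported,
        "written_bytes": written,
        # True when the record count times the block size equals the bytes written.
        "records_match_output": partial == 0 and full * page == written,
    }


if __name__ == "__main__":
    print(summarize(DD_LOG))
```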