Hi,
I'd been looking forward to the new dumpfiles plugin for a while, so I
immediately downloaded it and tried it out as soon as possible after I saw it had finally
been committed to the source tree the other day. (I'm freely admitting I'm using
the thing without any documentation, since that still hasn't been committed, and
probably have no idea what I'm really doing.) Now, I have a dumb question. The names
of the dumped files are all of the format:
file.<number>.<hex number>.< dat |img |vacb>
In addition, the dumping process produces a bunch of output, of the form:
<DataSectionObject|ImageSectionObject|SharedCacheMap> <hex number>
<number> <file path>
with no column header or other indication of what exactly these values refer to. (If I had
to guess, maybe the hex value is the data offset within the image?)
Looking at this format (without knowing for sure exactly what the numbers
are referring to) would lead me to expect that the <number> and <hex number>
fields from the output should correspond to the ones in the dumped filenames, and thus the
file paths should have some correspondence to the dumped file data, if the values match
up. Not necessarily being the contents of exact file to which the path corresponds, but
being related in some way.
But I'm not seeing the same hex value show up anywhere in the output
and in ANY filename...
Trying for a specific correspondence, I went looking through the dumped files, and was
able to positively identify the Software registry hive. The associated filename was
file.4.0x8697a2b8.vacb. Looking through the output for entries associated with this file
identified the following two entries:
DataSectionObject 0x89291f90 4
\Device\HarddiskVolume1\WINDOWS\system32\config\software
SharedCacheMap 0x89291f90 4
\Device\HarddiskVolume1\WINDOWS\system32\config\software
I'm probably just completely misinterpreting the output, but could somebody throw me a
bone?
Thanks much
John