Thanks to you both for the help & advice!
MA: You are right...I am using 2.0. Looks like a great plugin. I'll
try again soon with the new version.
MHL: I like your idea of searching the process's address space, at
least for my first attempt. The only problem is that I need to search
for a hex value. Reading the comment on "search_process_memory" from
indicates it is a string search. Do you have a suggestion for
searching a hex value?
Thanks again!
Mike
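Searching for a hex value, as asked above, comes down to searching for the byte sequence that value occupies in memory: an integer must first be packed in the CPU's byte order (little-endian on x86/x64, so 0xDEADBEEF sits in memory as EF BE AD DE), after which an ordinary byte-string search finds it. The Python 3 block below is an added example written for this page, not code from the Volatility project or from anyone in the thread; it uses a constructed list of memory regions with assumed base addresses in place of a real process address space, and every name in it (REGIONS, int_needle, hexstr_needle, scan_regions, read_at, find_dword) is invented here. It also shows the "extract the bytes and parse them separately" approach mentioned later in the thread, using struct on the bytes at a hit.

```python
import struct

# Constructed stand-in for a process's private memory: (base address, bytes)
# pairs playing the role of VAD regions. Addresses and contents are assumed
# for this example; they are not taken from any real memory image.
REGIONS = [
    (0x00400000, b"\x00" * 16 + b"\xef\xbe\xad\xde" + b"MZ\x90\x00" + b"\x00" * 8),
    (0x7FFE0000, b"\x11\x22\x33\x44" + b"\xde\xad\xbe\xef" + b"\x00" * 4),
]


def int_needle(value, width=4, little_endian=True):
    """Byte sequence an integer occupies in memory.

    x86/x64 store multi-byte integers little-endian, so 0xDEADBEEF is laid
    out as EF BE AD DE; a search for the bytes DE AD BE EF would miss it.
    """
    return value.to_bytes(width, "little" if little_endian else "big")


def hexstr_needle(text):
    """Byte sequence from a hex-dump fragment such as 'de ad be ef' or
    'DEADBEEF', taken literally (no byte swapping)."""
    return bytes.fromhex(text)


def scan_regions(regions, needle):
    """Virtual address of every occurrence of needle across all regions.

    This is plain bytes.find(), i.e. the same operation a "string" search
    performs: a hex value is just a string of bytes. Overlapping matches
    (e.g. b"\\x00\\x00" inside a run of zeros) are reported as well.
    """
    if not needle:
        raise ValueError("empty needle would match everywhere")
    hits = []
    for base, data in regions:
        pos = data.find(needle)
        while pos != -1:
            hits.append(base + pos)
            pos = data.find(needle, pos + 1)
    return hits


def read_at(regions, va, size):
    """Bytes at a virtual address, so a structure found by the scan can be
    pulled out and handed to a separate parser (struct.unpack here)."""
    for base, data in regions:
        if base <= va and va + size <= base + len(data):
            off = va - base
            return data[off:off + size]
    raise ValueError("address range not mapped: 0x%x" % va)


def find_dword(regions, value):
    """Addresses where a 32-bit value appears as a little-endian CPU stores it."""
    return scan_regions(regions, int_needle(value, 4, True))


if __name__ == "__main__":
    for va in find_dword(REGIONS, 0xDEADBEEF):
        print("0xDEADBEEF (little-endian) at 0x%08x" % va)
    for va in scan_regions(REGIONS, hexstr_needle("de ad be ef")):
        print("literal bytes DE AD BE EF at 0x%08x" % va)
    for va in scan_regions(REGIONS, b"MZ"):
        e_magic, = struct.unpack_from("<H", read_at(REGIONS, va, 2))
        print("MZ signature at 0x%08x, e_magic=0x%04x" % (va, e_magic))
```

The two DEADBEEF searches deliberately hit different regions: the packed little-endian integer matches only the EF BE AD DE bytes in the first region, while the literal hex-dump needle matches only DE AD BE EF in the second. Whichever form the value came from (a disassembly constant, a hex dump, a known signature) decides which conversion is right, and getting it wrong silently returns no hits.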
On 4/1/12, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
Just FYI there are a few templates you can use
depending on your needs
(where you expect to find the structures, etc). Packetscan is a good
example of a DiscontigScanner in physical space (it scans from offset
0 of the file to EOF). Other plugins like svcscan
(http://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/…)
iterate through processes and scan each process's private virtual
memory. There are some convenience functions making it quite easy to
use, for example:
    # Python 2 (Volatility 2.x); pslist() lives in volatility.win32.tasks.
    # addr_space is the kernel address space the plugin has already loaded.
    import volatility.win32.tasks as tasks

    for task in tasks.pslist(addr_space):
        for found in task.search_process_memory("whatever"):
            print "Found at", hex(found), "in process", task.UniqueProcessId
I'm wondering, is it recommended to create a new vtype when scanning for a structure in memory?
Mike Auty answered this a bit, but I just wanted to add - if the
structures you're scanning for are standard (i.e. in the public kernel
PDB documented/released by Microsoft) then it's already in the profile
and you can just use it. If you're scanning for undocumented
structures or ones that you've created, reversed yourself, then you'll
need to create your own vtypes for the structs.
MHL
On Sun, Apr 1, 2012 at 4:04 PM, Mike Auty <mike.auty(a)gmail.com> wrote:
Hiya Mike,
My guess would be that you're using volatility-2.0, but the packetscan
prototype that I put on issue 233 is only suitable for use with the
latest trunk (which will hopefully become volatility-2.1 in the next
month or two).
If you're intending to write your own scanner then it should be a
relatively suitable template to work from. I would recommend keeping
your structures as vtypes if they're simple enough. If they require
particularly complex parsing (conditionals, etc), then you may want to
just extract the appropriate amount of data and have a separate parser
that handles them.
Hope that helps? Do let me know on issue 233 if you have any other
problems with the packetscan prototype. It doesn't do everything yet,
but hopefully won't require too much work to be useful...
Mike 5:)
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev