Hi there,
I'm trying to code a small tool to interact with users, hash modules
and dump them... but this last part is not working properly. I have in
my code something like:
    # Load the image and identify the address space, symbol table and
    # type definitions (Volatility 1.x API).
    (self.addr_space, self.symtab, self.types) = \
        vutils.load_and_identify_image(self.op, self.opts)
    ...
    for module in modules_list(self.addr_space, self.types, self.symtab):
        ...
        # Base address and size of the loaded driver image.
        driver_base = module_baseaddr(self.addr_space, self.types, module)
        driver_size = module_imagesize(self.addr_space, self.types, module)
        # Read the whole image in a single call.
        data = self.addr_space.read(driver_base, driver_size)
The problem is that using this code, data is always None. Tracing a
bit, I found that it is because at some point one of the pages cannot be
read, because a call to vtop returns None (PTE = 0 for that page, but it
shouldn't be). I've been testing the code with different memory images
and I even get the same behaviour when testing it with NIST's
xp-laptop dumps, so I'm quite sure it's not because of a weird memory
dump.
So, any ideas about what I'm doing wrong? Also, any hint about the best
way to use the API would be nice. I mean, I'm using calls to
module_baseaddr while other code I saw (moddump by moyix) uses things
like mod.BaseAddress.v().
Thanks,
Tora
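The failure described above (a single read over a module range that returns None as soon as one page has no valid PTE) can be reproduced and worked around with a page-by-page reader, which is what a memory forensics tool has to do for partially paged-out drivers. The following is an added example and not code from the post or from Volatility: MockAddressSpace is a constructed stand-in whose read() and vtop() mimic the behaviour the post reports, and dump_module() is an assumed helper that zero-fills unmapped pages and reports which ones were missing.

```python
PAGE_SIZE = 0x1000


class MockAddressSpace:
    """Constructed stand-in for an address space: a sparse dict of
    page-aligned virtual address -> page bytes; absent pages have no PTE."""

    def __init__(self, pages):
        self.pages = pages

    def vtop(self, vaddr):
        # Identity mapping is enough for the demo; None means "no PTE".
        page = vaddr & ~(PAGE_SIZE - 1)
        return page if page in self.pages else None

    def read(self, vaddr, length):
        # Mirrors the behaviour in the post: one unmapped page in the
        # requested range makes the whole read return None.
        out, cur, end = b"", vaddr, vaddr + length
        while cur < end:
            page = cur & ~(PAGE_SIZE - 1)
            if page not in self.pages:
                return None
            off = cur - page
            n = min(PAGE_SIZE - off, end - cur)
            out += self.pages[page][off:off + n]
            cur += n
        return out


def dump_module(addr_space, base, size):
    """Read [base, base + size) one page at a time. Pages whose vtop()
    fails are zero-filled so the dump keeps its layout; their addresses
    are returned so the analyst knows which parts are not genuine."""
    data, missing, cur, end = bytearray(), [], base, base + size
    while cur < end:
        page = cur & ~(PAGE_SIZE - 1)
        n = min(PAGE_SIZE - (cur - page), end - cur)
        if addr_space.vtop(cur) is None:
            missing.append(page)
            data += b"\x00" * n
        else:
            data += addr_space.read(cur, n)
        cur += n
    return bytes(data), missing


# Constructed sample: a three-page "driver" whose middle page is paged out.
SAMPLE_BASE = 0x80400000
SAMPLE_PAGES = {
    SAMPLE_BASE: b"MZ" + b"\x01" * (PAGE_SIZE - 2),
    SAMPLE_BASE + 2 * PAGE_SIZE: b"\x03" * PAGE_SIZE,
}
```

Running dump_module over SAMPLE_PAGES yields a 3-page buffer with the second page zeroed and that page's address in the missing list, while a single read() over the same range returns None.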