Thank you for your answers.
> There is no such thing as "the address spaces of all processes."
What I meant to say was that the moddump plugin uses the find_space function to find a process whose address space maps the searched driver.
    def find_space(self, addr_space, procs, mod_base):
        """Search for an address space (usually looking for a GUI process)"""
        # First try the kernel address space that was passed in.
        if addr_space.is_valid_address(mod_base):
            return addr_space
        # Otherwise walk the process list and return the first process
        # whose address space can translate the module's base address.
        for proc in procs:
            ps_ad = proc.get_process_address_space()
            if ps_ad is not None:
                if ps_ad.is_valid_address(mod_base):
                    return ps_ad
        return None
Hello,
I am doing some research on Windows kernel, using volatility.
I need to get the mapping from virtual addresses to physical ones for kernel memory.
As far as I know, every process maps kernel virtual addresses (addresses above 0x7fffffff in 32-bit Windows versions with the 3GB split disabled) to physical ones in the same way.
In other words, the address spaces relative to every process are equal for kernel virtual addresses.
Is this always true?
I noticed that some plugins (e.g. kdbgscan) use the address space of the process "Idle", others use the address spaces of all processes (e.g. modscan).
Which is the right way to proceed to develop a plugin to get the full virtual to physical mapping for kernel addresses?
Thank you.
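Added example, not from either post above and not Volatility code: a toy model of the 32-bit non-PAE page walk that translates a kernel address through several processes' page directories and reports any process whose translation differs. The constructed sample shares one kernel page table between two processes (so 0x80401000 agrees) but gives each a private entry at PDE 0x300, the region where 32-bit Windows keeps the per-process page-table self-map, which is why such a check is worth running rather than assuming every address space agrees.

```python
# 32-bit, non-PAE x86: 10-bit page-directory index, 10-bit page-table index,
# 12-bit offset. Entries are 32-bit; bit 0 is the Present flag.
PDE_SHIFT, PTE_SHIFT, PAGE_MASK = 22, 12, 0xFFF
KERNEL_BASE = 0x80000000  # first kernel address with the 2 GB / 2 GB split
PRESENT = 0x1


def vtop(phys, dtb, vaddr):
    """Walk one process's page tables. `phys` models physical memory as a
    dict: page-frame address -> list of 1024 entries. Returns the physical
    address, or None if the address is not mapped in that process."""
    pde = phys[dtb][vaddr >> PDE_SHIFT]
    if not pde & PRESENT:
        return None
    pte = phys[pde & ~PAGE_MASK][(vaddr >> PTE_SHIFT) & 0x3FF]
    if not pte & PRESENT:
        return None
    return (pte & ~PAGE_MASK) | (vaddr & PAGE_MASK)


def kernel_mapping_disagreements(phys, dtbs, vaddrs):
    """Translate each kernel address through every DTB and return
    {vaddr: {dtb: paddr_or_None}} only for addresses the processes disagree on."""
    out = {}
    for va in vaddrs:
        assert va >= KERNEL_BASE, hex(va)
        results = {dtb: vtop(phys, dtb, va) for dtb in dtbs}
        if len(set(results.values())) > 1:
            out[va] = results
    return out


def table(entries):
    """Build a 1024-entry table from {index: frame}, marking each Present."""
    t = [0] * 1024
    for index, frame in entries.items():
        t[index] = frame | PRESENT
    return t


def build_sample():
    """Constructed sample memory (hypothetical frames, not from a real image)."""
    phys = {
        0x2000: table({1: 0x00401000}),   # shared kernel PT: 0x80401000 -> 0x401000
        0x4000: table({0: 0x00010000}),   # process A's private PT behind PDE 0x300
        0x5000: table({0: 0x00020000}),   # process B's private PT behind PDE 0x300
        0x1000: table({0x201: 0x2000, 0x300: 0x4000}),  # DTB (CR3) of process A
        0x3000: table({0x201: 0x2000, 0x300: 0x5000}),  # DTB (CR3) of process B
    }
    return phys, [0x1000, 0x3000]


if __name__ == "__main__":
    phys, dtbs = build_sample()
    print(kernel_mapping_disagreements(phys, dtbs, [0x80401000, 0xC0000000]))
```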