Hi all,
I'm thinking I might have a fundamental misunderstanding here, so I'm hoping someone can help me out.
I'm looking for remnants of a data structure in the memory of a specific process.
Originally, the data would have been on a heap.
I notice that in '/volatility/plugins/overlays/windows/windows.py' there is a function named:
search_process_memory
I thought this would do the trick, but examining the code I notice that it searches each of the VADs.
This leads me to my question: would data that was originally on a heap, but is no longer needed by the process, still be in the VAD? That is, should I be able to find it using this method?
If not, "where" is the data now? And is there a way of searching wherever that "where" is?