Hey,
So the answer depends on what happened with the heap since the
allocation holding the data was free()d.
If the allocation was freed, but the heap holding it was still active
(which is the normal way things work), then the memory where the data
was is basically just in free memory on that heap's VAD. So it will be
inside the VAD of the heap until some other allocation overwrites it.
If the allocation is not on the default heap, then it's possible that the
entire heap (VAD) that it's on will have been freed. At that point you
won't be able to find it inside the process' address space.
Thanks,
Andrew (@attrc)
On 10/02/2015 04:55 PM, Bridgey theGeek wrote:
Hi all,
I'm thinking I might have a fundamental misunderstanding here, so I'm
hoping someone can help me out.
I'm looking for remnants of a data structure in the memory of a specific
process.
Originally, the data would have been on a heap.
I notice that in '/volatility/plugins/overlays/windows/windows.py' there
is a function named:
search_process_memory
I thought this would do the trick, but examining the code I notice that
it searches each of the VADs.
Which leads me to my question: would data that was originally on a heap,
but is no longer needed by the process still be in the VAD? That is,
should I be able to find it using this method?
If not, "where" is the data now? And is there a way of searching
wherever that "where" is?
I hope that makes sense!
Bridgey
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
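A small model of the situation Andrew describes, added here as an example; it is not Volatility's search_process_memory nor any code from the thread. It scans each VAD region for a marker in overlapping windows (so a hit straddling a window boundary is still found) and builds three constructed address spaces: a freed chunk left in place on a live heap, the same chunk overwritten by a later allocation, and a private heap whose whole VAD has been released. The region bases, sizes and the marker bytes are all made up for the demonstration.

```python
"""Model of a VAD-by-VAD search for heap remnants (added example, not Volatility code).

The address space is a dict {vad_base: bytearray}; bases, sizes and the marker bytes
are constructed to illustrate the three cases in the reply above.
"""

CHUNK = 0x1000  # scan each VAD in windows of this size
HEAP_BASE = 0x00500000          # constructed base of the default process heap
PRIVATE_HEAP_BASE = 0x02A00000  # constructed base of a second, private heap
MARKER = b"SESSION{token=deadbeef}"  # constructed remnant of the data structure

def search_vads(vads, pattern):
    """Return the virtual address of every occurrence of `pattern` in any VAD.

    Windows are extended by len(pattern)-1 bytes so a hit that straddles a window
    boundary is reported exactly once (from the window in which it starts).
    """
    hits, n = [], len(pattern)
    for base, data in sorted(vads.items()):
        for pos in range(0, len(data), CHUNK):
            window = bytes(data[pos:pos + CHUNK + n - 1])
            idx = window.find(pattern)
            while idx != -1 and idx < CHUNK:  # idx >= CHUNK belongs to the next window
                hits.append(base + pos + idx)
                idx = window.find(pattern, idx + 1)
    return hits

def build_process(chunk_reused=False, private_heap_destroyed=False):
    """Construct a toy address space for one of the scenarios."""
    vads = {}
    default_heap = bytearray(0x3000)
    off = 0x1FF0  # placed so the marker straddles the 0x2000 window boundary
    default_heap[off:off + len(MARKER)] = MARKER
    if chunk_reused:
        # free() alone leaves the bytes in place; a later allocation reusing
        # the chunk overwrites them
        default_heap[off:off + len(MARKER)] = bytes(len(MARKER))
    vads[HEAP_BASE] = default_heap
    if not private_heap_destroyed:
        # destroying a private heap releases its whole VAD, so there is
        # nothing left to scan in that range
        private = bytearray(0x2000)
        private[0x100:0x100 + len(MARKER)] = MARKER
        vads[PRIVATE_HEAP_BASE] = private
    return vads

def find_remnants(**scenario):
    """Addresses where MARKER survives under the given scenario flags."""
    return search_vads(build_process(**scenario), MARKER)
```

Running find_remnants() with each flag set shows the freed-but-unreused marker is still reported inside the default heap's VAD, while a destroyed private heap yields no hit at all.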