Re: [Vol-users] Windows kernel memory.

Hello, I am doing some research on Windows kernel, using volatility. I need to get the mapping from virtual addresses to physical ones for kernel memory. As far as I know, every process maps kernel virtual addresses (addresses upper than 0x7fffffff in 32bit Windows versions with 3GB split disabled) to physical ones in the same way. In other words, the address spaces relative to every process are equals for kernel virtual addresses. Is this always true? I noticed that some plugins (e.g. kdbgscan) use the address space of the process "Idle", others use the address spaces of all processes (e.g. modscan). Which is the right way to proccede to develop a plugin to get the full virtual to physicall mapping for kernel addresses? Thank you. _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users