The new hh() in volshell shows some details on how to reach different
address spaces:

    >> hh()
    Use self.addrspace for Kernel/Virtual AS
    Use self.addrspace.base for Physical AS
    Use self.proc to get the current _EPROCESS object
    and self.proc.get_process_address_space() for the current process AS
    and self.proc.get_load_modules() for the current process DLLs

So if you want to translate an address using a kernel DTB:

    >> self.addrspace.vtop(address)

If you wanted to translate an address using a specific process's DTB:

    >> cc(pid = XXX)
    >> self.proc.get_process_address_space().vtop(address)

MHL

On Thu, Apr 18, 2013 at 10:48 AM, kongo sec <kongo86.sec(a)gmail.com> wrote:
Hi,
There was some talk on the #volatility IRC channel. Won't go into details.
Basically, wondering how one can use vtop from volshell, as it is not a
plugin.
Thanks
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
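
Added illustration, not part of the original thread and not Volatility's own code: a minimal x64 page-table walk showing why the same virtual address can translate differently, or not at all, depending on whether the kernel DTB or a process DTB is used. The memory image, DTB values, addresses and the helper names (map_page, build_sample) are constructed for the example; only 4 KiB pages are handled, with no large pages, PAE or transition PTEs.

```python
import struct

PRESENT = 0x1
ADDR_MASK = 0x000FFFFFFFFFF000  # bits 12..51: physical frame of the next level

def read_q(phys_mem, paddr):
    """Read one 8-byte little-endian page-table entry from physical memory."""
    return struct.unpack_from("<Q", phys_mem, paddr)[0]

def vtop(phys_mem, dtb, vaddr):
    """Walk x64 4-level tables (4 KiB pages only) rooted at dtb.
    Returns the physical address, or None if an entry is not present."""
    table = dtb & ADDR_MASK
    for shift in (39, 30, 21, 12):  # PML4, PDPT, PD, PT
        index = (vaddr >> shift) & 0x1FF
        entry = read_q(phys_mem, table + index * 8)
        if not entry & PRESENT:
            return None
        table = entry & ADDR_MASK
    return table | (vaddr & 0xFFF)

def map_page(phys_mem, dtb, vaddr, frame, free_tables):
    """Constructed-sample helper: install vaddr -> frame under dtb,
    taking new table pages from free_tables when a level is missing."""
    table = dtb
    for shift in (39, 30, 21):
        slot = table + ((vaddr >> shift) & 0x1FF) * 8
        entry = read_q(phys_mem, slot)
        if not entry & PRESENT:
            entry = free_tables.pop(0) | PRESENT
            struct.pack_into("<Q", phys_mem, slot, entry)
        table = entry & ADDR_MASK
    slot = table + ((vaddr >> 12) & 0x1FF) * 8
    struct.pack_into("<Q", phys_mem, slot, frame | PRESENT)

def build_sample():
    """Constructed 64 KiB 'physical memory' holding two sets of page tables."""
    mem = bytearray(0x10000)
    kernel_dtb, process_dtb = 0x1000, 0x5000
    # Same virtual page, different physical frame under each DTB.
    map_page(mem, kernel_dtb, 0x7FF612340000, 0x9000, [0x2000, 0x3000, 0x4000])
    map_page(mem, process_dtb, 0x7FF612340000, 0xA000, [0x6000, 0x7000, 0x8000])
    # A user-mode page that exists only in the process's address space.
    map_page(mem, process_dtb, 0x000000401000, 0xB000, [0xC000, 0xD000, 0xE000])
    return mem, kernel_dtb, process_dtb

if __name__ == "__main__":
    mem, kdtb, pdtb = build_sample()
    for name, dtb in (("kernel", kdtb), ("process", pdtb)):
        for va in (0x7FF612340123, 0x401ABC):
            print(name, hex(va), "->", vtop(mem, dtb, va))
```

A None result for a user-mode address under the kernel DTB is the usual sign that the walk needs the owning process's address space instead.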