The new hh() in volshell shows some details on how to reach different address spaces:

>>> hh()

Use self.addrspace for Kernel/Virtual AS

Use self.addrspace.base for Physical AS

Use self.proc to get the current _EPROCESS object

and self.proc.get_process_address_space() for the current process AS

and self.proc.get_load_modules() for the current process DLLs

So if you want to translate an address using a kernel DTB:

>>> self.addrspace.vtop(address)

If you wanted to translate an address using a specific process's DTB:

>>> cc(pid = XXX)

>>> self.proc.get_process_address_space().vtop(address)

MHL

On Thu, Apr 18, 2013 at 10:48 AM, kongo sec <kongo86.sec@gmail.com> wrote:

HI,

There was some talk on the #volatility irc channel.. Won't go into details,
Basically, wondering how one can use vtop from volshell as it is not a plugin.

thanks

_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users