Hi,
I'm not sure what you mean by "PTE = 0 for that page, but it shouldn't
be" -- it is normal in a memory image to have some areas of virtual memory that are
inaccessible due to paging. If you want to read a whole block that may have some missing
portions, you can use zread to fill the missing pages with zeros.
As for the API -- there are currently two different ways of accessing data structures:
Object and Object2. Object is the older one, which consists of functions like read_obj and
read_value and wrapper functions like module_baseaddr that call read_obj and read_value.
Object2 is the newer interface, which represents data types from the OS in the memory
image as Python objects. In most cases Object2 is much simpler to use, and the wrapper
functions are no longer required -- that's why I use them in my code. I believe the
current plan is to use this style of API for everything going forward.
Hope this helps,
Brendan (aka moyix)
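The read-versus-zread behaviour described above, as an added example that is not code from this thread or from Volatility: a toy address space whose vtop() returns None for a page with PTE == 0, so a strict read of a module spanning that page fails while a zero-filling read returns the whole buffer and reports which page was absent. MockAddressSpace, dump_module and the page layout are constructed for this illustration, not Volatility's own classes.

```python
PAGE_SIZE = 0x1000

class MockAddressSpace(object):
    """Toy address space (constructed for this example): vtop() maps virtual
    pages to physical offsets and returns None when the page's PTE is 0."""

    def __init__(self, page_map, physical):
        self.page_map = page_map    # {virtual page number: physical page number}
        self.physical = physical    # raw bytes of the constructed "image"

    def vtop(self, vaddr):
        ppage = self.page_map.get(vaddr // PAGE_SIZE)
        if ppage is None:
            return None             # PTE == 0: no translation for this page
        return ppage * PAGE_SIZE + (vaddr % PAGE_SIZE)

    def zread(self, vaddr, length, strict=False):
        """Read page by page; a page vtop() cannot translate is zero-filled,
        or makes the whole read fail when strict is set."""
        out, cur, end = bytearray(), vaddr, vaddr + length
        while cur < end:
            chunk = min(PAGE_SIZE - (cur % PAGE_SIZE), end - cur)
            paddr = self.vtop(cur)
            if paddr is None:
                if strict:
                    return None
                out += b"\x00" * chunk
            else:
                out += self.physical[paddr:paddr + chunk]
            cur += chunk
        return bytes(out)

    def read(self, vaddr, length):
        """Strict read, as in the original post: None if any page is missing."""
        return self.zread(vaddr, length, strict=True)

# Constructed layout: physical page 0 is all 'A', page 1 is all 'C'; the module
# spans virtual pages 0x10..0x12 and the middle page (0x11) has no PTE.
PHYSICAL = b"A" * PAGE_SIZE + b"C" * PAGE_SIZE
PAGE_MAP = {0x10: 0, 0x12: 1}
DRIVER_BASE, DRIVER_SIZE = 0x10000, 3 * PAGE_SIZE

def dump_module(addr_space, base, size):
    """Return (data, missing): the zero-filled module image plus the virtual
    pages that were absent, so a dump tool records gaps instead of passing
    off zero-filled pages as real code."""
    missing = [p for p in range(base, base + size, PAGE_SIZE)
               if addr_space.vtop(p) is None]
    return addr_space.zread(base, size), missing
```

Calling dump_module(MockAddressSpace(PAGE_MAP, PHYSICAL), DRIVER_BASE, DRIVER_SIZE) returns a three-page buffer whose middle page is zeros together with missing == [0x11000], while read() over the same range returns None.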
On Jul 27, 2010, at 7:35 PM, Tora wrote:
Hi there,
I'm trying to code a small tool to interact with users, hash modules
and dump them... but this last part is not working properly. I have in
my code something like:
    import vutils  # assumed: Volatility 1.3 top-level helper module, not in the original post
    from forensics.win32.modules import modules_list, module_baseaddr, module_imagesize  # assumed path

    # Load the memory image and identify its address space, symbol table and types
    (self.addr_space, self.symtab, self.types) = \
        vutils.load_and_identify_image(self.op, self.opts)
    ...
    # Walk the list of loaded kernel modules
    for module in modules_list(self.addr_space, self.types, self.symtab):
        ...
        driver_base = module_baseaddr(self.addr_space, self.types, module)
        driver_size = module_imagesize(self.addr_space, self.types, module)
        # read() gives None if any page in [driver_base, driver_base + driver_size) cannot be translated
        data = self.addr_space.read(driver_base, driver_size)
The problem is that using this code, data is always None. Tracing a
bit, I found that it is because at some point one of the pages cannot be
read because a call to vtop returns None (PTE = 0 for that page, but it
shouldn't be). I've been testing the code with different memory images
and I even get the same behaviour when testing it with NIST's
xp-laptop dumps, so I'm quite sure it's not because of a weird memory
dump.
So, any ideas about what I'm doing wrong? Also, any hint about the best
way to use the API would be nice. I mean, I'm using calls to
module_baseaddr while other code I saw (moddump by moyix) uses things
like mod.BaseAddress.v().
Thanks,
Tora
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users