Michael,
Thanks again - that really helps, and makes sense!
For clarity, given this is a Win7SP1x86 machine where I have disabled
PAE and disabled pagefile, is it correct to conclude that ALL of the
memory that this process is using is in the capture? (I gave it 512MB
RAM and captured all the RAM.)
Adam
On 30/08/13 22:27, Michael Cohen wrote:
Adam,
Virtual memory is not contiguous. memmap will show you the regions
which are mapped to physical memory and the offset in the virtual
address space where they are mapped into. The simple answer is that
the process's virtual address range from 0x00000000-0x00010000 does
not exist - all this means is that if the process was to reference
addresses in that range, the processor will issue a page fault, and be
killed.
Note also that for 64 bit processes, the address space is much larger
than 4GB (2^48 actually).
Michael.
On 30 August 2013 22:50, Adam Bridge <adam.bridge(a)yahoo.com> wrote:
> Hi all,
>
> Hoping for some more newbie assistance!
>
> I have a sample from Win7SP1x86.
> When I took the capture I had notepad.exe running.
>
> Using pslist(1) I identified the pid and used this with memmap(2).
> (1) python vol.py -f win7.raw --profile=Win7SP1x86 pslist
> (2) python vol.py -f win7.raw --profile=Win7SP1x86 memmap -p 1260
>
> So really two questions:
>
> 1> Why does the first entry show a virtual offset of 0x00010000? Why
> isn't it 0x00000000? Where are the first 0x00010000 bytes of this
> process's virtual memory?
>
> 2> (and I know this is gonna be a face palm moment) Why aren't the
> virtual memory offsets contiguous? If this is a dump of the process's
> virtual memory shouldn't it be one big lump of 4GB? What's the obvious
> thing I'm missing? (Is it simply that notepad.exe isn't using all 4GB so
> the empty pages have been ignored?)
>
> Thank you!
>
> Adam
>
> --
> Have you sent me your PGP Public Key yet?
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
>
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
Have you sent me your PGP Public Key yet?
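Michael's point about memmap (it lists only the pages that are actually mapped, so the virtual column is sparse and starts above 0x00000000) can be checked mechanically. The script below is an added example, not code from this thread or from the Volatility project: it parses memmap-style rows, merges adjacent pages into regions and lists the unmapped holes in the 4GB space; the sample rows are constructed and the column layout of Volatility 2's memmap output is an assumption.

```python
import re

# Constructed sample in the shape of Volatility 2 "memmap -p <pid>" output.
# The column layout is an assumption; a real process has far more rows.
SAMPLE_MEMMAP = """\
notepad.exe pid:   1260
Virtual            Physical                         Size     DumpFileOffset
------------------ ------------------ ------------------ ------------------
0x0000000000010000 0x000000001a2b3000             0x1000                0x0
0x0000000000011000 0x000000001a2b4000             0x1000             0x1000
0x0000000000020000 0x0000000002c41000             0x1000             0x2000
0x00000000000e0000 0x0000000002d01000             0x2000             0x3000
0x0000000000400000 0x0000000002e00000             0x3000             0x5000
"""

# One data row: virtual, physical, size, dump-file offset (all hex).
ROW_RE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+0x[0-9a-f]+\s*$", re.I)

def parse_memmap(text):
    """Return (virtual, physical, size) tuples sorted by virtual address."""
    rows = [m.groups() for m in map(ROW_RE.match, text.splitlines()) if m]
    return sorted(tuple(int(v, 16) for v in r) for r in rows)

def coalesce(rows):
    """Merge virtually adjacent pages into contiguous mapped regions [start, end)."""
    regions = []
    for virt, _phys, size in rows:
        if regions and regions[-1][1] == virt:
            regions[-1][1] = virt + size      # page extends the previous region
        else:
            regions.append([virt, virt + size])
    return [tuple(r) for r in regions]

def holes(regions, space_end=1 << 32):
    """Unmapped ranges between address 0 and space_end (4GB for an x86 process)."""
    out, cursor = [], 0
    for start, end in regions:
        if start > cursor:
            out.append((cursor, start))   # nothing mapped here: a page fault on access
        cursor = max(cursor, end)
    if cursor < space_end:
        out.append((cursor, space_end))
    return out

def summarize(text, space_end=1 << 32):
    """First mapped page, resident bytes and unmapped holes for one memmap listing."""
    rows = parse_memmap(text)
    regions = coalesce(rows)
    return rows[0][0], sum(r[2] for r in rows), holes(regions, space_end)
```

Run `summarize` on a real memmap listing to see that the first hole is 0x00000000-0x00010000 and that the resident pages are a tiny fraction of the 4GB virtual space.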