I think you're looking to work with volshell. I did a presentation
based upon a lot of the Volatility developer's work:
To understand how it all works, I read the Windows Sys Internals 5th
Edition's chapter on memory management. I would 100% consider that to
be the greatest resource for mem management in Windows.
On Mon, Sep 23, 2013 at 4:46 PM, Adam Bridge <adam.bridge(a)yahoo.com> wrote:
Hi Jesse,
I've been plodding on with this and am fishing for the next tip!
I'm happy that every time a process calls VirtualAlloc, it gets a new
entry in the VAD tree. And I'm happy with the VAD tree being a binary
tree structure.
Using Volaility I did:
$ python vol.py -f ~/memtest/win7.raw --profile=Win7SP1x86 vaddump -D
~/memtest/292-vads -p 292
(292 being the pid of notepad.exe)
Then I was able to find the particular VAD entry that contained my text:
$ grep "i.-.t.y.p.e.d.-." ~/memtest/292-vads/*
Binary file 292-vads/notepad.exe.1ef08030.0x00120000-0x0021ffff.dmp matches
By opening this dmp file in a hex editor I found my string at offset
0x1dab8.
Interestingly, I repeated this process for two other notepad processes
and in both cases the text could be found at the same offset.
I was surprised that the offset was the same in all three cases because
I know that in the latter two cases I'd done things in notepad I hadn't
done in the first instance, for example, pasting from the clipboard.
Running the vadtree plugin against the three notepad processes I noticed
a couple of things:
- The root node always covered range: 0x75840000 - 0x75913fff.
- The node containing my text wasn't always in the same position in the
VAD tree. (It was for the first two, not for the third.)
I'm struggling with the next step.
I'd really appreciate a suggestion as to what to go read about next!
Thank you,
Adam
On 21/09/13 20:06, Adam Bridge wrote:
HaHa! Thanks Jesse!
Thank you for the hints - I'm just trying to get my head around walking
the VAD tree at the moment.
I'll be sure to ask you if I need some more assistance.
Hopefully down the line I'll write a mini-tutorial around this to share
with the list.
Adam
On 21/09/13 19:25, Jesse Kornblum wrote:
> Hi Adam,
>
> Two hints, in progressive levels of practicality:
>
> 1. I when I tried to do this, I ended up falling down in a Heap.
>
> 2. Memory allocated by a program is stored in the VADs.
>
> If you're stuck, write back and I'll show you exactly how to do it!
>
> Good luck,
--
Have you sent me your PGP Public Key yet?
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users