Mike,
You can try the strings command:
http://code.google.com/p/volatility/wiki/CommandReference#strings
Since you know what string you're looking for, and assuming you don't
find it in process memory with vaddump or memdump, you could also
write your own plugin that does something like this (assuming x86):
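    CHUNKSIZE = 0x100000  # 1 MB
    # Walk the x86 kernel half of the virtual address space one chunk at a time
    for addr in xrange(0x80000000, 0xFFFFFFFF, CHUNKSIZE):
        # zread() pads unavailable pages with zeros instead of failing
        data = addr_space.zread(addr, CHUNKSIZE)
        # test if your strings are in data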
MHL
On Fri, Feb 3, 2012 at 6:00 PM, Mike Houston <dragonforen(a)hotmail.com> wrote:
I have a text string that I found in memory and I would like to find out
what is using/mapped to that address. (a process, a dll, a buffer,
unallocated, etc.)
How do I do that? I'm exploring the docs to see how close I can get; for
example dumping what I can with memmap, and then searching for my physical
offset. (but that only gets me processes)
Any suggestions appreciated.
Mike Lambert
dragonforen(a)hotmail.com
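
An added example, not part of the original message or of Volatility: a chunked scan like the loop in the reply misses a string that straddles a chunk boundary or is stored as UTF-16LE, so this sketch carries an overlap between chunks and searches both encodings. `SparseSpace`, `scan` and `demo` are hypothetical names, `SparseSpace` is a constructed stand-in that models only `zread`, and the code targets Python 3, so it uses `range` where a Volatility 2 plugin would use `xrange`.

```python
CHUNKSIZE = 0x100000  # 1 MB, same chunk size as the loop in the reply
PAGE = 0x1000

class SparseSpace(object):
    """Constructed stand-in for an address space: only some pages are mapped."""
    def __init__(self, pages):
        self.pages = pages  # {page-aligned virtual address: PAGE bytes}

    def zread(self, addr, length):
        # Unmapped pages come back as zeros; addr/length assumed page-aligned.
        out = bytearray()
        for page in range(addr, addr + length, PAGE):
            out += self.pages.get(page, b"\x00" * PAGE)
        return bytes(out)

def scan(space, needle, start, end, chunk=CHUNKSIZE, overlap=True):
    """Return sorted virtual addresses of needle as ASCII or UTF-16LE."""
    patterns = [needle.encode("ascii"), needle.encode("utf-16-le")]
    # Carry the last (longest pattern - 1) bytes into the next chunk.
    keep = max(len(p) for p in patterns) - 1 if overlap else 0
    hits, tail = set(), b""
    for addr in range(start, end, chunk):
        data = tail + space.zread(addr, chunk)
        base = addr - len(tail)  # virtual address of data[0]
        for pat in patterns:
            pos = data.find(pat)
            while pos != -1:
                hits.add(base + pos)  # set() drops repeats seen in the overlap
                pos = data.find(pat, pos + 1)
        tail = data[-keep:] if keep else b""
    return hits and sorted(hits) or []

def demo(overlap=True):
    # Constructed sample: an ASCII copy split across the 0x80100000 chunk
    # boundary and a UTF-16LE copy inside a page at 0x80205000.
    needle = "SECRET-MARKER"
    a, w = needle.encode("ascii"), needle.encode("utf-16-le")
    space = SparseSpace({
        0x800FF000: b"\x00" * (PAGE - 5) + a[:5],
        0x80100000: a[5:] + b"\x00" * (PAGE - len(a) + 5),
        0x80205000: b"\x00" * 0x10 + w + b"\x00" * (PAGE - 0x10 - len(w)),
    })
    return scan(space, needle, 0x80000000, 0x80400000, overlap=overlap)

if __name__ == "__main__":
    print([hex(h) for h in demo()])
```

Calling `demo(overlap=False)` shows the boundary case: the split ASCII copy is no longer reported.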