Hi Mike,
I did try strings.
My string input file (120129Nbivevokoxa.txt) looks like this:
192480a0:Nbivevokoxa
My commandline was:
C:\Python27\volatility-2.0>python vol.py strings --profile=WinXPSP3x86 -s \mem\120129\120129Nbivevokoxa.txt -f \mem\120129\120129c.w32 --output=text --output-file=\mem\120129\120129strings.txt -S
Volatile Systems Volatility Framework 2.0
ERROR : volatility.plugins.strings: String file format invalid.
What should the contents of 120129Nbivevokoxa.txt look like?
Thanks,
Mike
Date: Sat, 4 Feb 2012 01:48:10 -0500
Subject: Re: [Vol-users] what is at that address
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Mike,
You can try the strings command:
http://code.google.com/p/volatility/wiki/CommandReference#strings
Since you know what string you're looking for, and assuming you don't
find it in process memory with vaddump or memdump, you could also
write your own plugin that does something like this (assuming x86):
CHUNKSIZE = 0x100000  # 1 MB
for addr in xrange(0x80000000, 0xFFFFFFFF, CHUNKSIZE):
    data = addr_space.zread(addr, CHUNKSIZE)
    # test if your strings are in data
MHL
On Fri, Feb 3, 2012 at 6:00 PM, Mike Houston <dragonforen(a)hotmail.com> wrote:
> I have a text string that I found in memory and I would like to find out
> what is using/mapped to that address. (a process, a dll, a buffer,
> unallocated, etc.)
>
> How do I do that? I'm exploring the docs to see how close I can get; for
> example dumping what I can with memmap, and then searching for my physical
> offset. (but that only gets me processes)
>
> Any suggestions appreciated.
>
> Mike Lambert
> dragonforen(a)hotmail.com
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
>
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
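The chunked kernel-range scan MHL sketches above, carried through as an added example (Python 3; not code from this thread or from Volatility itself). FakeAddressSpace, find_string and the sample regions are assumptions constructed for this example: the fake space only supplies the zread(addr, length) call the sketch relies on, and the scan extends each read by len(needle)-1 bytes so a string that straddles a 1 MB chunk boundary is still found, which the plain loop misses.

```python
CHUNKSIZE = 0x100000                                   # 1 MB, as in the sketch above
KERNEL_START, KERNEL_END = 0x80000000, 0xFFFFFFFF      # x86 kernel range

class FakeAddressSpace(object):
    """Stand-in for a Volatility address space (constructed for this example):
    a sparse dict of base address -> bytes, zero-filled everywhere else,
    exposing the zread(addr, length) call the sketch relies on."""
    def __init__(self, regions):
        self.regions = regions

    def zread(self, addr, length):
        buf = bytearray(length)
        for base, data in self.regions.items():
            lo, hi = max(addr, base), min(addr + length, base + len(data))
            if lo < hi:
                buf[lo - addr:hi - addr] = data[lo - base:hi - base]
        return bytes(buf)

def find_string(addr_space, needle, start=KERNEL_START, end=KERNEL_END,
                chunk=CHUNKSIZE, overlap=True):
    """Return the virtual addresses where needle occurs in [start, end).
    With overlap=True each read is extended by len(needle)-1 bytes, so a hit
    straddling a chunk boundary is found exactly once, in the chunk where it
    starts; overlap=False reproduces the plain chunked loop and misses it."""
    extra = len(needle) - 1 if overlap else 0
    hits = []
    for addr in range(start, end, chunk):
        data = addr_space.zread(addr, min(chunk + extra, end - addr))
        pos = data.find(needle)
        while pos != -1:
            hits.append(addr + pos)
            pos = data.find(needle, pos + 1)
    return hits

# Constructed sample: one copy well inside a chunk, one straddling the
# boundary between the first and second 1 MB chunk (addresses are made up).
NEEDLE = b"Nbivevokoxa"
SAMPLE_SPACE = FakeAddressSpace({
    0x805F0000: b"\x00" * 16 + NEEDLE + b"\x00" * 5,
    0x80100000 - 5: NEEDLE,
})

if __name__ == "__main__":
    for ovl in (True, False):
        found = find_string(SAMPLE_SPACE, NEEDLE, overlap=ovl)
        print("overlap=%s: %s" % (ovl, ["0x%08x" % a for a in found]))
```

Scanning the full 2 GB range with the fake space takes a few seconds; narrow start/end to the region of interest when experimenting.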