Hi Mike,
 
I did try strings.
 
My string input file (120129Nbivevokoxa.txt) looks like this:
192480a0:Nbivevokoxa
 
My commandline was:
 
C:\Python27\volatility-2.0>python vol.py strings --profile=WinXPSP3x86 -s \mem\120129\120129Nbivevokoxa.txt -f \mem\120129\120129c.w32 --output=text --output-file=\mem\120129\120129strings.txt -S
Volatile Systems Volatility Framework 2.0
ERROR   : volatility.plugins.strings: String file format invalid.
 
What should the contents of 120129Nbivevokoxa.txt look like?
 
Thanks,
Mike
 
> Date: Sat, 4 Feb 2012 01:48:10 -0500
> Subject: Re: [Vol-users] what is at that address
> From: michael.hale@gmail.com
> To: dragonforen@hotmail.com
> CC: vol-users@volatilityfoundation.org
>
> Mike,
>
> You can try the strings command:
> http://code.google.com/p/volatility/wiki/CommandReference#strings
>
> Since you know what string you're looking for, and assuming you don't
> find it in process memory with vaddump or memdump, you could also
> write your own plugin that does something like this (assuming x86):
>
> CHUNKSIZE = 0x100000 # 1 MB
>
> for addr in xrange(0x80000000, 0xFFFFFFFF, CHUNKSIZE):
>     data = addr_space.zread(addr, CHUNKSIZE)
>     # test if your strings are in data
>
> MHL
>
>
> On Fri, Feb 3, 2012 at 6:00 PM, Mike Houston <dragonforen@hotmail.com> wrote:
> > I have a text string that I found in memory and I would like to find out
> > what is using/mapped to that address. (a process, a dll, a buffer,
> > unallocated, etc.)
> >
> > How do I do that? I'm exploring the docs to see how close I can get; for
> > example dumping what I can with memmap, and then searching for my physical
> > offset. (but that only gets me processes)
> >
> > Any suggestions appreciated.
> >
> > Mike Lambert
> > dragonforen@hotmail.com
> >
> >
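
An added example, not part of the original thread and not Volatility code: the chunked kernel-space scan sketched in the quoted reply, run against a stand-in address space so it works offline. `FakeAddressSpace`, `scan` and `find_string` are hypothetical names, the sample data is constructed, and the code is written for Python 3; it reads `len(needle) - 1` bytes past each chunk so a string that straddles a chunk boundary is not missed.

```python
CHUNKSIZE = 0x100000  # 1 MB, as in the quoted sketch


class FakeAddressSpace(object):
    """Hypothetical stand-in for a Volatility address space (zread only)."""

    def __init__(self, regions):
        self.regions = regions  # {virtual address: bytes}, constructed data

    def zread(self, addr, length):
        buf = bytearray(length)  # unreadable ranges come back zero-filled
        for start, data in self.regions.items():
            lo, hi = max(addr, start), min(addr + length, start + len(data))
            if lo < hi:
                buf[lo - addr:hi - addr] = data[lo - start:hi - start]
        return bytes(buf)


def scan(addr_space, needle, start=0x80000000, end=0x100000000):
    """Return every virtual address in [start, end) where needle begins."""
    hits = []
    overlap = len(needle) - 1  # read past the chunk end to catch straddlers
    for addr in range(start, end, CHUNKSIZE):
        data = addr_space.zread(addr, min(CHUNKSIZE + overlap, end - addr))
        pos = data.find(needle)
        while pos != -1:
            hits.append(addr + pos)
            pos = data.find(needle, pos + 1)
    return hits


def find_string(addr_space, text, **bounds):
    """Search for text as ASCII and as UTF-16LE (common for Windows strings)."""
    return {enc: scan(addr_space, text.encode(enc), **bounds)
            for enc in ("ascii", "utf-16-le")}


# Constructed sample: one ASCII copy straddling the 0x80100000 chunk boundary,
# one UTF-16LE copy inside a chunk.
SAMPLE = FakeAddressSpace({
    0x800FFFFC: b"Nbivevokoxa",
    0x80200010: "Nbivevokoxa".encode("utf-16-le"),
})

if __name__ == "__main__":
    for enc, addrs in find_string(SAMPLE, "Nbivevokoxa", end=0x80400000).items():
        print(enc, [hex(a) for a in addrs])
```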