I did figure out one way to do this, and it works if the memory block is used by a process.
I used memmap and dumped every process to a text file. I then used Notepad to search for my physical address (and found it). Then I just page up until I see that process name.
It would be really cool if there was a switch that would change the output from:
smss.exe pid: 724
Virtual Physical Size
0x0000100000 0x00090b6000 0x000000001000
to:
Virtual Physical Size Process PID
0x0000100000 0x00090b6000 0x000000001000 smss.exe 724
Then you could put it in a spreadsheet and sort on physical address. You would then have a great guide to reference when you were exploring the memory dump with EnCase or a sector editor (looking for interesting addresses or strings). I do this frequently.
Best to all,
Mike Lambert
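A small script that does the flattening the post asks for, as an added example (it is not code from this thread or from Volatility): it parses memmap text in the layout quoted above (a "<process> pid: <n>" header followed by "Virtual Physical Size" rows), tags each row with its process and PID, sorts by physical offset, and looks up which process has a given physical offset mapped. The sample memmap text embedded at the bottom is constructed for the example, not real dump data. Two things the lookup makes explicit that a Notepad search does not: a physical page can be mapped by several processes at once (shared DLL pages, for instance), so one offset can have more than one owner, and memmap only lists what process page tables map, so "no hit" means kernel, pool, driver or free memory rather than "unallocated".

```python
"""
Flatten Volatility 2 memmap output into a sortable table and look up
which process (if any) has a given physical offset mapped.

Added example, not Volatility's own code: it parses the text layout
quoted in the thread and ignores any line that is neither a process
header nor a three-column hex row.
"""
import re
from typing import List, NamedTuple


class Mapping(NamedTuple):
    virtual: int    # virtual address of the page range in the process
    physical: int   # physical offset of that range in the memory image
    size: int       # length of the range in bytes
    process: str
    pid: int


# "smss.exe pid: 724" (memmap may pad the pid with spaces; \s* covers that)
PROC_RE = re.compile(r"^(?P<name>\S+)\s+pid:\s*(?P<pid>\d+)$")
# three hex columns: Virtual Physical Size
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)$")


def parse_memmap(text: str) -> List[Mapping]:
    """Return every row as a Mapping tagged with its owning process, sorted by physical offset."""
    rows: List[Mapping] = []
    process, pid = "", -1
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            process, pid = m.group("name"), int(m.group("pid"))
            continue
        m = ROW_RE.match(line)
        if m and pid >= 0:
            virt, phys, size = (int(x, 16) for x in m.groups())
            rows.append(Mapping(virt, phys, size, process, pid))
    return sorted(rows, key=lambda r: (r.physical, r.pid))


def to_table(rows: List[Mapping]) -> str:
    """Tab-separated 'Virtual Physical Size Process PID' lines ready for a spreadsheet."""
    lines = ["Virtual\tPhysical\tSize\tProcess\tPID"]
    for r in rows:
        lines.append(f"0x{r.virtual:x}\t0x{r.physical:x}\t0x{r.size:x}\t{r.process}\t{r.pid}")
    return "\n".join(lines)


def lookup_physical(rows: List[Mapping], phys: int) -> List[Mapping]:
    """All mappings whose [physical, physical+size) range contains phys.

    More than one hit is normal: a page shared between processes (for example
    a DLL's code page) shows up once per process that maps it. No hit means
    no process page table maps it; it may still be kernel, pool or driver memory.
    """
    return [r for r in rows if r.physical <= phys < r.physical + r.size]


def virtual_for(r: Mapping, phys: int) -> int:
    """Translate a physical offset inside mapping r back to that process's virtual address."""
    if not (r.physical <= phys < r.physical + r.size):
        raise ValueError("offset not inside this mapping")
    return r.virtual + (phys - r.physical)


# Constructed sample in the layout quoted in the thread (not real dump data).
SAMPLE_MEMMAP = """\
smss.exe pid: 724
Virtual Physical Size
0x0000100000 0x00090b6000 0x000000001000
0x0000101000 0x00090b7000 0x000000002000
csrss.exe pid: 788
Virtual Physical Size
0x000077e00000 0x00090b7000 0x000000001000
0x000001000000 0x000001230000 0x000000001000
"""

if __name__ == "__main__":
    rows = parse_memmap(SAMPLE_MEMMAP)
    print(to_table(rows))
    target = 0x90B6800          # physical offset of a string found in the image
    hits = lookup_physical(rows, target)
    for r in hits:
        print(f"0x{target:x} -> {r.process} (pid {r.pid}) at virtual 0x{virtual_for(r, target):x}")
    if not hits:
        print("no process maps that page: kernel, pool, driver or free memory")
```

Run it against a real dump with `python memmap_table.py < memmap.txt` after swapping `SAMPLE_MEMMAP` for `sys.stdin.read()`; the tab-separated output pastes straight into a spreadsheet, and `lookup_physical` answers the "what is at that address" question for any offset found with a sector editor.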
From: dragonforen@hotmail.com
To: vol-users@volatilityfoundation.org
Date: Fri, 3 Feb 2012 17:00:31 -0600
Subject: [Vol-users] what is at that address
I have a text string that I found in memory and I would like to find out what is using/mapped to that address. (a process, a dll, a buffer, unallocated, etc.)
How do I do that? I'm exploring the docs to see how close I can get; for example dumping what I can with memmap, and then searching for my physical offset. (but that only gets me processes)
Any suggestions appreciated.
Mike Lambert
dragonforen@hotmail.com