Hi all,
Hoping for some more newbie assistance!
I have a sample from Win7SP1x86.
When I took the capture I had notepad.exe running.
Using pslist(1) I identified the pid and used this with memmap(2).
(1) python vol.py -f win7.raw --profile=Win7SP1x86 pslist
(2) python vol.py -f win7.raw --profile=Win7SP1x86 memmap -p 1260
So really two questions:
1> Why does the first entry show a virtual offset of 0x00010000? Why
isn't it 0x00000000? Where are the first 0x00010000 bytes of this
process's virtual memory?
2> (and I know this is gonna be a face palm moment) Why aren't the
virtual memory offsets contiguous? If this is a dump of the process's
virtual memory shouldn't it be one big lump of 4GB? What's the obvious
thing I'm missing? (Is it simply that notepad.exe isn't using all 4GB so
the empty pages have been ignored?)
Thank you!
Adam
--
Have you sent me your PGP Public Key yet?
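An added example, not from the original thread, that parses memmap-style rows, merges back-to-back pages into contiguous runs and lists the holes between them, which makes both points visible: memmap only lists pages that were present (translatable) at capture time, and Windows leaves the low 64 KB of user space unmapped, so nothing appears below 0x10000. The rows below are constructed, not taken from the poster's capture.

```python
import re

# Constructed memmap-style rows in Volatility 2's column layout (not from a real capture).
SAMPLE_MEMMAP = """\
Virtual            Physical                         Size     DumpFileOffset
------------------ ------------------ ------------------ ------------------
0x0000000000010000 0x000000001e4a1000            0x1000                0x0
0x0000000000020000 0x000000001d2b3000            0x1000             0x1000
0x0000000000021000 0x000000001f0c4000            0x1000             0x2000
0x0000000000022000 0x00000000211d5000            0x1000             0x3000
0x00000000000d0000 0x0000000002e66000            0x1000             0x4000
0x000000007ffe0000 0x00000000001e7000            0x1000             0x5000
"""

ROW = re.compile(r"^(0x[0-9a-f]+)\s+0x[0-9a-f]+\s+(0x[0-9a-f]+)\s+0x[0-9a-f]+$", re.I)
NULL_REGION_END = 0x10000  # Windows reserves the low 64 KB of user space; it is never mapped

def parse_memmap(text):
    """Return sorted (virtual_address, size) pairs, skipping header and separator lines."""
    pages = [(int(m.group(1), 16), int(m.group(2), 16))
             for m in (ROW.match(l.strip()) for l in text.splitlines()) if m]
    return sorted(pages)

def coalesce(pages):
    """Merge pages whose virtual addresses are back-to-back into contiguous runs."""
    runs = []
    for va, size in pages:
        if runs and runs[-1][0] + runs[-1][1] == va:
            runs[-1] = (runs[-1][0], runs[-1][1] + size)   # extend the current run
        else:
            runs.append((va, size))                        # new run after a hole
    return runs

def gaps(runs):
    """Virtual ranges between runs: pages memmap did not list because they were not present."""
    return [(a + n, b) for (a, n), (b, _) in zip(runs, runs[1:])]

def summarize(text):
    runs = coalesce(parse_memmap(text))
    return {"runs": runs, "gaps": gaps(runs),
            "mapped_bytes": sum(n for _, n in runs),
            "lowest_va": runs[0][0],
            "starts_above_null_region": runs[0][0] >= NULL_REGION_END}

if __name__ == "__main__":
    s = summarize(SAMPLE_MEMMAP)
    for a, n in s["runs"]:
        print(f"run {a:#010x}-{a + n:#010x}")
    for lo, hi in s["gaps"]:
        print(f"gap {lo:#010x}-{hi:#010x}: {(hi - lo) // 0x1000} pages not present")
```

Run it against real memmap output by piping the plugin's stdout into `summarize`; the DumpFileOffset column stays contiguous even where the virtual column jumps, because memdump writes only the listed pages back to back.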