Re: [Vol-users] Windows kernel memory.

1 Mar 2012

      Thank you for your answers.

...
  There is no such thing as "the address spaces of
all processes." 
What I meant to say was that moddump plugin uses find_space function to find a process
whose address space maps the searched driver.

    def find_space(self, addr_space, procs, mod_base):
        """Search for an address space (usually looking for a GUI
process)"""
        if addr_space.is_valid_address(mod_base):
            return addr_space
        for proc in procs:
            ps_ad = proc.get_process_address_space()
            if ps_ad != None:
                if ps_ad.is_valid_address(mod_base):
                    return ps_ad
        return None

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Re: [Vol-users] Windows kernel memory.