Date: Sat, 4 Feb 2012 19:05:29 -0500
Subject: Re: [Vol-users] what is at that address
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
I updated our documentation to make it clear that decimal offsets are
required, and we'll give your suggestion below some thought before the
next major release of Volatility
(http://code.google.com/p/volatility/issues/detail?id=205)
Thanks!
MHL
On Sat, Feb 4, 2012 at 6:43 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
> I did figure out one way to do this, and it works if the memory block is
> used by a process.
>
> I used memmap and dumped every process to a text file. I then used notepad
> to search for my physical address (and found it). Then I just page up until I
> see that process name.
>
> It would be really cool if there was a switch that would change the output
> from:
>
> smss.exe pid: 724
> Virtual Physical Size
> 0x0000100000 0x00090b6000 0x000000001000
>
> to:
>
> Virtual Physical Size Process PID
> 0x0000100000 0x00090b6000 0x000000001000 smss.exe 724
>
> Then you could put it in a spreadsheet, sort on physical address. You would
> then have a great guide to reference when you were exploring the memory dump
> with Encase or a sector editor (looking for interesting addresses or
> strings). I do this frequently.
>
> Best to all,
> Mike Lambert
>
> ________________________________
> From: dragonforen(a)hotmail.com
> To: vol-users(a)volatilityfoundation.org
> Date: Fri, 3 Feb 2012 17:00:31 -0600
> Subject: [Vol-users] what is at that address
>
>
> I have a text string that I found in memory and I would like to find out
> what is using/mapped to that address. (a process, a dll, a buffer,
> unallocated, etc.)
>
> How do I do that? I'm exploring the docs to see how close I can get; for
> example dumping what I can with memmap, and then searching for my physical
> offset. (but that only gets me processes)
>
> Any suggestions appreciated.
>
> Mike Lambert
> dragonforen(a)hotmail.com
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
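As an added example (not Volatility code, and not from either poster), a small Python script that parses memmap output of the shape quoted in the thread into the flat one-row-per-page table Mike proposes, sorts it by physical address, and answers the original question for a physical offset by range check rather than by text search, so an offset that falls inside a page (not only at its start) is still attributed to its owner. The sample memmap text and the offset looked up are constructed, not real dump data.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of Volatility 2 memmap output (not a real dump).
SAMPLE = """\
smss.exe pid: 724
Virtual Physical Size
0x0000100000 0x00090b6000 0x000000001000
0x0000101000 0x00090b7000 0x000000002000

winlogon.exe pid: 900
Virtual Physical Size
0x0000100000 0x0001a3f000 0x000000001000
0x7ffe0000 0x00004d000 0x000000001000
"""

HEADER_RE = re.compile(r"^(?P<proc>\S+)\s+pid:\s*(?P<pid>\d+)\s*$")
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s*$")


@dataclass(frozen=True)
class Mapping:
    virtual: int
    physical: int
    size: int
    process: str
    pid: int


def parse_memmap(text):
    """Flatten the per-process memmap blocks into one list of Mapping rows."""
    rows, proc, pid = [], None, None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:  # "name pid: N" starts a new process block
            proc, pid = m.group("proc"), int(m.group("pid"))
            continue
        m = ROW_RE.match(line.strip())
        if m and proc is not None:  # column headers and dashes do not match
            v, p, s = (int(x, 16) for x in m.groups())
            rows.append(Mapping(v, p, s, proc, pid))
    return rows


def owners_of_physical(rows, phys):
    """Every mapping whose page range covers phys (a physical page can be shared)."""
    return [r for r in rows if r.physical <= phys < r.physical + r.size]


def flat_table(rows):
    """One line per page, sorted by physical address, in the proposed layout."""
    out = ["Virtual Physical Size Process PID"]
    for r in sorted(rows, key=lambda r: r.physical):
        out.append(f"0x{r.virtual:010x} 0x{r.physical:010x} 0x{r.size:012x} {r.process} {r.pid}")
    return "\n".join(out)
```

Running `flat_table(parse_memmap(SAMPLE))` gives the spreadsheet-ready table; `owners_of_physical(rows, 0x90b6ab0)` reports smss.exe (pid 724) even though a text search for that offset would find nothing.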