Hi all,
I've come across a peculiarity that I'd really like someone to shed some light on. Consider:
> python vol.py --profile Win7SP1x64 -f Windows7x64.vmem volshell
Volatility Foundation Volatility Framework 2.4
Current context: System @ 0xfffffa80018ae890, pid=4, ppid=0 DTB=0x187000
Welcome to volshell! Current memory image is:
file:///C:/Windows7x64.vmem
To get help, type 'hh()'
>>> for p in getprocs():
...     my_proc = p
...     break
...
>>> print my_proc.UniqueProcessId, my_proc.ImageFileName
4 System
>>> for i in range(10):
...     my_proc.get_process_address_space()
...
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D76240>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D76470>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D762E8>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D76240>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D76470>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D762E8>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D76240>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D76470>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D762E8>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D76240>
There appear to be three different objects that are returned on a cycle.
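One way to check what the cycling `0x...` values mean: compare the count of distinct objects when every result is thrown away (as in the volshell loop above) with the count when every result is kept alive. This is an added example, not code from the original post or from Volatility; `FakeAddressSpace`, `make_fresh_space` and `make_cached_space` are assumed stand-ins for the real `get_process_address_space()` call.

```python
# Added example (not from the post or from Volatility): stand-ins for
# get_process_address_space() with two possible behaviours, and a check that
# tells "a new object on every call" apart from "one cached object".
class FakeAddressSpace(object):
    """Assumed stand-in for AMD64PagedMemory: one instance per construction."""
    def __init__(self, dtb):
        self.dtb = dtb


def make_fresh_space(dtb=0x187000):
    # Behaviour A: build a brand-new object on every call, store it nowhere.
    return FakeAddressSpace(dtb)


_cached = {}


def make_cached_space(dtb=0x187000):
    # Behaviour B: one instance per DTB, the same object returned every time.
    if dtb not in _cached:
        _cached[dtb] = FakeAddressSpace(dtb)
    return _cached[dtb]


def distinct_ids_without_refs(factory, n=10):
    # Mirrors the loop in the post: each result is dropped right away, so the
    # interpreter is free to hand the freed slot to the next object. id() (the
    # "0x..." shown by repr() in CPython) can then repeat or cycle even though
    # every call produced a new object, so this count is NOT a reliable answer.
    return len(set(id(factory()) for _ in range(n)))


def distinct_objects_with_refs(factory, n=10):
    # Keeping every result alive rules out slot reuse: two live objects can
    # never share an id(), so this count is the true number of objects created.
    kept = [factory() for _ in range(n)]
    return len(set(id(o) for o in kept))


def is_fresh_per_call(factory, n=10):
    # True when the factory really constructs a separate object on each call.
    return distinct_objects_with_refs(factory, n) == n


if __name__ == "__main__":
    print("fresh, refs dropped:", distinct_ids_without_refs(make_fresh_space))
    print("fresh, refs kept:   ", distinct_objects_with_refs(make_fresh_space))
    print("cached, refs kept:  ", distinct_objects_with_refs(make_cached_space))
```

Running the same check in volshell means replacing the stand-in factory with `my_proc.get_process_address_space` and keeping the results in a list before comparing ids.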