Hi all,
Wondering if anybody's come across this scenario...
I want to read an address from my_offset:
my_address = obj.Object('address', offset=my_offset, vm=task_vm)
However, for Wow64 the address should only be 4 bytes, but because we're analysing with a 64-bit profile, 'address' will cause 8 bytes to be parsed (right?).
Do I need to replace it with something like:
if profile_is_32bit or process_is_wow64:
my_address = obj.Object('unsigned long', offset=my_offset, vm=task_vm)
else:
my_address = obj.Object('unsigned long long', offset=my_offset, vm=task_vm)
Or do I need to start manually unpacking structs?
Thanks,
Adam