Thanks Mike,
I got the plugin and put it in the plugin directory.
I looked at the plugin help and did not see how to specify the address to translate. I
tried this without a switch:
C:\Python27\volatility-2.0>python vol.py pas2kas -f \mem\120129\120129c.w32 --profile=WinXPSP3x86 0x19248000
Volatile Systems Volatility Framework 2.0
YARA is not installed, see
http://code.google.com/p/yara-project/
distorm3 is not installed, see
http://code.google.com/p/distorm/
Phys AS KAS
C:\Python27\volatility-2.0>
It seems I am not specifying the address to translate properly. Perhaps you can correct my
command line.
Thanks,
Mike
PS. Yara will not install because it does not see a key for python27 in the registry. Do
you know what key I should put in the registry so Yara will install?
From: scudette(a)gmail.com
Date: Fri, 3 Feb 2012 23:34:43 -0800
Subject: Re: [Vol-users] what is at that address
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Mike,
You could also use the pas2kas module:
http://code.google.com/p/volatility/source/browse/branches/scudette/volatil…
Michael.
On 3 February 2012 15:00, Mike Houston <dragonforen(a)hotmail.com> wrote:
> I have a text string that I found in memory and I would like to find out
> what is using/mapped to that address. (a process, a dll, a buffer,
> unallocated, etc.)
>
> How do I do that? I'm exploring the docs to see how close I can get; for
> example dumping what I can with memmap, and then searching for my physical
> offset. (but that only gets me processes)
>
> Any suggestions appreciated.
>
> Mike Lambert
> dragonforen(a)hotmail.com
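The memmap-based approach Mike describes in his first message (dump each process's mappings, then search for the physical offset) as an added, stand-alone example; this is not code from the thread or from Volatility. The memmap column layout, process header format and sample lines are constructed for the example, and the lookup returns every process/virtual address that covers a given physical offset, since one physical page can be shared.

```python
"""Reverse lookup of a physical offset against memmap-style output.

Added example, not Volatility code. The input layout below is an
approximation of Volatility 2.x `memmap` output, constructed for this demo.
"""
import re

# Constructed sample: two processes, one shared physical page at 0x19248000.
SAMPLE_MEMMAP = """\
svchost.exe pid:    868
Virtual    Physical   Size
0x00010000 0x19248000 0x1000
0x00011000 0x01c3f000 0x1000
0x7c900000 0x00a10000 0x3000
explorer.exe pid:   1204
Virtual    Physical   Size
0x00400000 0x19248000 0x1000
0x01000000 0x05550000 0x2000
"""

PROC_RE = re.compile(r"^(\S+)\s+pid:\s+(\d+)\s*$")
MAP_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s*$")


def parse_memmap(text):
    """Yield (process, pid, virtual, physical, size) for each mapping line."""
    current = None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            continue
        m = MAP_RE.match(line)
        if m and current:
            virt, phys, size = (int(x, 16) for x in m.groups())
            yield current[0], current[1], virt, phys, size


def who_maps(text, phys_offset):
    """Return [(process, pid, virtual_address)] for every mapping that
    covers phys_offset. Several hits mean the page is shared (e.g. a DLL)."""
    hits = []
    for proc, pid, virt, phys, size in parse_memmap(text):
        if phys <= phys_offset < phys + size:
            hits.append((proc, pid, virt + (phys_offset - phys)))
    return hits


if __name__ == "__main__":
    for proc, pid, va in who_maps(SAMPLE_MEMMAP, 0x19248010):
        print("%s (pid %d) maps it at virtual 0x%08x" % (proc, pid, va))
```

As Mike notes, this only resolves pages that belong to a process address space; physical pages held by the kernel, a driver or unallocated pool need a kernel-space translation such as pas2kas.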