Thanks Mike,
 
I got the plugin and put it in the plugin directory.
 
I looked at the plugin help and did not see how to specify the address to translate. I tried this without a switch:
 
C:\Python27\volatility-2.0>python vol.py pas2kas -f \mem\120129\120129c.w32 --profile=WinXPSP3x86 0x19248000
Volatile Systems Volatility Framework 2.0
YARA is not installed, see http://code.google.com/p/yara-project/
distorm3 is not installed, see http://code.google.com/p/distorm/
Phys AS    KAS
 
C:\Python27\volatility-2.0>

It seems I am not specifying the address to translate properly. Perhaps you can correct my command line.
 
Thanks,
Mike
 
PS. Yara will not install because it does not see a key for python27 in the registry. Do you know what key I should put in the registry so Yara will install?
 
 

> From: scudette@gmail.com
> Date: Fri, 3 Feb 2012 23:34:43 -0800
> Subject: Re: [Vol-users] what is at that address
> To: dragonforen@hotmail.com
> CC: vol-users@volatilityfoundation.org
>
> Mike,
> You could also use the pas2kas module:
>
> http://code.google.com/p/volatility/source/browse/branches/scudette/volatility/plugins/windows/pas2kas.py
>
> Michael.
>
> On 3 February 2012 15:00, Mike Houston <dragonforen@hotmail.com> wrote:
> > I have a text string that I found in memory and I would like to find out
> > what is using/mapped to that address. (a process, a dll, a buffer,
> > unallocated, etc.)
> >
> > How do I do that? I'm exploring the docs to see how close I can get; for
> > example dumping what I can with memmap, and then searching for my physical
> > offset. (but that only gets me processes)
> >
> > Any suggestions appreciated.
> >
> > Mike Lambert
> > dragonforen@hotmail.com