I updated our documentation to make it clear that decimal offsets are
required, and we'll give your suggestion below some thought before the
next major release of Volatility
(http://code.google.com/p/volatility/issues/detail?id=205)
Thanks!
MHL
On Sat, Feb 4, 2012 at 6:43 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
I did figure out one way to do this, and it works if the memory block is
used by a process.
I used memmap and dumped every process to a text file. I then used notepad
to search for my physical address (and found it). Then I just page up until I
see that process name.
It would be really cool if there was a switch that would change the output
from:
smss.exe pid: 724
Virtual Physical Size
0x0000100000 0x00090b6000 0x000000001000
to:
Virtual Physical Size Process PID
0x0000100000 0x00090b6000 0x000000001000 smss.exe 724
Then you could put it in a spreadsheet, sort on physical address. You would
then have a great guide to reference when you were exploring the memory dump
with Encase or a sector editor (looking for interesting addresses or
strings). I do this frequently.
Best to all,
Mike Lambert
________________________________
From: dragonforen(a)hotmail.com
To: vol-users(a)volatilityfoundation.org
Date: Fri, 3 Feb 2012 17:00:31 -0600
Subject: [Vol-users] what is at that address
I have a text string that I found in memory and I would like to find out
what is using/mapped to that address. (a process, a dll, a buffer,
unallocated, etc.)
How do I do that? I'm exploring the docs to see how close I can get; for
example dumping what I can with memmap, and then searching for my physical
offset. (but that only gets me processes)
Any suggestions appreciated.
Mike Lambert
dragonforen(a)hotmail.com
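As an added example (not code from this thread or from Volatility itself), here is a small Python script that does what Mike describes by hand: it flattens memmap's per-process output into one row per page with the process name and PID as trailing columns, sorts it on physical address, writes CSV for a spreadsheet, and answers "which process maps this physical offset". The memmap text is a constructed sample in the column layout shown above; the regexes and function names are assumptions, not Volatility APIs.

```python
import csv
import io
import re

# Constructed sample in the layout the thread shows for memmap output
# (process header line, column header, then one line per page mapping).
SAMPLE_MEMMAP = """\
smss.exe pid: 724
Virtual Physical Size
0x0000100000 0x00090b6000 0x000000001000
0x0000101000 0x00090b7000 0x000000001000
csrss.exe pid: 772
Virtual Physical Size
0x0000200000 0x0001a4c000 0x000000002000
"""

PROC_RE = re.compile(r"^(\S+)\s+pid:\s*(\d+)\s*$")
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s*$")


def parse_memmap(text):
    """Flatten memmap output into (virtual, physical, size, process, pid) rows."""
    rows, proc, pid = [], None, None
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            proc, pid = m.group(1), int(m.group(2))
            continue
        m = ROW_RE.match(line.strip())
        if m and proc is not None:
            virt, phys, size = (int(x, 16) for x in m.groups())
            rows.append((virt, phys, size, proc, pid))
    # Sort on physical address, the same sort you would apply in a spreadsheet.
    rows.sort(key=lambda r: r[1])
    return rows


def to_csv(rows):
    """Spreadsheet-ready CSV with Process and PID as the trailing columns."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Virtual", "Physical", "Size", "Process", "PID"])
    for virt, phys, size, proc, pid in rows:
        w.writerow([hex(virt), hex(phys), hex(size), proc, pid])
    return buf.getvalue()


def whois_physical(rows, phys_addr):
    """Return (process, pid, virtual) for the page holding phys_addr, or None
    when no process maps it (driver, pool or free memory is not covered)."""
    for virt, phys, size, proc, pid in rows:
        if phys <= phys_addr < phys + size:
            return proc, pid, virt + (phys_addr - phys)
    return None
```

A None result is the limitation the thread notes: memmap only covers process mappings, so an offset that belongs to a driver or an unallocated page will not be found this way.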
_______________________________________________ Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users