Hello,

It is the address of the directory table base / page directory pointer that is used to provide a private set of page tables for a particular context (process). In order to examine the userland addresses of a particular process, its own page tables must be examined by finding its DTB value and then performing all virtual to physical address translation with it.

You may notice some entries do not have a DTB value -- this is because they are kernel threads and not real processes. You can verify this by using linux_pstree and looking at the children of kthreadd.

Please let me know if you have any other questions.

Thanks,
Andrew (@attrc)


On Wed, Sep 18, 2013 at 2:10 AM, Sebastian Biedermann <biedermann@seceng.informatik.tu-darmstadt.de> wrote:
Hi guys,

I found out that version 2.3 of Volatility shows an additional DTB address
value for each process in the linux_pslist command.
Can anyone tell me what exactly this address is and how it can be useful?

Thank you!

--
Sebastian


_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
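
The per-process translation described in the reply above, as an added example that is not part of the original thread and is not Volatility's code. It assumes x86-64 4-level paging; the memory image, both DTB values, and the helper names `vtop`, `map_page` and `demo` are constructed for illustration.

```python
import struct

PRESENT, LARGE = 0x01, 0x80        # entry flags: P (bit 0), PS (bit 7)
ADDR_MASK = 0x000FFFFFFFFFF000     # bits 12..51 hold the next physical address
LEVELS = (39, 30, 21, 12)          # index shifts: PML4, PDPT, PD, PT

def vtop(mem, dtb, vaddr):
    """Translate vaddr using the page tables rooted at dtb; None if unmapped."""
    table = dtb & ADDR_MASK
    for shift in LEVELS:
        slot = table + ((vaddr >> shift) & 0x1FF) * 8
        if slot + 8 > len(mem):
            return None            # entry points outside the captured image
        entry = struct.unpack_from("<Q", mem, slot)[0]
        if not entry & PRESENT:
            return None            # page not present (swapped out or never mapped)
        if shift in (30, 21) and entry & LARGE:
            low = (1 << shift) - 1 # 1 GiB or 2 MiB page: translation stops here
            return (entry & ADDR_MASK & ~low) | (vaddr & low)
        table = entry & ADDR_MASK
    return table | (vaddr & 0xFFF)

def map_page(mem, dtb, vaddr, frame):
    """Constructed-data helper: write the 4-level chain dtb -> ... -> frame."""
    tables = [dtb + n * 0x1000 for n in range(4)] + [frame]
    for level, shift in enumerate(LEVELS):
        slot = tables[level] + ((vaddr >> shift) & 0x1FF) * 8
        struct.pack_into("<Q", mem, slot, tables[level + 1] | PRESENT)

def demo():
    """Two constructed processes map the same virtual page to different frames."""
    mem = bytearray(0x10000)                   # 64 KiB of fake physical memory
    map_page(mem, 0x1000, 0x400000, 0x5000)    # process A, DTB 0x1000
    map_page(mem, 0x6000, 0x400000, 0xA000)    # process B, DTB 0x6000
    mem[0x5010:0x5015] = b"procA"
    mem[0xA010:0xA015] = b"procB"
    result = {}
    for name, dtb in (("A", 0x1000), ("B", 0x6000)):
        paddr = vtop(mem, dtb, 0x400010)
        result[name] = (paddr, bytes(mem[paddr:paddr + 5]))
    return mem, result

if __name__ == "__main__":
    for name, (paddr, data) in demo()[1].items():
        print(f"process {name}: 0x400010 -> {paddr:#x} {data!r}")
```

The same virtual address resolves to different physical bytes depending on which DTB roots the walk, which is why a process's userland memory can only be read through its own DTB.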