Hello,
It is the address of the directory table base / page directory pointer that
is used to provide a private set of page tables for a particular context
(process). In order to examine the userland addresses of a particular
process, its own page tables must be examined by finding its DTB value and
then performing all virtual-to-physical address translation with it.
You may notice some entries do not have a DTB value -- this is because they
are kernel threads and not real processes. You can verify this by using
linux_pstree and looking at the children of kthreadd.
Please let me know if you have any other questions.
Thanks,
Andrew (@attrc)
On Wed, Sep 18, 2013 at 2:10 AM, Sebastian Biedermann <biedermann(a)seceng.informatik.tu-darmstadt.de> wrote:
Hi guys,
I found out that version 2.3 of Volatility shows an additional DTB address
value for each process in the linux_pslist command.
Can anyone tell me what this address exactly is and how it can be useful?
Thank you!
--
Sebastian
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
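
The translation described in the reply above, as an added example that is not part of the original thread and is not Volatility's code: a Python sketch that walks page tables starting from a DTB and shows the same userland virtual address resolving to different physical pages under two different DTBs. It assumes x86-64 4-level paging; `PhysMem`, `vtop`, `map_page`, `demo` and all addresses are hypothetical, constructed values.

```python
import struct

PAGE, PRESENT, LARGE = 0x1000, 0x1, 0x80   # LARGE = PS bit (2 MiB / 1 GiB page)
ADDR_MASK = 0x000FFFFFFFFFF000             # physical address bits of an entry

class PhysMem:
    """Constructed sparse physical memory standing in for a memory image."""
    def __init__(self):
        self.pages = {}
    def _page(self, paddr):
        return self.pages.setdefault(paddr & ~0xFFF, bytearray(PAGE))
    def write_q(self, paddr, value):
        struct.pack_into("<Q", self._page(paddr), paddr & 0xFFF, value)
    def read_q(self, paddr):
        return struct.unpack_from("<Q", self._page(paddr), paddr & 0xFFF)[0]

def vtop(mem, dtb, vaddr):
    """Walk PML4 -> PDPT -> PD -> PT from dtb; return None if not mapped."""
    table = dtb & ADDR_MASK
    for shift in (39, 30, 21, 12):
        entry = mem.read_q(table + ((vaddr >> shift) & 0x1FF) * 8)
        if not entry & PRESENT:
            return None
        if shift in (30, 21) and entry & LARGE:
            mask = (1 << shift) - 1
            return (entry & ADDR_MASK & ~mask) | (vaddr & mask)
        table = entry & ADDR_MASK
    return table | (vaddr & 0xFFF)

def map_page(mem, dtb, vaddr, paddr, free):
    """Install a 4 KiB mapping; free is a one-item list with the next unused frame."""
    table = dtb
    for shift in (39, 30, 21):
        slot = table + ((vaddr >> shift) & 0x1FF) * 8
        entry = mem.read_q(slot)
        if not entry & PRESENT:
            entry = free[0] | PRESENT
            free[0] += PAGE
            mem.write_q(slot, entry)
        table = entry & ADDR_MASK
    mem.write_q(table + ((vaddr >> 12) & 0x1FF) * 8, paddr | PRESENT)

def demo():
    mem, free = PhysMem(), [0x100000]
    dtb_a, dtb_b = 0x1000, 0x2000      # constructed DTBs of two processes
    vaddr = 0x00007F0000401234         # the same userland address in both
    map_page(mem, dtb_a, vaddr, 0xA000, free)
    map_page(mem, dtb_b, vaddr, 0xB000, free)
    return vtop(mem, dtb_a, vaddr), vtop(mem, dtb_b, vaddr), vtop(mem, dtb_a, 0x400000)
```
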