Hello,

A few questions to see how we can diagnose this.

1) Can you share the sample publicly or at least privately with us (the
Volatility developers)? This would be the quickest way for us to diagnose.

2) If you cannot, could you provide the output of dd() and also some
more background on how you found the array address?

3) Is the kernel module available publicly (e.g. open source project or
a rootkit that has been shared)?

Thanks,
Andrew (@attrc)

On 10/08/2014 12:01 PM, felipecboeira . wrote:
Hi all,

I have acquired an Android RAM image by using LiME and now I am using
Volatility to analyze it. I have created a profile and can now list
processes, etc. What I need to do is inspect an integer array of a
kernel module, for which I have the address. I tried using volshell's dd()
but I believe it is not showing the correct values. How can I certify
that the virtual address is being calculated correctly by Volatility?

Thanks in advance,
Felipe
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users