[Vol-dev] Pythonisms and volatility-isms for structs

Edwin Smulders edwin.smulders at gmail.com
Mon Apr 15 07:37:43 CDT 2013


Hello all,

I have arrived at an implementation part of my research and I was
wondering if you have any advice or documentation on some "pythonisms"
and "volatility-isms" I could be using to do this implementation.

My question is two-fold:

1) I have acquired a small part of memory using read/zread and want to
match (not search) this part of memory to a specific pattern. Do you
know of any pythonisms I could be using, other than checking and
matching byte by byte? Is there some type pattern I could use? I
suspect I'll just have to evaluate a list of rules, but I figured I'd
ask anyway.
2) Some parts of memory I am interested in are originally (C) structs.
I'd like to map these to objects similar to the way this is done for
structs like 'task_struct' and 'mm_struct'. Is there any documentation
on the way this is done?

If it matters, this is all in process address space.

Cheers,
Edwin
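The two questions above (matching an acquired region against a fixed pattern rather than searching for it, and mapping a region that is really a C struct onto an attribute-addressable object) can both be illustrated in plain Python. The following is an added example, not code from the original post and not Volatility's own `obj`/vtypes machinery; it mirrors the vtype idea (a dict of field name to offset and format) with only the standard `struct` module, so it runs stand-alone. The struct layout, the sample bytes, the pattern and the rules are all constructed for illustration and do not describe any real kernel structure.

```python
import struct

# Constructed sample region standing in for a small C struct read from a
# process address space (hypothetical layout, little-endian, 24 bytes):
#   struct sample { uint32_t magic; uint32_t flags; uint64_t next; uint64_t size; };
SAMPLE_BYTES = struct.pack("<IIQQ", 0xDEADBEEF, 0x00000003, 0xFFFF880012340000, 4096)

# Pattern element is either a concrete byte value or None for "any byte".
# Only the magic field is fixed here; the rest is wildcarded.
PATTERN = [0xEF, 0xBE, 0xAD, 0xDE] + [None] * 20


def match_pattern(region: bytes, pattern) -> bool:
    """Whole-region match (not a search): region must be at least as long as
    pattern and every non-wildcard byte must agree. Pythonism: zip + all()."""
    if len(region) < len(pattern):
        return False
    return all(p is None or b == p for b, p in zip(region, pattern))


# vtype-like description of the struct: size plus {field: (offset, struct fmt)}.
# This mimics the shape of Volatility's vtypes but is an assumption of this
# example, not its real dictionary format.
SAMPLE_VTYPE = {
    "size": 24,
    "fields": {
        "magic": (0, "<I"),
        "flags": (4, "<I"),
        "next": (8, "<Q"),
        "size": (16, "<Q"),
    },
}


class MappedStruct:
    """Lazily unpack fields of a C struct from a byte buffer by attribute name."""

    def __init__(self, vtype, buf: bytes, offset: int = 0):
        if len(buf) - offset < vtype["size"]:
            raise ValueError("buffer too small for this struct")
        self._vtype = vtype
        self._buf = buf
        self._offset = offset

    def __getattr__(self, name):
        # Only reached when normal attribute lookup fails, so _vtype/_buf are safe.
        fields = self._vtype["fields"]
        if name not in fields:
            raise AttributeError(name)
        off, fmt = fields[name]
        return struct.unpack_from(fmt, self._buf, self._offset + off)[0]

    def fields(self) -> dict:
        return {f: getattr(self, f) for f in self._vtype["fields"]}


# Rule list: (field name, predicate). Evaluating such a list is the
# "evaluate a list of rules" approach from the question.
RULES = [
    ("magic", lambda v: v == 0xDEADBEEF),
    ("flags", lambda v: v & 1),                      # low bit must be set
    ("size", lambda v: v > 0 and v % 4096 == 0),     # page-aligned, non-zero
    ("next", lambda v: v == 0 or v >= 0xFFFF800000000000),  # NULL or kernel-range
]


def check_rules(obj: MappedStruct, rules) -> bool:
    """True only if every (field, predicate) pair holds for obj."""
    return all(pred(getattr(obj, field)) for field, pred in rules)


def classify_region(region: bytes) -> str:
    """Combine both steps: cheap byte pattern first, then struct-level rules."""
    if not match_pattern(region, PATTERN):
        return "no-match"
    return "valid" if check_rules(MappedStruct(SAMPLE_VTYPE, region), RULES) else "magic-only"


if __name__ == "__main__":
    s = MappedStruct(SAMPLE_VTYPE, SAMPLE_BYTES)
    print(s.fields())
    print(classify_region(SAMPLE_BYTES))
```

The two-stage shape in `classify_region` is the usual way to keep this cheap: a byte-level pattern rejects most candidate regions without any unpacking, and the field-level rules only run on survivors. Because `MappedStruct` unpacks lazily, a rule that fails early avoids decoding the remaining fields.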

