[Vol-dev] get_symbol

Pranjal Jumde pranjal.jumde at gmail.com
Wed Apr 24 22:59:28 CDT 2013


Is this feature available in Windows?


On Sun, Apr 14, 2013 at 6:54 PM, Andrew Case <atcuno at gmail.com> wrote:

> Hello,
>
> Currently, symbols are only pulled from the kernel (vmlinux) so none
> of the symbol addresses of modules will be directly available via the
> API. It is a future goal of Volatility to support these symbols as
> well.
>
> In the meantime, you can use readelf or objdump on the bluetooth .ko
> file to get the offset of the symbol from the .data section and then
> you can use linux_lsmod with -S to find the .data section of the
> bluetooth kernel module in memory then simply add the address + offset
> to determine where the symbol is in the memory image.
>
> On Sun, Apr 14, 2013 at 11:27 AM, Pranjal Jumde <pranjal.jumde at gmail.com>
> wrote:
> > Hi,
> >
> > I am trying to get the value of the symbol "bt_proto" using the member
> > function get_symbol. I checked using gdb that this symbol is a part of
> > the bluetooth kernel module. But I get the following error message:
> > "volatility.plugins.overlays.linux.linux: Requested symbol bt_proto not
> > found in module kernel". Any thoughts why this might be happening?
> >
> > Thanks!
> >
> > Regards
> > Pranjal Jumde
> >
> >
> > _______________________________________________
> > Vol-dev mailing list
> > Vol-dev at volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
> >
>
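A worked version of the readelf / linux_lsmod -S procedure described in the reply above, added here as an example; it is not code from the thread or from Volatility. It parses constructed sample `readelf -SW` and `readelf -sW` output for a hypothetical bluetooth.ko and uses assumed section load addresses of the kind linux_lsmod -S prints, and it goes slightly beyond the reply by resolving the symbol through whichever section its Ndx column names rather than assuming .data.

```python
import re

# Constructed sample of `readelf -SW bluetooth.ko` output (not from a real module).
SECTIONS_OUT = """\
Section Headers:
  [Nr] Name              Type            Address          Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            0000000000000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        0000000000000000 000040 01a2c0 00  AX  0   0 16
  [ 5] .data             PROGBITS        0000000000000000 012340 000a40 00  WA  0   0 32
  [ 7] .bss              NOBITS          0000000000000000 013000 000200 00  WA  0   0 32
"""

# Constructed sample of `readelf -sW bluetooth.ko` output.
SYMBOLS_OUT = """\
Symbol table '.symtab' contains 3 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
    41: 0000000000000000    16 OBJECT  LOCAL  DEFAULT    7 bt_sock_count
    42: 0000000000000120    64 OBJECT  LOCAL  DEFAULT    5 bt_proto
"""

# Assumed section bases for the loaded module, as linux_lsmod -S would report them.
LSMOD_SECTIONS = {".text": 0xffffffffa0380000, ".data": 0xffffffffa03a8000, ".bss": 0xffffffffa03a9000}

SEC_RE = re.compile(r"^\s*\[\s*(\d+)\]\s+(\S+)\s+\S+\s+([0-9a-fA-F]+)")
SYM_RE = re.compile(r"^\s*\d+:\s+([0-9a-fA-F]+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*$")

def parse_sections(text):
    """Map section index -> (name, link-time address) from readelf -SW output."""
    secs = {}
    for line in text.splitlines():
        m = SEC_RE.match(line)
        if m and m.group(1) != "0":          # index 0 is the NULL section, skip it
            secs[int(m.group(1))] = (m.group(2), int(m.group(3), 16))
    return secs

def parse_symbols(text):
    """Map symbol name -> (section index, value) for symbols defined in a section."""
    syms = {}
    for line in text.splitlines():
        m = SYM_RE.match(line)
        if m and m.group(2).isdigit():       # skip UND/ABS/COM symbols
            syms[m.group(3)] = (int(m.group(2)), int(m.group(1), 16))
    return syms

def resolve_module_symbol(name, sections_out, symbols_out, lsmod_sections):
    """Section name, offset within it, and in-memory address of a module symbol:
    offset from the .ko (value minus section address) plus the section base from linux_lsmod -S."""
    syms = parse_symbols(symbols_out)
    if name not in syms:
        raise KeyError("symbol %s is not defined in the object file" % name)
    shndx, value = syms[name]
    sec_name, sec_addr = parse_sections(sections_out)[shndx]
    offset = value - sec_addr                # in a relocatable .ko the section address is 0
    if sec_name not in lsmod_sections:
        raise KeyError("linux_lsmod -S gave no address for section %s" % sec_name)
    return sec_name, offset, lsmod_sections[sec_name] + offset
```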