michael.hale at gmail.com
Fri Apr 26 00:14:08 CDT 2013
There is not one for Windows (yet)
On Apr 24, 2013, at 11:59 PM, Pranjal Jumde <pranjal.jumde at gmail.com> wrote:
> Is this feature available in Windows?
> On Sun, Apr 14, 2013 at 6:54 PM, Andrew Case <atcuno at gmail.com> wrote:
>> Currently, symbols are only pulled from the kernel (vmlinux) so none
>> of the symbol addresses of modules will be directly available via the
>> API. It is a future goal of Volatility to support these symbols as
>> In the meantime, you can use readelf or objdump on the bluetooth .ko
>> file to get the offset of the symbol from the .data section and then
>> you can use linux_lsmod with -S to find the .data section of the
>> bluetooth kernel module in memory then simply add the address + offset
>> to determine where the symbol is in the memory image.
>> On Sun, Apr 14, 2013 at 11:27 AM, Pranjal Jumde <pranjal.jumde at gmail.com> wrote:
>> > Hi,
>> > I am trying to get the value of the symbol "bt_proto" using the member
>> > function get_symbol. I checked using gdb that this symbol is a part of the
>> > bluetooth kernel module. But I get the following error message:
>> > "volatility.plugins.overlays.linux.linux: Requested symbol bt_proto not
>> > found in module kernel". Any thoughts why this might be happening?
>> > Thanks!
>> > Regards
>> > Pranjal Jumde
>> > _______________________________________________
>> > Vol-dev mailing list
>> > Vol-dev at volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
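The manual workaround Andrew Case describes in the quoted message (symbol offset from readelf, plus the section address from linux_lsmod -S), as an added Python example that is not part of the thread and is not Volatility code. The readelf excerpts, the in-memory address and the function names are constructed for illustration; the code looks up the symbol's section by index rather than assuming .data.

```python
import re

# Constructed sample of `readelf -S -W bluetooth.ko` (section headers, trimmed).
SECTIONS = """\
  [Nr] Name              Type            Address          Off    Size   ES Flg Lk Inf Al
  [ 2] .text             PROGBITS        0000000000000000 000070 01a2f0 00  AX  0   0 16
  [23] .data             PROGBITS        0000000000000000 025ac0 000e40 00  WA  0   0 32
  [27] .bss              NOBITS          0000000000000000 026a00 0002c0 00  WA  0   0 32
"""

# Constructed sample of `readelf -s -W bluetooth.ko` (symbol table, trimmed).
SYMBOLS = """\
   Num:    Value          Size Type    Bind   Vis      Ndx Name
    61: 0000000000000540    64 OBJECT  LOCAL  DEFAULT   23 bt_proto
    62: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND printk
"""

def parse_sections(text):
    """Map section index -> section name from readelf -S output."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^\s*\[\s*(\d+)\]\s+(\S+)", text, re.M)}

def find_symbol(text, name):
    """Return (offset, section_index) for a symbol defined in the .ko.

    In a relocatable object such as a .ko, the Value column is the
    symbol's offset from the start of the section named by Ndx.
    """
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[7] == name:
            if not f[6].isdigit():  # UND, ABS, COM: no section-relative offset
                raise ValueError(f"{name} is not defined in a section ({f[6]})")
            return int(f[1], 16), int(f[6])
    raise KeyError(name)

def resolve(name, loaded_sections):
    """loaded_sections: section name -> in-memory address, copied by hand
    from the module's entry in linux_lsmod -S output."""
    offset, idx = find_symbol(SYMBOLS, name)
    section = parse_sections(SECTIONS)[idx]
    return section, loaded_sections[section] + offset

if __name__ == "__main__":
    # Constructed address standing in for the .data address linux_lsmod -S reports.
    section, addr = resolve("bt_proto", {".data": 0xffffffffa0326000})
    print(f"bt_proto is in {section}, in-memory address {addr:#x}")
```
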