[Vol-dev] Method to get absolute physical address

Frédéric Baguelin frederic.baguelin at arxsys.fr
Mon May 6 06:37:30 CDT 2013


Hi List,

It's my first post here, so first of all, thanks a lot for this project!

I'm currently working with Volatility 2.2 (testing with 2.3 too) to link it with
DFF [1]. I've almost finished my module, but a co-worker provided me with a dump
acquired via VirtualBox. Therefore, I used the latest vboxelf.py available in
trunk on the svn, but here is the problem:

DFF's API provides a mechanism to represent file mappings: logical offset, size,
physical offset and underlying file for each chunk of data. This is how we are
able to access all exes, dlls and modules without having to extract them
with Volatility. Precisely, I adapted the code used by procexedump to be able to
push each chunk. At least, I get the same sha1 as the files created with
procexedump even if some chunks are overlapping, but this is off topic.

So, when having the following layers, everything is ok:

AS Layer 1 JKIA32PagedMemoryPae ( Kernel AS )
AS Layer 2 dffAdressSpace ( /Logical files/ds_fuzz_hidden_proc.img )

__But__ when dealing with the following ones:

AS Layer 1 JKIA32PagedMemoryPae ( Kernel AS )
AS Layer 2 VirtualBoxCoreDumpElf64 ( Unnamed AS )
AS Layer 3 dffAdressSpace ( /Logical files/Window7_2013-04-24_18_51_39.310504 )

Content for each exe, dll and module is wrong. In the code where I push chunks
for each file, I use the vtop() method of the corresponding address space, but since
there is another level here, I'm missing the last translation of the address.

vtop() returns what could be seen as a virtual address for Layer 2.

So I dug into the code of vboxelf.py and saw there was a get_addr() method I could
use, but it is not a "standardized" method. The issue would be the same with a
dump acquired with Lime, for example (which has its own __get_offset() method).

So here is my question: would it be possible to implement a standard method in
each address space plugin to obtain the corresponding address in the
underlying layer? Or, finally, a global function iterating over
each layer to provide the "absolute" physical address, or something like that.

Regards,

[1] http://www.digital-forensic.org/
-- 
Frédéric Baguelin    frederic.baguelin at arxsys.fr
ArxSys SAS, Directeur technique
Tél: +33 146 362 522
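The layer-walking function asked for above, as an added example that is not part of the original post and not Volatility's code. It assumes the shape of a Volatility 2.x layer (a `.base` attribute pointing at the layer beneath and a `vtop()` that translates into that layer's address space); the three address-space classes, the page table, the PT_LOAD-style runs and the dump file name are constructed stand-ins for the chain `paged kernel AS -> core dump AS -> file`. `absolute_offset()` keeps calling `vtop()` until there is no lower layer, so the result is a file offset rather than an offset into the intermediate core-dump layer, and `map_chunks()` turns a virtual range into the (logical offset, size, file offset) triples a file-mapping API needs, page by page, merging pages that land contiguously in the file and reporting unmapped pages with `None`.

```python
"""Translate virtual addresses through a chain of layered address spaces
down to an absolute offset in the dump file.

Constructed example: the classes below mimic the shape of Volatility 2.x
layers (`.base` = layer beneath, `vtop()` = translate into that layer).
They are NOT Volatility's own address spaces.
"""

PAGE_SIZE = 0x1000


class FileAddressSpace(object):
    """Bottom layer: addresses are already offsets into the dump file."""
    base = None  # nothing beneath

    def __init__(self, name):
        self.name = name

    def vtop(self, addr):
        return addr


class RunBasedAddressSpace(object):
    """Core-dump style layer (think of the PT_LOAD segments of an ELF core):
    each run maps guest-physical [start, start+size) to a file offset."""

    def __init__(self, base, runs):
        self.base = base
        self.runs = sorted(runs)  # (guest_phys_start, file_offset, size), constructed

    def vtop(self, addr):
        for start, file_off, size in self.runs:
            if start <= addr < start + size:
                return file_off + (addr - start)
        return None  # not backed by any run


class PagedAddressSpace(object):
    """Paged kernel AS: a page table maps virtual page number -> physical page."""

    def __init__(self, base, page_table):
        self.base = base
        self.page_table = page_table  # {vpn: pfn}, constructed

    def vtop(self, vaddr):
        pfn = self.page_table.get(vaddr // PAGE_SIZE)
        if pfn is None:
            return None  # unmapped page
        return pfn * PAGE_SIZE + (vaddr % PAGE_SIZE)


def absolute_offset(aspace, addr):
    """Run `addr` through vtop() of every layer until the bottom one.
    Returns None as soon as any layer cannot map it."""
    layer = aspace
    while layer is not None:
        addr = layer.vtop(addr)
        if addr is None:
            return None
        layer = layer.base
    return addr


def map_chunks(aspace, vaddr, length):
    """Split [vaddr, vaddr+length) into (logical_offset, size, file_offset)
    chunks. Pages that are contiguous in the file are merged; unmapped
    pages get file_offset None so the caller can report a hole."""
    chunks = []
    cur, end = vaddr, vaddr + length
    while cur < end:
        page_end = (cur // PAGE_SIZE + 1) * PAGE_SIZE
        size = min(page_end, end) - cur
        phys = absolute_offset(aspace, cur)
        if chunks and phys is not None:
            lo, sz, ph = chunks[-1]
            if ph is not None and ph + sz == phys:
                chunks[-1] = (lo, sz + size, ph)  # extend previous chunk
                cur += size
                continue
        chunks.append((cur - vaddr, size, phys))
        cur += size
    return chunks


def build_example():
    """Constructed three-layer chain: kernel AS -> core dump -> file."""
    dump = FileAddressSpace("Window7.elf")  # constructed name
    # Two runs with a gap in the file between them: guest physical
    # 0x0-0x100000 lives at file offset 0x1000, 0x100000-0x200000 at 0x201000.
    core = RunBasedAddressSpace(dump, [(0x000000, 0x001000, 0x100000),
                                       (0x100000, 0x201000, 0x100000)])
    # Virtual pages 0x401000..0x403000 map to physical pages 0xff, 0x100, 0x101.
    kernel = PagedAddressSpace(core, {0x401: 0xff, 0x402: 0x100, 0x403: 0x101})
    return kernel


if __name__ == "__main__":
    kernel = build_example()
    print(hex(kernel.vtop(0x401234)))            # offset into the core layer only
    print(hex(absolute_offset(kernel, 0x401234)))  # offset into the file
    print(map_chunks(kernel, 0x401000, 0x3000))
```

Note the difference the walk makes: physical pages 0xff and 0x100 are adjacent in guest memory, but in the constructed core dump they sit in different runs, so reading at `kernel.vtop()`'s result instead of `absolute_offset()`'s result would pull bytes from the wrong place in the file.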

