[Vol-users] Linux process DTB

Andrew Case atcuno at gmail.com
Wed Sep 18 10:10:19 CDT 2013


It is the address of the directory table base / page directory pointer that
is used to provide a private set of page tables for a particular context
(process). In order to examine the userland addresses of a particular
process, its own page tables must be examined by finding its DTB value and
then performing all virtual to physical address translation with it.

You may notice some entries do not have a DTB value -- this is because they
are kernel threads and not real processes. You can verify this by using
linux_pstree and looking at the children of kthreadd.

Please let me know if you have any other questions.

Andrew (@attrc)

On Wed, Sep 18, 2013 at 2:10 AM, Sebastian Biedermann <
biedermann at seceng.informatik.tu-darmstadt.de> wrote:

> Hi guys,
> I found out that version 2.3 of volatility shows an additional DTB address
> value for each process in the linux_pslist command.
> Can anyone tell me what this address exactly is and how it can be useful?
> Thank you!
> --
> Sebastian
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20130918/8a16c595/attachment.html

More information about the Vol-users mailing list