[Vol-users] Experimenting with notepad.exe

Adam Bridge adam.bridge at yahoo.com
Mon Sep 23 15:46:23 CDT 2013


Hi Jesse,

I've been plodding on with this and am fishing for the next tip!

I'm happy that every time a process calls VirtualAlloc, it gets a new
entry in the VAD tree. And I'm happy with the VAD tree being a binary
tree structure.

Using Volatility I did:
$ python vol.py -f ~/memtest/win7.raw --profile=Win7SP1x86 vaddump -D
~/memtest/292-vads -p 292
(292 being the pid of notepad.exe)

Then I was able to find the particular VAD entry that contained my text:
$ grep "i.-.t.y.p.e.d.-." ~/memtest/292-vads/*
Binary file 292-vads/notepad.exe.1ef08030.0x00120000-0x0021ffff.dmp matches

By opening this dmp file in a hex editor I found my string at offset
0x1dab8.
Interestingly, I repeated this process for two other notepad processes
and in both cases the text could be found at the same offset.

I was surprised that the offset was the same in all three cases because
I know that in the latter two cases I'd done things in notepad I hadn't
done in the first instance, for example, pasting from the clipboard.

Running the vadtree plugin against the three notepad processes I noticed
a couple of things:
- The root node always covered range: 0x75840000 - 0x75913fff.
- The node containing my text wasn't always in the same position in the
VAD tree. (It was for the first two, not for the third.)

I'm struggling with the next step.
I'd really appreciate a suggestion as to what to go read about next!

Thank you,
Adam

On 21/09/13 20:06, Adam Bridge wrote:
> HaHa! Thanks Jesse!
>
> Thank you for the hints - I'm just trying to get my head around walking
> the VAD tree at the moment.
> I'll be sure to ask you if I need some more assistance.
>
> Hopefully down the line I'll write a mini-tutorial around this to share
> with the list.
>
> Adam
>
> On 21/09/13 19:25, Jesse Kornblum wrote:
>> Hi Adam,
>>
>> Two hints, in progressive levels of practicality:
>>
>> 1. When I tried to do this, I ended up falling down in a Heap.
>>
>> 2. Memory allocated by a program is stored in the VADs.
>>
>> If you're stuck, write back and I'll show you exactly how to do it!
>>
>> Good luck,

-- 
Have you sent me your PGP Public Key yet?
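The search Adam describes above (dump each VAD with vaddump, grep the dumps for the typed text, note the file offset) can be scripted so that the hit is also mapped back to a virtual address, which is what you need when you go on to walk the VAD tree or the heap. The following is an added example written for this thread; it is not Adam's code and not part of Volatility. It assumes the vaddump file-name convention visible in the thread (`<image>.<vad offset>.<start>-<end>.dmp`) and uses constructed in-memory sample dumps so it runs offline; `scan_directory` is the same logic applied to a real `-D` output directory.

```python
import os
import re

# Constructed sample standing in for a vaddump output directory.
# File names follow the convention seen in the thread; the contents are made up.
SAMPLE_DUMPS = {
    "notepad.exe.1ef08030.0x00120000-0x0021ffff.dmp":
        b"\x00" * 0x40 + "i-typed-this".encode("utf-16-le") + b"\x00" * 0x20,
    # The range of the root node from the thread; no typed text inside.
    "notepad.exe.1ef08031.0x75840000-0x75913fff.dmp":
        b"MZ" + b"\x00" * 0x80,
}

# Trailing "<start>-<end>.dmp" of a vaddump file name (assumed convention).
VAD_NAME_RE = re.compile(r"\.(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)\.dmp$")


def parse_vad_range(filename):
    """Return (start, end) virtual addresses encoded in a vaddump file name."""
    m = VAD_NAME_RE.search(os.path.basename(filename))
    if not m:
        raise ValueError("not a vaddump file name: %s" % filename)
    return int(m.group(1), 16), int(m.group(2), 16)


def find_utf16le(data, text):
    """Return every file offset at which `text` occurs as UTF-16LE bytes.

    Notepad stores its buffer as UTF-16LE, which is why the thread's grep
    pattern puts a wildcard between each letter: 'i\\x00-\\x00t\\x00...'.
    Encoding the needle is stricter than the wildcard, so no false hits on
    arbitrary bytes between characters.
    """
    needle = text.encode("utf-16-le")
    hits = []
    pos = data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def file_offset_to_va(filename, offset):
    """Map a file offset inside a dumped VAD to the process virtual address.

    vaddump writes the region starting at its VAD start, so the virtual
    address is simply start + offset. Offsets past the end are rejected.
    """
    start, end = parse_vad_range(filename)
    va = start + offset
    if va > end:
        raise ValueError("offset 0x%x lies outside %s" % (offset, filename))
    return va


def scan_dumps(dumps, text):
    """Scan {filename: bytes} and return (filename, file_offset, va) hits."""
    results = []
    for name in sorted(dumps):
        for off in find_utf16le(dumps[name], text):
            results.append((name, off, file_offset_to_va(name, off)))
    return results


def scan_directory(path, text):
    """Same as scan_dumps, but over the real files of a vaddump -D directory."""
    dumps = {}
    for name in os.listdir(path):
        if VAD_NAME_RE.search(name):
            with open(os.path.join(path, name), "rb") as fh:
                dumps[name] = fh.read()
    return scan_dumps(dumps, text)


if __name__ == "__main__":
    for name, off, va in scan_dumps(SAMPLE_DUMPS, "i-typed-"):
        print("%s: file offset 0x%x -> VA 0x%08x" % (name, off, va))
    # Applying the mapping to the offset reported in the thread.
    print("0x%08x" % file_offset_to_va(
        "notepad.exe.1ef08030.0x00120000-0x0021ffff.dmp", 0x1dab8))
```

Because the offset is taken relative to the start of its own VAD, the same file offset in three different notepad dumps means the text sat at the same virtual address in each process, not at the same physical location; keeping the virtual address alongside the file offset is what lets you compare a hit against the VAD tree or a heap walk later.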


