[Vol-users] Experimenting with notepad.exe

Brett Cunningham brettcu at gmail.com
Wed Sep 25 09:12:57 CDT 2013


I think you're looking to work with volshell. I did a presentation
based upon a lot of the Volatility developer's work:
http://www.irongeek.com/i.php?page=videos/derbycon2/brett-cunningham-beyond-strings-memory-analysis-during-incident-response

To understand how it all works, I read the Windows Sys Internals 5th
Edition's chapter on memory management. I would 100% consider that to
be the greatest resource for mem management in Windows.

On Mon, Sep 23, 2013 at 4:46 PM, Adam Bridge <adam.bridge at yahoo.com> wrote:
> Hi Jesse,
>
> I've been plodding on with this and am fishing for the next tip!
>
> I'm happy that every time a process calls VirtualAlloc, it gets a new
> entry in the VAD tree. And I'm happy with the VAD tree being a binary
> tree structure.
>
> Using Volatility I did:
> $ python vol.py -f ~/memtest/win7.raw --profile=Win7SP1x86 vaddump -D
> ~/memtest/292-vads -p 292
> (292 being the pid of notepad.exe)
>
> Then I was able to find the particular VAD entry that contained my text:
> $ grep "i.-.t.y.p.e.d.-." ~/memtest/292-vads/*
> Binary file 292-vads/notepad.exe.1ef08030.0x00120000-0x0021ffff.dmp matches
>
> By opening this dmp file in a hex editor I found my string at offset
> 0x1dab8.
> Interestingly, I repeated this process for two other notepad processes
> and in both cases the text could be found at the same offset.
>
> I was surprised that the offset was the same in all three cases because
> I know that in the latter two cases I'd done things in notepad I hadn't
> done in the first instance, for example, pasting from the clipboard.
>
> Running the vadtree plugin against the three notepad processes I noticed
> a couple of things:
> - The root node always covered range: 0x75840000 - 0x75913fff.
> - The node containing my text wasn't always in the same position in the
> VAD tree. (It was for the first two, not for the third.)
>
> I'm struggling with the next step.
> I'd really appreciate a suggestion as to what to go read about next!
>
> Thank you,
> Adam
>
> On 21/09/13 20:06, Adam Bridge wrote:
>> HaHa! Thanks Jesse!
>>
>> Thank you for the hints - I'm just trying to get my head around walking
>> the VAD tree at the moment.
>> I'll be sure to ask you if I need some more assistance.
>>
>> Hopefully down the line I'll write a mini-tutorial around this to share
>> with the list.
>>
>> Adam
>>
>> On 21/09/13 19:25, Jesse Kornblum wrote:
>>> Hi Adam,
>>>
>>> Two hints, in progressive levels of practicality:
>>>
>>> 1. When I tried to do this, I ended up falling down in a Heap.
>>>
>>> 2. Memory allocated by a program is stored in the VADs.
>>>
>>> If you're stuck, write back and I'll show you exactly how to do it!
>>>
>>> Good luck,
>
> --
> Have you sent me your PGP Public Key yet?
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
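The search step Adam describes above (vaddump the process, then grep the region files with a wildcard between every letter) works because Notepad keeps its document text as wide, UTF-16LE characters: each ASCII letter is followed by a 0x00 byte, so a narrow grep for "typed" misses it while "t.y.p.e.d." hits. The script below is an added example written for this thread; it is not code from the list, from Volatility, or from any of the posters. It reproduces the grep as a loose byte regex, shows the exact UTF-16LE search beside it, and once a hit is found decodes the whole wide string around the offset instead of just the search term. The region contents, the file name and the offset it uses are constructed for the demonstration (real vaddump output would be scanned with the same `scan_region_files` call).

```python
"""Find Notepad-style UTF-16LE text inside dumped memory regions.

Added example; it is not code from the Vol-users thread or from Volatility.
Notepad keeps its document text as wide (UTF-16LE) characters, so every
ASCII letter is followed by a 0x00 byte. That is why the grep pattern in the
thread has a wildcard between letters. All file names, offsets and region
contents below are constructed for the demonstration.
"""
import re
import tempfile
from pathlib import Path

SAMPLE_TEXT = "i-typed-this"      # constructed: the text "typed" into Notepad
SAMPLE_OFFSET = 0x1DAB8           # constructed: where the text sits in the region
SAMPLE_REGION_SIZE = 0x20000      # constructed: size of the fake dumped region


def grep_style_regex(text: str) -> re.Pattern:
    """Loose pattern in the thread's grep style: each byte followed by any byte.

    It works because the interleaved bytes are NUL in UTF-16LE, but it would
    also match unrelated byte sequences that happen to have the same spacing.
    """
    body = b".".join(re.escape(bytes([c])) for c in text.encode("ascii"))
    return re.compile(body + b".", re.DOTALL)


def utf16le_regex(text: str) -> re.Pattern:
    """Exact pattern: the UTF-16LE encoding of TEXT, escaped for the regex engine."""
    return re.compile(re.escape(text.encode("utf-16-le")), re.DOTALL)


def find_offsets(blob: bytes, text: str, loose: bool = False) -> list:
    """Byte offsets in BLOB where TEXT appears as UTF-16LE (loose = grep style)."""
    pattern = grep_style_regex(text) if loose else utf16le_regex(text)
    return [m.start() for m in pattern.finditer(blob)]


def extract_wide_string(blob: bytes, offset: int, max_chars: int = 256) -> str:
    """Decode the UTF-16LE string at OFFSET up to the first NUL character.

    Useful once a hit is found: recovers the whole line rather than only the
    search term, without opening the file in a hex editor.
    """
    end = offset
    while end + 1 < len(blob) and (end - offset) < max_chars * 2:
        if blob[end] == 0 and blob[end + 1] == 0:
            break
        end += 2
    return blob[offset:end].decode("utf-16-le", errors="replace")


def scan_region_files(directory, text: str) -> dict:
    """Scan every *.dmp in DIRECTORY, like the grep over the vaddump output.

    Returns {file name: [offsets]} for the files that contain TEXT.
    """
    hits = {}
    for path in sorted(Path(directory).glob("*.dmp")):
        offsets = find_offsets(path.read_bytes(), text)
        if offsets:
            hits[path.name] = offsets
    return hits


def build_sample_region(text=SAMPLE_TEXT, offset=SAMPLE_OFFSET,
                        size=SAMPLE_REGION_SIZE) -> bytes:
    """Constructed stand-in for a vaddump region: zero-filled, TEXT placed at OFFSET."""
    encoded = text.encode("utf-16-le")
    buf = bytearray(size)
    buf[offset:offset + len(encoded)] = encoded
    return bytes(buf)


def demo() -> dict:
    """Write the constructed region to a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed file name in the vaddump naming style; not a real dump.
        (Path(tmp) / "notepad.exe.sample.0x00120000-0x0021ffff.dmp").write_bytes(
            build_sample_region())
        return scan_region_files(tmp, "typed")


if __name__ == "__main__":
    region = build_sample_region()
    for name, offsets in demo().items():
        for off in offsets:
            print(f"{name}: 'typed' at 0x{off:x}")
    # A narrow (ASCII) search misses: the letters are interleaved with NULs.
    print("ASCII hit:", b"typed" in region)
    print("Wide string at 0x%x: %r"
          % (SAMPLE_OFFSET, extract_wide_string(region, SAMPLE_OFFSET)))
```

Point `scan_region_files` at a directory of vaddump output to get the same file-and-offset answer the grep plus hex editor gave; the offsets it reports are offsets into the region file, so add the region's start address from the file name (0x00120000 in the example above) to get the virtual address in the process.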

