[Vol-users] Searching a Process's Memory

Bridgey theGeek bridgeythegeek at gmail.com
Fri Oct 2 16:55:43 CDT 2015


Hi all,

I'm thinking I might have a fundamental misunderstanding here, so I'm
hoping someone can help me out.

I'm looking for remnants of a data structure in the memory of a specific
process.
Originally, the data would have been on a heap.

I notice that in '/volatility/plugins/overlays/windows/windows.py' there is
a function named:
search_process_memory

I thought this would do the trick, but examining the code I notice that it
searches each of the VADs.

Which leads me to my question: would data that was originally on a heap,
but is no longer needed by the process still be in the VAD? That is, should
I be able to find it using this method?

If not, "where" is the data now? And is there a way of searching wherever
that "where" is?

I hope that makes sense!

Bridgey