[Vol-users] Searching a Process's Memory
bridgeythegeek at gmail.com
Fri Oct 2 16:55:43 CDT 2015
I'm thinking I might have a fundamental misunderstanding here, so I'm
hoping someone can help me out.
I'm looking for remnants of a data structure in the memory of a specific
Originally, the data would have been on a heap.
I notice that in '/volatility/plugins/overlays/windows/windows.py' there is
a function named:
I thought this would do the trick, but examining the code I notice that it
searches each of the VADs.
Which leads me to my question: would data that was originally on a heap,
but is no longer needed by the process still be in the VAD? That is, should
I be able to find it using this method?
If not, "where" is the data now? And is there a way of searching wherever
that "where" is?
I hope that makes sense!
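The mechanism the question is about, as an added example that is not part of the original post and does not use the Volatility code base: a toy model of a process whose memory is a sorted list of VAD regions, a simplified heap living inside one of them, and a chunked VAD walk in the spirit of search_process_memory(). The model assumes what user-mode heaps usually do with a freed block: the allocator reuses only the first bytes of the block for its free-list bookkeeping and leaves the rest in place, so the block stays inside the heap's committed, VAD-described range and a VAD walk still finds it; only when the heap decommits or releases that range does the region drop out of the VAD tree. Vad, ToyProcess, run_scenario, the addresses and the TOKEN= string are all constructed for this example.

```python
"""Toy model of a VAD walk like search_process_memory (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Iterator, List, Optional, Tuple

PAGE = 0x1000


@dataclass
class Vad:
    """One region the VAD tree describes: [start, end) plus its committed bytes."""
    start: int
    end: int
    tag: str                                   # e.g. "Heap", "Stack", "Image"
    mem: bytearray = field(default_factory=bytearray)

    def read(self, addr: int, length: int) -> bytes:
        off = addr - self.start
        return bytes(self.mem[off:off + length])


class ToyProcess:
    """A process modelled as VAD regions plus a bump allocator on one heap."""

    def __init__(self) -> None:
        self.vads: List[Vad] = []
        self.heap_cursor = 0

    def commit(self, start: int, pages: int, tag: str) -> Vad:
        vad = Vad(start, start + pages * PAGE, tag, bytearray(pages * PAGE))
        self.vads.append(vad)
        self.vads.sort(key=lambda v: v.start)
        return vad

    def decommit(self, vad: Vad) -> None:
        """Release the region: the VAD disappears, so a VAD walk can no longer reach it."""
        self.vads.remove(vad)

    def heap_alloc(self, heap: Vad, payload: bytes) -> int:
        """Carve the next block out of the heap VAD and return its user address."""
        off = self.heap_cursor
        if off + len(payload) > len(heap.mem):
            raise MemoryError("toy heap exhausted")
        heap.mem[off:off + len(payload)] = payload
        self.heap_cursor = off + len(payload)
        return heap.start + off

    def heap_free(self, heap: Vad, addr: int) -> None:
        """Simplified free: the first 16 bytes are reused for free-list links (modelled
        as 0xAA fill); the remainder of the block keeps its old contents."""
        off = addr - heap.start
        heap.mem[off:off + 16] = b"\xaa" * 16


def search_process_memory(proc: ToyProcess, needles: List[bytes],
                          vad_filter: Optional[Callable[[Vad], bool]] = None,
                          chunk: int = 0x4000, overlap: int = 64) -> Iterator[Tuple[str, int]]:
    """Yield (vad_tag, address) for every needle found in every VAD.

    Each VAD is read in fixed chunks with a small overlap so a needle that straddles a
    chunk boundary is still matched; a hit is reported only from the chunk in which it
    starts, so the overlap never produces duplicates (needles must fit in `overlap`).
    """
    for vad in proc.vads:
        if vad_filter is not None and not vad_filter(vad):
            continue
        addr = vad.start
        while addr < vad.end:
            data = vad.read(addr, min(chunk + overlap, vad.end - addr))
            for needle in needles:
                pos = data.find(needle)
                while pos != -1:
                    if pos < chunk:
                        yield vad.tag, addr + pos
                    pos = data.find(needle, pos + 1)
            addr += chunk


HEAP_BASE = 0x00500000
NEEDLE = b"TOKEN=deadbeef-0001"                # constructed secret to hunt for


def run_scenario() -> dict:
    """Allocate a record holding NEEDLE so that it straddles a chunk boundary, then
    search after allocation, after free and after decommit of the heap region."""
    proc = ToyProcess()
    proc.commit(0x00400000, 1, "Image")
    heap = proc.commit(HEAP_BASE, 8, "Heap")
    proc.commit(0x7FF00000, 2, "Stack")
    proc.heap_alloc(heap, b"\x00" * (0x4000 - 16 - 5))    # filler so NEEDLE lands at +0x3FFB
    rec = proc.heap_alloc(heap, b"HDR:" + b"\x00" * 12 + NEEDLE)
    results = {"allocated": list(search_process_memory(proc, [NEEDLE]))}
    proc.heap_free(heap, rec)                               # free-list links clobber only the header
    results["freed"] = list(search_process_memory(proc, [NEEDLE]))
    proc.decommit(heap)                                     # heap segment handed back to the OS
    results["decommitted"] = list(search_process_memory(proc, [NEEDLE]))
    return results


if __name__ == "__main__":
    for stage, hits in run_scenario().items():
        print(stage, [(tag, hex(a)) for tag, a in hits])
```

Running the scenario reports the token at the same heap address both before and after the free, and nothing once the heap region has been decommitted; a vad_filter such as `lambda v: v.tag == "Heap"` narrows the walk to one kind of region. A real memory image adds one more way for the data to go missing that the model leaves out: a page that was paged out at acquisition time is not present in the process address space of the dump, so the walk reads nothing there even though the VAD still describes the range.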