[Vol-users] Processes have more than one address space???

Bridgey theGeek bridgeythegeek at gmail.com
Thu Oct 15 08:19:26 CDT 2015


Hi all,

I've come across a peculiarity that I'd really like someone to shed some
light on. Consider:

> python vol.py --profile Win7SP1x64 -f Windows7x64.vmem volshell
Volatility Foundation Volatility Framework 2.4
Current context: System @ 0xfffffa80018ae890, pid=4, ppid=0 DTB=0x187000
Welcome to volshell! Current memory image is:
file:///C:/Windows7x64.vmem
To get help, type 'hh()'
>>> for p in getprocs():
...     my_proc = p
...     break
...
>>> print my_proc.UniqueProcessId, my_proc.ImageFileName
4 System
>>> for i in range(10):
...     my_proc.get_process_address_space()
...
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D76240>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D76470>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D762E8>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D76240>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D76470>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D762E8>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D76240>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D76470>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D762E8>
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0000000008D76240>

There appear to be three different objects that are returned on a cycle.

Is this normal, expected behaviour? Why are there three?

Thank you!
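An added example, not part of the post above and not Volatility's own code: a small stand-in that reproduces the effect shown in the volshell transcript. It assumes, as the cycling output suggests, that get_process_address_space() builds a fresh address-space object on every call; the classes FakePagedMemory and FakeProcess, the helper same_address_space(), and the sample PID/DTB values are constructed for illustration. The point it demonstrates is that the hex address in the repr() is only the CPython object address: when every result is held, ten calls give ten distinct addresses; when only the last result stays alive (as the interactive shell's `_` does), freed blocks are recycled and the same few addresses recur. The stable way to decide whether two address spaces are "the same" is to compare what they wrap (the DTB and backing file), not their identity.

```python
"""Stand-in showing why the repr() address of a per-call address-space
object is not a stable identity (added example; not Volatility code)."""


class FakePagedMemory(object):
    """Stand-in for an AMD64PagedMemory: what matters is the DTB it maps."""

    def __init__(self, base, dtb):
        self.base = base  # backing image, e.g. a file name (constructed)
        self.dtb = dtb    # directory table base for this process
        self.name = None


class FakeProcess(object):
    """Stand-in for an _EPROCESS whose hypothetical
    get_process_address_space() constructs a new object on every call."""

    def __init__(self, pid, dtb, base="Windows7x64.vmem"):
        self.UniqueProcessId = pid
        self.dtb = dtb
        self.base = base

    def get_process_address_space(self):
        process_as = FakePagedMemory(self.base, self.dtb)
        process_as.name = "Process {0}".format(self.UniqueProcessId)
        return process_as


def same_address_space(a, b):
    """Compare two address spaces by what they map, not by object identity."""
    return a.dtb == b.dtb and a.base == b.base


def ids_keeping_all(proc, n):
    """Hold every returned object: n live objects occupy n distinct addresses."""
    held = [proc.get_process_address_space() for _ in range(n)]
    return [id(x) for x in held]


def ids_keeping_last(proc, n):
    """Mimic the interactive shell, where only the previous result (`_`)
    stays alive: each older object is freed and its memory block recycled,
    so only a few distinct addresses appear across the n calls."""
    seen = []
    last = None
    for _ in range(n):
        current = proc.get_process_address_space()
        seen.append(id(current))
        last = current  # rebinding drops the older object, freeing its block
    return seen


if __name__ == "__main__":
    system = FakeProcess(4, 0x187000)  # sample PID/DTB, constructed
    first = system.get_process_address_space()
    second = system.get_process_address_space()
    print("same object:", first is second)
    print("same address space:", same_address_space(first, second))
    print("distinct ids, all held:", len(set(ids_keeping_all(system, 10))))
    print("distinct ids, last held:", len(set(ids_keeping_last(system, 10))))
```

Run it under CPython: the "all held" count equals the number of calls, while the "last held" count is small, which is the recycling pattern seen in the shell session. A plugin that caches or compares address spaces should therefore key on the DTB (and the underlying image), not on the object.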