[Vol-users] Searching a Process's Memory

Andrew Case atcuno at gmail.com
Thu Oct 15 19:55:19 CDT 2015


Hey,

So the answer depends on what happened with the heap since the
allocation holding the data was free()d.

If the allocation was freed, but the heap holding it was still active
(which is the normal way things work), then the memory where the data
was is basically just in free memory on that heap's VAD. So it will be
inside the VAD of the heap until some other allocation overwrites it.

If the allocation is not on the default heap, then it's possible that the
entire heap (VAD) that it's on will have been freed. At that point you
won't be able to find it inside the process's address space.

Thanks,
Andrew (@attrc)

On 10/02/2015 04:55 PM, Bridgey theGeek wrote:
> Hi all,
> 
> I'm thinking I might have a fundamental misunderstanding here, so I'm
> hoping someone can help me out.
> 
> I'm looking for remnants of a data structure in the memory of a specific
> process.
> Originally, the data would have been on a heap.
> 
> I notice that in '/volatility/plugins/overlays/windows/windows.py' there
> is a function named:
> search_process_memory
> 
> I thought this would do the trick, but examining the code I notice that
> it searches each of the VADs.
> 
> Which leads me to my question: would data that was originally on a heap,
> but is no longer needed by the process still be in the VAD? That is,
> should I be able to find it using this method?
> 
> If not, "where" is the data now? And is there a way of searching
> wherever that "where" is?
> 
> I hope that makes sense!
> 
> Bridgey
> 
> 
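As an added illustration (not from the thread and not Volatility's own search_process_memory), a toy Python model of the three outcomes Andrew describes: freed data still sitting inside a mapped heap VAD, the same data unreachable once a private heap's VAD is released, and a remnant lost once a later allocation reuses the slot. The VAD layout, heap addresses and record contents are all constructed.

```python
import re

# Constructed toy model of a process's VADs (start address -> region bytes).
# Not a real memory image and not Volatility's search_process_memory.
PAGE = 0x1000

class ToyHeap:
    """Bump allocator living inside one VAD-sized region; free() does not scrub."""
    def __init__(self, base, size):
        self.base, self.mem, self.cursor = base, bytearray(size), 0

    def alloc(self, payload):
        off = self.cursor
        self.mem[off:off + len(payload)] = payload
        self.cursor += len(payload)
        return self.base + off              # address handed to the program

    def free(self, addr):
        # Real heaps may rewrite a few header bytes; the bulk of the data stays
        # until a later allocation reuses the slot.
        self.cursor = addr - self.base

def search_process_memory(vads, pattern):
    """Scan each VAD independently for a bytes regex; return absolute hit addresses.
    Only mapped regions are examined, so data in a released VAD is unreachable."""
    hits = []
    for start, data in sorted(vads.items()):
        hits += [start + m.start() for m in re.finditer(pattern, data)]
    return hits

def heap_lifecycle_demo():
    """Return where the record is findable at each stage of the heap lifecycle."""
    default_heap = ToyHeap(0x00500000, 4 * PAGE)
    private_heap = ToyHeap(0x02000000, 4 * PAGE)      # e.g. a HeapCreate()d heap
    vads = {default_heap.base: default_heap.mem, private_heap.base: private_heap.mem}
    record, pattern = b"SECRET-RECORD-0001", rb"SECRET-RECORD-\d{4}"
    stages = {}

    a = private_heap.alloc(record)
    stages["live"] = search_process_memory(vads, pattern)
    private_heap.free(a)                                # freed, VAD still mapped
    stages["after_free"] = search_process_memory(vads, pattern)
    del vads[private_heap.base]                         # whole private heap destroyed
    stages["after_heap_destroy"] = search_process_memory(vads, pattern)
    b = default_heap.alloc(record)                      # default heap is never destroyed
    default_heap.free(b)
    stages["default_after_free"] = search_process_memory(vads, pattern)
    default_heap.alloc(b"X" * len(record))              # reuse overwrites the remnant
    stages["after_reuse"] = search_process_memory(vads, pattern)
    return stages
```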
