[Vol-users] Searching a Process's Memory

Michael Ligh michael.ligh at mnin.org
Fri Oct 16 10:52:19 CDT 2015



I think Andrew replied already...but just to reiterate...yes,
search_process_memory will scan all VADs (memory ranges) in a process.
A heap is nothing more than a memory range (for which there is a VAD)
which is "managed" to allow allocations/frees of smaller chunks of
memory. So using search_process_memory will inherently be able to
"see" what's on the process heap(s). Note that there's a faster way to
scan if you know what you're looking for is on the heap, because you
can limit your scan to only VADs that contain heaps.

Another way to think about it is if you call HeapCreate, there will be
a new VAD created. The VAD should exist until you call HeapDestroy. If
you call HeapAlloc to break off a chunk of the heap, then the data you
put there should remain until:

1) you call HeapFree, in which case the data may stick around until
another call to HeapAlloc overwrites it

2) you call HeapDestroy, in which case the whole VAD goes away...in
this case you would just scan physical memory because it's no longer
visible to the process.

MHL

On 10/2/15 4:55 PM, Bridgey theGeek wrote:
> Hi all,
> 
> I'm thinking I might have a fundamental misunderstanding here, so
> I'm hoping someone can help me out.
> 
> I'm looking for remnants of a data structure in the memory of a
> specific process. Originally, the data would have been on a heap.
> 
> I notice that in '/volatility/plugins/overlays/windows/windows.py'
> there is a function named: search_process_memory
> 
> I thought this would do the trick, but examining the code I notice
> that it searches each of the VADs.
> 
> Which leads me to my question: would data that was originally on a
> heap, but is no longer needed by the process still be in the VAD?
> That is, should I be able to find it using this method?
> 
> If not, "where" is the data now? And is there a way of searching
> wherever that "where" is?
> 
> I hope that makes sense!
> 
> Bridgey
> 
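The two points MHL makes above (search_process_memory walks every VAD in overlapping blocks, and a scan can be sped up by filtering to the VADs that back heaps) as an added, self-contained example; this is not Volatility's own code but a model of its scan loop over a constructed process, and it assumes a filter keyed on the PEB's ProcessHeaps list and a `vad_filter` callback in the same role as Volatility 2's `search_process_memory(s, vad_filter=...)`. It also plants a "freed" copy of a record that a HeapFree has not yet overwritten, and one straddling a scan-block edge.

```python
import re

SCAN_BLK_SZ = 4096   # Volatility scans 10 MiB blocks; smaller here for the demo
OVERLAP = 64         # extra bytes read so a hit straddling a block edge is not missed

class FakeProcess:
    """Constructed stand-in for an _EPROCESS: a few VADs plus the PEB heap list."""
    def __init__(self, vads, process_heaps):
        self.vads = vads                    # {vad_start: bytearray(vad_length)}
        self.process_heaps = process_heaps  # heap base addresses, like PEB.ProcessHeaps

    def zread(self, offset, length):
        """Read from whichever VAD contains offset; unmapped bytes read as zero."""
        for start, buf in self.vads.items():
            if start <= offset < start + len(buf):
                chunk = bytes(buf[offset - start: offset - start + length])
                return chunk.ljust(length, b"\x00")
        return b"\x00" * length

def search_process_memory(proc, needles, vad_filter=None):
    """Return sorted hit offsets, scanning each (filtered) VAD in overlapping blocks."""
    hits = set()
    for start, buf in proc.vads.items():
        if vad_filter is not None and not vad_filter(start, len(buf)):
            continue                        # skip VADs the caller is not interested in
        offset, end = start, start + len(buf)
        while offset < end:
            to_read = min(SCAN_BLK_SZ + OVERLAP, end - offset)
            data = proc.zread(offset, to_read)
            for needle in needles:
                for m in re.finditer(re.escape(needle), data):
                    hits.add(offset + m.start())   # set drops overlap duplicates
            offset += min(to_read, SCAN_BLK_SZ)
    return sorted(hits)

def heap_only(proc):
    """vad_filter that keeps only VADs whose base appears in the PEB heap list (assumed)."""
    return lambda start, length: start in proc.process_heaps

def build_demo_process():
    """Constructed process: one heap VAD (two scan blocks) and one stack VAD."""
    heap_base, stack_base = 0x00500000, 0x00200000
    heap, stack = bytearray(2 * SCAN_BLK_SZ), bytearray(SCAN_BLK_SZ)
    record = b"SECRET-REC"
    heap[0x100:0x100 + len(record)] = record                          # live allocation
    heap[SCAN_BLK_SZ - 4:SCAN_BLK_SZ - 4 + len(record)] = record      # straddles a block edge
    heap[0x1800:0x1800 + len(record)] = record   # HeapFree'd, not yet reused by HeapAlloc
    stack[0x40:0x40 + len(record)] = record      # same bytes outside any heap
    return FakeProcess({heap_base: heap, stack_base: stack}, [heap_base])
```

`search_process_memory(build_demo_process(), [b"SECRET-REC"])` reports all four offsets, while passing `heap_only(proc)` as the filter drops the stack hit and only reads the heap VAD.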
