
moddump needs the find_space function #42

Closed
GoogleCodeExporter opened this issue Jun 1, 2015 · 1 comment

@GoogleCodeExporter

Hey guys,

One flaw in the moddump I submitted last week: it's missing BDG's original find_space function. Thus, it cannot dump a few modules (namely win32k.sys). Here is a new version of moddump.py and a patch file (not sure which you prefer).

Old version:

$ python volatility.py moddump -f mem.vmem -r win32k -D out
Volatile Systems Volatility Framework 1.4_rc1
Cannot dump win32k.sys at bf800000

New version:

$ python volatility.py moddump -f mem.vmem -r win32k -D out
Volatile Systems Volatility Framework 1.4_rc1
Dumping win32k.sys, Base: bf800000 output: driver.bf800000.sys

One thing we could consider doing in the future is adding the find_space function to the address space object and having it automatically perform this search when a user tries to read an address in kernel memory. In WinDbg, you have to switch to a context of a process with at least one GUI thread before reading memory owned by win32k.sys...so we could essentially handle that context switch on the fly.

Btw, can someone remind me how to use the plugins in the contrib directory? I know they don't show up in the list of plugins by default, and also the --plugins=contrib/ doesn't work. Lately I've been copying plugins from the contrib directory into the plugins directory to use them, which kinda defeats the purpose of putting them in contrib ;-)

Thanks.

Original issue reported on code.google.com by michael.hale@gmail.com on 18 Oct 2010 at 2:48
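As an added illustration, not code from the Volatility project or from the attachment in this issue: a minimal Python model of the find_space() search described above. Modules in session space (win32k.sys at bf800000 in the output above) are not mapped in every context, so the search tries the kernel address space first and then each process's address space; the address-space layout, the session-space range and the process list are constructed for the example.

```python
# Constructed model of find_space(): the mapped ranges, the session-space
# size and the processes below are sample data for this example, not a
# real memory image and not Volatility's own address-space classes.

class FakeAddressSpace:
    """Models an address space as a list of (start, size) mapped regions."""
    def __init__(self, name, ranges):
        self.name = name
        self.ranges = ranges

    def is_valid_address(self, addr):
        return any(start <= addr < start + size for start, size in self.ranges)

class FakeProcess:
    """A process whose private address space maps session space only when
    the process owns at least one GUI thread (the WinDbg rule from the post)."""
    def __init__(self, name, gui_thread):
        self.name = name
        self.gui_thread = gui_thread

    def get_process_address_space(self):
        ranges = [(0x80000000, 0x10000000)]          # ordinary kernel mappings
        if self.gui_thread:
            ranges.append((0xbf800000, 0x180000))    # session space (assumed size)
        return FakeAddressSpace("proc:%s" % self.name, ranges)

def find_space(addr_space, procs, mod_base):
    """Return the first address space in which mod_base is readable, else None.
    Kernel AS first, then every process AS; this is the search moddump lacked."""
    if addr_space.is_valid_address(mod_base):
        return addr_space
    for proc in procs:
        ps_ad = proc.get_process_address_space()
        if ps_ad is not None and ps_ad.is_valid_address(mod_base):
            return ps_ad
    return None

# Sample image: kernel AS without session space, one non-GUI and one GUI process.
KERNEL_AS = FakeAddressSpace("kernel", [(0x80000000, 0x10000000)])
PROCS = [FakeProcess("System", False), FakeProcess("csrss.exe", True)]

def dump_context(mod_base):
    """Name of the context a dump of mod_base would read from, or None
    (the 'Cannot dump' case) when no address space maps it."""
    space = find_space(KERNEL_AS, PROCS, mod_base)
    return space.name if space is not None else None
```

With only the kernel context available, dump_context(0xbf800000) returns None, which is the "Cannot dump win32k.sys" failure; with the GUI process included it returns the process context the dump should use.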


@GoogleCodeExporter

Thanks very much, the patch was fine (since there are minor changes from the original for the in-tree version, notably using re.error rather than REError, and also using debug.error rather than config.error), but including the full plugin never hurts. Applied in r512, marking as Fixed. 5:)

As to using contrib plugins, my ~/.volatilityrc contains the following:

[DEFAULT]
PLUGINS=./plugins;./contrib/plugins;/path/to/private/volatility/plugins

Also:

--plugins="./plugins;./contrib/plugins" 

should also work...

Original comment by mike.auty@gmail.com on 18 Oct 2010 at 10:16

  • Changed state: Fixed
