Closed GoogleCodeExporter closed 9 years ago
Likely the module that once existed at those addresses has since unloaded, but
you can double check by going into volshell and checking for the PE header:
$ vol volshell
>>> db(0xf7797000)
Do you see an MZ header?
Original comment by michael.hale@gmail.com
on 17 Mar 2014 at 7:05
no..
# vol volshell
Volatility Foundation Volatility Framework 2.3.1
Current context: process System, pid=4, ppid=0 DTB=0xbf6c1000
Welcome to volshell! Current memory image is:
file:///root/vmware-Snapshot3.vmsn
To get help, type 'hh()'
>>> db(0xf7797000)
Memory unreadable at f7797000
Original comment by forensic...@gmail.com
on 22 Mar 2014 at 12:45
Yeah, so the memory is either not allocated anymore or it's swapped to disk. The
driver could also load, move its code to another pool, and then unload. I'll
close this since it's not a bug that needs fixing, but if you need additional
help, feel free to write on the vol-users mailing list.
Original comment by michael.hale@gmail.com
on 25 Mar 2014 at 6:08
Original issue reported on code.google.com by
forensic...@gmail.com
on 17 Mar 2014 at 7:22
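The base-address check discussed in this thread, written out as an added example (not part of the original issue and not Volatility code). It goes one step past looking for `MZ` by following `e_lfanew` to the PE signature and counting how many pages of the range are still resident. `SparseMemory`, `triage_module` and the sample pages are constructed for illustration; the stand-in assumes a `read()` that returns `None` when a page is not available.

```python
import struct

PAGE = 0x1000

class SparseMemory:
    """Constructed stand-in for a memory image's virtual address space:
    read() returns None when any requested page is not resident."""
    def __init__(self, pages):
        self.pages = pages  # {page-aligned address: 4096 bytes}

    def read(self, addr, length):
        out = b""
        while length > 0:
            page = self.pages.get(addr & ~(PAGE - 1))
            if page is None:
                return None
            chunk = page[addr & (PAGE - 1):][:length]
            out += chunk
            addr, length = addr + len(chunk), length - len(chunk)
        return out

def triage_module(mem, base, size):
    """Return (verdict, resident_pages, total_pages) for a module range:
    is the base readable, and does it still hold a valid PE header?"""
    resident = sum(mem.read(base + o, 1) is not None for o in range(0, size, PAGE))
    total = (size + PAGE - 1) // PAGE
    head = mem.read(base, 0x40)          # IMAGE_DOS_HEADER is 0x40 bytes
    if head is None:
        return "base unreadable (not allocated or swapped out)", resident, total
    if head[:2] != b"MZ":
        return "base readable, no MZ header", resident, total
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    sig = mem.read(base + e_lfanew, 4) if e_lfanew < size else None
    return ("PE header present" if sig == b"PE\0\0"
            else "MZ only, PE signature missing"), resident, total

def _pe_page(e_lfanew=0x80):
    page = bytearray(PAGE)
    page[:2] = b"MZ"
    struct.pack_into("<I", page, 0x3C, e_lfanew)
    page[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(page)

# Constructed sample: one intact driver image, and a range whose base page
# (0xF7797000, the address from the thread) is not mapped.
SAMPLE = SparseMemory({
    0xF7000000: _pe_page(), 0xF7001000: bytes(PAGE),
    0xF7798000: bytes(PAGE),
})
```

A range whose base is unreadable but which still has resident pages is worth dumping page by page rather than dismissing outright.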