Open superponible opened 7 years ago
Attached zip file is ~20M but will unzip to 4G. It is the 1640_reader_sl.exe/memory file from the description above.
cc @skuater
@GustavoLCR I see this is assigned to you. Do you think you'll be able to complete this for the next release? I'm not asking to put pressure on you, just trying to clean up a bit the issues that are assigned to the next milestone.
I'm working on a plugin for volatility that presents the memory image it opens as a FUSE volume where each directory is a view of a different process. What I'm trying to do is then open one of these virtual memory file representations and be able to analyze PE files mapped at various locations in memory with r2. Essentially, I'd like the same analysis performed on the file at a given memory location as if I had just loaded the PE file itself in r2. I'm not sure if this is currently possible. Some more details are below. I will attach the zipped "memory" file referenced below or post it somewhere and link to it if it's too big.
Here is the memory sample:
And here is a volatility list of a process and its loaded DLLs:
Run the plugin to create a FUSE volume from the memory image:
Mount directory now contains a subdir for each process:
Change into the process shown above and show the dlls and vads directory and the "memory" file which is the full 4GB virtual memory address space for this process.
Open the memory file with r2:
Tried doing this to load the PE file at 0x400000, but it doesn't seem to be working. The file is there, however, along with other DLLs shown in the volatility pslist output at the top:
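The point the issue turns on is that a PE mapped in a process's address space is laid out by the loader, not by the linker: section contents sit at `ImageBase + VirtualAddress`, while a file-oriented loader would look at `PointerToRawData`, which in a memory view usually points at zeros or unrelated data. The following added example (not code from the issue, radare2 or volatility) shows what the "open the PE at 0x400000" step has to do: scan a flat per-process dump for page-aligned MZ/PE candidates, parse the headers at a given base, and read each section from its virtual range. It assumes, as the issue describes, that the "memory" file is a flat image in which file offset equals virtual address; the 4 MB sample dump, the image at 0x400000 and all function names (`build_sample_dump`, `find_mapped_images`, `parse_mapped_pe`, `section_bytes`) are constructed for the example.

```python
"""Parse a PE image that is mapped (loader layout) inside a flat virtual
address space dump.  Added example; not part of the issue, radare2 or
volatility.  Assumes file offset == virtual address in the dump."""
import struct

DOS_MAGIC = b"MZ"
NT_MAGIC = b"PE\0\0"


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def _u64(b, off):
    return struct.unpack_from("<Q", b, off)[0]


def find_mapped_images(mem, page_size=0x1000):
    """Yield page-aligned offsets that carry a DOS header whose e_lfanew points
    at an NT signature.  A cheap first pass; real module lists come from the
    OS structures (what volatility's dlllist reads)."""
    for off in range(0, len(mem) - 0x40, page_size):
        if mem[off:off + 2] != DOS_MAGIC:
            continue
        nt = off + _u32(mem, off + 0x3C)
        # e_lfanew must stay inside the first page of the image to be sane
        if nt - off < page_size and mem[nt:nt + 4] == NT_MAGIC:
            yield off


def parse_mapped_pe(mem, base):
    """Parse DOS/NT headers of the image mapped at `base` and return the
    fields needed to walk it in the memory view."""
    if mem[base:base + 2] != DOS_MAGIC:
        raise ValueError("no MZ header at 0x%x" % base)
    nt = base + _u32(mem, base + 0x3C)
    if mem[nt:nt + 4] != NT_MAGIC:
        raise ValueError("no PE signature at 0x%x" % nt)
    # IMAGE_FILE_HEADER follows the 4-byte signature
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", mem, nt + 4)
    opt = nt + 24
    magic = _u16(mem, opt)
    if magic == 0x10B:          # PE32
        image_base = _u32(mem, opt + 28)
    elif magic == 0x20B:        # PE32+
        image_base = _u64(mem, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    sec = opt + opt_size
    for i in range(nsect):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", mem, sec + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "rva": rva,
                         "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"base": base, "machine": machine, "image_base": image_base,
            "relocated": image_base != base,
            "entry_point": base + _u32(mem, opt + 16),
            "size_of_image": _u32(mem, opt + 56), "sections": sections}


def section_bytes(mem, base, sec, as_mapped=True):
    """Read a section either from its virtual range (correct for a memory
    image) or from its raw file range (what a file loader would do)."""
    if as_mapped:
        start, n = base + sec["rva"], sec["vsize"]
    else:
        start, n = base + sec["raw_ptr"], sec["raw_size"]
    return bytes(mem[start:start + n])


def build_sample_dump(base=0x400000):
    """Constructed sample: a flat dump with a minimal PE32 image at `base`,
    laid out as the loader would map it.  Not a real binary."""
    img = bytearray(0x3000)
    img[0:2] = DOS_MAGIC
    struct.pack_into("<I", img, 0x3C, 0x80)             # e_lfanew
    nt = 0x80
    img[nt:nt + 4] = NT_MAGIC
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = nt + 24
    struct.pack_into("<H", img, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)       # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, base)         # ImageBase
    struct.pack_into("<I", img, opt + 32, 0x1000)       # SectionAlignment
    struct.pack_into("<I", img, opt + 36, 0x200)        # FileAlignment
    struct.pack_into("<I", img, opt + 56, 0x3000)       # SizeOfImage
    struct.pack_into("<I", img, opt + 60, 0x400)        # SizeOfHeaders
    sec = opt + 0xE0
    struct.pack_into("<8sIIII", img, sec, b".text", 0x100, 0x1000, 0x200, 0x400)
    struct.pack_into("<8sIIII", img, sec + 40, b".data", 0x40, 0x2000, 0x200, 0x600)
    img[0x1000:0x1004] = b"\x90\x90\x90\xC3"            # section content at its RVA
    img[0x2000:0x2005] = b"DATA!"
    dump = bytearray(base + len(img))
    dump[base:base + len(img)] = img
    return bytes(dump)


if __name__ == "__main__":
    mem = build_sample_dump()
    for b in find_mapped_images(mem):
        pe = parse_mapped_pe(mem, b)
        print("image at 0x%x entry 0x%x relocated=%s" % (b, pe["entry_point"], pe["relocated"]))
        for s in pe["sections"]:
            print("  %-6s va=0x%x  mapped=%r  raw-view=%r" % (
                s["name"], b + s["rva"], section_bytes(mem, b, s)[:5],
                section_bytes(mem, b, s, as_mapped=False)[:5]))
```

The `raw-view` column is the check worth keeping in mind when a file-oriented tool is pointed at a mapped module: it reads the section from `PointerToRawData`, which in the memory image is not where the bytes live. The `relocated` flag matters for the same reason; if the module did not get its preferred `ImageBase`, absolute addresses in the mapped copy have already been fixed up by the loader.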