moddump needs the find_space function

Hey guys, 

One flaw in the moddump I submitted last week - its missing BDG's original 
find_space function. Thus, it cannot dump a few modules (namely win32k.sys). 
Here is a new version of moddump.py and a patch file (not sure which you 
prefer). 

Old version:

$ python volatility.py moddump -f mem.vmem -r win32k -D out
Volatile Systems Volatility Framework 1.4_rc1
Cannot dump win32k.sys at bf800000

New version:

$ python volatility.py moddump -f mem.vmem -r win32k -D out
Volatile Systems Volatility Framework 1.4_rc1
Dumping win32k.sys, Base: bf800000 output: driver.bf800000.sys

One thing we could consider doing in the future is adding the find_space 
function to the address space object and having it automatically perform this 
search when a user tries to read an address in kernel memory. In WinDbg, you 
have to switch to a context of a process with at least one GUI thread before 
reading memory owned by win32k.sys...so we could essentially handle that 
context switch on the fly. 

Btw, can someone remind me how to use the plugins in the contrib directory? I 
know they don't show up in the list of plugins by default, and also the 
--plugins=contrib/ doesn't work. Lately I've been copying plugins from the 
contrib directory into the plugins directory to use them, which kinda defeats 
the purpose of putting them in contrib ;-) 

Thanks.

Original issue reported on code.google.com by michael.hale@gmail.com on 18 Oct 2010 at 2:48

Attachments:

ralphymoto / volatility

moddump needs the find_space function #42