timmerk / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

enhancement to the strings plugin #363

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Outputting "kernel:virtualaddress" from the strings plugin is useful, but the 
next logical step is to determine in which kernel module exactly the string was 
located (or if it's just in pool memory). A user could run modules and then try 
to match the address with base and size, but that's tedious even if you only 
have one address to find. Another way is breaking into volshell and using the 
lsmod() generator to find the matching module - also not something the standard 
user would want to do. 

So we should consider doing the lookup inside the strings plugin and then have 
it output "kernel:virtualaddress" if the address is in a pool, otherwise 
something like "ntoskrnl.exe:virtualaddress" 

Original issue reported on code.google.com by michael.hale@gmail.com on 26 Nov 2012 at 3:59
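The lookup described above (match a kernel virtual address against each loaded module's base and size, and fall back to "kernel" for pool memory), as an added example that is not part of the original issue or of Volatility's own code. The module table is constructed for the example, and the ModuleMap/label_kernel_address/format_strings_line names are hypothetical, not the plugin's API.

```python
# Added example (not Volatility's code): resolve a kernel virtual address to the
# loaded module containing it, the way the enhanced strings plugin labels output
# ("module:vaddr" inside a module, "kernel:vaddr" for pool memory, "pid:vaddr"
# for process memory).
import bisect
from typing import List, Optional, Tuple

# (base, size, name) triples, as the modules plugin / volshell lsmod() would
# provide. Values are constructed for this example, not taken from a real image.
MODULES = [
    (0x804d7000, 0x214000, "ntoskrnl.exe"),
    (0x806ee000, 0x20300, "hal.dll"),
    (0xb2ef0000, 0x58000, "tcpip.sys"),
    (0xb2f58000, 0x11000, "ipsec.sys"),
]

class ModuleMap:
    """Module ranges sorted by base, with O(log n) address lookup."""
    def __init__(self, modules: List[Tuple[int, int, str]]):
        self._mods = sorted(modules)
        self._bases = [m[0] for m in self._mods]

    def find(self, vaddr: int) -> Optional[str]:
        # The rightmost module whose base <= vaddr is the only candidate;
        # an address in a gap between modules falls past that module's end.
        idx = bisect.bisect_right(self._bases, vaddr) - 1
        if idx < 0:
            return None
        base, size, name = self._mods[idx]
        return name if base <= vaddr < base + size else None

def label_kernel_address(modmap: ModuleMap, vaddr: int) -> str:
    """'ipsec.sys:b2f5ce8c' inside a module, 'kernel:d540141a' otherwise."""
    name = modmap.find(vaddr) or "kernel"
    return "%s:%08x" % (name, vaddr)

def format_strings_line(modmap, phys_off, owner, vaddr, string):
    """owner is a pid (int) for process memory or None for kernel space."""
    if owner is None:
        tag = label_kernel_address(modmap, vaddr)
    else:
        tag = "%d:%08x" % (owner, vaddr)
    return "%08x [%s] %s" % (phys_off, tag, string)

if __name__ == "__main__":
    m = ModuleMap(MODULES)
    print(format_strings_line(m, 0x0ab55f26, None, 0xb2f5cf26, "ntoskrnl.exe"))
    print(format_strings_line(m, 0x0abde000, None, 0xcd3f8000, "hbin"))
    print(format_strings_line(m, 0x0ab5a98c, 2204, 0x7cbd098c, "Service Pack 3"))
```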

GoogleCodeExporter commented 9 years ago
Gleeda would you mind testing this patch for me? 

Original comment by michael.hale@gmail.com on 3 Jan 2013 at 11:16

GoogleCodeExporter commented 9 years ago
sure, no problem :-)

Original comment by jamie.l...@gmail.com on 3 Jan 2013 at 11:20

GoogleCodeExporter commented 9 years ago
How does it look?

Original comment by michael.hale@gmail.com on 11 Jan 2013 at 3:18

GoogleCodeExporter commented 9 years ago
Alright, this works fine so I'll commit. Example:

0ab55e8c [ipsec.sys:b2f5ce8c] WWWWj
0ab55f14 [ipsec.sys:b2f5cf14] HAL.dll
0ab55f1c [ipsec.sys:b2f5cf1c] NDIS.SYS
0ab55f26 [ipsec.sys:b2f5cf26] ntoskrnl.exe
0ab58220 [1084:0be9b220] p7!}
0ab582e8 [1084:0be9b2e8] p7!}
0ab58720 [1084:0be9b720] p7!}
0ab58e42 [1084:0be9be42] 0VwL
0ab58e58 [1084:0be9be58] LMEM
0ab58e88 [1084:0be9be88] LMEM
0ab58eb8 [1084:0be9beb8] LMEM
0ab58f6c [1084:0be9bf6c] D!Nw
0ab58f78 [1084:0be9bf78] 4!Nw$!Nw<
0ab5a98c [2204:7cbd098c] Service Pack 3
0ab5b04d [tcpip.sys:b2ef304d] !This program cannot be run in DOS mode.
0ab5b0c7 [tcpip.sys:b2ef30c7] dRich
0ab5b1d0 [tcpip.sys:b2ef31d0] .text
0ab5b1f7 [tcpip.sys:b2ef31f7] h.rdata
0abdd41a [kernel:d540141a] CD_8E0AB916B23BDDF6CCA4455B16622C65.370.442552.1549
0abdd44e [kernel:d540144e] KI_ED5F6E9444FFF9BA9E03EB0D623F3F46
0abdd472 [kernel:d5401472] I_18BA379108CD7CCC2FA0FD754AD45A25.6.2463250.179
0abde000 [kernel:cd3f8000] hbin
0abde228 [kernel:cd3f8228] CanLink
0abde248 [kernel:cd3f8248] OneTablePerFile
0abde288 [kernel:cd3f8288] IsamType

Original comment by michael.hale@gmail.com on 17 Jan 2013 at 2:11

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r2850.

Original comment by michael.hale@gmail.com on 17 Jan 2013 at 2:12