tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

give vadinfo an --address filter for easy searching #293

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Possible enhancement to vadinfo: 

Often, when I use vadinfo, I have a specific address in mind. It may be the 
base of a vad in the process (vad.Start) or an address within a vad (vad.Start 
to vad.End). Currently, the plugin prints all vad nodes, which can be hundreds, 
and since they're in binary tree form, they're not in simple highest to lowest 
order, and it can be time consuming to find the vad I'm interested in. 
Typically I just scroll through the terminal output or redirect to a file and 
grep looking for what I need. 

So what I'd propose is adding an --address option to the vadinfo plugin. If 
--address is not supplied, vadinfo prints all vads (i.e. the default behavior 
now). If --address is supplied and matches a vad.Start exactly, then details of 
that vad only are printed. If --address is supplied but doesn't match a 
vad.Start, then the surrounding vads are printed (i.e. "I can't find the vad 
you're looking for, but here are the closest two on either side of the memory 
you requested").

Does that sound useful to anyone? 

Original issue reported on code.google.com by michael.hale@gmail.com on 8 Jul 2012 at 8:54

GoogleCodeExporter commented 9 years ago
This sounds really useful to me, actually. Do you have a patch for this that 
you'd like for us to try?

Original comment by jamie.l...@gmail.com on 3 Aug 2012 at 2:52

GoogleCodeExporter commented 9 years ago
On second thought, I'm not sure I want to add this. It occurred to me if we add 
an --address parameter to vadinfo, we should add it to vaddump. And if we can 
filter those plugins by address, we may want to filter by vad tag or size in 
the future. I'd rather not start a trend of making the plugins even more 
complex with so many options/behaviors so I'm happy leaving it as-is and anyone 
wanting to see (or dump) single vads based on address can use the API with 
their own plugins. If you feel strongly otherwise, just re-open ;-)

Original comment by michael.hale@gmail.com on 9 Aug 2012 at 4:39
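The lookup behaviour proposed in the first comment (exact vad.Start match, otherwise the closest vad on either side), and the "write your own plugin against the API" route suggested in the last one, as an added example that is not Volatility's code. It runs over a constructed list of (vad.Start, vad.End) pairs; in a real Volatility 2 plugin those pairs would be collected from the process VAD tree (assumed: `task.VadRoot.traverse()`), which is the only part not shown here.

```python
import argparse

# Constructed sample of (vad.Start, vad.End) pairs, deliberately left in the
# unsorted order a binary-tree walk yields. Not taken from a real memory image.
SAMPLE_VADS = [
    (0x7FFE0000, 0x7FFE0FFF),
    (0x00010000, 0x0001FFFF),
    (0x00400000, 0x0041FFFF),
    (0x00020000, 0x00020FFF),
    (0x7FFDF000, 0x7FFDFFFF),
]


def find_vad(vads, address):
    """Resolve an address against a set of VAD ranges.

    Returns ('exact', [vad]) when address == vad.Start,
    ('inside', [vad]) when vad.Start < address <= vad.End (End is inclusive),
    or ('nearest', [below, above]) with the closest vad on each side
    (None where the address space has no neighbour on that side)."""
    ranges = sorted(vads)
    for start, end in ranges:
        if start == address:
            return ("exact", [(start, end)])
    for start, end in ranges:
        if start < address <= end:
            return ("inside", [(start, end)])
    below = max((r for r in ranges if r[1] < address), default=None)
    above = min((r for r in ranges if r[0] > address), default=None)
    return ("nearest", [below, above])


def vadinfo_lines(vads, address=None):
    """Proposed --address semantics: no filter prints every vad; with a
    filter, print only the match or the two surrounding neighbours."""
    if address is None:
        return ["VAD node @ 0x%08x-0x%08x" % r for r in sorted(vads)]
    kind, hits = find_vad(vads, address)
    lines = ["address 0x%08x: %s" % (address, kind)]
    for r in hits:
        lines.append("  (none)" if r is None else "  VAD node @ 0x%08x-0x%08x" % r)
    return lines


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="vadinfo --address demo (sample data)")
    ap.add_argument("--address", type=lambda s: int(s, 0), default=None)
    print("\n".join(vadinfo_lines(SAMPLE_VADS, ap.parse_args().address)))
```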