tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

misleading volshell error message #301

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
>>> dt("_EPROCESS", 0xff6a0d90)
ERROR: first argument not an object or known type

>>> dt("_EPROCESS")
'_EPROCESS' (704 bytes)
0x0   : Pcb                            ['_KPROCESS']
0x98  : ProcessLock                    ['_EX_PUSH_LOCK']
0xa0  : CreateTime                     ['WinTimeStamp', {}]
0xa8  : ExitTime                       ['WinTimeStamp', {}]

>>> dd(0xff6a0d90)
Memory unreadable at ff6a0d90

So the problem in the first command is not that the object is not known; it's that the memory is paged.

Original issue reported on code.google.com by michael.hale@gmail.com on 12 Jul 2012 at 5:27
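
The distinction this report asks for, as an added example that is not Volatility's code and not the r2068 change: a dt-style helper that checks the type name first and the address second, so a paged-out address is reported as unreadable memory instead of an unknown type. `ToyAddressSpace`, `TYPES`, `_TOY_PROC` and the sample image are hypothetical names and constructed data.

```python
# Added illustration; every name here is hypothetical, not Volatility's API.
import struct

PAGE = 0x1000

class ToyAddressSpace:
    """Sparse memory: only pages present in the image can be read."""
    def __init__(self, pages):
        self.pages = pages  # {page_base: bytes of length PAGE}

    def read(self, addr, length):
        """Return bytes, or None if any touched page is absent (paged out)."""
        out = b""
        while length > 0:
            base, off = addr & ~(PAGE - 1), addr & (PAGE - 1)
            page = self.pages.get(base)
            if page is None:
                return None
            chunk = page[off:off + length]  # slice stops at the page end
            out += chunk
            addr += len(chunk)
            length -= len(chunk)
        return out

# Constructed type table: name -> (size, {member: (offset, struct format)})
TYPES = {"_TOY_PROC": (16, {"Pid": (0x0, "<I"), "CreateTime": (0x8, "<Q")})}

def dt(type_name, addr, space, types=TYPES):
    """Parse a structure, reporting each failure cause separately."""
    if type_name not in types:
        return ("unknown_type", "%r is not a known type" % type_name)
    size, members = types[type_name]
    data = space.read(addr, size)
    if data is None:
        return ("unreadable", "memory unreadable at %#x (%d bytes for %s)"
                % (addr, size, type_name))
    fields = {name: struct.unpack_from(fmt, data, off)[0]
              for name, (off, fmt) in members.items()}
    return ("ok", fields)

def make_sample_space():
    """Constructed image: one resident page at 0x10000 holding one record."""
    page = bytearray(PAGE)
    struct.pack_into("<I", page, 0x20, 4242)
    struct.pack_into("<Q", page, 0x28, 0x01CD600000000000)
    return ToyAddressSpace({0x10000: bytes(page)})
```

A structure that starts on a resident page but runs into an absent one is also reported as unreadable, since `read` fails if any page it touches is missing.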

GoogleCodeExporter commented 9 years ago
So, there's a potential fix in r2068, could you please check if that makes 
things a little clearer?

Original comment by mike.auty@gmail.com on 17 Jul 2012 at 4:33

GoogleCodeExporter commented 9 years ago
Hey Mike - that looks much better ;-) I'll go ahead and close this. 

Original comment by michael.hale@gmail.com on 17 Jul 2012 at 5:48