Eve

Results 140 comments of Eve

Hello, I've been looking into this a little - it's interesting. It looks like the Windows poolscanner will in some cases (I think modern Windows version) scan a 'virtual'...

Also during the process of looking into this I had two thoughts. What do you think of these @ikelos? Maybe better in a different issue perhaps? 1) Would it be...

Yes, as I started to get my head around it I did question why it would return a virtual address in a scanner, but didn't fancy removing functionality. I agree...

@ikelos Re the native layer offset you're right. I was only thinking about a simple case with addresses that would translate neatly into kernel memory. Just need to look at...

If you run the `isfinfo` plugin and the `banners` plugin, do the banners match exactly? Vol wants them to be exactly the same and won't attempt to use them otherwise....

@d-millar - with `virsh` can you try with the `--memory-only` option. So it would be `virsh dump --memory-only ubuntu22.04 ubuntu.dmp --format elf`. You shouldn't need to specify the format, but...

Does that elf memory dump parse in vol3? If you run your first dump (e.g. not the elf one) with all 7 vs do you get any errors? E.g. `-vvvvvvv`...

Ah I understand, it's different to what I thought the problem was. That error also looks like a different issue to what @ikelos fixed yesterday. Looks like a possible problem...

Essentially vol3 isn't able to understand that elf format for some reason. Which means it's being treated as a flat file, but that means the offsets are wrong which is...

Yes elfs should be supported (I use them all the time) - I think at this point it's best to get that mem dump in the hands of someone who...