ikelos
You'll need to change the `/path/to/memory.raw`
So the question is, why doesn't `0xfffff80001f00000` map to `0x1f00000`? And why didn't the KDBG or the module heuristics work?
Oh, yeah, ok, because it's only a partial config, you still need to supply the `-f` parameter.
So that file is which one the layer will be, and it should reconstruct that layer as necessary, but some automagic won't run without a single-location parameter (and the issue...
Just to follow up on other conversations, after identifying the correct profile and forcing volatility to use it, everything worked just fine, so it's an instance where the windows automagic...
Just to note that there shouldn't be a need to add the file image when using a config.json, but it turned out that the various layers weren't being loaded before...
Further information on this specific problem, the KDBG structure appears to be swapped out, so that means we've fallen back to the next heuristic (the mysterious module list that we...
Hmmm, ok, I'd probably need the output from `vol.py -vvvvvvvv` to help diagnose it. You could also try a git bisect to figure out the commit that causes the problem?...
So I think I've still got the memory image, and when I roll back to `0c43beb` I still get no luck with windows.pslist? I've also tried in volshell to have...
(This is the md5 I've got for it: `1e415dbbdea9d46314247970052306d9`)