ikelos
The `AppData` directory is usually hidden, but I've made an update to ensure the cache is fully cleared during run, rather than the quick clear it does at the moment....
From the name of the directory, it looks like you're using Volatility 2.5.0. You'd need to download the version from git after the commit I mentioned to get the update...
It's in the live development version. You can either wait for our next release or you can click on the green code button on the front page of our github...
So the two outputs you've listed suggest it's trying to download the PDB file, but failing. Please could you post the output of trying to run `python3 pdbconv.py -f krnlmp.pdb...
So, from the error message alone, (and looking up what `ProcessHeaps` is), it turns out it's a pointer to a pointer to a void. So first you need to dereference...
You can use the [`volobj.cast`](https://volatility3.readthedocs.io/en/stable/volatility3.framework.interfaces.objects.html#volatility3.framework.interfaces.objects.ObjectInterface.cast) method to change the type of an object, so when you get to the `void` object, you can cast it to whatever type it should be...
So the `BaseAddress` is a pointer, but again it looks like the types don't define *what* type it's pointing to, so you'll need to figure out what you expect that...
Sorry, the symbol_table doesn't exist in volshell by default, it was more a stand in for people that use volshell often. You need to know the name of the symbol...
Ok, so subtypes need to be actual subtypes rather than just names of subtypes. I'll look into whether we can improve this. In the rest of our code we tend...
We're keen to get as much volatility 2 functionality ported across to volatility 3 as possible, so from that perspective it would be useful. I'm not sure how popular or...