
How can I obtain the Physical address's data by volatility3?

summerCol opened this issue 5 years ago · 1 comment

Describe the bug

Hi, I run the command `python vol.py -o D:\data -f mem.vmem windows.memmap --pid 376 --dump`, then I get the output content below:

Volatility3 Framework 1.2.1-beta.1
Progress:   0.00    Scanning primary2 using PdbSignatureScanner
Virtual         Physical          Size         Offset         Dump
0x100000       0xa63e000          0x1000       0x100000       True
...

How Can I obtain the Physical address's data by volatility3?

summerCol avatar Nov 03 '20 03:11 summerCol

The data will have been written into a file that should now live in D:\data? If you want to read the data at a particular virtual address, you might want to try using volshell. You'd need to find the physical memory layer's name. The layer is most likely called memory_layer, so you'd want something like the following (where you need to fill in <physical_offset> and <length>):

python volshell.py -f mem.vmem -w
(primary) >>> [x for x in context.layers]
['memory_layer', 'primary']
(primary) >>> data = context.layers['memory_layer'].read(<physical_offset>, <length>)
(primary) >>> print(repr(data))

ikelos avatar Nov 16 '20 00:11 ikelos
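The following is an added example and is not code from this thread or from the volatility3 project. It shows in plain Python what the reply above describes: the table printed by windows.memmap is parsed, a virtual address is translated to its physical address (and to its position in the --dump file, on the assumption that this is what the Offset column means), and the bytes are read from a raw image at that physical offset. For a flat raw image such as a VMware .vmem, that seek-and-read returns the same bytes as `context.layers['memory_layer'].read(offset, length)` in volshell. The memmap listing and the 32 KiB image used here are constructed, not taken from a real dump.

```python
# Added example: reading process memory by physical or virtual address from a
# raw image plus a windows.memmap listing. Illustration code only; not part of
# the volatility3 project or of the issue replies. The sample table and image
# below are constructed.
import io
import re
from typing import BinaryIO, List, NamedTuple, Optional, Tuple


class MapEntry(NamedTuple):
    virtual: int    # start of the page in the process's virtual address space
    physical: int   # where that page lives in the physical memory layer
    size: int       # page (or large page) size in bytes
    offset: int     # Offset column; assumed here to be the position in the --dump file
    dumped: bool


# One memmap data row: four hex columns followed by True/False.
_ROW = re.compile(
    r"^\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(True|False)\s*$",
    re.IGNORECASE,
)


def parse_memmap(text: str) -> List[MapEntry]:
    """Parse the table printed by windows.memmap, skipping banner, progress and header lines."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m is None:
            continue
        v, p, s, o, d = m.groups()
        entries.append(MapEntry(int(v, 16), int(p, 16), int(s, 16), int(o, 16), d == "True"))
    return sorted(entries, key=lambda e: e.virtual)


def _find_page(entries: List[MapEntry], vaddr: int) -> Optional[MapEntry]:
    """Return the mapping entry that contains vaddr, or None if it sits in a hole."""
    for e in entries:
        if e.virtual <= vaddr < e.virtual + e.size:
            return e
    return None


def translate(entries: List[MapEntry], vaddr: int) -> Optional[Tuple[int, int]]:
    """Map a virtual address to (physical address, offset in the dump file).

    None means the address is not mapped, which is what volatility3 reports as
    an invalid address when a layer read fails.
    """
    page = _find_page(entries, vaddr)
    if page is None:
        return None
    delta = vaddr - page.virtual
    return page.physical + delta, page.offset + delta


def read_physical(image: BinaryIO, phys_offset: int, length: int) -> bytes:
    """Read bytes at a physical offset of a raw (flat) memory image.

    For a raw image the memory_layer is the file itself, so this seek/read and
    memory_layer.read(offset, length) return the same bytes. Non-raw formats
    (crash dumps, hibernation files) need the translation layers volshell sets
    up and cannot be read this way.
    """
    image.seek(phys_offset)
    data = image.read(length)
    if len(data) != length:
        raise ValueError(f"short read at {phys_offset:#x}: image ends before {phys_offset + length:#x}")
    return data


def read_virtual(entries: List[MapEntry], image: BinaryIO, vaddr: int, length: int) -> bytes:
    """Read a virtual range page by page through the memmap translation.

    A range that is contiguous in the process may be scattered across physical
    memory, so the read is split at every page boundary and each piece comes
    from its own physical location. A hole in the mapping raises rather than
    silently returning padding.
    """
    out = bytearray()
    cursor, end = vaddr, vaddr + length
    while cursor < end:
        page = _find_page(entries, cursor)
        if page is None:
            raise ValueError(f"virtual address {cursor:#x} is not mapped")
        delta = cursor - page.virtual
        chunk = min(end - cursor, page.size - delta)
        out += read_physical(image, page.physical + delta, chunk)
        cursor += chunk
    return bytes(out)


# Constructed memmap output in the plugin's format (small addresses so the
# matching constructed image stays tiny).
SAMPLE_MEMMAP = """\
Volatility3 Framework 1.2.1-beta.1
Progress:   0.00    Scanning primary2 using PdbSignatureScanner
Virtual         Physical          Size         Offset         Dump
0x100000       0x3000            0x1000       0x0            True
0x101000       0x7000            0x1000       0x1000         True
0x103000       0x2000            0x1000       0x2000         True
"""

# Constructed 32 KiB raw image: each mapped physical page holds a distinct byte.
_PAGE = 0x1000
_img = bytearray(8 * _PAGE)
_img[0x3000:0x4000] = b"A" * _PAGE
_img[0x7000:0x8000] = b"B" * _PAGE
_img[0x2000:0x3000] = b"C" * _PAGE
SAMPLE_IMAGE = bytes(_img)


def sample_image() -> io.BytesIO:
    """Open the constructed image the way a real run would open mem.vmem with open(path, 'rb')."""
    return io.BytesIO(SAMPLE_IMAGE)


if __name__ == "__main__":
    entries = parse_memmap(SAMPLE_MEMMAP)
    with sample_image() as img:
        print(translate(entries, 0x100ff8))              # (0x3ff8, 0xff8)
        print(read_physical(img, 0x7000, 4))             # b'BBBB'
        print(read_virtual(entries, img, 0x100ff8, 16))  # b'AAAAAAAABBBBBBBB'
```

Against a real image, replace `sample_image()` with `open("mem.vmem", "rb")` and feed `parse_memmap` the saved output of the memmap run; the physical addresses it prints are the offsets to hand to `read_physical`, or to `memory_layer.read` in volshell. The meaning of the Offset column as a dump-file position is an assumption of this example and should be checked against the plugin version in use before relying on it.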