When trying to extract a file, is the address I have virtual or physical?

[gretschstreamliner]

I've carried out a RAM dump to find the value of a Variable in a C# encryption program. As the Visual studio encoding of the Variable is not faithful to its actual value, I need to access this variable directly in memory.

I have tried running many commands (i.e. vadinfo, virtmap, dumpfiles) in Volatility to find the value of this variable (memory offset outlined in m_handle in the Visual Studio screenshot below). However, none of the commands return anything.

Is volatility capable of finding and returning the data at this memory address (see m_handle)? I'm using both volatility 3 and 2.6 so a command for either would be appreciated.

Visual Studio Variable

Empty responses from Volatility when using various memory handles from program reruns.

[ikelos]

Hi there, the address you're working with is unlikely to be the physical address in memory. It's far more likely to be a virtual address, and the question is whether it will be in the kernel's virtual address space, or the applications. I'd imagine the applications, meaning you'll have to locate the process ID and then use --pid and --virtaddr to try to locate the file.