1.1 Getting VAD Information

To get VAD information from the memory image, you can use the vadinfo Volatility plugin. In the following example, vadinfo is used to display the memory regions of an explorer.exe process, selected by its process ID (pid 2180). In the output, the first VAD node, at address 0x8724d718 in kernel memory, describes the range 0x00db0000-0x0102ffff in the process memory and its memory protection, PAGE_EXECUTE_WRITECOPY. Since this node describes a range containing a memory-mapped executable image (explorer.exe), it also gives the image's full path on disk. The second node, at 0x8723fb50, describes the range 0x004b0000-0x004effff, which does not contain any memory-mapped file. Similarly, the third node, at address 0x8723fb78, describes the process memory range 0x77690000-0x777cbfff, which contains ntdll.dll, along with its memory protection:

$ python vol.py -f win7.vmem --profile=Win7SP1x86 vadinfo -p 2180
Volatility Foundation Volatility Framework 2.6

VAD node @ 0x8724d718 Start 0x00db0000 End 0x0102ffff Tag Vadm
Flags: CommitCharge: 4, Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @87240008 Segment 82135000
NumberOfSectionReferences: 1 NumberOfPfnReferences: 215
NumberOfMappedViews: 1 NumberOfUserReferences: 2
Control Flags: Accessed: 1, File: 1, Image: 1
FileObject @8723f8c0, Name: \Device\HarddiskVolume1\Windows\explorer.exe
First prototype PTE: 82135030 Last contiguous PTE: fffffffc
Flags2: Inherit: 1, LongVad: 1

VAD node @ 0x8723fb50 Start 0x004b0000 End 0x004effff Tag VadS
Flags: CommitCharge: 43, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone

VAD node @ 0x8723fb78 Start 0x77690000 End 0x777cbfff Tag Vad
Flags: CommitCharge: 9, Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @8634b790 Segment 899fc008
NumberOfSectionReferences: 2 NumberOfPfnReferences: 223
NumberOfMappedViews: 40 NumberOfUserReferences: 42
Control Flags: Accessed: 1, File: 1, Image: 1
FileObject @8634bc38, Name: \Device\HarddiskVolume1\Windows\System32\ntdll.dll
First prototype PTE: 899fc038 Last contiguous PTE: fffffffc
Flags2: Inherit: 1
[REMOVED]
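Reading vadinfo output by eye works for a handful of nodes, but a process has hundreds, so an analyst usually reduces the listing to a table and applies the interpretation described above mechanically: which VAD covers a given address, whether it is file-backed, and whether its protection allows execution. The following parser is an added example, not part of the book or of Volatility itself; it consumes the text format shown above (a constructed sample modelled on it, with the page's two explorer.exe nodes and one constructed private executable region) and flags private, non-file-backed regions whose protection permits execution, the same condition Volatility's malfind plugin reports as a possible sign of injected code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the vadinfo text format. The first two nodes mirror the
# explorer.exe output above; the third node (address 0x8ab12340) is constructed
# to show a private region that was made executable, which is what the
# detection logic below is meant to surface.
SAMPLE_VADINFO = """\
VAD node @ 0x8724d718 Start 0x00db0000 End 0x0102ffff Tag Vadm
Flags: CommitCharge: 4, Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @87240008 Segment 82135000
FileObject @8723f8c0, Name: \\Device\\HarddiskVolume1\\Windows\\explorer.exe
Flags2: Inherit: 1, LongVad: 1

VAD node @ 0x8723fb50 Start 0x004b0000 End 0x004effff Tag VadS
Flags: CommitCharge: 43, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone

VAD node @ 0x8ab12340 Start 0x02f10000 End 0x02f1ffff Tag VadS
Flags: CommitCharge: 16, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
"""

NODE_RE = re.compile(
    r"VAD node @ (0x[0-9a-fA-F]+) Start (0x[0-9a-fA-F]+) End (0x[0-9a-fA-F]+) Tag (\w+)"
)
FLAG_RE = re.compile(r"(\w+): (\d+)")

# Protection constants under which the CPU may execute from the region.
EXECUTABLE_PROTECTIONS = {
    "PAGE_EXECUTE",
    "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE",
    "PAGE_EXECUTE_WRITECOPY",
}


@dataclass
class VadNode:
    address: int          # kernel address of the VAD structure
    start: int            # first address of the described range
    end: int              # last address of the described range (inclusive)
    tag: str              # pool tag: Vad, VadS, Vadm, ...
    protection: str = ""  # symbolic protection, e.g. PAGE_READWRITE
    vad_type: str = ""    # VadNone, VadImageMap, ...
    private: bool = False # PrivateMemory flag set
    commit_charge: int = 0
    file_name: Optional[str] = None  # backing file, if the range is mapped

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def parse_vadinfo(text: str) -> List[VadNode]:
    """Turn vadinfo text output into a list of VadNode records."""
    nodes: List[VadNode] = []
    current: Optional[VadNode] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            current = VadNode(int(m.group(1), 16), int(m.group(2), 16),
                              int(m.group(3), 16), m.group(4))
            nodes.append(current)
            continue
        if current is None or not line:
            continue
        if line.startswith("Flags:"):          # not "Flags2:"
            flags = dict(FLAG_RE.findall(line))
            current.private = flags.get("PrivateMemory") == "1"
            current.commit_charge = int(flags.get("CommitCharge", "0"))
        elif line.startswith("Protection:"):
            current.protection = line.split(":", 1)[1].strip()
        elif line.startswith("Vad Type:"):
            current.vad_type = line.split(":", 1)[1].strip()
        elif line.startswith("FileObject") and "Name:" in line:
            current.file_name = line.split("Name:", 1)[1].strip()
    return nodes


def find_region(nodes: List[VadNode], addr: int) -> Optional[VadNode]:
    """Return the VAD whose range contains addr, or None if it is unmapped."""
    for n in nodes:
        if n.start <= addr <= n.end:
            return n
    return None


def suspicious_regions(nodes: List[VadNode]) -> List[VadNode]:
    """Private (not file-backed) regions with an executable protection."""
    return [n for n in nodes
            if n.private and n.file_name is None
            and n.protection in EXECUTABLE_PROTECTIONS]


if __name__ == "__main__":
    vads = parse_vadinfo(SAMPLE_VADINFO)
    for n in vads:
        print(f"{n.address:#010x} {n.start:#010x}-{n.end:#010x} {n.size:>8x} "
              f"{n.protection:<24} {n.vad_type:<12} {n.file_name or ''}")
    for n in suspicious_regions(vads):
        print(f"suspicious: private executable region at {n.start:#010x}")
```

Legitimate image mappings such as explorer.exe and ntdll.dll carry PAGE_EXECUTE_WRITECOPY and a FileObject name, so they never match; a private PAGE_READWRITE heap or stack region never matches either. Only a region that is both private and executable is reported, which is the combination worth dumping and examining further.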
To get the VAD information of a process using the WinDbg kernel debugger, first switch the context to the desired process with the .process command followed by the address of its _EPROCESS structure. After switching the context, use the !vad extension command to display the process memory regions.