[Vol-users] Reading 'address' objects for Wow64 processes

Bridgey theGeek Fri, 20 May 2016 15:03:56 -0700

Hi all,

Wondering if anybody's come across this scenario...


I want to read an address from my_offset:
my_address = obj.Object('address', offset=my_offset, vm=task_vm)

However, for Wow64 the address should only be 4 bytes, but because we're
analysing with a 64-bit profile, 'address' will cause 8 bytes to be parsed
(right?).

Do I need to replace it with something like:
if profile_is_32bit or process_is_wow64:
    my_address = obj.Object('unsigned long', offset=my_offset, vm=task_vm)
else:
    my_address = obj.Object('unsigned long long', offset=my_offset,
vm=task_vm)

Or do I need to start manually unpacking structs?

Thanks,
Adam

_______________________________________________
Vol-users mailing list
[email protected]
http://lists.volatilesystems.com/mailman/listinfo/vol-users

[Vol-users] Reading 'address' objects for Wow64 processes

Reply via email to