Find the pooltag of a process #
Enter volshell and switch the current context to the process you are interested in:
vol.py -f memdump.mem --profile=yourprofile volshell
cc(pid=[pid])
The cc(pid=...) command prints the address of the process object; that is the address we need to reach the pool tag. The _POOL_HEADER sits 96 (0x60) bytes before it, so dump it from there:
dt("_POOL_HEADER", [address]-0x60)
Here is an example of what the output could be (if the PoolTag field does not decode to a readable four-character tag, the distance between the pool header and the object differs for your profile and the 0x60 needs adjusting):

The value we want is the 'PoolTag' field, but Volatility prints it as a little-endian integer, so the bytes have to be swapped to read the tag as text. Inside volshell (Vol2 volshell runs Python 2, which is why .decode('hex') works) that can be done as follows. I am using the value from the example above:
res = hex(1280133197)[2:].decode('hex')[::-1]
Find the physical address of PoolTag #
If the process is unlinked (hidden), cc() cannot find it, so you have to give volshell the address of the process yourself. Passing space=addrspace().base makes dt() read through the physical (base) address space, so the address has to be a physical offset:
hidden_address = # physical address of the hidden process
dt("_POOL_HEADER", hidden_address, space=addrspace().base)
PoolTag is the second DWORD of _POOL_HEADER, so its physical address is the header address plus 4:
pooltag_physical = 0x4 + # _POOL_HEADER address returned above
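The following is an added example, not code from the original page or from Volatility itself, that does offline what the two sections above do inside volshell: it parses the first two DWORDs of a _POOL_HEADER from raw bytes, decodes the PoolTag integer into its ASCII tag (the portable equivalent of the hex()/decode('hex')[::-1] trick, which also avoids the odd-length hex string you get when the tag's first byte is below 0x10), and computes the header and PoolTag addresses from a process address using the page's 0x60 and 0x4 offsets. The bit widths are the Windows ones for x86 (9/7/9/7) and x64 (8/8/8/8); the sample header bytes are constructed here, not taken from a real dump, and the 0x60 distance is an assumption carried over from the page.

```python
import struct

# First 8 bytes of _POOL_HEADER: one DWORD of bitfields followed by the PoolTag DWORD.
# Sizes are in pool-block units (8 bytes on x86, 16 bytes on x64).
POOL_HEADER_LAYOUTS = {
    "x86": {"size": 8,  "prev": 9, "index": 7, "block": 9, "type": 7, "gran": 8},
    "x64": {"size": 16, "prev": 8, "index": 8, "block": 8, "type": 8, "gran": 16},
}

POOLTAG_OFFSET = 0x4            # PoolTag is the second DWORD of _POOL_HEADER
HEADER_BEFORE_OBJECT = 0x60     # distance the page uses between _POOL_HEADER and the process object (assumed)


def tag_from_int(value):
    """Decode the PoolTag integer Volatility prints into its ASCII tag.

    Volatility reads the field as a little-endian unsigned int; packing it back
    little-endian yields the bytes as they sit in memory, i.e. the tag text.
    Windows sets the high bit of the last byte for protected allocations
    (Volatility's scanners match 'Pro\\xe3' for that reason), so it is masked off
    and reported separately.
    """
    raw = struct.pack("<I", value & 0xFFFFFFFF)
    cleaned = bytes(b & 0x7F for b in raw)
    return cleaned.decode("ascii"), cleaned != raw


def parse_pool_header(raw, arch="x64"):
    """Parse the bitfields and PoolTag of a _POOL_HEADER from raw bytes."""
    lay = POOL_HEADER_LAYOUTS[arch]
    if len(raw) < lay["size"]:
        raise ValueError("need %d bytes of _POOL_HEADER, got %d" % (lay["size"], len(raw)))
    bits, tag_int = struct.unpack_from("<II", raw, 0)

    def field(shift, width):
        return (bits >> shift) & ((1 << width) - 1)

    prev = field(0, lay["prev"])
    index = field(lay["prev"], lay["index"])
    block = field(lay["prev"] + lay["index"], lay["block"])
    ptype = field(lay["prev"] + lay["index"] + lay["block"], lay["type"])
    tag, protected = tag_from_int(tag_int)
    return {
        "PreviousSize": prev * lay["gran"],   # converted from block units to bytes
        "PoolIndex": index,
        "BlockSize": block * lay["gran"],     # converted from block units to bytes
        "PoolType": ptype,
        "PoolTag": tag,
        "Protected": protected,
    }


def pool_header_and_tag_addresses(process_address, header_distance=HEADER_BEFORE_OBJECT):
    """Return (_POOL_HEADER address, PoolTag field address) for a process object address."""
    header = process_address - header_distance
    return header, header + POOLTAG_OFFSET


# Constructed sample: an x64 header for a process allocation with the protected
# bit set on the tag (PreviousSize=2 blocks, PoolIndex=0, BlockSize=0x4f blocks,
# PoolType=2), followed by an 8-byte ProcessBilled pointer of zero.
SAMPLE_X64_HEADER = struct.pack("<IIQ", 0x024F0002, 0xE36F7250, 0)

if __name__ == "__main__":
    print(parse_pool_header(SAMPLE_X64_HEADER))
    print(tag_from_int(1280133197))
    print([hex(a) for a in pool_header_and_tag_addresses(0xFFFFFA8001234560)])
```

The same decoding works for any pool tag, not only process objects, which is useful when the 0x60 guess lands on the wrong header and you want to see what tag you actually hit.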
Convert virtual to physical address #
Enter volshell and switch the current context to the process you are interested in:
vol.py -f memdump.mem --profile=yourprofile volshell
virtual = # your virtual address
physical = addrspace().vtop(virtual)   # returns None if the page is not mapped in the current context
print hex(physical)[:-1]               # [:-1] drops the trailing 'L' Python 2 appends to long values