
Understanding Memory Address Translation

I read pages 10-12 in The Art of Memory Forensics more times than I care to admit before I began to understand address translation. Here’s a slide I made for class that might be helpful to you.

Here is the scenario from the book:
Memory sample: ENG-USTXHOU-148
https://docs.google.com/file/d/0B_xsNYzneAhEN2I5ZXpTdW9VMGM/edit

During your analysis you found a reference to a virtual address, 0x10016270, within the virtual address space of the svchost process with PID 1024. The page directory base (CR3) for PID 1024 is 0x7401000. You want to find the physical address to see what other data is in close spatial proximity.
— The Art of Memory Forensics, page 11
[Slide: Address Translation Example]
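The slide itself is not reproduced here, so the following is an added worked example of the walk it illustrates. It is not code from the post or from The Art of Memory Forensics. It assumes the classic 32-bit non-PAE paging mode (4-byte entries, a 10/10/12 bit split of the virtual address); a PAE or x64 sample would need 8-byte entries and more levels. The virtual address 0x10016270 and CR3 0x7401000 are the ones from the scenario; the page directory entry and page table entry values (0x0C3F2067, 0x01AB4067 and the large-page variant) are constructed for illustration and are not the values in the ENG-USTXHOU-148 sample.

```python
"""
x86 32-bit (non-PAE) virtual-to-physical translation written as a two-level
page-table walk over a raw memory image: CR3 -> PDE -> PTE -> page.

The VA (0x10016270) and CR3 (0x7401000) come from the book scenario. The table
contents below are CONSTRUCTED for this example, not taken from the sample.
"""
import struct

PAGE_SIZE = 0x1000
ENTRY_SIZE = 4            # non-PAE PDEs and PTEs are 32-bit
PRESENT = 1 << 0          # bit 0: entry is valid
PAGE_SIZE_BIT = 1 << 7    # bit 7 of a PDE: maps a 4 MB large page, no page table level

CR3 = 0x7401000           # from the scenario
VA = 0x10016270           # from the scenario


def split_va(va):
    """Split a 32-bit VA into (page directory index, page table index, page offset)."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF


class PhysicalMemory:
    """Sparse stand-in for a memory dump: only the pages we touch are backed by bytes."""

    def __init__(self):
        self.pages = {}

    def write32(self, paddr, value):
        page = self.pages.setdefault(paddr & ~0xFFF, bytearray(PAGE_SIZE))
        struct.pack_into("<I", page, paddr & 0xFFF, value)   # little-endian, as in a dump

    def read32(self, paddr):
        page = self.pages.get(paddr & ~0xFFF)
        if page is None:
            raise ValueError(f"physical page {paddr & ~0xFFF:#x} not in image")
        return struct.unpack_from("<I", page, paddr & 0xFFF)[0]


def translate(mem, cr3, va):
    """Walk the tables for va under cr3. Returns (physical address, list of steps)."""
    pd_index, pt_index, offset = split_va(va)
    pd_base = cr3 & ~0xFFF                     # low 12 bits of CR3 are flags, not address
    pde_addr = pd_base + pd_index * ENTRY_SIZE
    pde = mem.read32(pde_addr)
    steps = [f"PDE at {pde_addr:#x} = {pde:#010x}"]
    # A clear present bit means the walk stops here. Windows stores paged-out,
    # transition and prototype state in non-present entries; this walk does not decode those.
    if not pde & PRESENT:
        raise ValueError(f"PDE {pde:#x} not present")
    if pde & PAGE_SIZE_BIT:
        phys = (pde & 0xFFC00000) | (va & 0x3FFFFF)   # 4 MB page: top 10 bits from the PDE
        steps.append(f"large page -> physical address {phys:#x}")
        return phys, steps
    pt_base = pde & 0xFFFFF000
    pte_addr = pt_base + pt_index * ENTRY_SIZE
    pte = mem.read32(pte_addr)
    steps.append(f"PTE at {pte_addr:#x} = {pte:#010x}")
    if not pte & PRESENT:
        raise ValueError(f"PTE {pte:#x} not present")
    phys = (pte & 0xFFFFF000) | offset
    steps.append(f"physical address {phys:#x}")
    return phys, steps


def build_sample_image():
    """Constructed tables: PDE 0x40 -> page table at 0xc3f2000, PTE 0x16 -> page 0x1ab4000."""
    mem = PhysicalMemory()
    mem.write32(0x7401000 + 0x40 * ENTRY_SIZE, 0x0C3F2067)   # flags 0x67: P|RW|US|A|D
    mem.write32(0x0C3F2000 + 0x16 * ENTRY_SIZE, 0x01AB4067)
    return mem


def build_large_page_image():
    """Constructed variant: the same PDE slot with the PS bit set, mapping a 4 MB page at 0xc400000."""
    mem = PhysicalMemory()
    mem.write32(0x7401000 + 0x40 * ENTRY_SIZE, 0x0C4000E7)   # 0x67 | PS (0x80)
    return mem


if __name__ == "__main__":
    for step in translate(build_sample_image(), CR3, VA)[1]:
        print(step)
```

With the constructed tables, the walk reads the PDE at 0x7401100 (0x7401000 + 0x40 * 4), follows its frame number to the page table at 0xC3F2000, reads the PTE at 0xC3F2058 (index 0x16), and lands on physical address 0x01AB4270, the page frame plus the untouched 0x270 offset. Against the real sample you would replace the two constructed entries with the values read from the dump at those same two addresses.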