-
```
So upon investigating a new plugin that has to traverse a *lot* of registry
keys. In so doing, it calls is_valid_address often which calls
HiveAddressSpace vtop, which calls the following:
sel…
-
```
So currently the DTB is searched like this (basic.py):
1. Each profile has a magic signature which seems to be different for different
releases, but ends up pointing at the start of an _EPROCESS.…
-
```
This bug is probably the result of ambiguous validity checking. I did a vadinfo
on the image xp-laptop-2005-06-25.img and I could see lines like:
FileObject @823c234c FileBuffer @ f000af7e …
-
```
I took a crack at fixing kpcrscan for x64. Here's a patch that solves some of
the potential issues, but it still doesn't work.
The patch is built on r1289 from trunk.
```
Original issue rep…
-
```
Hey guys,
I've been seeing this problem:
$ python volatility.py procexedump -f d0.vmem -p 1504 --dump-dir=out
Volatile Systems Volatility Framework 1.4_rc1
*************************************…
-
```
What steps will reproduce the problem?
1. svn update to latest trunk (latest malware.py, too)
2. run apihooks module
imageinfo:
Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instanti…
-
```
Traceback (most recent call last):
  File "vol.py", line 130, in <module>
    main()
  File "vol.py", line 121, in main
    command.execute()
  File "/TESTING/Volatility-1.4_rc1/volatility/commands.p…