-
```
Hey guys,
I've been seeing this problem:
$ python volatility.py procexedump -f d0.vmem -p 1504 --dump-dir=out
Volatile Systems Volatility Framework 1.4_rc1
*************************************…
-
```
It's a Windows 7 image where I forgot to put the profile:
$ python vol.py -f win7vss.vmem hivelist
Volatile Systems Volatility Framework 1.4_rc1
Virtual Physical Name
Traceback (most recen…
-
```
So currently the DTB is searched like this (basic.py):
1. Each profile has a magic signature which seems to be different for different
releases, but ends up pointing at the start of an _EPROCESS.…
-
```
The FileAddressSpace.read(addr, length) API doesn't handle NativeType. With all
other AS (or at least most of them that I've seen), you can pass a NativeType as
the length. If you pass a NativeType to…
-
```
Hey guys,
I noticed something strange with kdbgscan. Not sure what the issue is yet.
Potential KDBG structure addresses (P = Physical, V = Virtual):
_KDBG: V 0xf80002837070 (Win7SP1x64)
_KD…
-
```
What steps will reproduce the problem?
1. vol.py --plugins=/usr/local/src/volatility-2.0/volatility/plugins -f
memory_dump.raw --profile=WinXPSP3x86 malfind -D malfind/ > malfind.out
2.
3.
What i…
-
```
Relatively minor issue. I've read issues 184 and 190, which discuss masking
out the upper 16 bits of 64-bit pointers in the v() and __eq__() functions.
However this doesn't seem intuitive t…