EX_FAST_REF on x64 has been working by accident

[GoogleCodeExporter]

Hey guys, 

This is a much needed patch. On x86 the MAX_FAST_REF constant is 7 thus to get 
the address of an_EX_FAST_REF object, its _EX_FAST_REF.Object.v() & ~7. 
However, on x64 the MAX_FAST_REF constant is 15. 

#if defined (_WIN64)
#define MAX_FAST_REFS 15
#else
#define MAX_FAST_REFS 7
#endif

Anything using the _EX_FAST_REF object on x64 (for example _EPROCESS.Token is 
an _EX_FAST_REF and the getsids plugin calls 
_EPROCESS.Token.dereference_as("_TOKEN") has a chance of being instantiated at 
the wrong address. 

In the attached patch, I subclassed _EX_FAST_REF with MAX_FAST_REF=15 and then 
applied it to all x64 windows profiles. 

Thoughts please? Otherwise I'll commit shortly if it looks OK.

Original issue reported on code.google.com by michael.hale@gmail.com on 24 Feb 2012 at 6:52

Attachments:

• volatility-maxfastref.patch

[GoogleCodeExporter]

Michael, 
  This looks great. Thanks for spotting this bug :-)

Thanks Michael.

Original comment by scude...@gmail.com on 24 Feb 2012 at 8:52

[GoogleCodeExporter]

Hey MHL, looks good to me too, I'm just not sure I'd put in win2k3, it might be 
better placed in windows64, since it applies to all windows 64 systems?  Not 
sure if it matters, but you may also want to differentiate the two classes (so 
_EX_FAST_REF64, or similar, and then mapping it to _EX_FAST_REF only when 
updating the object classes).  I still need to scout the code for __name__ 
usage (/me bumps it up my todo list)...

Original comment by mike.auty@gmail.com on 24 Feb 2012 at 9:22

[GoogleCodeExporter]

This issue was closed by revision r1471.

Original comment by michael.hale@gmail.com on 25 Feb 2012 at 4:27

• Changed state: Fixed