ClaudeZoo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

kdbgscan doesn't print virtual addresses? #245

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
This is copied from an email:

* kdbgscan doesn't seem to print any virtual addresses on x64. I don't
have a huge supply of x64 images, but kdbgscan doesn't print VAs for
any of them (yet it does for my x86 images).

Is this an issue for anyone else? Can we discuss the possible reasons why 
kdbgscan would print physical addresses but not virtual addresses? In some 
cases, imageinfo (and thus the KDBG magic's first suggestion) is not the right 
KDBG, so we have to use kdbgscan to search for others. However, when kdbgscan 
only outputs physical addresses, that's not helpful, since we can't supply 
physical addresses to --kdbg. 

I think Gleeda is testing some x64 now...

Original issue reported on code.google.com by michael.hale@gmail.com on 11 Apr 2012 at 3:40

GoogleCodeExporter commented 8 years ago
I think this may not actually be an issue.  I just printed the following from a 
Vista SP2 x64 image:

python vol.py -f ikelos-vistasp2-x64.dmp kdbgscan --profile=VistaSP2x64
Volatile Systems Volatility Framework 2.1_alpha
Potential KDBG structure addresses (P = Physical, V = Virtual):
 _KDBG: V 0xf800019ccf00  (Win2008SP2x64)
 _KDBG: P 0x019ccf00  (Win2008SP2x64)
 _KDBG: V 0xf800019ccf00  (VistaSP2x64)
 _KDBG: P 0x019ccf00  (VistaSP2x64)
 _KDBG: V 0xf800019ccf00  (VistaSP1x64)
 _KDBG: P 0x019ccf00  (VistaSP1x64)
 _KDBG: V 0xf800019ccf00  (Win2008SP1x64)
 _KDBG: P 0x019ccf00  (Win2008SP1x64)

Of course, it will only print the virtual addresses if it has a virtual space to 
do the scanning over (which requires having the correct profile specified).  
My guess would be that you didn't specify the correct profile for your image.  
Could you double check this please?

Original comment by mike.auty@gmail.com on 11 Apr 2012 at 4:13
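The practical consequence of the comment above is that only the V lines of kdbgscan output can be fed to --kdbg, and those lines only appear when a profile was given. The following is an added example (not part of the issue thread or of the Volatility code base) that parses kdbgscan output in the format pasted above, picks the virtual KDBG address for a chosen profile, and refuses to build a follow-up command when the scan produced physical hits only. The first sample is the output Mike pasted; the second, physical-only sample and the function names are assumptions made for the example.

```python
import re

# Constructed sample: the kdbgscan output pasted in the comment above
# (a run with --profile=VistaSP2x64, so virtual hits are present).
KDBGSCAN_WITH_PROFILE = """\
Volatile Systems Volatility Framework 2.1_alpha
Potential KDBG structure addresses (P = Physical, V = Virtual):
 _KDBG: V 0xf800019ccf00  (Win2008SP2x64)
 _KDBG: P 0x019ccf00  (Win2008SP2x64)
 _KDBG: V 0xf800019ccf00  (VistaSP2x64)
 _KDBG: P 0x019ccf00  (VistaSP2x64)
 _KDBG: V 0xf800019ccf00  (VistaSP1x64)
 _KDBG: P 0x019ccf00  (VistaSP1x64)
 _KDBG: V 0xf800019ccf00  (Win2008SP1x64)
 _KDBG: P 0x019ccf00  (Win2008SP1x64)
"""

# Constructed sample (assumption): what a run without a usable profile looks
# like, as described in the first comment, with physical hits only.
KDBGSCAN_PHYSICAL_ONLY = """\
Volatile Systems Volatility Framework 2.1_alpha
Potential KDBG structure addresses (P = Physical, V = Virtual):
 _KDBG: P 0x019ccf00  (VistaSP2x64)
"""

# One result line: "_KDBG: <P|V> 0x<hex>  (<profile>)"
LINE_RE = re.compile(r"^\s*_KDBG:\s+([PV])\s+(0x[0-9a-fA-F]+)\s+\((\S+)\)\s*$")


def parse_kdbgscan(output):
    """Group kdbgscan hits as {profile: {'P': [addr, ...], 'V': [addr, ...]}}."""
    hits = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines and anything unrecognised are skipped
        kind, addr, profile = m.groups()
        hits.setdefault(profile, {"P": [], "V": []})[kind].append(int(addr, 16))
    return hits


def select_kdbg(output, profile):
    """Return the first virtual KDBG address reported for `profile`.

    Returns None when the scan has no V entry for that profile, which is
    what you get when kdbgscan had no virtual address space to scan.
    """
    hits = parse_kdbgscan(output).get(profile)
    if not hits or not hits["V"]:
        return None
    return hits["V"][0]


def build_command(image, profile, output, plugin="pslist"):
    """Build the follow-up vol.py argv with --kdbg set to a virtual address.

    Raises ValueError instead of silently passing a physical address,
    since --kdbg expects a virtual one.
    """
    kdbg = select_kdbg(output, profile)
    if kdbg is None:
        raise ValueError(
            f"kdbgscan reported no virtual KDBG for {profile}; re-run it with "
            f"--profile={profile} so it has a virtual address space to scan"
        )
    return ["python", "vol.py", "-f", image,
            f"--profile={profile}", f"--kdbg={kdbg:#x}", plugin]


if __name__ == "__main__":
    print(" ".join(build_command("ikelos-vistasp2-x64.dmp", "VistaSP2x64",
                                 KDBGSCAN_WITH_PROFILE)))
```

When several profiles report the same V address (as in the sample, where the Vista SP1/SP2 and 2008 SP1/SP2 profiles all agree), any of them works for --kdbg; the profile passed alongside it is what determines the structure layouts, so pick the profile that matches the image, not merely the first V line.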

GoogleCodeExporter commented 8 years ago
It worked with my samples when the profile was specified.

Original comment by jamie.l...@gmail.com on 11 Apr 2012 at 4:18

GoogleCodeExporter commented 8 years ago
Sorry for the confusion, you're right. For some reason I was under the 
impression that kdbgscan didn't need to be told the profile. 

Original comment by michael.hale@gmail.com on 11 Apr 2012 at 4:20