Leor3961 / volatility

Automatically exported from code.google.com/p/volatility

vad commands don't work on Windows 7 #32

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The vadinfo, vaddump, and vadwalk commands don't work with profile=Win7SP0x86. 
It's because in XP the EPROCESS.VadRoot is a pointer to _MMVAD but in Win7 it's a 
little different:

kd> dt _EPROCESS 
...
   +0x278 VadRoot          : _MM_AVL_TABLE
      +0x000 BalancedRoot     : _MMADDRESS_NODE
         +0x000 u1               : <unnamed-tag>
         +0x004 LeftChild        : (null) 
         +0x008 RightChild       : 0x8594b410 _MMADDRESS_NODE
         +0x00c StartingVpn      : 0
         +0x010 EndingVpn        : 0

kd> dt _MMADDRESS_NODE 0x8594b410 
ntdll!_MMADDRESS_NODE
   +0x000 u1               : <unnamed-tag>
   +0x004 LeftChild        : 0x85389008 _MMADDRESS_NODE
   +0x008 RightChild       : 0x854185f8 _MMADDRESS_NODE
   +0x00c StartingVpn      : 0x75850
   +0x010 EndingVpn        : 0x7585c

So when the vad commands do task.VadRoot.traverse(), the code in 
plugins/overlays/Windows/xp_sp2.py in class _MMVAD fails:

## What type is this struct?
tag = vm.read(offset - 4, 4)
theType = switch.get(tag)

if not theType:
    return obj.NoneObject("Tag {0} not known".format(tag))

Due to the change in Win7, theType will always be None. At least it appears 
that the Win7 nodes still use the same Vad, VadS, Vadl tags though:

kd> db 0x8594b410-4 L4
8594b40c  56 61 64 20     Vad 

kd> db 0x85389008-4 L4
85389004  56 61 64 53     VadS

Original issue reported on code.google.com by michael.hale@gmail.com on 13 Sep 2010 at 2:14
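As an added illustration, not code from Volatility or from this issue: a small walker over the Win7-style tree described above, reading the pool tag 4 bytes before each _MMADDRESS_NODE and starting from the tagless BalancedRoot sentinel. The memory buffer, its base address and the tag-to-type mapping are constructed assumptions; an unknown tag is reported instead of raising, and revisited or unmapped pointers stop the walk so corrupted trees cannot loop it.

```python
import struct

# Assumed mapping of the pool tags seen in the kd output to type names.
KNOWN_TAGS = {b"Vad ": "_MMVAD", b"VadS": "_MMVAD_SHORT", b"Vadl": "_MMVAD_LONG"}
BASE = 0x1000  # hypothetical virtual address of the buffer's first byte
NODE_FMT = "<IIIII"  # u1 +0, LeftChild +4, RightChild +8, StartingVpn +0xc, EndingVpn +0x10

def _node(tag, left, right, start_vpn, end_vpn):
    """Pool tag immediately followed by the _MMADDRESS_NODE header (32-bit)."""
    return tag + struct.pack(NODE_FMT, 0, left, right, start_vpn, end_vpn)

def build_image():
    """Constructed sample image: a BalancedRoot sentinel plus four nodes."""
    img = bytearray(0x140)
    # The sentinel (EPROCESS.VadRoot.BalancedRoot) has no pool tag, a null
    # LeftChild and a RightChild pointing at the real root, as in the issue.
    img[0x10:0x24] = struct.pack(NODE_FMT, 0, 0, BASE + 0x40, 0, 0)
    img[0x3c:0x54] = _node(b"Vad ", BASE + 0x80, BASE + 0xc0, 0x75850, 0x7585c)
    img[0x7c:0x94] = _node(b"VadS", 0, 0, 0x100, 0x10f)
    img[0xbc:0xd4] = _node(b"Vadl", 0, BASE + 0x100, 0x80000, 0x800ff)
    img[0xfc:0x114] = _node(b"Junk", 0, 0, 0x1, 0x2)  # corrupted / unknown tag
    return bytes(img)

def _read_node(img, addr):
    """Return (tag, left, right, start_vpn, end_vpn) or None if unmapped."""
    off = addr - BASE
    if off < 4 or off + struct.calcsize(NODE_FMT) > len(img):
        return None  # stop on a bad pointer rather than crash
    tag = img[off - 4:off]
    _, left, right, start, end = struct.unpack_from(NODE_FMT, img, off)
    return tag, left, right, start, end

def walk_vad(img, vadroot_addr):
    """In-order walk from the _MM_AVL_TABLE at vadroot_addr.
    Yields (address, type_name, start_vpn, end_vpn); an unknown tag is yielded
    with type None and not descended into (the 'Tag not known' case above)."""
    sentinel = _read_node(img, vadroot_addr)  # BalancedRoot: no tag check here
    if sentinel is None:
        return
    seen = set()

    def visit(addr, depth):
        node = _read_node(img, addr) if addr and addr not in seen else None
        if node is None or depth > 64:  # null, cycle, unmapped or absurdly deep
            return
        seen.add(addr)
        tag, left, right, start, end = node
        if tag not in KNOWN_TAGS:
            yield addr, None, None, None
            return
        yield from visit(left, depth + 1)
        yield addr, KNOWN_TAGS[tag], start, end
        yield from visit(right, depth + 1)

    yield from visit(sentinel[2], 0)  # sentinel.RightChild is the real root
```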

GoogleCodeExporter commented 8 years ago
Thanks.  Looks like we'll have to write an __MM_AVL_TABLE object that has a 
traverse method on it for that version?  Either that, or find another 
per-profile way of dealing with the different Vad systems.  Any takers for 
helping code this?

Original comment by mike.auty@gmail.com on 13 Sep 2010 at 7:49

GoogleCodeExporter commented 8 years ago

Original comment by mike.auty@gmail.com on 23 Nov 2010 at 8:33

GoogleCodeExporter commented 8 years ago
Reassigning, because I know MHL's working on this (and I think it's nearly 
done).  5:)

Original comment by mike.auty@gmail.com on 14 Jan 2011 at 6:52

GoogleCodeExporter commented 8 years ago
Thanks to MHL, I believe this has officially been FIXED!  Hurrah!  5:)

Original comment by mike.auty@gmail.com on 21 Jan 2011 at 8:38