Leor3961 / volatility

Automatically exported from code.google.com/p/volatility

[Tracker] Plugins that fail on profiles other than XPSP2 #9

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
This is a meta-bug about all the plugins that fail to work with Windows 7.

Any bugs that refer to Windows 7 breakage should be noted and added to *this* 
bug's "Blocked On" field.  This will help us keep a track of what needs fixing 
and how far we have to go.

Original issue reported on code.google.com by mike.auty@gmail.com on 18 Aug 2010 at 10:27

GoogleCodeExporter commented 8 years ago

Original comment by mike.auty@gmail.com on 18 Aug 2010 at 10:27

GoogleCodeExporter commented 8 years ago

Original comment by mike.auty@gmail.com on 18 Aug 2010 at 10:45

GoogleCodeExporter commented 8 years ago

Original comment by mike.auty@gmail.com on 26 Aug 2010 at 12:24

GoogleCodeExporter commented 8 years ago

Original comment by mike.auty@gmail.com on 26 Aug 2010 at 12:25

GoogleCodeExporter commented 8 years ago

Original comment by mike.auty@gmail.com on 27 Aug 2010 at 9:04

GoogleCodeExporter commented 8 years ago
The vadinfo, vaddump, and vadwalk commands don't work with profile=Win7SP0x86. 
It's because in XP the EPROCESS.VadRoot is a pointer to _MMVAD but in Win7 it's a 
little different:

kd> dt _EPROCESS 
...
   +0x278 VadRoot          : _MM_AVL_TABLE
      +0x000 BalancedRoot     : _MMADDRESS_NODE
         +0x000 u1               : <unnamed-tag>
         +0x004 LeftChild        : (null) 
         +0x008 RightChild       : 0x8594b410 _MMADDRESS_NODE
         +0x00c StartingVpn      : 0
         +0x010 EndingVpn        : 0

kd> dt _MMADDRESS_NODE 0x8594b410 
ntdll!_MMADDRESS_NODE
   +0x000 u1               : <unnamed-tag>
   +0x004 LeftChild        : 0x85389008 _MMADDRESS_NODE
   +0x008 RightChild       : 0x854185f8 _MMADDRESS_NODE
   +0x00c StartingVpn      : 0x75850
   +0x010 EndingVpn        : 0x7585c

So when the vad commands do task.VadRoot.traverse(), the code in 
plugins/overlays/Windows/xp_sp2.py in class _MMVAD fails:

## What type is this struct?
tag = vm.read(offset - 4, 4)
theType = switch.get(tag)

if not theType:
    return obj.NoneObject("Tag {0} not knowns".format(tag))

Due to the change in Win7, theType will always be None. At least it appears 
that the Win7 nodes still use the same Vad, VadS, Vadl tags though:

kd> db 0x8594b410-4 L4
8594b40c  56 61 64 20     Vad 

kd> db 0x85389008-4 L4
85389004  56 61 64 53     VadS

Original comment by michael.hale@gmail.com on 10 Sep 2010 at 3:06
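The structural difference described in the comment above, worked through as an added example (this is not Volatility's own code, nor code from the issue reporter). It builds a toy 32-bit memory image around the kd output quoted above: a Win7 EPROCESS.VadRoot that is an embedded _MM_AVL_TABLE whose BalancedRoot is a tagless dummy node with a null LeftChild, and real VAD nodes that carry their pool tag 4 bytes before the node. The ToyAddressSpace class stands in for a Volatility address space, the mapping from tags to type names (_MMVAD, _MMVAD_SHORT, _MMVAD_LONG) is assumed rather than taken from the page, the EPROCESS base and the XP VadRoot offset are constructed, and the VPNs of the two child nodes plus the "Vadl" tag on the right child are constructed as well. It shows why tag-dispatching on the embedded root yields nothing (the bug reported here) and how starting from BalancedRoot.RightChild on Win7 recovers the tree.

```python
import struct

# Field offsets of _MMADDRESS_NODE (the common header of the _MMVAD variants)
# as shown in the kd output above, 32-bit Windows 7. The pool tag sits 4 bytes
# before the node, which is where xp_sp2.py's _MMVAD reads it from.
OFF_LEFT, OFF_RIGHT, OFF_START_VPN, OFF_END_VPN = 0x4, 0x8, 0xC, 0x10

# Assumed tag -> type mapping (the page only names the tags, not the types).
TAG_TO_TYPE = {b"Vad ": "_MMVAD", b"VadS": "_MMVAD_SHORT", b"Vadl": "_MMVAD_LONG"}


class ToyAddressSpace:
    """Sparse byte-addressable memory standing in for a Volatility address space."""

    def __init__(self):
        self._mem = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self._mem[addr + i] = b

    def read(self, addr, length):
        """Return bytes, or None if any byte in the range is unmapped."""
        try:
            return bytes(self._mem[addr + i] for i in range(length))
        except KeyError:
            return None

    def read_u32(self, addr):
        data = self.read(addr, 4)
        return None if data is None else struct.unpack("<I", data)[0]


def vad_type(space, node_addr):
    """Type name for the node at node_addr, or None if the bytes before it are not a VAD tag."""
    tag = space.read(node_addr - 4, 4)
    return TAG_TO_TYPE.get(tag)


def walk_vad_tree(space, node_addr):
    """In-order traversal (left, self, right) of the VAD nodes reachable from node_addr."""
    if not node_addr:
        return
    vtype = vad_type(space, node_addr)
    if vtype is None:
        # Same condition xp_sp2.py hits on Win7: unknown tag, so stop instead of misparsing.
        return
    yield from walk_vad_tree(space, space.read_u32(node_addr + OFF_LEFT))
    yield (node_addr, vtype,
           space.read_u32(node_addr + OFF_START_VPN),
           space.read_u32(node_addr + OFF_END_VPN))
    yield from walk_vad_tree(space, space.read_u32(node_addr + OFF_RIGHT))


def vad_tree_root(space, vadroot_addr, profile):
    """Find the first real (tagged) VAD node for the given profile.

    XP:   EPROCESS.VadRoot is a pointer to _MMVAD.
    Win7: EPROCESS.VadRoot is an embedded _MM_AVL_TABLE; its BalancedRoot is a
          tagless dummy with LeftChild null, and the tree hangs off RightChild.
    """
    if profile.startswith("Win7"):
        return space.read_u32(vadroot_addr + OFF_RIGHT)
    return space.read_u32(vadroot_addr)


def list_vads(space, vadroot_addr, profile):
    return list(walk_vad_tree(space, vad_tree_root(space, vadroot_addr, profile)))


def write_node(space, addr, tag, left, right, start_vpn, end_vpn):
    """Lay out one tagged _MMADDRESS_NODE-style node (u1 is left as 0)."""
    space.write(addr - 4, tag)
    space.write(addr, struct.pack("<IIIII", 0, left, right, start_vpn, end_vpn))


def build_win7_sample():
    """Constructed Win7 image using the addresses from the kd dump above."""
    space = ToyAddressSpace()
    eprocess = 0x85800000                 # constructed EPROCESS base
    vadroot = eprocess + 0x278            # _MM_AVL_TABLE.BalancedRoot is at +0
    space.write(vadroot - 4, b"\0\0\0\0")  # preceding EPROCESS bytes, not a tag
    # BalancedRoot: LeftChild null, RightChild -> 0x8594b410, VPNs 0 (as in the dump)
    space.write(vadroot, struct.pack("<IIIII", 0, 0, 0x8594b410, 0, 0))
    write_node(space, 0x8594b410, b"Vad ", 0x85389008, 0x854185f8, 0x75850, 0x7585c)
    write_node(space, 0x85389008, b"VadS", 0, 0, 0x10, 0x1f)          # constructed VPNs
    write_node(space, 0x854185f8, b"Vadl", 0, 0, 0x7f000, 0x7ffff)    # constructed tag/VPNs
    return space, vadroot


def build_xp_sample():
    """Constructed XP image: VadRoot is a plain pointer to the first tagged node."""
    space = ToyAddressSpace()
    vadroot = 0x85800000 + 0x11c          # constructed VadRoot offset
    space.write(vadroot, struct.pack("<I", 0x8594b410))
    write_node(space, 0x8594b410, b"Vad ", 0, 0, 0x75850, 0x7585c)
    return space, vadroot


if __name__ == "__main__":
    space, vadroot = build_win7_sample()
    print("tag at embedded root:", vad_type(space, vadroot))        # None -> XP logic finds nothing
    for addr, vtype, start, end in list_vads(space, vadroot, "Win7SP0x86"):
        print(f"{addr:#010x} {vtype:<13} {start:#x}-{end:#x}")
```

Treating the Win7 VadRoot the XP way (reading a tag at VadRoot - 4, or dereferencing VadRoot as a pointer) produces no nodes at all, which matches the empty output the vad commands give on Win7SP0x86; dispatching from BalancedRoot.RightChild recovers all three tagged nodes in address order.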

GoogleCodeExporter commented 8 years ago
Ok, thanks.  Would you mind copy/pasting that into a separate bug, and then 
I'll mark this as blocked on the new issue?  This one's just for tracking the 
problems, and then we can deal with the individual problems in their own 
issues.  Hope that's ok?

Original comment by mike.auty@gmail.com on 10 Sep 2010 at 3:11

GoogleCodeExporter commented 8 years ago

Original comment by mike.auty@gmail.com on 13 Sep 2010 at 7:46

GoogleCodeExporter commented 8 years ago
Closing this, since we're now using the milestones to keep track of what's due 
when.

Original comment by mike.auty@gmail.com on 30 Jan 2011 at 6:22

GoogleCodeExporter commented 8 years ago
Sorry for the bugspam, but better to get this right now than later once it's 
more in use.

Original comment by mike.auty@gmail.com on 4 Feb 2011 at 9:34