Closed GoogleCodeExporter closed 8 years ago
Original comment by mike.auty@gmail.com
on 18 Aug 2010 at 10:27
Original comment by mike.auty@gmail.com
on 18 Aug 2010 at 10:45
Original comment by mike.auty@gmail.com
on 26 Aug 2010 at 12:24
Original comment by mike.auty@gmail.com
on 26 Aug 2010 at 12:25
Original comment by mike.auty@gmail.com
on 27 Aug 2010 at 9:04
The vadinfo, vaddump, and vadwalk commands don't work with profile=Win7SP0x86.
It's because in XP the EPROCESS.VadRoot is a pointer to _MMVAD but in Win7 it's a
little different:
kd> dt _EPROCESS
...
   +0x278 VadRoot          : _MM_AVL_TABLE
      +0x000 BalancedRoot     : _MMADDRESS_NODE
         +0x000 u1               : <unnamed-tag>
         +0x004 LeftChild        : (null)
         +0x008 RightChild       : 0x8594b410 _MMADDRESS_NODE
         +0x00c StartingVpn      : 0
         +0x010 EndingVpn        : 0
kd> dt _MMADDRESS_NODE 0x8594b410
ntdll!_MMADDRESS_NODE
   +0x000 u1               : <unnamed-tag>
   +0x004 LeftChild        : 0x85389008 _MMADDRESS_NODE
   +0x008 RightChild       : 0x854185f8 _MMADDRESS_NODE
   +0x00c StartingVpn      : 0x75850
   +0x010 EndingVpn        : 0x7585c
So when the vad commands do task.VadRoot.traverse(), the code in
plugins/overlays/Windows/xp_sp2.py in class _MMVAD fails:
        ## What type is this struct?
        tag = vm.read(offset - 4, 4)
        theType = switch.get(tag)
        if not theType:
            return obj.NoneObject("Tag {0} not knowns".format(tag))
Due to the change in Win7, theType will always be None. At least it appears
that the Win7 nodes still use the same Vad, VadS, Vadl tags though:
kd> db 0x8594b410-4 L4
8594b40c 56 61 64 20 Vad
kd> db 0x85389008-4 L4
85389004 56 61 64 53 VadS
Original comment by michael.hale@gmail.com
on 10 Sep 2010 at 3:06
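The walk that the comment above says the XP-era _MMVAD code can't do, written out as an added example (this is not Volatility's code and not from the report): treat _EPROCESS.VadRoot as an _MM_AVL_TABLE, skip its sentinel BalancedRoot, start from BalancedRoot.RightChild, do an in-order walk, and classify each _MMADDRESS_NODE by the 4-byte pool tag stored 4 bytes before it. The node layout, the VadRoot offset 0x278, the addresses 0x8594b410 / 0x85389008 / 0x854185f8 and the "Vad " / "VadS" tags come from the kd> output above; the _EPROCESS address, the contents of the VadS and 0x854185f8 nodes, and the extra node with a bogus tag are constructed here to exercise the unknown-tag path without aborting the whole walk.

```python
import struct

# _MMADDRESS_NODE layout for 32-bit Win7, as printed by kd> above:
#   +0x000 u1, +0x004 LeftChild, +0x008 RightChild,
#   +0x00c StartingVpn, +0x010 EndingVpn   (all 32-bit)
# Each node is preceded by a 4-byte pool tag ("Vad " / "VadS" in the dump above).
NODE_FMT = "<IIIII"
NODE_SIZE = struct.calcsize(NODE_FMT)      # 20 bytes
VADROOT_OFFSET = 0x278                     # _EPROCESS.VadRoot on Win7SP0x86 (kd> above)
PAGE_SHIFT = 12                            # VPN -> virtual address
TAG_TYPES = {b"Vad ": "_MMVAD", b"VadS": "_MMVAD_SHORT", b"Vadl": "_MMVAD_LONG"}


class FakeAddressSpace:
    """Stand-in for a Volatility address space: a few constructed regions."""

    def __init__(self, regions):
        self.regions = regions             # {base_address: bytes}

    def read(self, addr, length):
        for base, data in self.regions.items():
            if base <= addr < base + len(data):
                chunk = data[addr - base:addr - base + length]
                return chunk if len(chunk) == length else None
        return None                        # unmapped


def read_node(vm, offset):
    raw = vm.read(offset, NODE_SIZE)
    if raw is None:
        return None
    _u1, left, right, start, end = struct.unpack(NODE_FMT, raw)
    return {"offset": offset, "left": left, "right": right,
            "start_vpn": start, "end_vpn": end,
            "tag": vm.read(offset - 4, 4)}   # pool tag sits 4 bytes before the node


def walk_avl_table(vm, table_offset, max_nodes=10000):
    """In-order walk of an _MM_AVL_TABLE. BalancedRoot is a sentinel
    (StartingVpn == EndingVpn == 0, LeftChild NULL); the real tree hangs
    off its RightChild, so the sentinel itself is never yielded."""
    sentinel = read_node(vm, table_offset)
    if sentinel is None:
        return
    stack, seen, cur = [], set(), sentinel["right"]
    while (cur or stack) and len(seen) < max_nodes:
        while cur and cur not in seen:     # descend leftwards, guarding against cycles
            node = read_node(vm, cur)
            if node is None:
                break
            seen.add(cur)
            stack.append(node)
            cur = node["left"]
        if not stack:
            break
        node = stack.pop()
        yield node
        cur = node["right"]


def list_vads(vm, eprocess):
    """Return (type, start_va, end_va) per VAD; type is None for an
    unrecognised pool tag instead of aborting the whole walk."""
    out = []
    for n in walk_avl_table(vm, eprocess + VADROOT_OFFSET):
        out.append((TAG_TYPES.get(n["tag"]),
                    n["start_vpn"] << PAGE_SHIFT,
                    ((n["end_vpn"] + 1) << PAGE_SHIFT) - 1))
    return out


def node_bytes(tag, left, right, start, end):
    return tag + struct.pack(NODE_FMT, 0, left, right, start, end)


EPROCESS = 0x85f00000   # hypothetical _EPROCESS address (not from the report)
IMAGE = FakeAddressSpace({
    # VadRoot.BalancedRoot as shown by kd>: empty sentinel, RightChild -> 0x8594b410
    EPROCESS + VADROOT_OFFSET: struct.pack(NODE_FMT, 0, 0, 0x8594b410, 0, 0),
    # the "Vad " node kd> dumped: children 0x85389008 / 0x854185f8, VPNs 0x75850-0x7585c
    0x8594b410 - 4: node_bytes(b"Vad ", 0x85389008, 0x854185f8, 0x75850, 0x7585c),
    # "VadS" at 0x85389008 (tag from kd>; children and VPNs constructed)
    0x85389008 - 4: node_bytes(b"VadS", 0x85380004, 0, 0x10, 0x1f),
    # two constructed nodes: a leaf with a bogus tag, and a "Vadl" right child
    0x85380004 - 4: node_bytes(b"Xxxx", 0, 0, 0x1, 0x2),
    0x854185f8 - 4: node_bytes(b"Vadl", 0, 0, 0x76000, 0x760ff),
})

if __name__ == "__main__":
    for t, s, e in list_vads(IMAGE, EPROCESS):
        print("%-13s %#010x-%#010x" % (t, s, e))
```

Reading the tag at offset - 4 only makes sense once you are on a real _MMADDRESS_NODE; doing it on VadRoot itself (which is what the XP _MMVAD code effectively does when VadRoot is an embedded _MM_AVL_TABLE) reads four bytes of _EPROCESS and never matches a tag, which is the "theType will always be None" failure described above.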
Ok, thanks. Would you mind copy/pasting that into a separate bug, and then
I'll mark this as blocked on the new issue? This one's just for tracking the
problems, and then we can deal with the individual problems in their own
issues. Hope that's ok?
Original comment by mike.auty@gmail.com
on 10 Sep 2010 at 3:11
Original comment by mike.auty@gmail.com
on 13 Sep 2010 at 7:46
Closing this, since we're now using the milestones to keep track of what's due
when.
Original comment by mike.auty@gmail.com
on 30 Jan 2011 at 6:22
Sorry for the bugspam, but better to get this right now than later once it's
more in use.
Original comment by mike.auty@gmail.com
on 4 Feb 2011 at 9:34
Original issue reported on code.google.com by
mike.auty@gmail.com
on 18 Aug 2010 at 10:27