gh0stisic / volatility

Automatically exported from code.google.com/p/volatility

_KDDEBUGGER_DATA32 offsets in crash_vtypes look wrong #61

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
So the current _KDDEBUGGER_DATA32 offsets for PsActiveProcessHead and 
PsLoadedModuleList are around 0x78 and 0x80, however from all the copies of 
wdbgexts.h that I've been able to find and some quick (possibly faulty) mental 
arithmetic, these values should be somewhere in the 0x2Cish region...

Also, at the moment, the KDBG scanner (or the new one, when it gets committed) 
will only be able to find the start of _KDDEBUGGER_DATA64 structures (since it 
locates the text KDBG, and works backwards to find the start, there's no 
way of determining whether it's the 32-bit or 64-bit version, so no way of 
finding the start of it).

That's probably fine, but also means our KPCR search for various KDDEBUGGER 
types should also be investigated.

Hopefully one of you two can double check my maths and/or make a decision about 
whether we should still support DATA32 (since I believe it's only applicable 
for NT4 machines).  I've assigned it to moyix for the moment, since the KDBG 
scanner came from his blog, so I assume he knows the most about it.  Hope 
that's ok?  5:)

Original issue reported on code.google.com by mike.auty@gmail.com on 25 Jan 2011 at 2:06
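The ambiguity described in the report (a "KDBG" tag alone does not say whether a 32-bit or 64-bit header precedes it) is easiest to see in code. The following is an added example, not code from this issue or from Volatility itself: it scans a constructed memory image for the OwnerTag, works backwards to both possible structure starts, and keeps only candidates whose key fields look like kernel pointers. Header and field offsets follow the public wdbgexts.h layouts (LIST_ENTRY64 + OwnerTag + Size for the 64-bit header, LIST_ENTRY32 + OwnerTag + Size for the 32-bit one); the pointer values, the Size value and the stray tag in the sample image are constructed for the demonstration.

```python
import struct

# Layout per wdbgexts.h (assumed for this example):
# _DBGKD_DEBUG_DATA_HEADER64 = LIST_ENTRY64 (16) + OwnerTag (4) + Size (4)
# _DBGKD_DEBUG_DATA_HEADER32 = LIST_ENTRY32 (8)  + OwnerTag (4) + Size (4)
KDBG_TAG = b"KDBG"
HEADER64_TAG_OFFSET = 0x10   # OwnerTag sits 16 bytes into _KDDEBUGGER_DATA64
HEADER32_TAG_OFFSET = 0x08   # ... and 8 bytes into _KDDEBUGGER_DATA32

# Field offsets relative to the start of each structure
FIELDS64 = {"KernBase": 0x18, "PsLoadedModuleList": 0x48, "PsActiveProcessHead": 0x50}
FIELDS32 = {"KernBase": 0x10, "PsLoadedModuleList": 0x2C, "PsActiveProcessHead": 0x30}


def build_sample_image():
    """Construct a fake memory image holding one _KDDEBUGGER_DATA64 (constructed data)."""
    kdbg = bytearray(0x340)                                 # Size chosen for the sample
    struct.pack_into("<QQ", kdbg, 0x00, 0, 0)               # Header.List (Flink/Blink)
    kdbg[0x10:0x14] = KDBG_TAG                              # Header.OwnerTag
    struct.pack_into("<I", kdbg, 0x14, len(kdbg))           # Header.Size
    struct.pack_into("<Q", kdbg, 0x18, 0xFFFFF80002A00000)  # KernBase (constructed)
    struct.pack_into("<Q", kdbg, 0x48, 0xFFFFF80002C4F650)  # PsLoadedModuleList (constructed)
    struct.pack_into("<Q", kdbg, 0x50, 0xFFFFF80002C2D8E0)  # PsActiveProcessHead (constructed)
    image = bytearray(0x1000) + kdbg + bytearray(0x1000)
    # A stray "KDBG" string elsewhere in memory must be rejected by the validation step
    image[0x200:0x204] = KDBG_TAG
    return bytes(image)


def looks_like_kernel_pointer(value, bits):
    """Cheap plausibility check: kernel addresses live in the upper half of the address space."""
    if bits == 64:
        return value >= 0xFFFF800000000000
    return 0x80000000 <= value < 0x100000000


def parse_candidate(image, start, bits):
    """Parse a candidate structure at `start`; return None if it fails validation."""
    fields, fmt, hdr_size = (FIELDS64, "<Q", 0x18) if bits == 64 else (FIELDS32, "<I", 0x10)
    if start < 0 or start + max(fields.values()) + 8 > len(image):
        return None
    size = struct.unpack_from("<I", image, start + hdr_size - 4)[0]   # Header.Size
    values = {name: struct.unpack_from(fmt, image, start + off)[0]
              for name, off in fields.items()}
    if size < hdr_size or not all(looks_like_kernel_pointer(v, bits) for v in values.values()):
        return None
    return {"offset": start, "bits": bits, "size": size, **values}


def scan_kdbg(image):
    """Find every 'KDBG' tag, work backwards to each possible start, and validate both."""
    hits = []
    pos = image.find(KDBG_TAG)
    while pos != -1:
        for bits, tag_off in ((64, HEADER64_TAG_OFFSET), (32, HEADER32_TAG_OFFSET)):
            candidate = parse_candidate(image, pos - tag_off, bits)
            if candidate:
                hits.append(candidate)
        pos = image.find(KDBG_TAG, pos + 1)
    return hits


if __name__ == "__main__":
    for hit in scan_kdbg(build_sample_image()):
        print({k: hex(v) if isinstance(v, int) else v for k, v in hit.items()})
```

On the sample image the 32-bit interpretation of the real structure is discarded because reading KernBase as a ULONG yields the low dword of the 64-bit value, which is not a kernel-space address, and the stray tag is discarded because its Size field is zero. That pointer-plausibility check is what lets a tag-based scan disambiguate the two layouts, rather than the tag position itself.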

GoogleCodeExporter commented 9 years ago

Original comment by mike.auty@gmail.com on 25 Jan 2011 at 2:30

GoogleCodeExporter commented 9 years ago

Original comment by mike.auty@gmail.com on 17 Feb 2011 at 7:16

GoogleCodeExporter commented 9 years ago
Ok, just for progress, we've agreed to ditch KDDEBUGGER_DATA32 support for now, 
and to remove the structure, and replace KDDEBUGGER_DATA64 with a complete 
structure courtesy of a pdb from Matthieu Suiche.

Original comment by mike.auty@gmail.com on 25 Feb 2011 at 11:48

GoogleCodeExporter commented 9 years ago
Ok, thanks to labarum_x for some swift vtype production, we've now got a very 
complete (and should be exceptionally handy) KDBG64 vtype in use and working.  
I'm therefore going to mark this as Fixed.  Yay!  5:)

Original comment by mike.auty@gmail.com on 27 Feb 2011 at 4:23