jack198345 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

Add support for prototype page table entries on Windows #419

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
This patch adds support for using Prototype Page Table Entries (PTEs) during 
virtual to physical address translation under Microsoft Windows. Pages of 
memory which are not in the current working set, but available in some other 
working set, can be used. The result is a significant improvement in the amount 
of data available to the user.

For example, try dumping out the DLLs of the firefox.exe process, pid 3276, of 
the xp-laptop memory image. Using the current trunk code, the framework can 
recover ten modules. With this patch, it can recover 32. 

Trunk code:
$ python vol.py -f xp-laptop-2005-07-04-1430.vmem --profile=WinXPSP2x86 dlldump 
--dump-dir=output --pid=3276 | grep -c OK
10

Patched:
$ python vol.py -f xp-laptop-2005-07-04-1430.vmem --profile=WinXPSP2x86 dlldump 
--dump-dir=output --pid=3276 | grep -c OK
32

Care has been taken to ensure prototypes are only used when looking at profiles 
for Windows systems. Prototypes are a software construct--not part of the 
hardware architecture.

Original issue reported on code.google.com by jessekornblum on 16 May 2013 at 7:47

Attachments:

GoogleCodeExporter commented 9 years ago
Some recent revisions have changed the format of intel.py and amd64.py. I've 
modified the patch for those changes. You should get the same output as 
described above.

Original comment by jessekornblum on 21 May 2013 at 6:05

Attachments:

GoogleCodeExporter commented 9 years ago
Hiya Jesse, on line 175 of your most recent patch, did you mean get_paddr or 
should that be get_prototype?

Original comment by mike.auty@gmail.com on 22 May 2013 at 10:24

GoogleCodeExporter commented 9 years ago
Hi Mike, yes, you're right, thank you! Line 175 should be "get_paddr". I'll 
update the file tonight.

Original comment by jessekornblum on 22 May 2013 at 10:41

GoogleCodeExporter commented 9 years ago
Ack, yes, line 175 should be get_prototype. Third time is the charm.

Original comment by jessekornblum on 23 May 2013 at 5:56

Attachments:

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago

Original comment by jamie.l...@gmail.com on 20 Nov 2014 at 8:32