IMAGE_NT_HEADERS is IMAGE_NT_HEADERS64 in all x64 profiles

[GoogleCodeExporter]

We need to put something like this:

vtypes['_IMAGE_NT_HEADERS'] = vtypes['_IMAGE_NT_HEADERS64']

into the base x64 profile 

Otherwise dlldump, procexedump/procmemdump, and moddump on x64 are broken

Also see scudette's branch: 

http://code.google.com/p/volatility/source/browse/branches/scudette/volatility/p
lugins/overlays/windows/win7_sp1_x64.py#117

# On win7 this struct is named differently.
win7_sp1_x64_vtypes.ntkrnlmp_types["_IMAGE_NT_HEADERS"] = 
win7_sp1_x64_vtypes.ntkrnlmp_types["_IMAGE_NT_HEADERS64"]

Don't copy over that comment though, its not a win7 thing, its all x64 
profiles. 

Original issue reported on code.google.com by michael.hale@gmail.com on 20 Jan 2012 at 11:55

[GoogleCodeExporter]

Yeah, ok.

I think probably we can do an overlay trick of

overlay['_IMAGE_NT_HEADERS'][1] = lambda x: x._IMAGE_NT_HEADERS64

However, I'm wondering if perhaps the plugins themselves shouldn't figure that 
out?  Are the structures otherwise identical, with the same internal names, etc?

Original comment by mike.auty@gmail.com on 21 Jan 2012 at 11:20

[GoogleCodeExporter]

Sadly,

That failed miserably.  I'm really not sure how best to add that mapping once 
and have it across all overlays, other than maybe overriding __init__ in the 
windows64.AbstractWindowsx64 class?

Original comment by mike.auty@gmail.com on 21 Jan 2012 at 1:18

[GoogleCodeExporter]

Just as a BTW, the entire idea of profiles inheriting from each other
is flawed and will be removed from my branch soon. Each profile should
define all of its vtypes, and overrides explicitly, otherwise you end
up with convoluted coupling between each profile (e.g. you load a win7
profile, and it effectively loads every single profile all the way
down to XP, applying corrections in arbitrary order - very error prone
and not particularly scalable.).

Also in future we will not be loading all the profiles each time we
run - only the one selected by the user on demand, just like it is
done in the linux branch - so this inheritance will not generally be
possible.

Michael.

Original comment by scude...@gmail.com on 21 Jan 2012 at 2:29

[GoogleCodeExporter]

Hey guys, if we plan to implement scudette's new system before 2.1 release, 
then OK. But if the new system is more of a 2.2+ thing, and there's no good way 
to add _IMAGE_NT_HEADERS->_IMAGE_NT_HEADERS64 once for all overlays, then I'd 
prefer adding it to each profile individually (its duplication but it for sure 
beats moddump, dlldump, and procdump not working ;-)) 

Original comment by michael.hale@gmail.com on 21 Jan 2012 at 5:38

[GoogleCodeExporter]

Scudette's suggestion is also duplication, so it makes no odds to the immediate 
solution.  Applied in r1298.

Original comment by mike.auty@gmail.com on 23 Jan 2012 at 2:35

• Changed state: Fixed