ksanchezcld / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

psxview plugin for x86 and x64 #231

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Here's the psxview plugin. All tests are now functional on x86 and x64, all 
profiles. 

Please let me know if you have questions or concerns!

Original issue reported on code.google.com by michael.hale@gmail.com on 11 Mar 2012 at 8:59

Attachments:

GoogleCodeExporter commented 9 years ago
Looks ok, although MalwarePspCidx64 is unnecessary, because pointer64s get 
converted to pointer objects on x64 windows arches, and they then use 
native_types['address'] to make sure they're the right length.

Also, handle_value doesn't appear to be used in _PSP_CID_TABLE.get_item.  If 
it's not used, it's convention to start the parameter name with _.  That one's 
arguable though, since it's an overridden function.

Nothing else stood out...  5:)

Original comment by mike.auty@gmail.com on 11 Mar 2012 at 9:07

GoogleCodeExporter commented 9 years ago
Thanks Ikelos! That's funny about the pointer64. Next time I try to "fix" 
something for x64 I should make sure it doesn't already work ;-) Anyway, I've 
fixed that. 

Regarding the unused handle_value, yeah it's unused but just there to keep the 
same arguments as the overridden function. So I could do this:

def get_item(self, entry, _ = 0): 

But that looks kinda funny too. Or if I just leave it off like this:

def get_item(self, entry):

Then there's a "TypeError: get_item() takes exactly 2 arguments (3 given)"

Would you suggest we identify the variable but just start it with an underscore 
like this:

def get_item(self, entry, _handle_value = 0):

I can do that if it's desired...let me know? 

Original comment by michael.hale@gmail.com on 12 Mar 2012 at 12:40

GoogleCodeExporter commented 9 years ago
No, you're fine.  I'd probably have done _handle_value, but it's purely taste, 
and there's the exceptionally remote possibility that if people start using 
**kwargs, they may not get what they were expecting from the get_item function. 
It's fine, by all means leave it as is...  5:)

Original comment by mike.auty@gmail.com on 12 Mar 2012 at 12:44
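The two points argued over in the comments above (the TypeError when an override drops a positional parameter, and the remote **kwargs concern when the kept parameter is renamed `_handle_value`) are easy to reproduce in isolation. The following is an added example written for this page, not code from Volatility or from either commenter; `HandleTable`, `walk_table` and `keyword_caller` are constructed stand-ins for the real handle-table base class and its callers, and the `("base", ...)` / `("override", ...)` tuples are only there so the behaviour can be asserted.

```python
# Added example, not Volatility source: shows how the signature of an
# overriding get_item interacts with positional and keyword callers.


class HandleTable:
    """Constructed stand-in for a handle-table base class whose callers
    always pass (entry, handle_value) positionally."""

    def get_item(self, entry, handle_value=0):
        # Hypothetical base behaviour: the value is actually used here.
        return ("base", entry, handle_value)


def walk_table(table, entries):
    """Constructed caller matching the thread: three positional arguments
    (self, entry, handle_value) on every call."""
    return [table.get_item(entry, 0) for entry in entries]


class DroppedParamOverride(HandleTable):
    """Override that leaves handle_value off entirely. Any positional
    caller now raises TypeError (2 parameters, 3 arguments given)."""

    def get_item(self, entry):
        return ("override", entry)


class UnderscoreOverride(HandleTable):
    """Override following the reviewer's convention: the parameter is kept
    so positional callers still work, and the leading underscore marks it
    as deliberately unused."""

    def get_item(self, entry, _handle_value=0):
        return ("override", entry)


def call_dropped_override(entries):
    """Returns the TypeError message the dropped-parameter override
    produces, or None if the call unexpectedly succeeds."""
    try:
        walk_table(DroppedParamOverride(), entries)
        return None
    except TypeError as exc:
        return str(exc)


def keyword_caller(table, entry):
    """Constructed caller that passes the argument by keyword, the
    '**kwargs' case the reviewer mentions. Against the base class this
    works; against UnderscoreOverride the keyword no longer matches the
    renamed parameter, so the call raises TypeError and the message is
    returned instead of a result."""
    try:
        return table.get_item(entry, handle_value=0)
    except TypeError as exc:
        return str(exc)


if __name__ == "__main__":
    print(walk_table(UnderscoreOverride(), [1, 2]))
    print(call_dropped_override([1]))
    print(keyword_caller(HandleTable(), 5))
    print(keyword_caller(UnderscoreOverride(), 5))
```

The underscore form is the right trade-off when every caller in the code base passes the argument positionally, which is what the thread concludes; the keyword case only matters if some caller spells the argument name out, so it is worth checking the call sites rather than the signature alone.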

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r1543.

Original comment by michael.hale@gmail.com on 12 Mar 2012 at 12:57