ksanchezcld / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

intel non-pae address space getting selected when PAE should #261

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I am testing linux-trunk on the latest 32 bit Ubuntu (12.04) and it comes with 
this kernel:

Linux ubuntu 3.2.0-23-generic-pae #36-Ubuntu SMP

(notice the PAE part)

The problem I had was that the non-PAE address space was getting picked up, so 
none of the addresses were being translated correctly. To fix this, I had to 
change the 'order' variable of the PAE address space class so that it would be 
checked before the non-PAE version. This made it work.

I can send a memory capture if that would help debug it, but I imagine it would 
be reproducible on Windows or other Linuxes too.

Original issue reported on code.google.com by atc...@gmail.com on 18 May 2012 at 12:16

GoogleCodeExporter commented 9 years ago
Forgot to mention that I diff'ed between trunk and linux-trunk and 'intel.py' 
is the same in both, so I assume the issue is in all of Volatility and not just 
the Linux support.

Original comment by atc...@gmail.com on 18 May 2012 at 12:18

GoogleCodeExporter commented 9 years ago
Yep, I believe our tests for PAE/NonPAE are defined in VolatilityIA32ValidAS 
[1] and are windows specific.  You'll need to determine how to tell the 
difference between the two, some test you can make of memory about how the DTBs 
work, and then I can help you code up a similar check that we can apply to 
linux profiles...

[1] http://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/overlays/windows/windows.py#699

Original comment by mike.auty@gmail.com on 18 May 2012 at 1:47
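
The selection-by-order behaviour the reporter describes, and the DTB-based structural test Mike asks for, as an added example that is not Volatility's code: a small Python model with two stand-in address spaces, each carrying an `order` and an `is_valid` check, run over two constructed 16 KiB "memory images". The class names, the order values, the DTB location, the image contents and the validity heuristics are all assumptions made for the example (the one hardware fact used is that a 32-bit PAE PDPTE has reserved bits 2:1, 8:5 and above the physical-address width). It shows why a weak non-PAE check tried first captures a PAE image, why swapping the order is safe only because the PAE check rejects a non-PAE page directory, and how a structural test on the table at the DTB can tell the two apart without Windows-specific knowledge.

```python
import struct

PAGE = 0x1000
DTB = 0x1000          # both constructed images place their top-level table here
IMAGE_SIZE = 0x4000   # 16 KiB of constructed "physical memory"

# Reserved bits in a 32-bit PAE PDPTE: bits 2:1, 8:5 and 63:52 (MAXPHYADDR taken as 52).
PDPTE_RESERVED = (0b11 << 1) | (0b1111 << 5) | (0xFFF << 52)
PDPTE_ADDR_MASK = 0x000FFFFFFFFFF000


def build_pae_image():
    """Constructed PAE layout: DTB holds a 32-byte PDPT of four 8-byte entries
    (present bit + page-directory address, no R/W bit), then a page directory."""
    mem = bytearray(IMAGE_SIZE)
    for i in range(4):
        struct.pack_into("<Q", mem, DTB + i * 8, 0x2000 | 0x1)
    struct.pack_into("<Q", mem, 0x2000, 0x3000 | 0x3)   # one present PDE
    return mem


def build_nonpae_image():
    """Constructed non-PAE layout: DTB holds a 4 KiB page directory of 1024
    4-byte PDEs; kernel PDs typically have adjacent present R/W entries."""
    mem = bytearray(IMAGE_SIZE)
    struct.pack_into("<I", mem, DTB, 0x2000 | 0x3)             # present | rw
    struct.pack_into("<I", mem, DTB + 4, 0x00400000 | 0x83)    # 4 MiB page: present | rw | ps
    struct.pack_into("<I", mem, 0x2000, 0x3000 | 0x3)
    return mem


class NonPAESpace:
    """Stand-in for the non-PAE IA32 space. Its validity test is weak: it only
    asks for a present entry whose frame lies inside the image, and a PAE PDPT
    read as 32-bit PDEs satisfies that."""
    name = "IA32 non-PAE"

    def __init__(self, order):
        self.order = order   # lower order is tried first (assumed convention)

    def is_valid(self, mem, dtb):
        if dtb & (PAGE - 1):
            return False
        entries = struct.unpack_from("<1024I", mem, dtb)
        present = [e for e in entries if e & 1]
        return bool(present) and all(
            (e & ~0xFFF) < len(mem) for e in present if not e & 0x80)


class PAESpace:
    """Stand-in for the PAE space. Its test is structural: every present PDPTE
    must have the reserved bits clear, so a non-PAE page directory (R/W bit set
    in entry 0, neighbouring PDE landing in the high dword) is rejected."""
    name = "IA32 PAE"

    def __init__(self, order):
        self.order = order

    def is_valid(self, mem, dtb):
        if dtb & 0x1F:                      # a PDPT is 32-byte aligned
            return False
        entries = struct.unpack_from("<4Q", mem, dtb)
        for e in entries:
            if not e & 1:
                continue
            if e & PDPTE_RESERVED or (e & PDPTE_ADDR_MASK) >= len(mem):
                return False
        return any(e & 1 for e in entries)


def select_address_space(mem, dtb, candidates):
    """Try candidate spaces in ascending 'order'; the first whose validity
    test passes wins. Returns the chosen space's name, or None."""
    for space in sorted(candidates, key=lambda s: s.order):
        if space.is_valid(mem, dtb):
            return space.name
    return None


# Order values are constructed for the example, not Volatility's real ones.
ORIGINAL_ORDER = [NonPAESpace(order=70), PAESpace(order=80)]   # non-PAE tried first
SWAPPED_ORDER = [NonPAESpace(order=80), PAESpace(order=70)]    # reporter's workaround


if __name__ == "__main__":
    pae, nonpae = build_pae_image(), build_nonpae_image()
    print("PAE image, original order:", select_address_space(pae, DTB, ORIGINAL_ORDER))
    print("PAE image, swapped order: ", select_address_space(pae, DTB, SWAPPED_ORDER))
    print("non-PAE image, swapped:   ", select_address_space(nonpae, DTB, SWAPPED_ORDER))
```

With the original order the PAE image is claimed by the non-PAE space, which is the symptom in the report; with the swapped order both images are classified correctly, but only because the PAE check is strict enough to refuse a non-PAE directory. A real Linux profile would want both checks anchored to something the profile knows (for example the DTB value and a kernel virtual address that must translate), not just the alignment and reserved-bit heuristics used here.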

GoogleCodeExporter commented 9 years ago
Updating milestone to coincide with official linux support.

Original comment by mike.auty@gmail.com on 6 Jun 2012 at 8:29

GoogleCodeExporter commented 9 years ago
attc fixed this earlier and just forgot to close

Original comment by michael.hale@gmail.com on 24 Sep 2012 at 8:44

GoogleCodeExporter commented 9 years ago
Could someone list the commit reference for this please?

Original comment by mike.auty@gmail.com on 24 Sep 2012 at 9:07

GoogleCodeExporter commented 9 years ago
sure i think it was r2271

Original comment by michael.hale@gmail.com on 24 Sep 2012 at 9:24

GoogleCodeExporter commented 9 years ago
Thanks very much MHL, just makes it easier to keep track of what happened where 
and when...  ;)

Original comment by mike.auty@gmail.com on 24 Sep 2012 at 10:11

GoogleCodeExporter commented 9 years ago
No prob, sorry I came down with a case of the lazies before ;-)

Original comment by michael.hale@gmail.com on 24 Sep 2012 at 10:16