Hey guys,
We successfully enumerate/walk the VADs on all OSes, but on systems later than
XP, only some (but not all) of the mapped files are shown. It's a two-part fix:
1) In windows.py, the Vadm tag should be an _MMVAD_LONG
switch = {'Vadl': '_MMVAD_LONG',
          'VadS': '_MMVAD_SHORT',
          'Vad ': '_MMVAD_LONG',
          'VadF': '_MMVAD_SHORT',
          'Vadm': '_MMVAD_LONG',  # <== Here
          }
2) The _EX_FAST_REF object in vista_sp0_x86.py needs to use a different mask.
For a little background, _EX_FAST_REF is used by Windows to track the object
address and number of references to the object, using the same 32-bit
container. So assuming you have an object at address 0x81234560 with 2
references, then the value in _EX_FAST_REF will actually be 0x81234562. The max
number of references appears to be 7 because the ref count is stored in the
lower 3 bits (111b == 7).
I misinterpreted chopping off the lower 3 bits as using & 0xFFFFFFFC, but
that's not right. So instead of this:
return obj.Object(theType, vm = self.obj_vm, parent = self, offset = self.Object.v() & 0xFFFFFFFC)
It needs to be this instead (also using ~ for readability)
return obj.Object(theType, vm = self.obj_vm, parent = self, offset = self.Object.v() & ~7)
So in summary, without these changes, we only list the mapped files for files
which have a certain number of references. For example, on one system I tested
with, that was 930. After applying the changes, 2504 are shown.
Original issue reported on code.google.com by michael.hale@gmail.com on 17 Feb 2011 at 11:29
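The following is an added example, not code from the original issue or from Volatility itself. It models the _EX_FAST_REF encoding described above (object address in the high bits, fast-reference count in the low 3 bits on 32-bit Windows) and shows why masking with 0xFFFFFFFC recovers the object only when the count is 0..3, while & ~7 recovers it for every count. The `refcount_bits=4` case for x64 (16-byte object alignment) goes beyond what the issue states and is an assumption; the sample _FILE_OBJECT addresses and names are constructed.

```python
# Added example (not part of the original Volatility issue): decode an
# _EX_FAST_REF value into its object pointer and embedded reference count,
# and show why masking with 0xFFFFFFFC instead of ~7 misses most objects.

MAX_FAST_REFS_X86 = 7  # ref count lives in the low 3 bits on 32-bit Windows


def decode_fast_ref(value, refcount_bits=3):
    """Split an _EX_FAST_REF value into (object address, fast-ref count).

    refcount_bits=3 matches 32-bit Windows (objects are 8-byte aligned, so
    the low 3 bits are free). refcount_bits=4 for x64 (16-byte alignment)
    is an assumption that goes beyond the issue text.
    """
    mask = (1 << refcount_bits) - 1
    return value & ~mask, value & mask


def encode_fast_ref(address, refcount, refcount_bits=3):
    """Inverse of decode_fast_ref; rejects counts that don't fit in the low bits."""
    mask = (1 << refcount_bits) - 1
    if address & mask:
        raise ValueError("object address is not aligned to %d bytes" % (mask + 1))
    if not 0 <= refcount <= mask:
        raise ValueError("refcount must be 0..%d" % mask)
    return address | refcount


def buggy_object_address(value):
    """The mask from the original vista_sp0_x86.py: only clears the low 2 bits."""
    return value & 0xFFFFFFFC


def fixed_object_address(value):
    """The corrected mask: clears all 3 ref-count bits."""
    return value & ~7


def compare_masks(address, refcount_bits=3):
    """For every possible fast-ref count, check whether the buggy mask still
    recovers the real object address. Returns the list of counts it gets right."""
    mask = (1 << refcount_bits) - 1
    ok = []
    for refs in range(mask + 1):
        v = encode_fast_ref(address, refs, refcount_bits)
        if buggy_object_address(v) == address:
            ok.append(refs)
    return ok


def resolve_files(fast_refs, objects, address_of):
    """Count how many _EX_FAST_REF values resolve to a known _FILE_OBJECT when
    the pointer is recovered with address_of (the buggy or the fixed mask).
    This mirrors how a ControlArea's FilePointer is followed to name a mapped file."""
    return sum(1 for v in fast_refs if address_of(v) in objects)


# Constructed sample: four 8-byte-aligned _FILE_OBJECT addresses (hypothetical)
# and fast refs to them with ref counts 2, 4, 7 and 1.
SAMPLE_OBJECTS = {
    0x81234560: r"\Windows\System32\ntdll.dll",
    0x823F1A08: r"\Windows\System32\kernel32.dll",
    0x85A0C8F8: r"\Windows\System32\user32.dll",
    0x86E13B40: r"\Windows\explorer.exe",
}
SAMPLE_REFS = [
    encode_fast_ref(0x81234560, 2),
    encode_fast_ref(0x823F1A08, 4),
    encode_fast_ref(0x85A0C8F8, 7),
    encode_fast_ref(0x86E13B40, 1),
]

if __name__ == "__main__":
    print("counts the buggy mask handles:", compare_masks(0x81234560))
    print("files found, buggy mask:", resolve_files(SAMPLE_REFS, SAMPLE_OBJECTS, buggy_object_address))
    print("files found, fixed mask:", resolve_files(SAMPLE_REFS, SAMPLE_OBJECTS, fixed_object_address))
```

With the buggy mask only the two sample objects whose ref count has bit 2 clear (counts 2 and 1) resolve; with & ~7 all four do, which is the same effect as the 930 versus 2504 mapped files reported above, just on constructed data.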