qwhai / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Cant find object _ADDRESS_OBJECT in profile for Windows 7 #201

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
When running the sockscan plugin, I get an error that the _ADDRESS_OBJECT 
structure is not defined for the current profile. The memory image came from a 
Windows 7 RTM system. 

$ python vol.py sockscan -f filename.vmem --profile=Win7SP0x86 --dtb=0x185000 
[...]
WARNING : volatility.obj      : Cant find object _ADDRESS_OBJECT in profile 
<volatility.plugins.overlays.windows.win7_sp0_x86.Win7SP0x86 object at 
0x1007890d0>?
WARNING : volatility.obj      : Cant find object _ADDRESS_OBJECT in profile 
<volatility.plugins.overlays.windows.win7_sp0_x86.Win7SP0x86 object at 
0x1007890d0>?

I am using the /trunk code, r1340, on OS X, with Python 2.7.2.

The _ADDRESS_OBJECT structure is defined for Windows XP and Windows 2003, but 
no other operating systems. I looked through the symbols for ntoskrnl.exe, 
tcpip.sys, and tdi.sys, but couldn't find a definition of _ADDRESS_OBJECT. Is 
there another file which would contain that structure? Did the structure change 
in Windows 7?

Original issue reported on code.google.com by jessekornblum on 2 Feb 2012 at 1:27

GoogleCodeExporter commented 9 years ago
_ADDRESS_OBJECT hasn't been used in Windows since 2003 (even then it wasn't a 
public symbol). Please check over the Networking section of 
http://code.google.com/p/volatility/wiki/FeaturesByPlugin. 

Original comment by michael.hale@gmail.com on 2 Feb 2012 at 1:42

GoogleCodeExporter commented 9 years ago
Ack! Oops, sorry.

Original comment by jessekornblum on 2 Feb 2012 at 1:45