stephanelpaul / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

missing value for KUSER_SHARED_DATA #199

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
after we redid the profiles, we lost the value for KUSER_SHARED_DATA that was 
in xp_sp2_x86.py:

'KUSER_SHARED_DATA' : [ 0x0, ['VolatilityMagic', dict(value = 0xFFDF0000)]],

This leads to problems when trying to get the system time (like in 
get_image_time of imageinfo)

Also we need to find the value for KUSER_SHARED_DATA for x64, since it doesn't 
appear to be the same.

Original issue reported on code.google.com by jamie.l...@gmail.com on 1 Feb 2012 at 7:52

GoogleCodeExporter commented 9 years ago
ok the value for x64 is: 0xFFFFF78000000000 ;-)

Original comment by jamie.l...@gmail.com on 1 Feb 2012 at 8:03

GoogleCodeExporter commented 9 years ago
so maybe something like:

Index: volatility/plugins/overlays/windows/windows.py
===================================================================
--- volatility/plugins/overlays/windows/windows.py  (revision 1327)
+++ volatility/plugins/overlays/windows/windows.py  (working copy)
@@ -35,7 +35,7 @@
     'VOLATILITY_MAGIC' : [None, {
     # Profile specific values
     'DTBSignature' : [ 0x0, ['VolatilityMagic', dict(value = "Volatility DTBSignature unspecified")]],
-    'KUSER_SHARED_DATA' : [ 0x0, ['VolatilityMagic', dict(value = 0x0)]],
+    'KUSER_SHARED_DATA' : [ 0x0, ['VolatilityMagic', dict(value = 
0xFFDF0000)]],
     'KDBGHeader' : [ 0x0, ['VolatilityMagic', dict(value = 'Volatility KDBGHeader unspecified')]],
     # Configuration options
     'DTB' : [ 0x0, ['VolatilityDTB', dict(configname = "DTB")]],
Index: volatility/plugins/overlays/windows/windows64.py
===================================================================
--- volatility/plugins/overlays/windows/windows64.py    (revision 1327)
+++ volatility/plugins/overlays/windows/windows64.py    (working copy)
@@ -24,6 +24,7 @@
 windows_overlay = copy.deepcopy(windows.windows_overlay)

 windows_overlay['VOLATILITY_MAGIC'][1]['PoolAlignment'][1] = ['VolatilityMagic', dict(value = 16)]
+windows_overlay['VOLATILITY_MAGIC'][1]['KUSER_SHARED_DATA'][1] = 
['VolatilityMagic', dict(value = 0xFFFFF78000000000)]

 # This is the location of the MMVAD type which controls how to parse the
 # node. It is located before the structure.

Original comment by jamie.l...@gmail.com on 1 Feb 2012 at 8:07

GoogleCodeExporter commented 9 years ago
Ah, you beat me to it.  Looks good, feel free to apply it...  5:)

Original comment by mike.auty@gmail.com on 1 Feb 2012 at 8:10

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r1328.

Original comment by jamie.l...@gmail.com on 1 Feb 2012 at 9:10

GoogleCodeExporter commented 9 years ago
awesome thanks for looking, ikelos!  just committed it :-)

Original comment by jamie.l...@gmail.com on 1 Feb 2012 at 9:10