volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

PTE problem #278

Closed ghost closed 8 years ago

ghost commented 8 years ago

Hello,

I've got a problem getting correct PTE data. Below are the details.

OS is Windows 7 SP1 x64.

The screenshot below illustrates the data (PXE/PPE/PDE/PTE part) I'm after but instead my code produces a bit different data. I have also included my code. In my VMware image there is just one calc.exe process running.

This is my code:

```python
import volatility.obj as obj

# eprocesses_all is assumed to be the list of _EPROCESS objects already
# enumerated from the image (for example via the pslist logic); it is not
# defined in this snippet.
proc = None
for proc in eprocesses_all:
    if str(proc.ImageFileName) == "calc.exe":
        break

for vad, vad_as in proc.get_vads():
    # First page of the VAD region: each VPN is one 4 KiB page
    vaddr = vad.StartingVpn.v() << 12
    # Byte offset into the x64 PTE self-map (8-byte entries, one per 4 KiB page)
    pte_offs = vaddr >> 9

    pte = obj.Object("_MMPTE", 0xfffff68000000000 + pte_offs, vm = vad_as)
    if pte:
        # Note: masking with 0xffffffff before shifting keeps only 20 PFN bits
        pfn = (pte.u.Long & 0xffffffff) >> 12
        print("VADDR=0x%08x contains 0x%016x -- PFN=0x%08x" % (vaddr, pte.u.Long, pfn))
```

My code produces this:

```
VADDR=0x00020000 contains 0x9b30000018e7a005 -- PFN=0x00018e7a
VADDR=0x00010000 contains 0x8940000009c42847 -- PFN=0x00009c42
```

The above PFN values look the same as in the screenshot below that I got using the !vtop command. Not shifted to the left by 12 though.

So my question is, how can I get PFN values 0x7ca1 of VA 0x10000 and b06d of VA 0x20000 using Volatility?

[screenshot: pte_thing2]
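As an added example (not code from the issue or from the Volatility project), the block below reproduces the x64 self-map arithmetic behind the PXE/PPE/PDE/PTE addresses that !vtop prints for a virtual address, and decodes the two raw PTE words quoted above. It assumes the fixed Windows 7 x64 self-map base 0xFFFFF68000000000 that the snippet uses, and that the two printed words are hardware PTEs; the function names and the large-frame sample value are mine. Two checks a practitioner wants before trusting a PFN from a raw word: a PTE whose valid bit (bit 0) is clear is a software PTE, and its bits 12..47 are not a physical frame number; and masking with 0xffffffff before shifting keeps only 20 PFN bits, so frames at or above 4 GiB physical come out wrong.

```python
# Added example, not from the issue or from Volatility: x64 self-map address
# arithmetic (as printed by !vtop) plus a hardware-PTE field decoder.
# PTE_BASE is the fixed Windows 7 x64 self-map base used in the issue.

PTE_BASE = 0xFFFFF68000000000      # x64 PTE self-map base (Windows 7, not randomized)
SELFMAP_INDEX_MASK = 0x7FFFFFFFF8  # bits 3..38 of (va >> 9): 4 levels x 9 bits, 8-byte entries
PFN_FIELD_MASK = 0xFFFFFFFFF       # PFN occupies bits 12..47 of a hardware PTE (36 bits)


def pte_va(va):
    """Virtual address of the PTE that maps `va` (the 'PTE at' line of !vtop)."""
    return PTE_BASE + ((va >> 9) & SELFMAP_INDEX_MASK)


def pde_va(va):
    """The PDE that maps `va` is the PTE that maps the PTE's own address."""
    return pte_va(pte_va(va))


def ppe_va(va):
    return pte_va(pde_va(va))


def pxe_va(va):
    return pte_va(ppe_va(va))


def walk(va):
    """All four self-map entry addresses for `va`, in the order !vtop lists them."""
    return {"PXE": pxe_va(va), "PPE": ppe_va(va), "PDE": pde_va(va), "PTE": pte_va(va)}


def decode_hw_pte(value):
    """Split a 64-bit x64 PTE into its fields. Only a valid PTE carries a
    hardware PFN; when bit 0 is clear the word is a software PTE (transition,
    prototype or paged out) and bits 12..47 must not be read as a frame."""
    valid = bool(value & 1)
    pfn = ((value >> 12) & PFN_FIELD_MASK) if valid else None
    return {
        "valid": valid,
        "writable": bool(value & (1 << 1)),
        "user": bool(value & (1 << 2)),
        "accessed": bool(value & (1 << 5)),
        "dirty": bool(value & (1 << 6)),
        "large_page": bool(value & (1 << 7)),
        "nx": bool((value >> 63) & 1),
        "pfn": pfn,
        "physical_base": (pfn << 12) if valid else None,
    }


def pfn_truncated_to_32_bits(value):
    """The expression used in the snippet above: (pte & 0xffffffff) >> 12.
    It keeps only 20 PFN bits, so any frame at or above 4 GiB is mangled."""
    return (value & 0xFFFFFFFF) >> 12


if __name__ == "__main__":
    # Constructed inputs: the two VAs and raw PTE words taken from the issue text.
    samples = {0x10000: 0x8940000009c42847, 0x20000: 0x9b30000018e7a005}
    for va, raw in samples.items():
        for level, addr in walk(va).items():
            print("VA 0x%x: %s at 0x%016x" % (va, level, addr))
        print("  raw 0x%016x -> %s" % (raw, decode_hw_pte(raw)))
    # A constructed PTE whose frame lies above 4 GiB shows the truncation.
    big = 0x8000000123456867
    print("PFN 0x%x vs 32-bit-truncated 0x%x"
          % (decode_hw_pte(big)["pfn"], pfn_truncated_to_32_bits(big)))
```

Run stand-alone it prints the four self-map addresses for VA 0x10000 and 0x20000 and the decoded fields of both quoted words. The PFNs it derives from those words are 0x9c42 and 0x18e7a, the same values the snippet printed, so the field extraction is not where the difference from !vtop's 0x7ca1 and 0xb06d comes from: a different 64-bit word is being read, which points at the translation path of the self-map read (which address space the PTE address is resolved through) rather than at the bit arithmetic.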

ghost commented 8 years ago

solved