neofito,
I thought that you might like to know that we have just committed
profiles for Vista SP1 and SP2. Would you like to test them out on
your Vista images? Let us know if you have any problems.
All the best,
-gleeda
> Date: Wed, 26 Jan 2011 19:25:49 +0100
> From: neofito <vjaviergarcia(a)ono.com>
> Subject: Re: [Vol-dev] A doubt about vista_sp0_x86_vtypes.py
> To: vol-dev(a)volatilityfoundation.org
> Message-ID: <4D40672D.9010200(a)ono.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> The current Vista profile is working well; it was just a doubt.
>
> Thanks
>
>
> On 20/01/2011 7:37, AAron Walters wrote:
>>
>>
>> neofito,
>>
>> I would guess that is the file that Bradley was interested in when he
>> generated the profile. If you would prefer to use types from
>> ntkrpamp.pdb, please feel free. With all the changes in the upcoming
>> 1.4, adding new types and profiles has become a lot easier. Hopefully
>> you will also decide to submit them back and assist with Vista testing.
>>
>> Have you run into problems with the current profile? Is it not working?
>> Thanks,
>>
>> AW
>>
Hello,
From "Windows Internals, Fifth Edition":
On 32-bit x86 systems, the flag in the page table entry to mark a page
as nonexecutable is available only when the processor is running in Physical
Address Extension (PAE) mode. Thus, support for hardware DEP on 32-bit
systems requires loading the PAE kernel.
Why is the file used ntkrnlmp.pdb instead of ntkrpamp.pdb?
Thanks,
---
The truth will set us free
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]