Hi,
I'm playing with a 5GB Windows 7 SP0 64bit memory dump and I have some
problems with processes mapped over 4GB.
Pslist only shows System process. Maybe it's because System is the
only process mapped under 4GB?
H:\Volatility>python vol.py -f Windows Seven.vmem --profile=Win7SP0x64 pslist
Volatile Systems Volatility Framework 2.1_alpha
Offset(V)          Name                 PID    PPID   Thds   Hnds     Sess   Wow64  Start                Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0xfffffa8005355b30 System               4      0      91     -------- ------ 0      2012-06-14 19:42:15
H:\Volatility>python vol.py -f Windows Seven.vmem --profile=Win7SP0x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P)          Name             PID    PPID   PDB                Time created         Time exited
------------------ ---------------- ------ ------ ------------------ -------------------- --------------------
0x0000000008755b30 System           4      0      0x0000000000187000 2012-06-14 19:42:15
0x0000000174a4a800 VMwareTray.exe   2028   1164   0x000000018c7c3000 2012-06-14 19:42:47
0x0000000174a55b30 VMwareUser.exe   1324   1164   0x000000018af49000 2012-06-14 19:42:47
0x0000000174a923f0 SearchIndexer.   240    552    0x000000018895a000 2012-06-14 19:42:53
0x0000000174aebb30 SearchFilterHo   2108   240    0x0000000188146000 2012-06-14 19:42:54
0x0000000174b00060 SearchProtocol   2076   240    0x00000001964b2000 2012-06-14 19:42:54
0x0000000174db7630 explorer.exe     1164   1976   0x000000019a477000 2012-06-14 19:42:46
0x0000000174f52b30 vmtoolsd.exe     1392   552    0x0000000190f88000 2012-06-14 19:42:39
0x0000000175015060 svchost.exe      316    552    0x000000019bdd9000 2012-06-14 19:42:33
0x0000000175021b30 spoolsv.exe      1088   552    0x00000001a2a65000 2012-06-14 19:42:38
0x00000001750fb060 svchost.exe      816    552    0x0000000196cde000 2012-06-14 19:42:36
0x0000000175241060 svchost.exe      900    552    0x00000001a020e000 2012-06-14 19:42:29
0x0000000175276060 svchost.exe      828    552    0x00000001a6621000 2012-06-14 19:42:29
0x000000017528c060 audiodg.exe      968    828    0x000000019ddc2000 2012-06-14 19:42:32
0x0000000175294630 VMUpgradeHelpe   1460   552    0x000000019f527000 2012-06-14 19:42:40
0x00000001752b8b30 svchost.exe      1284   552    0x0000000192402000 2012-06-14 19:42:39
0x000000017531b9b0 taskhost.exe     1936   552    0x000000019a163000 2012-06-14 19:42:45
0x000000017531c880 dwm.exe          2008   868    0x000000019b4fc000 2012-06-14 19:42:46
0x000000017538a5f0 svchost.exe      1136   552    0x00000001a3870000 2012-06-14 19:42:38
0x0000000175517b30 csrss.exe        364    356    0x000000000032c000 2012-06-14 19:42:22
0x0000000175521060 svchost.exe      668    552    0x00000001a2b4d000 2012-06-14 19:42:27
0x000000017554bb30 wininit.exe      436    356    0x00000000be0b2000 2012-06-14 19:42:24
0x0000000175553b30 csrss.exe        460    448    0x00000000be284000 2012-06-14 19:42:24
0x0000000175592960 winlogon.exe     504    448    0x00000000bff4a000 2012-06-14 19:42:24
0x00000001755bf060 svchost.exe      744    552    0x00000001a1251000 2012-06-14 19:42:28
0x00000001755d1b30 services.exe     552    436    0x00000001a7184000 2012-06-14 19:42:25
0x00000001755d8060 svchost.exe      868    552    0x00000001a0309000 2012-06-14 19:42:29
0x00000001755e2b30 lsass.exe        560    436    0x00000001a9128000 2012-06-14 19:42:25
0x00000001755e6910 lsm.exe          568    436    0x00000001a9470000 2012-06-14 19:42:25
0x0000000175deb060 userinit.exe     1976   504    0x000000019b3ee000 2012-06-14 19:42:45
0x0000000176263b30 WmiPrvSE.exe     1848   668    0x00000001a8947000 2012-06-14 19:42:45
0x00000001763ff950 smss.exe         264    4      0x0000000041470000 2012-06-14 19:42:15
Could the problem be related to the vtop function in amd64?
For a physical page size of 4KB, vtop() in amd64.py converts the address:
1- get pml4e
2- get pdpte
3- get pde
4- get pte
5- return get_phys_addr
The function get_phys_addr() in step #5 is in intel.py and is 32bit only:
    def get_phys_addr(self, vaddr, pte_value):
        return (pte_value & 0xfffff000) | (vaddr & 0xfff)
If the pte_value is 64bit, does it get cut in get_phys_addr()?
Thanks for your help,
Sébastien
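The truncation described in the post, reproduced as an added example (this is not code from the post or from Volatility): a minimal four-level walk in the order amd64.py uses (pml4e, pdpte, pde, pte), run over constructed page tables that map one virtual address to a frame above 4 GB, once with the 32-bit mask quoted from intel.py and once with a mask covering the amd64 frame-number bits 12..51. The CR3 value and the virtual address are taken from the post's output; the table frames, the data frame and the entry flags are constructed for the demonstration.

```python
PAGE_MASK_32 = 0xfffff000           # mask used by the quoted intel.py helper (32-bit)
PAGE_MASK_64 = 0x000ffffffffff000   # amd64: physical frame number lives in bits 12..51
PRESENT = 0x1

def get_phys_addr_32(vaddr, pte_value):
    """The quoted helper: every PTE bit above 31 is discarded."""
    return (pte_value & PAGE_MASK_32) | (vaddr & 0xfff)

def get_phys_addr_64(vaddr, pte_value):
    """Same helper with a mask wide enough for amd64 frame numbers."""
    return (pte_value & PAGE_MASK_64) | (vaddr & 0xfff)

def entry_index(vaddr, level):
    """9-bit index into the table at `level` (3=PML4, 2=PDPT, 1=PD, 0=PT)."""
    return (vaddr >> (12 + 9 * level)) & 0x1ff

def vtop(mem, cr3, vaddr, get_phys_addr):
    """4 KB-page walk pml4e -> pdpte -> pde -> pte -> get_phys_addr.
    `mem` is a constructed fake: physical address -> 8-byte entry value."""
    table = cr3 & PAGE_MASK_64
    for level in (3, 2, 1):
        entry = mem.get(table + entry_index(vaddr, level) * 8, 0)
        if not entry & PRESENT:
            return None
        table = entry & PAGE_MASK_64
    pte = mem.get(table + entry_index(vaddr, 0) * 8, 0)
    if not pte & PRESENT:
        return None
    return get_phys_addr(vaddr, pte)

def build_fake_tables(vaddr, frame):
    """Construct the minimal table set that maps `vaddr` to `frame`.
    Table frames are placed below 4 GB; only the data frame is high."""
    mem = {}
    cr3 = 0x187000                                      # System PDB from the post's psscan
    tables = [0x187000, 0x188000, 0x189000, 0x18a000]   # PML4, PDPT, PD, PT (constructed)
    for level, (tbl, nxt) in enumerate(zip(tables, tables[1:] + [frame])):
        mem[tbl + entry_index(vaddr, 3 - level) * 8] = nxt | 0x63  # present|rw|accessed|dirty
    return mem, cr3

# Constructed case: the System EPROCESS vaddr from pslist, mapped to a frame
# above 4 GB like the ones psscan reports from 0x0000000174a4a800 upwards.
VADDR = 0xfffffa8005355b30
FRAME = 0x174a4a000
MEM, CR3 = build_fake_tables(VADDR, FRAME)

def demo():
    """Returns (result with 32-bit mask, result with 64-bit mask)."""
    return vtop(MEM, CR3, VADDR, get_phys_addr_32), vtop(MEM, CR3, VADDR, get_phys_addr_64)

if __name__ == "__main__":
    bad, good = demo()
    print("32-bit mask: 0x%x  (bit 32 and above of the frame are lost)" % bad)
    print("64-bit mask: 0x%x" % good)
```

With the 32-bit mask the walk lands at 0x74a4ab30, a completely different physical page, which is consistent with pslist finding only processes whose frames happen to lie below 4 GB.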