First, I'm not a spammer, I promise :)
Following the instructions provided by Bradley Schatz [1] I added a new profile for Windows Vista SP2.
Since the code is actively revised it's obvious that not all commands work as expected, but I'm very surprised that the command kpcrscan always gets the same value:
C:\Volatility-1.4_rc1>volatility.py --profile=VistaSP2x86 -f vistasp2.dmp kpcrscan
Volatile Systems Volatility Framework 1.4_rc1
Potential KPCR structure virtual addresses:
Phys addr 00150000 Virt addr ffdff000
  _KPCR: ffdff000
Obviously this is not correct:
0: kd> !pcr
KPCR for Processor 0 at 81d45800:
     Major 1 Minor 1
     NtTib.ExceptionList: ffffffff
         NtTib.StackBase: 00000000
        NtTib.StackLimit: 00000000
      NtTib.SubSystemTib: 80151000
           NtTib.Version: 001d39f9
       NtTib.UserPointer: 00000001
           NtTib.SelfTib: 00000000
                 SelfPcr: 81d45800
                    Prcb: 81d45920
                    Irql: 00000002
                     IRR: 00000000
                     IDR: ffffffff
           InterruptMode: 00000000
                     IDT: 81bff400
                     GDT: 81bff000
                     TSS: 80151000
           CurrentThread: 81d49640
              NextThread: 00000000
              IdleThread: 81d49640
               DpcQueue:
The volatility code version is the latest available via subversion (r493).
[1] http://blog.schatzforensic.com.au/2010/05/adding-new-structure-definitions-…
---
The truth will set us free
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
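As an added illustration (not code from the post or from the Volatility project), the function below implements the self-reference test that a KPCR scanner relies on and checks it against the SelfPcr/Prcb values shown in the !pcr output above: on x86 the KPCR's SelfPcr field (offset 0x1c) must point back at the structure itself and its Prcb field (offset 0x20) must point at the embedded PrcbData (offset 0x120). The memory buffer, the decoy candidate and the address layout are constructed for this example; the field offsets are assumed from the public x86 _KPCR layout.

```python
import struct

# x86 _KPCR field offsets (assumption: public 32-bit _KPCR layout).
SELFPCR_OFFSET = 0x1C    # _KPCR.SelfPcr: pointer back to the KPCR itself
PRCB_OFFSET = 0x20       # _KPCR.Prcb: pointer to the embedded _KPRCB
PRCBDATA_OFFSET = 0x120  # _KPCR.PrcbData: where the _KPRCB lives inside _KPCR
STEP = 4                 # pointer alignment for the sliding window


def scan_kpcr(mem, base_va):
    """Return virtual addresses in `mem` that pass the KPCR self-reference check.

    `mem` is a contiguous slice of kernel virtual memory whose first byte is
    mapped at `base_va`. A candidate is accepted only if SelfPcr points at the
    candidate itself AND Prcb points at candidate + 0x120; a lone fixed address
    such as ffdff000 is never accepted just for being the classic location.
    """
    hits = []
    for off in range(0, len(mem) - PRCB_OFFSET - 4 + 1, STEP):
        va = base_va + off
        self_pcr, prcb = struct.unpack_from("<II", mem, off + SELFPCR_OFFSET)
        if self_pcr == va and prcb == va + PRCBDATA_OFFSET:
            hits.append(va)
    return hits


def build_sample():
    """Constructed 8 KiB of fake kernel memory (not a real dump) containing:
    - a KPCR at 81d45800 with SelfPcr/Prcb as in the !pcr output above
    - a decoy at 81d46000 whose SelfPcr matches but whose Prcb does not."""
    base_va = 0x81D45000
    mem = bytearray(0x2000)

    def plant(va, self_pcr, prcb):
        struct.pack_into("<II", mem, va - base_va + SELFPCR_OFFSET, self_pcr, prcb)

    plant(0x81D45800, 0x81D45800, 0x81D45920)  # genuine: Prcb == SelfPcr + 0x120
    plant(0x81D46000, 0x81D46000, 0x81D46200)  # decoy: Prcb off by 0xE0, rejected
    return bytes(mem), base_va


if __name__ == "__main__":
    sample, base = build_sample()
    for va in scan_kpcr(sample, base):
        print("Potential KPCR at %08x" % va)
```

Running a scanner over a zero-filled window at ffdff000 yields no hit, which is the point: a candidate must be accepted because both pointers agree, not because of where it sits.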