First, I'm not a spammer, I promise :)
Following the instructions provided by Bradley Schatz [1] I added a new profile for Windows Vista SP2.
Since the code is actively revised it's obvious that not all commands work as expected, but I'm very surprised that the command kpcrscan always gets the same value:
C:\Volatility-1.4_rc1>volatility.py --profile=VistaSP2x86 -f vistasp2.dmp kpcrscan
Volatile Systems Volatility Framework 1.4_rc1
Potential KPCR structure virtual addresses:
Phys addr 00150000 Virt addr ffdff000
_KPCR: ffdff000
Obviously this is not correct:
0: kd> !pcr
KPCR for Processor 0 at 81d45800:
Major 1 Minor 1
NtTib.ExceptionList: ffffffff
NtTib.StackBase: 00000000
NtTib.StackLimit: 00000000
NtTib.SubSystemTib: 80151000
NtTib.Version: 001d39f9
NtTib.UserPointer: 00000001
NtTib.SelfTib: 00000000
SelfPcr: 81d45800
Prcb: 81d45920
Irql: 00000002
IRR: 00000000
IDR: ffffffff
InterruptMode: 00000000
IDT: 81bff400
GDT: 81bff000
TSS: 80151000
CurrentThread: 81d49640
NextThread: 00000000
IdleThread: 81d49640
DpcQueue:
The volatility code version is the latest available via subversion (r493).
[1]
http://blog.schatzforensic.com.au/2010/05/adding-new-structure-definitions-…
---
The truth will set us free
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
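As an added illustration (not part of the original post or of Volatility's code): a self-consistency scan for 32-bit _KPCR structures, the kind of check kpcrscan is meant to perform, run over a constructed dump that holds a KPCR at the Vista-style address from the !pcr output above rather than at the legacy ffdff000. The field offsets and the 0x120 SelfPcr-to-Prcb delta are the standard x86 layout, assumed here; the sample dump and the decoy structure are constructed.

```python
import struct

# Standard 32-bit _KPCR layout, assumed here: NtTib fills the first 0x1c
# bytes, SelfPcr sits at 0x1c, Prcb at 0x20, and the embedded _KPRCB starts
# 0x120 bytes in. That delta is visible in the post's !pcr output
# (SelfPcr 81d45800, Prcb 81d45920).
SELFPCR_OFF = 0x1C
PRCB_OFF = 0x20
PRCB_DELTA = 0x120
KERNEL_BASE = 0x80000000  # lowest kernel VA with the default x86 split

def make_kpcr(self_va, prcb_va=None):
    """Construct a 0x200-byte blob shaped like the start of a _KPCR."""
    blob = bytearray(0x200)
    prcb_va = self_va + PRCB_DELTA if prcb_va is None else prcb_va
    struct.pack_into("<II", blob, SELFPCR_OFF, self_va, prcb_va)
    return bytes(blob)

def kpcr_candidates(dump):
    """Scan a raw physical dump for self-consistent _KPCR structures.

    A hit is a 4-byte-aligned offset whose SelfPcr field holds a kernel
    pointer and whose Prcb field points exactly PRCB_DELTA past it. SelfPcr
    is the structure's own virtual address, so no page-table walk is needed.
    Returns a list of (phys_offset, virt_addr) pairs.
    """
    hits = []
    last = len(dump) - (PRCB_OFF + 4)
    for off in range(0, last + 1, 4):
        self_va, prcb_va = struct.unpack_from("<II", dump, off + SELFPCR_OFF)
        if self_va >= KERNEL_BASE and prcb_va == self_va + PRCB_DELTA:
            hits.append((off, self_va))
    return hits

# Constructed sample: zeros, a Vista-style KPCR at physical 0x1800 claiming
# the VA from the post (0x81d45800), and a decoy at 0x3000 whose SelfPcr is
# the legacy 0xffdff000 but whose Prcb does not line up.
SAMPLE_DUMP = (
    bytes(0x1800)
    + make_kpcr(0x81D45800)
    + bytes(0x3000 - 0x1800 - 0x200)
    + make_kpcr(0xFFDFF000, prcb_va=0xFFDFF124)
    + bytes(0x1000)
)

if __name__ == "__main__":
    for phys, virt in kpcr_candidates(SAMPLE_DUMP):
        print(f"Phys addr {phys:08x} Virt addr {virt:08x}")
```

Run on the constructed dump it reports only the 81d45800 structure; a scanner that assumes the legacy fixed address would have missed it, while one that checks self-consistency also still finds a KPCR that genuinely lives at ffdff000.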