Re: [Vol-dev] A doubt about vista_sp0_x86_vtypes.py
20 Jan
2011
20 Jan
'11
1:37 a.m.
neofito,
I would guess that is the file that Bradley was interested in when he
generated the profile. If you would prefer to use types from
ntkrpamp.pdb, please feel free. With all the changes in the upcoming 1.4,
adding new types and profiles has become a lot easier. Hopefully you will
also decide to submit them back and assist with Vista testing.
Have you run into problems with the current profile? Is it not working?
Thanks,
AW
On Wed, 19 Jan 2011, neofito wrote:
Hello,
From "Windows Internals, Fifth Edition":
On 32-bit x86 systems, the flag in the page table entry to mark a page as
nonexecutable is available only when processor is running in Physical Address
Extension (PAE) mode. Thus, support for hardware DEP on 32-bit systems
requires loading the PAE kernel
Why the file used is ntkrnlmp.pdb instead of ntkrpamp.pdb?
Thanks,
---
La verdad nos hara libres
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev