Neofito,
It strikes me as strange that it is finding it as the old fixed KPCR
address. Two things come immediately to mind:
        1. A change in the KPCR structure in SP2; and
        2. Regression in the configury code relying on a fixed address.
Have you dumped the KPCR structure under windbg and SP2 and compared
against (6) at
http://blog.schatzforensic.com.au/2010/07/finding-object-roots-in-vista-kpcr/ ?
Thanks,
Bradley
Dr. Bradley Schatz  |  Forensic computer scientist
Ph.D. (Computer Forensics), B.Sc. (Computer Science)
Director, Schatz Forensic Pty. Ltd.
p: 1 300 364 101  |  f: +61 7 3301 1843  |  m: +61 422 949 039
e: bradley(a)schatzforensic.com.au         |  p: PO Box 15972, City East,
Brisbane, QLD  4002
w: www.schatzforensic.com.au
-----Original Message-----
From: vol-dev-bounces(a)volatilityfoundation.org
[mailto:vol-dev-bounces@volatilityfoundation.org] On Behalf Of neofito
Sent: Tuesday, 5 October 2010 4:58 AM
To: vol-dev(a)volatilityfoundation.org
Subject: [Vol-dev] New memory profile and kpcrscan question
  First, I'm not a spammer, I promise :)
Following the instructions provided by Bradley Schatz [1] I added a new
profile for Windows Vista SP2.
Since the code is actively revised, it's obvious that not all commands
work as expected, but I'm very surprised that the kpcrscan command
always gets the same value:
C:\Volatility-1.4_rc1>volatility.py --profile=VistaSP2x86 -f vistasp2.dmp kpcrscan
Volatile Systems Volatility Framework 1.4_rc1
Potential KPCR structure virtual addresses:
Phys addr 00150000 Virt addr ffdff000
  _KPCR: ffdff000
Obviously this is not correct:
0: kd> !pcr
KPCR for Processor 0 at 81d45800:
     Major 1 Minor 1
     NtTib.ExceptionList: ffffffff
         NtTib.StackBase: 00000000
        NtTib.StackLimit: 00000000
      NtTib.SubSystemTib: 80151000
           NtTib.Version: 001d39f9
       NtTib.UserPointer: 00000001
           NtTib.SelfTib: 00000000
                 SelfPcr: 81d45800
                    Prcb: 81d45920
                    Irql: 00000002
                     IRR: 00000000
                     IDR: ffffffff
           InterruptMode: 00000000
                     IDT: 81bff400
                     GDT: 81bff000
                     TSS: 80151000
           CurrentThread: 81d49640
              NextThread: 00000000
              IdleThread: 81d49640
               DpcQueue:
The volatility code version is the latest available via subversion
(r493).
[1] http://blog.schatzforensic.com.au/2010/05/adding-new-structure-definitions-to-volatility/
---
The truth will set us free
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
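A worked illustration of the self-consistency check a KPCR scanner can rely on instead of a fixed address, added here as an example and not code from Volatility or from either poster: a candidate is accepted only if its SelfPcr field points back at the candidate itself and its Prcb field points 0x120 bytes further on, the relationship visible in the !pcr dump above (SelfPcr 81d45800, Prcb 81d45920). The 32-bit field offsets 0x1c/0x20 and the in-memory sample region are assumptions.

```python
import struct

# _KPCR field offsets for 32-bit Windows, assumed here from the classic x86
# layout; the 0x120 SelfPcr-to-Prcb distance matches the !pcr dump in the thread.
SELFPCR_OFF = 0x1C
PRCB_OFF = 0x20
PRCB_DELTA = 0x120


def is_kpcr(mem: bytes, base_va: int, off: int) -> bool:
    """Return True if the bytes at mem[off] look like a _KPCR mapped at
    virtual address base_va + off: SelfPcr must be its own address and Prcb
    must be exactly PRCB_DELTA bytes past it. A zero-filled page (or a stale
    fixed-address guess such as ffdff000 on Vista) fails this check."""
    if off + PRCB_OFF + 4 > len(mem):
        return False
    self_pcr, prcb = struct.unpack_from("<II", mem, off + SELFPCR_OFF)
    va = base_va + off
    return self_pcr == va and prcb == va + PRCB_DELTA


def kpcr_candidates(mem: bytes, base_va: int, step: int = 4) -> list:
    """Scan a buffer mapped at base_va and return the virtual addresses of
    every self-consistent _KPCR found (step is the alignment to try)."""
    return [base_va + off
            for off in range(0, len(mem) - PRCB_OFF - 4 + 1, step)
            if is_kpcr(mem, base_va, off)]


def build_kpcr(va: int) -> bytes:
    """Construct a minimal _KPCR image that is self-consistent for address va."""
    buf = bytearray(0x200)
    struct.pack_into("<II", buf, SELFPCR_OFF, va, va + PRCB_DELTA)
    return bytes(buf)


# Constructed sample region (not a real dump): one 4 KiB page mapped at
# 81d45000 with the KPCR at the non-page-aligned offset 0x800, i.e. at the
# address windbg reported for the Vista SP2 processor 0 KPCR.
REGION_BASE = 0x81D45000
SAMPLE = bytes(0x800) + build_kpcr(0x81D45800) + bytes(0x600)


def scan_sample() -> list:
    return kpcr_candidates(SAMPLE, REGION_BASE)


if __name__ == "__main__":
    print("candidates:", [hex(v) for v in scan_sample()])  # ['0x81d45800']
    # The old fixed address does not validate against an empty page there.
    print("ffdff000 valid:", is_kpcr(bytes(0x1000), 0xFFDFF000, 0))  # False
```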