9:02 a.m.
Mike,
I'm running the version pulled from SVN this morning, 1.3.1
(08.09.2009). How would I list the candidate DTB addresses? The way I
found out about this problem originally was to just email Peter the
error from memorize. He instantly recognized the problem. Also, how
would I get the 1.4 branch to try out? Apologies for the dumb questions.
I'm reasonably bright, but I only use this thing about once every four
months.
Thanks lots
John
-----Original Message-----
From: Mike Auty [mailto:mike.auty@gmail.com]
Sent: Wednesday, January 06, 2010 7:48 AM
To: McCash John-GKJN37
Subject: Re: [Vol-dev] Possible Volatility Bug
Hiya John,
First off could you please specify which version of volatility you're
using (whether you're using a tarball, or the sources from subversion)?
Also, whilst I can't comment too well on the 1.3 branch, I don't think
Windows 2003 is supported, I believe it's mostly aimed at XP SP2.
Having said that, it is possible to manually specify a DTB in the 1.4
branch using --dtb and in the 1.3 branch using -b (although for 1.3 this
is probably plugin dependent).
I'll leave it to someone who's been working with Volatility longer to
give you a more in-depth answer once you let us know which version you
were using, but hopefully this'll let you work around the problem for a
bit... 5:)
Mike 5:)
9:21 a.m.
New subject: Possible Volatility Bug
Hiya John!
I'm running the version pulled from SVN this
morning, 1.3.1
(08.09.2009). How would I list the candidate DTB addresses?
I'm not sure it
comes up with candidates, as I said my knowledge of the
1.3 branch is pretty poor. It looks as though it'll do finding of a DTB
in [1]. My guess is that you could alter the code around line 117 to
print out any potential matches it found, and then remove the return so
that the loop keeps going. It probably won't find you multiple matches
that are very close to each other (BLOCKSIZE close, in fact), but it'll
get you started...
In the 1.4 branch this all happens in [2], but the code is very similar.
It's slightly more generic, in that it looks for an EPROCESS structure
(which I guess could exist under linux), but still checks to see if the
process is called Idle. You can see from the comment there that the
value's specific to x86 XP, I dunno whether 2003 will use the same value.
Converting this to a generator and allowing people to try out the
different possibilities in case there's a system that's sneakily been
setup with multiple DTBs could work, but it would need time to sort out...
The way I
found out about this problem originally was to just email Peter the
error from memorize. He instantly recognized the problem.
I guess because it looks
for an Idle process and then returns based on
that, if you had an old Idle process, you'd get the wrong value, but one
of the main volatility devs might be able to give you a better
explanation. I've only been working on volatility for a few months, and
I learnt most of what I know from the source code itself! 5:)
Also, how would I get the 1.4 branch to try out?
You can check it out from subversion at [3], it's pretty much the same
as the experimental branch but without the text formatting
work-in-progress that Michael Cohen's been implementing in his (rare)
free time. 5:)
Apologies for the dumb questions.
Hehehehehe, no
problem, if you don't know the answers they're not stupid
questions! 5:)
Mike 5:)
[1]
http://code.google.com/p/volatility/source/browse/tags/Volatility-1.3.1/for…
[2]
http://code.google.com/p/volatility/source/browse/branches/Volatility-1.4_b…
[3] http://volatility.googlecode.com/svn/branches/Volatility-1.4_beta1
5426
days inactive
5426
days old
vol-dev@lists.volatilityfoundation.org
1 comments
2 participants
participants (2)
-
McCash John-GKJN37 -
Mike Auty