2:58 p.m.
First, I'm not a spammer, I promise :)
Following the instructions provided by Bradley Schatz [1] I added a new
profile for
Windows Vista SP2.
since the code is actively revised it's obvious that not all commands
work how is
expected, but I'm very surprised that the command kpcrscan always get
the same value:
C:\Volatility-1.4_rc1>volatility.py --profile=VistaSP2x86 -f
vistasp2.dmp kpcrscan
Volatile Systems Volatility Framework 1.4_rc1
Potential KPCR structure virtual addresses:
Phys addr 00150000 Virt addr ffdff000
_KPCR: ffdff000
obviously this is not correct
0: kd> !pcr
KPCR for Processor 0 at 81d45800:
Major 1 Minor 1
NtTib.ExceptionList: ffffffff
NtTib.StackBase: 00000000
NtTib.StackLimit: 00000000
NtTib.SubSystemTib: 80151000
NtTib.Version: 001d39f9
NtTib.UserPointer: 00000001
NtTib.SelfTib: 00000000
SelfPcr: 81d45800
Prcb: 81d45920
Irql: 00000002
IRR: 00000000
IDR: ffffffff
InterruptMode: 00000000
IDT: 81bff400
GDT: 81bff000
TSS: 80151000
CurrentThread: 81d49640
NextThread: 00000000
IdleThread: 81d49640
DpcQueue:
The volatility code version is the latest available via subversion (r493).
[1]
http://blog.schatzforensic.com.au/2010/05/adding-new-structure-definitions-…
---
La verdad nos hara libres
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
1:38 a.m.
Neofito,
It strikes me as strange that it is finding it as the old fixed KPCR
address. Two things come immediately to mind:
1. A change in the KPCR structure in SP2; and
2. Regression in the configury code relying on a fixed address.
Have you dumped the KPCR structure under windbg and SP2 and compared
against (6) at
http://blog.schatzforensic.com.au/2010/07/finding-object-roots-in-vista-
kpcr/ ?
Thanks,
Bradley
Dr. Bradley Schatz | Forensic computer scientist
Ph.D. (Computer Forensics), B.Sc. (Computer Science)
Director, Schatz Forensic Pty. Ltd.
p: 1 300 364 101 | f: +61 7 3301 1843 | m: +61 422 949 039
e: bradley(a)schatzforensic.com.au | p: PO Box 15972, City East,
Brisbane, QLD 4002
w: www.schatzforensic.com.au
-----Original Message-----
From: vol-dev-bounces(a)volatilityfoundation.org
[mailto:vol-dev-bounces@volatilityfoundation.org] On Behalf Of neofito
Sent: Tuesday, 5 October 2010 4:58 AM
To: vol-dev(a)volatilityfoundation.org
Subject: [Vol-dev] New memory profile and kpcrscan question
First, I'm not a spammer, I promise :)
Following the instructions provided by Bradley Schatz [1] I added a new
profile for Windows Vista SP2.
since the code is actively revised it's obvious that not all commands
work how is expected, but I'm very surprised that the command kpcrscan
always get the same value:
C:\Volatility-1.4_rc1>volatility.py --profile=VistaSP2x86 -f
vistasp2.dmp kpcrscan Volatile Systems Volatility Framework 1.4_rc1
Potential KPCR structure virtual addresses:
Phys addr 00150000 Virt addr ffdff000
_KPCR: ffdff000
obviously this is not correct
0: kd> !pcr
KPCR for Processor 0 at 81d45800:
Major 1 Minor 1
NtTib.ExceptionList: ffffffff
NtTib.StackBase: 00000000
NtTib.StackLimit: 00000000
NtTib.SubSystemTib: 80151000
NtTib.Version: 001d39f9
NtTib.UserPointer: 00000001
NtTib.SelfTib: 00000000
SelfPcr: 81d45800
Prcb: 81d45920
Irql: 00000002
IRR: 00000000
IDR: ffffffff
InterruptMode: 00000000
IDT: 81bff400
GDT: 81bff000
TSS: 80151000
CurrentThread: 81d49640
NextThread: 00000000
IdleThread: 81d49640
DpcQueue:
The volatility code version is the latest available via subversion
(r493).
[1]
http://blog.schatzforensic.com.au/2010/05/adding-new-structure-definitio
ns-to-volatility/
---
La verdad nos hara libres
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
11:14 a.m.
Sorry for the confusion,
I should've posted to the list but we solved this offline. The Vista
profile was based mostly off of XPSP2, hence the VolatilityMagic request
for the KPCR was returning the same fixed KPCR as for XPSP2. Inheriting
the appropriate line from the win7_x86_sp0 overlay:
win7sp0x86overlays['VOLATILITY_MAGIC'][1]['KPCR'][1] =
['VolatilityKPCR']
solves the problem by using the KPCR scanner to carry out the check.
I've now modified the kpcrscan plugin to ensure it always scans, rather
than asking VolatiltiyMagic for an answer, but that was what was causing
the original problem. The Vista profile hasn't been updated in the main
tree yet either, but we're working on getting Windows 7 going first, and
then porting all the relevant change across to Vista...
Mike 5:)
5097
days inactive
5108
days old
vol-dev@lists.volatilityfoundation.org
2 comments
3 participants
participants (3)
-
Bradley Schatz -
Mike Auty -
neofito