Sorry for the delay.
I only have a Vista SP2 dump with PAE enabled and find no difference
between using the symbols of the non-PAE kernel or the PAE one.
Thanks
On 21/01/2011 1:59, Bradley Schatz wrote:
Hi Neofito,
Interesting question. I can't recall whether I was working with a PAE-enabled Vista
at that point or not.
The relevant question here is: "Will it make a difference with the current structure
layouts relied upon by Volatility?"
How does the current profile work in both the PAE and NOPAE environments of Vista?
Thanks,
Bradley
Dr Bradley Schatz | Forensic computer scientist
PhD (Digital Forensics), BSc (Computer Science)
Director, Schatz Forensic Pty. Ltd.
p: 1 300 364 101 | f: +61 7 3301 1843 | m: +61 422 949 039
e: bradley(a)schatzforensic.com.au | p: PO Box 15972, City East, Brisbane, QLD 4002
w: www.schatzforensic.com.au
-----Original Message-----
From: vol-dev-bounces(a)volatilityfoundation.org
[mailto:vol-dev-bounces@volatilityfoundation.org] On Behalf Of neofito
Sent: Thursday, 20 January 2011 8:43 AM
To: vol-dev(a)volatilityfoundation.org
Subject: [Vol-dev] A doubt about vista_sp0_x86_vtypes.py
Hello,
From "Windows Internals, Fifth Edition":
On 32-bit x86 systems, the flag in the page table entry to mark a page as nonexecutable
is available only when the processor is running in Physical Address Extension (PAE) mode.
Thus, support for hardware DEP on 32-bit systems requires loading the PAE kernel.
Why is the file used ntkrnlmp.pdb instead of ntkrpamp.pdb?
Thanks,
---
The truth will set us free
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
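The book passage neofito quotes is about the page-table entry format, which is a paging-mode property, whereas the vtypes file describes kernel structure layouts. The following is an added example, not code from the thread or from the Volatility project, that decodes both x86 PTE layouts so the difference is concrete: the non-PAE entry is 32 bits with a 20-bit PFN and no NX bit at all, while the PAE entry is 64 bits and carries the execute-disable flag in bit 63. The bit positions follow the Intel SDM and Windows Internals description; the PTE tables are constructed sample data, and the 40-bit PFN mask assumes a 52-bit physical address ceiling.

```python
import struct

# Flag bits common to both layouts (low bits of the entry).
PTE_PRESENT = 1 << 0
PTE_WRITE = 1 << 1
PTE_USER = 1 << 2
# Execute-disable bit; exists only in the 64-bit PAE/long-mode entry.
PAE_NX = 1 << 63
# Assumption: 52-bit MAXPHYADDR, so the PFN occupies bits 12..51 (40 bits).
PAE_PFN_MASK = (1 << 40) - 1


def decode_pte_nopae(raw: bytes) -> dict:
    """Decode a 4-byte non-PAE PTE. The layout has no NX bit, so 'nx' is None."""
    (pte,) = struct.unpack("<I", raw)
    return {
        "present": bool(pte & PTE_PRESENT),
        "writable": bool(pte & PTE_WRITE),
        "user": bool(pte & PTE_USER),
        "pfn": pte >> 12,          # 20-bit page frame number
        "nx": None,                # not representable: hardware DEP unavailable
    }


def decode_pte_pae(raw: bytes) -> dict:
    """Decode an 8-byte PAE PTE; bit 63 is the execute-disable (NX) flag."""
    (pte,) = struct.unpack("<Q", raw)
    return {
        "present": bool(pte & PTE_PRESENT),
        "writable": bool(pte & PTE_WRITE),
        "user": bool(pte & PTE_USER),
        "pfn": (pte >> 12) & PAE_PFN_MASK,
        "nx": bool(pte & PAE_NX),
    }


def find_writable_executable(table: bytes, pae: bool) -> list:
    """Return indices of present, writable pages that are also executable.

    Under non-PAE every present page is executable (there is nothing to
    deny execution), so any writable page is W+X. Under PAE only entries
    with NX clear qualify, which is what hardware DEP enforcement relies on.
    """
    decoder = decode_pte_pae if pae else decode_pte_nopae
    size = 8 if pae else 4
    hits = []
    for i in range(len(table) // size):
        entry = decoder(table[i * size:(i + 1) * size])
        if entry["present"] and entry["writable"] and not entry["nx"]:
            hits.append(i)
    return hits


# Constructed sample tables (three entries each), not taken from any dump.
# Non-PAE: [present+writable pfn 1], [present read-only pfn 2], [not present]
NOPAE_TABLE = struct.pack("<3I", 0x00001003, 0x00002001, 0x00000000)
# PAE: [present+writable+NX pfn 3], [present+writable pfn 4], [present read-only pfn 5]
PAE_TABLE = struct.pack("<3Q", 0x8000000000003003, 0x0000000000004003, 0x0000000000005001)

if __name__ == "__main__":
    print("non-PAE W+X pages:", find_writable_executable(NOPAE_TABLE, pae=False))
    print("PAE W+X pages:    ", find_writable_executable(PAE_TABLE, pae=True))
```

Run stand-alone it reports index 0 as writable-and-executable in the non-PAE table (the only writable page, and nothing in the format can say otherwise) and index 1 in the PAE table, because entry 0 has NX set. Decoding the entry width and NX bit is a concern of the address-space layer that walks page tables, which is separate from the structure offsets a vtypes file supplies, which is consistent with neofito finding no difference when swapping the two kernels' symbols.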