5:42 p.m.
Hello,
From "Windows Internals, Fifth Edition":
On 32-bit x86 systems, the flag in the page table entry to mark a page
as nonexecutable is available only when processor is running in Physical
Address Extension (PAE) mode. Thus, support for hardware DEP on 32-bit
systems requires loading the PAE kernel
Why the file used is ntkrnlmp.pdb instead of ntkrpamp.pdb?
Thanks,
---
La verdad nos hara libres
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
1:37 a.m.
neofito,
I would guess that is the file that Bradley was interested in when he
generated the profile. If you would prefer to use types from
ntkrpamp.pdb, please feel free. With all the changes in the upcoming 1.4,
adding new types and profiles has become a lot easier. Hopefully you will
also decide to submit them back and assist with Vista testing.
Have you run into problems with the current profile? Is it not working?
Thanks,
AW
On Wed, 19 Jan 2011, neofito wrote:
Hello,
From "Windows Internals, Fifth Edition":
On 32-bit x86 systems, the flag in the page table entry to mark a page as
nonexecutable is available only when processor is running in Physical Address
Extension (PAE) mode. Thus, support for hardware DEP on 32-bit systems
requires loading the PAE kernel
Why the file used is ntkrnlmp.pdb instead of ntkrpamp.pdb?
Thanks,
---
La verdad nos hara libres
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
1:25 p.m.
The current Vista profile is working well, it was just a doubt
Thanks
El 20/01/2011 7:37, AAron Walters escribió:
neofito,
I would guess that is the file that Bradley was interested in when he
generated the profile. If you would prefer to use types from
ntkrpamp.pdb, please feel free. With all the changes in the upcoming
1.4, adding new types and profiles has become a lot easier. Hopefully
you will also decide to submit them back and assist with Vista testing.
Have you run into problems with the current profile? Is it not working?
Thanks,
AW
On Wed, 19 Jan 2011, neofito wrote:
Hello,
From "Windows Internals, Fifth Edition":
On 32-bit x86 systems, the flag in the page table entry to mark a
page as nonexecutable is available only when processor is running in
Physical Address Extension (PAE) mode. Thus, support for hardware DEP
on 32-bit systems requires loading the PAE kernel
Why the file used is ntkrnlmp.pdb instead of ntkrpamp.pdb?
Thanks,
---
La verdad nos hara libres
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
-----
Se certifico que el correo no contiene virus.
Comprobada por AVG - www.avg.es
Version: 10.0.1191 / Base de datos de virus: 1435/3392 - Fecha de la
version: 20/01/2011
9:29 p.m.
Please let us know if you experience any issues.
Thanks,
AW
On Wed, 26 Jan 2011, neofito wrote:
The current Vista profile is working well, it was just
a doubt
Thanks
El 20/01/2011 7:37, AAron Walters escribió:
neofito,
I would guess that is the file that Bradley was interested in when he
generated the profile. If you would prefer to use types from ntkrpamp.pdb,
please feel free. With all the changes in the upcoming 1.4, adding new
types and profiles has become a lot easier. Hopefully you will also decide
to submit them back and assist with Vista testing.
Have you run into problems with the current profile? Is it not working?
Thanks,
AW
On Wed, 19 Jan 2011, neofito wrote:
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
Hello,
From "Windows Internals, Fifth Edition":
On 32-bit x86 systems, the flag in the page table entry to mark a page as
nonexecutable is available only when processor is running in Physical
Address Extension (PAE) mode. Thus, support for hardware DEP on 32-bit
systems requires loading the PAE kernel
Why the file used is ntkrnlmp.pdb instead of ntkrpamp.pdb?
Thanks,
---
La verdad nos hara libres
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
-----
Se certifico que el correo no contiene virus.
Comprobada por AVG - www.avg.es
Version: 10.0.1191 / Base de datos de virus: 1435/3392 - Fecha de la
version: 20/01/2011
7:59 p.m.
Hi Neofito,
Interesting question. I can't recall weather I was working with a PAE enabled Vista at
that point or not.
The relevant question here is: "Will make a difference with the current structure
layouts relied upon by volatility?"
How does the current profile work in both the PAE and NOPAE environments of Vista?
Thanks,
Bradley
Dr Bradley Schatz | Forensic computer scientist
PhD (Digital Forensics), BSc (Computer Science)
Director, Schatz Forensic Pty. Ltd.
p: 1 300 364 101 | f: +61 7 3301 1843 | m: +61 422 949 039
e: bradley(a)schatzforensic.com.au | p: PO Box 15972, City East, Brisbane, QLD
4002
w: www.schatzforensic.com.au
-----Original Message-----
From: vol-dev-bounces(a)volatilityfoundation.org
[mailto:vol-dev-bounces@volatilityfoundation.org] On Behalf Of neofito
Sent: Thursday, 20 January 2011 8:43 AM
To: vol-dev(a)volatilityfoundation.org
Subject: [Vol-dev] A doubt about vista_sp0_x86_vtypes.py
Hello,
From "Windows Internals, Fifth Edition":
On 32-bit x86 systems, the flag in the page table entry to mark a page as nonexecutable is
available only when processor is running in Physical Address Extension (PAE) mode. Thus,
support for hardware DEP on 32-bit systems requires loading the PAE kernel
Why the file used is ntkrnlmp.pdb instead of ntkrpamp.pdb?
Thanks,
---
La verdad nos hara libres
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
1:40 p.m.
I feel the delay
I only have a Vista SP2 dump with PAE enabled and find no difference
between using the symbols of non-pae kernel or pae,
Thanks
El 21/01/2011 1:59, Bradley Schatz escribió:
Hi Neofito,
Interesting question. I can't recall weather I was working with a PAE enabled Vista
at that point or not.
The relevant question here is: "Will make a difference with the current structure
layouts relied upon by volatility?"
How does the current profile work in both the PAE and NOPAE environments of Vista?
Thanks,
Bradley
Dr Bradley Schatz | Forensic computer scientist
PhD (Digital Forensics), BSc (Computer Science)
Director, Schatz Forensic Pty. Ltd.
p: 1 300 364 101 | f: +61 7 3301 1843 | m: +61 422 949 039
e: bradley(a)schatzforensic.com.au | p: PO Box 15972, City East, Brisbane, QLD
4002
w: www.schatzforensic.com.au
-----Original Message-----
From: vol-dev-bounces(a)volatilityfoundation.org
[mailto:vol-dev-bounces@volatilityfoundation.org] On Behalf Of neofito
Sent: Thursday, 20 January 2011 8:43 AM
To: vol-dev(a)volatilityfoundation.org
Subject: [Vol-dev] A doubt about vista_sp0_x86_vtypes.py
Hello,
From "Windows Internals, Fifth Edition":
On 32-bit x86 systems, the flag in the page table entry to mark a page as nonexecutable
is available only when processor is running in Physical Address Extension (PAE) mode.
Thus, support for hardware DEP on 32-bit systems requires loading the PAE kernel
Why the file used is ntkrnlmp.pdb instead of ntkrpamp.pdb?
Thanks,
---
La verdad nos hara libres
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
-----
Se certificó que el correo no contiene virus.
Comprobada por AVG - www.avg.es
Versión: 10.0.1191 / Base de datos de virus: 1435/3392 - Fecha de la versión: 20/01/2011
5252
days inactive
5260
days old
vol-dev@lists.volatilityfoundation.org
5 comments
3 participants
participants (3)
-
AAron Walters -
Bradley Schatz -
neofito