Following the instructions provided by Bradley Schatz [1] I added a new profile for Windows Vista SP2.
Since the code is actively revised it's obvious that not all commands work as expected, but I'm very surprised that the command kpcrscan always gets the same value:
C:\Volatility-1.4_rc1>volatility.py --profile=VistaSP2x86 -f vistasp2.dmp kpcrscan
Volatile Systems Volatility Framework 1.4_rc1
Potential KPCR structure virtual addresses:
Phys addr 00150000 Virt addr ffdff000
_KPCR: ffdff000
Obviously this is not correct:
0: kd> !pcr
KPCR for Processor 0 at 81d45800:
Major 1 Minor 1
NtTib.ExceptionList: ffffffff
NtTib.StackBase: 00000000
NtTib.StackLimit: 00000000
NtTib.SubSystemTib: 80151000
NtTib.Version: 001d39f9
NtTib.UserPointer: 00000001
NtTib.SelfTib: 00000000
SelfPcr: 81d45800
Prcb: 81d45920
Irql: 00000002
IRR: 00000000
IDR: ffffffff
InterruptMode: 00000000
IDT: 81bff400
GDT: 81bff000
TSS: 80151000
CurrentThread: 81d49640
NextThread: 00000000
IdleThread: 81d49640
DpcQueue:
The volatility code version is the latest available via subversion (r493).
[1] http://blog.schatzforensic.com.au/2010/05/adding-new-structure-definitions-…
---
The truth will set us free
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
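To make the mismatch above concrete, here is an added example (not Volatility's own kpcrscan code and not from the thread) of the self-reference test that a KPCR scanner can apply to a physical memory image: on 32-bit Windows the _KPCR holds a pointer to itself in SelfPcr (offset 0x1c) and a pointer to its embedded _KPRCB in Prcb (offset 0x20), and the embedded PrcbData sits at offset 0x120, so a genuine structure satisfies Prcb == SelfPcr + 0x120, exactly as the kd output shows (81d45920 == 81d45800 + 0x120). The scanner also rejects candidates whose page offset in the image does not agree with the page offset of the virtual address they claim. The field offsets are assumptions taken from the public x86 _KPCR layout, and the physical placements in the constructed sample image are made up; only the virtual addresses quoted from the thread are real.

```python
import struct

# Assumed x86 _KPCR field offsets (public XP/Vista/Win7 32-bit layout).
SELFPCR_OFF = 0x1C      # _KPCR.SelfPcr  -> virtual address of this KPCR
PRCB_OFF = 0x20         # _KPCR.Prcb     -> virtual address of embedded _KPRCB
IDT_OFF, GDT_OFF = 0x38, 0x3C
VERSION_OFF = 0x44      # MajorVersion / MinorVersion as two USHORTs
PRCBDATA_OFF = 0x120    # _KPCR.PrcbData, the embedded _KPRCB
KPCR_LEN = PRCBDATA_OFF + 4
KERNEL_BASE = 0x80000000  # lowest kernel-mode address without /3GB


def make_fake_kpcr(virt_addr, idt=0x81BFF400, gdt=0x81BFF000):
    """Build a byte blob whose SelfPcr/Prcb fields are consistent with virt_addr.
    Default IDT/GDT values are the ones printed by !pcr in the thread."""
    buf = bytearray(KPCR_LEN)
    struct.pack_into("<I", buf, SELFPCR_OFF, virt_addr)
    struct.pack_into("<I", buf, PRCB_OFF, virt_addr + PRCBDATA_OFF)
    struct.pack_into("<I", buf, IDT_OFF, idt)
    struct.pack_into("<I", buf, GDT_OFF, gdt)
    struct.pack_into("<HH", buf, VERSION_OFF, 1, 1)  # Major 1 Minor 1
    return bytes(buf)


def kpcr_scan(image):
    """Return [(phys_off, virt_addr)] for every 4-byte-aligned offset whose
    SelfPcr/Prcb pair is self-consistent and whose page offset matches."""
    hits = []
    for off in range(0, len(image) - KPCR_LEN, 4):
        self_pcr, prcb = struct.unpack_from("<II", image, off + SELFPCR_OFF)
        if self_pcr < KERNEL_BASE:            # SelfPcr must be a kernel pointer
            continue
        if prcb != self_pcr + PRCBDATA_OFF:   # Prcb must point at PrcbData
            continue
        if (self_pcr & 0xFFF) != (off & 0xFFF):  # same offset within the 4K page
            continue
        hits.append((off, self_pcr))
    return hits


def format_hit(hit):
    """Render a hit the way the thread's kpcrscan output does."""
    phys, virt = hit
    return "Phys addr %08x Virt addr %08x" % (phys, virt)


def build_sample_image():
    """Constructed 16 KiB 'physical memory' with one valid KPCR and one decoy."""
    image = bytearray(0x4000)
    # Valid structure: claims the virtual address kd reported, placed at a
    # made-up physical offset whose page offset (0x800) agrees with 81d45800.
    image[0x2800:0x2800 + KPCR_LEN] = make_fake_kpcr(0x81D45800)
    # Decoy: kernel-looking SelfPcr (the value kpcrscan printed in the thread)
    # but a Prcb pointer that does not land on PrcbData; must be rejected.
    decoy = bytearray(make_fake_kpcr(0xFFDFF000))
    struct.pack_into("<I", decoy, PRCB_OFF, 0xFFDFF000 + 0x100)
    image[0x1000:0x1000 + KPCR_LEN] = decoy
    return bytes(image)


if __name__ == "__main__":
    print("Potential KPCR structure virtual addresses:")
    for hit in kpcr_scan(build_sample_image()):
        print(format_hit(hit))
```

Against a real image, a hit still has to be confirmed by walking the page tables (the scanner above only checks the low 12 bits), and checking that the candidate's IDT/GDT fields are kernel pointers is a cheap extra filter; the point of the example is that a single self-consistent pair of pointers is what separates a real KPCR from a stale copy or a coincidental value.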
First, sorry for my poor English :(
Following the instructions provided by Bradley Schatz [1] I can't get the new profile to load:
C:\Volatility-1.4_rc1>dir plugins\overlays\Windows\vista_*
...
26/09/2010 22:47 2.232 vista_sp0_x86.py
26/09/2010 22:48 2.357 vista_sp0_x86.pyc
26/09/2010 22:47 286.008 vista_sp0_x86_vtypes.py
26/09/2010 22:48 192.774 vista_sp0_x86_vtypes.pyc
01/10/2010 23:18 2.235 vista_sp2_x86.py
01/10/2010 23:19 2.360 vista_sp2_x86.pyc
01/10/2010 22:36 315.748 vista_sp2_x86_vtypes.py
01/10/2010 23:19 207.429 vista_sp2_x86_vtypes.pyc
...
C:\Volatility-1.4_rc1>volatility.py --info
Volatile Systems Volatility Framework 1.4_rc1
...
PROFILES
--------
VistaSP0x86 - A Profile for Windows Vista SP0 x86
Win7SP0x86 - A Profile for Windows 7 SP0 x86
WinXPSP2 - A Profile for Windows XP SP2
WinXPSP3 - A Profile for windows XP SP3
...
What am I doing wrong?
[1] http://blog.schatzforensic.com.au/2010/05/adding-new-structure-definitions-…
---
The truth will set us free
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]