What you ended up doing in the editbox plugin seems reasonable. I
had to do something similar to fix the --fix parameter to dlldump and
procdump. Problem was for wow64 processes, Volatility was using
_IMAGE_OPTIONAL_HEADER64 and not the _IMAGE_OPTIONAL_HEADER (32-bit
version). At this location in the code, we had a pointer to the PE
header but not the _EPROCESS structure so I couldn't use the IsWow64
method. Instead, I checked the _OPTIONAL_HEADER.Magic value and compared
it with IMAGE_NT_OPTIONAL_HDR32_MAGIC... and if so I cast the image header
to the 32-bit version.
https://github.com/volatilityfoundation/volatility/commit/c6841586ccbba2f3f…
Cheers,
MHL
On 5/20/16 5:03 PM, Bridgey theGeek wrote:
Hi all,
Wondering if anybody's come across this scenario...
I want to read an address from my_offset:
my_address = obj.Object('address', offset=my_offset, vm=task_vm)
However, for Wow64 the address should only be 4 bytes, but because we're
analysing with a 64-bit profile, 'address' will cause 8 bytes to be
parsed (right?).
Do I need to replace it with something like:
if profile_is_32bit or process_is_wow64:
    # 4-byte pointer for a 32-bit profile or a wow64 process
    my_address = obj.Object('unsigned long', offset=my_offset, vm=task_vm)
else:
    # 8-byte pointer for a native 64-bit process
    my_address = obj.Object('unsigned long long', offset=my_offset,
                            vm=task_vm)
Or do I need to start manually unpacking structs?
Thanks,
Adam
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
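Added example (not code from either message above, nor from Volatility itself): a stand-alone Python 3 sketch of the two points in this thread, the Magic check on the PE optional header that MHL describes and the 4-byte versus 8-byte pointer read that Adam asks about. It uses only the struct module and a constructed IMAGE_NT_HEADERS blob, so it runs without a memory image; the function names (pointer_size_from_nt_headers, read_address, parse_nt_headers, build_sample) and the sample values are assumptions made for the example. The Magic constants (0x10B for PE32, 0x20B for PE32+) and the optional-header field offsets are from the PE specification.

```python
import struct

# _IMAGE_OPTIONAL_HEADER.Magic values from the PE specification.
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B  # PE32: 32-bit image (what a wow64 process runs)
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B  # PE32+: native 64-bit image

NT_SIGNATURE = b"PE\x00\x00"
FILE_HEADER_SIZE = 20
OPT_HDR_OFFSET = len(NT_SIGNATURE) + FILE_HEADER_SIZE  # optional header starts at +24

# Field offsets inside the optional header (per the PE spec).
ENTRY_POINT_OFFSET = 16                 # AddressOfEntryPoint is a 4-byte RVA in both layouts
IMAGE_BASE_OFFSET = {                   # ImageBase moves and changes width between layouts
    IMAGE_NT_OPTIONAL_HDR32_MAGIC: 28,  # _IMAGE_OPTIONAL_HEADER (4-byte ImageBase)
    IMAGE_NT_OPTIONAL_HDR64_MAGIC: 24,  # _IMAGE_OPTIONAL_HEADER64 (8-byte ImageBase)
}


def pointer_size_from_nt_headers(nt_headers):
    """Decide the pointer width (4 or 8) from Magic alone, with no _EPROCESS in hand.

    This mirrors the dlldump/procdump fix: at this point we only have the PE
    header, so IsWow64() is unavailable and Magic is the discriminator.
    """
    if nt_headers[:4] != NT_SIGNATURE:
        raise ValueError("not an IMAGE_NT_HEADERS blob")
    (magic,) = struct.unpack_from("<H", nt_headers, OPT_HDR_OFFSET)
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return 4
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        return 8
    raise ValueError("unknown optional header magic 0x%x" % magic)


def read_address(buf, offset, pointer_size):
    """Read a pointer-width value, the equivalent of choosing 'unsigned long'
    (4 bytes) or 'unsigned long long' (8 bytes) instead of 'address'."""
    fmt = "<I" if pointer_size == 4 else "<Q"
    (value,) = struct.unpack_from(fmt, buf, offset)
    return value


def parse_nt_headers(nt_headers):
    """Cast to the 32-bit or 64-bit optional header layout based on Magic."""
    ptr = pointer_size_from_nt_headers(nt_headers)
    magic = IMAGE_NT_OPTIONAL_HDR32_MAGIC if ptr == 4 else IMAGE_NT_OPTIONAL_HDR64_MAGIC
    entry_rva = read_address(nt_headers, OPT_HDR_OFFSET + ENTRY_POINT_OFFSET, 4)
    image_base = read_address(nt_headers, OPT_HDR_OFFSET + IMAGE_BASE_OFFSET[magic], ptr)
    return {"pointer_size": ptr, "entry_rva": entry_rva, "image_base": image_base}


def build_sample(magic, image_base, entry_rva=0x1000):
    """Construct a minimal IMAGE_NT_HEADERS blob (sample data made for this example)."""
    machine = 0x14C if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC else 0x8664
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData,
        # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase (4 bytes)
        opt = struct.pack("<HBBIIIIIII", magic, 14, 0, 0, 0, 0,
                          entry_rva, 0x1000, 0x2000, image_base)
    else:
        # Same up to BaseOfCode, then ImageBase (8 bytes); no BaseOfData in PE32+
        opt = struct.pack("<HBBIIIIIQ", magic, 14, 0, 0, 0, 0,
                          entry_rva, 0x1000, image_base)
    return NT_SIGNATURE + file_header + opt


if __name__ == "__main__":
    wow64_like = build_sample(IMAGE_NT_OPTIONAL_HDR32_MAGIC, 0x400000)
    native64 = build_sample(IMAGE_NT_OPTIONAL_HDR64_MAGIC, 0x140000000)
    print("PE32  :", parse_nt_headers(wow64_like))
    print("PE32+ :", parse_nt_headers(native64))
```

Reading ImageBase with the wrong layout is the failure the thread describes: on the PE32 sample, the 64-bit layout would take 8 bytes at +24 and fold BaseOfData into the low half of the value, so the returned base is simply wrong rather than obviously broken, which is why checking Magic before the cast matters.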