[Vol-dev] A doubt about vista_sp0_x86_vtypes.py

AAron Walters awalters at 4tphi.net
Thu Jan 20 00:37:09 CST 2011



neofito,

I would guess that is the file that Bradley was interested in when he 
generated the profile.  If you would prefer to use types from 
ntkrpamp.pdb, please feel free. With all the changes in the upcoming 1.4, 
adding new types and profiles has become a lot easier. Hopefully you will 
also decide to submit them back and assist with Vista testing.

Have you run into problems with the current profile?  Is it not working?

Thanks,

AW




On Wed, 19 Jan 2011, neofito wrote:

> Hello,
>
> From "Windows Internals, Fifth Edition":
>
> On 32-bit x86 systems, the flag in the page table entry to mark a page as 
> nonexecutable is available only when the processor is running in Physical Address 
> Extension (PAE) mode. Thus, support for hardware DEP on 32-bit systems 
> requires loading the PAE kernel
>
> Why is the file used ntkrnlmp.pdb instead of ntkrpamp.pdb?
>
> Thanks,
> ---
> The truth will set us free
>
> http://neosysforensics.blogspot.com
> http://www.wadalbertia.org
> -<|:-P[G]

