[Vol-dev] A doubt about vista_sp0_x86_vtypes.py
bradley at schatzforensic.com.au
Thu Jan 20 18:59:20 CST 2011
Interesting question. I can't recall whether I was working with a PAE enabled Vista at that point or not.
The relevant question here is: "Will it make a difference with the current structure layouts relied upon by volatility?"
How does the current profile work in both the PAE and NOPAE environments of Vista?
Dr Bradley Schatz | Forensic computer scientist
PhD (Digital Forensics), BSc (Computer Science)
Director, Schatz Forensic Pty. Ltd.
p: 1 300 364 101 | f: +61 7 3301 1843 | m: +61 422 949 039
e: bradley at schatzforensic.com.au | p: PO Box 15972, City East, Brisbane, QLD 4002
From: vol-dev-bounces at volatilityfoundation.org [mailto:vol-dev-bounces at volatilityfoundation.org] On Behalf Of neofito
Sent: Thursday, 20 January 2011 8:43 AM
To: vol-dev at volatilityfoundation.org
Subject: [Vol-dev] A doubt about vista_sp0_x86_vtypes.py
From "Windows Internals, Fifth Edition":
On 32-bit x86 systems, the flag in the page table entry to mark a page as nonexecutable is available only when the processor is running in Physical Address Extension (PAE) mode. Thus, support for hardware DEP on 32-bit systems requires loading the PAE kernel.
Why is the file used ntkrnlmp.pdb instead of ntkrpamp.pdb?
The truth will set us free
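To make the difference the quoted passage describes concrete, here is an added illustration (not code from this thread or from Volatility) that decodes a page-table entry and splits a virtual address under both the non-PAE 32-bit and the PAE 64-bit x86 layouts; the sample entries are constructed, and the field positions are the architecturally documented ones.

```python
"""Decode x86 PTEs in non-PAE (32-bit) and PAE (64-bit) format.

Shows why the NX flag (bit 63) only exists in PAE mode and how the
page-table walk itself changes, which is what a memory-forensics
address space must get right for a 32-bit PAE kernel.
"""
from dataclasses import dataclass
from typing import Optional

PTE_PRESENT = 1 << 0
PTE_WRITABLE = 1 << 1
PTE_USER = 1 << 2
PAE_NX_BIT = 1 << 63          # only meaningful in a 64-bit (PAE) entry


@dataclass
class DecodedPte:
    present: bool
    writable: bool
    user: bool
    nx: Optional[bool]        # None: the format has no NX bit at all
    pfn: int                  # page frame number (physical address >> 12)


def decode_pte(raw: int, pae: bool) -> DecodedPte:
    """Interpret one raw entry. PAE entries are 8 bytes, non-PAE 4 bytes."""
    width = 64 if pae else 32
    if raw < 0 or raw >> width:
        raise ValueError(f"entry does not fit in {width} bits: {raw:#x}")
    if pae:
        nx = bool(raw & PAE_NX_BIT)
        pfn = (raw >> 12) & ((1 << 40) - 1)   # bits 12..51
    else:
        nx = None                              # no NX bit in a 32-bit PTE
        pfn = (raw >> 12) & 0xFFFFF            # bits 12..31
    return DecodedPte(bool(raw & PTE_PRESENT), bool(raw & PTE_WRITABLE),
                      bool(raw & PTE_USER), nx, pfn)


def split_vaddr(vaddr: int, pae: bool) -> dict:
    """Return the table indices a page walk uses for a 32-bit virtual address."""
    if vaddr < 0 or vaddr >> 32:
        raise ValueError("32-bit virtual address expected")
    if pae:   # 2-bit PDPT index, 9-bit PDE, 9-bit PTE, 12-bit offset
        return {"pdpt": vaddr >> 30, "pde": (vaddr >> 21) & 0x1FF,
                "pte": (vaddr >> 12) & 0x1FF, "offset": vaddr & 0xFFF}
    # non-PAE: 10-bit PDE, 10-bit PTE, 12-bit offset
    return {"pde": vaddr >> 22, "pte": (vaddr >> 12) & 0x3FF,
            "offset": vaddr & 0xFFF}
```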