[Vol-dev] A doubt about vista_sp0_x86_vtypes.py

Bradley Schatz bradley at schatzforensic.com.au
Thu Jan 20 18:59:20 CST 2011


Hi Neofito,

Interesting question. I can't recall weather I was working with a PAE enabled Vista at that point or not. 

The relevant question here is: "Will make a difference with the current structure layouts relied upon by volatility?" 

How does the current profile work in both the PAE and NOPAE environments of Vista?

Thanks,
Bradley


Dr Bradley Schatz  |  Forensic computer scientist
PhD (Digital Forensics), BSc (Computer Science)
Director, Schatz Forensic Pty. Ltd.

p: 1 300 364 101  |  f: +61 7 3301 1843  |  m: +61 422 949 039
e: bradley at schatzforensic.com.au         |  p: PO Box 15972, City East, Brisbane, QLD  4002
w: www.schatzforensic.com.au


-----Original Message-----
From: vol-dev-bounces at volatilityfoundation.org [mailto:vol-dev-bounces at volatilityfoundation.org] On Behalf Of neofito
Sent: Thursday, 20 January 2011 8:43 AM
To: vol-dev at volatilityfoundation.org
Subject: [Vol-dev] A doubt about vista_sp0_x86_vtypes.py

Hello,

 From "Windows Internals, Fifth Edition":

On 32-bit x86 systems, the flag in the page table entry to mark a page as nonexecutable is available only when processor is running in Physical Address Extension (PAE) mode. Thus, support for hardware DEP on 32-bit systems requires loading the PAE kernel

Why the file used is ntkrnlmp.pdb instead of ntkrpamp.pdb?

Thanks,
---
La verdad nos hara libres

http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
_______________________________________________
Vol-dev mailing list
Vol-dev at volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev


More information about the Vol-dev mailing list