[Vol-dev] A doubt about vista_sp0_x86_vtypes.py

neofito vjaviergarcia at ono.com
Wed Jan 26 12:40:38 CST 2011


Sorry for the delay.

I only have a Vista SP2 dump with PAE enabled, and I find no difference
between using the symbols of the non-PAE kernel or the PAE one.

Thanks


On 21/01/2011 1:59, Bradley Schatz wrote:
> Hi Neofito,
>
> Interesting question. I can't recall whether I was working with a PAE enabled Vista at that point or not.
>
> The relevant question here is: "Will it make a difference with the current structure layouts relied upon by volatility?"
>
> How does the current profile work in both the PAE and NOPAE environments of Vista?
>
> Thanks,
> Bradley
>
>
> Dr Bradley Schatz  |  Forensic computer scientist
> PhD (Digital Forensics), BSc (Computer Science)
> Director, Schatz Forensic Pty. Ltd.
>
> p: 1 300 364 101  |  f: +61 7 3301 1843  |  m: +61 422 949 039
> e: bradley at schatzforensic.com.au         |  p: PO Box 15972, City East, Brisbane, QLD  4002
> w: www.schatzforensic.com.au
>
>
> -----Original Message-----
> From: vol-dev-bounces at volatilityfoundation.org [mailto:vol-dev-bounces at volatilityfoundation.org] On Behalf Of neofito
> Sent: Thursday, 20 January 2011 8:43 AM
> To: vol-dev at volatilityfoundation.org
> Subject: [Vol-dev] A doubt about vista_sp0_x86_vtypes.py
>
> Hello,
>
>   From "Windows Internals, Fifth Edition":
>
> On 32-bit x86 systems, the flag in the page table entry to mark a page as nonexecutable is available only when the processor is running in Physical Address Extension (PAE) mode. Thus, support for hardware DEP on 32-bit systems requires loading the PAE kernel.
>
> Why is the file used ntkrnlmp.pdb instead of ntkrpamp.pdb?
>
> Thanks,
> ---
> The truth will set us free
>
> http://neosysforensics.blogspot.com
> http://www.wadalbertia.org
> -<|:-P[G]
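The question in this thread is whether the PAE and non-PAE kernel symbols differ in the structure layouts Volatility depends on. The script below is an added example (not from the list or the Volatility project) that diffs two dictionaries in the Volatility 2 vtypes shape, `{struct: [size, {member: [offset, type]}]}`, and checks a chosen set of structures for identical layout; both dictionaries are constructed sample data, not real ntkrnlmp/ntkrpamp layouts.

```python
"""Diff two Volatility 2 style vtypes dictionaries (constructed sample data)."""

# Constructed sample layouts for illustration only; the real offsets come from
# the vtypes modules generated from ntkrnlmp.pdb / ntkrpamp.pdb.
NOPAE_TYPES = {
    '_EPROCESS': [0x270, {
        'Pcb': [0x0, ['_KPROCESS']],
        'UniqueProcessId': [0xe0, ['pointer', ['void']]],
        'ActiveProcessLinks': [0xe4, ['_LIST_ENTRY']],
    }],
    '_KPROCESS': [0xd8, {'DirectoryTableBase': [0x18, ['unsigned long']]}],
    '_MMPTE': [0x4, {'u': [0x0, ['unsigned long']]}],   # 32-bit PTE (constructed)
}
PAE_TYPES = {
    '_EPROCESS': [0x270, {
        'Pcb': [0x0, ['_KPROCESS']],
        'UniqueProcessId': [0xe0, ['pointer', ['void']]],
        'ActiveProcessLinks': [0xe4, ['_LIST_ENTRY']],
    }],
    '_KPROCESS': [0xd8, {'DirectoryTableBase': [0x18, ['unsigned long']]}],
    '_MMPTE': [0x8, {'u': [0x0, ['unsigned long long']]}],  # 64-bit PAE PTE (constructed)
}


def diff_vtypes(a, b):
    """Return a list of (struct, member, value_in_a, value_in_b) mismatches.
    member is None for struct-level differences (absent struct or size)."""
    diffs = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            diffs.append((name, None, a.get(name), b.get(name)))
            continue
        size_a, members_a = a[name]
        size_b, members_b = b[name]
        if size_a != size_b:
            diffs.append((name, None, size_a, size_b))
        for m in sorted(set(members_a) | set(members_b)):
            if members_a.get(m) != members_b.get(m):
                diffs.append((name, m, members_a.get(m), members_b.get(m)))
    return diffs


def same_layout(a, b, structs):
    """True if every structure in `structs` has identical size and members in a and b."""
    return not any(d[0] in structs for d in diff_vtypes(a, b))


if __name__ == '__main__':
    for struct, member, va, vb in diff_vtypes(NOPAE_TYPES, PAE_TYPES):
        print('%s.%s: %r != %r' % (struct, member or '<size>', va, vb))
    print('process structs identical:', same_layout(NOPAE_TYPES, PAE_TYPES, ['_EPROCESS', '_KPROCESS']))
```

On the constructed data only `_MMPTE` differs, which matches the observation above that process-walking plugins behave the same with either symbol set while anything that interprets page-table entries would not.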
