[Vol-users] Volatility Call for Bugs

Andreas Schuster a.schuster at yendor.net
Wed Jul 8 06:47:08 CDT 2009


Maybe I can help with the test case. I could reactivate the VM that I 
created to research the non-paged pool persistence about a year ago. It's a 
clean install of Windows XP, 32 bit, Service Pack 2, and only a few 
background services running.

What are your opinions on the following test plan:

1. start VM, boot Windows
2. enable hibernation
3. suspend VM
4. copy VMEM to prehib.vmem
5. resume VM
6. cause system to hibernate, VM stops
7. map system disk
8. copy hiberfil.sys
9. unmap system disk
10. start VM, resume Windows
11. suspend VM
12. copy VMEM to posthib.vmem

13. Compare prehib.vmem and posthib.vmem page by page (assuming a page size 
of 4 KiB, and neglecting large pages here). Assume that identical pages 
also were unchanged at time of hibernation.

14. Process hiberfil.sys by tool of choice. Verify that unchanged pages 
(step 13) match.

This would give us a first estimate of quality. A thorough test would 
require a hiberfil.sys that has been constructed such that every possible 
code path (in the original algorithm) is executed at least once. But, 
unfortunately, that exceeds my abilities.
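
The comparison in steps 13 and 14 of the test plan above, sketched as an added example that is not part of the original post. It assumes that all three inputs are raw images with physical page n at offset n * 4096, and that hiberfil.sys has already been converted to such an image by the tool under test; the function names and sample data are constructed for illustration.

```python
import hashlib
import io

PAGE_SIZE = 4096  # 4 KiB, large pages neglected as in step 13
ZERO_DIGEST = hashlib.sha256(bytes(PAGE_SIZE)).digest()


def page_digests(stream, page_size=PAGE_SIZE):
    """Return one SHA-256 digest per full page of a raw memory image."""
    digests = []
    while True:
        page = stream.read(page_size)
        if len(page) < page_size:  # ignore a trailing partial page
            return digests
        digests.append(hashlib.sha256(page).digest())


def check_conversion(prehib, posthib, converted):
    """Steps 13 and 14 for three raw, physical-address-ordered images."""
    pre, post, conv = (page_digests(s) for s in (prehib, posthib, converted))
    # Step 13: pages identical before and after are assumed unchanged at hibernation.
    unchanged = [n for n, (a, b) in enumerate(zip(pre, post)) if a == b]
    result = {"unchanged": len(unchanged), "zero_pages": 0, "mismatch": [], "missing": []}
    for n in unchanged:
        if pre[n] == ZERO_DIGEST:
            result["zero_pages"] += 1  # an all-zero match proves little
        if n >= len(conv):
            result["missing"].append(n)  # converter produced no such page
        elif conv[n] != pre[n]:
            result["mismatch"].append(n)  # step 14 failed for this page
    return result


def sample_image(*fill_bytes):
    """Constructed sample image: one page per argument, filled with that byte."""
    return io.BytesIO(b"".join(bytes([b]) * PAGE_SIZE for b in fill_bytes))


if __name__ == "__main__":
    # Constructed data: page 2 changed across hibernation, page 1 is decoded
    # wrongly, and the converted image lacks page 4.
    report = check_conversion(sample_image(0, 1, 2, 3, 9),
                              sample_image(0, 1, 7, 3, 9),
                              sample_image(0, 5, 7, 3))
    print(report)
```

The zero_pages count shows how much of the agreement comes from empty pages, which a converter would also "match" by emitting zeros for anything it failed to decode.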


