[Vol-users] Volatility Call for Bugs
a.schuster at yendor.net
Wed Jul 8 06:47:08 CDT 2009
Maybe I can help with the test case. I could reactivate the VM that I
created to research the non-paged pool persistence about a year ago. It's a
clean install of Windows XP, 32 bit, Service Pack 2, and only a few
background services running.
What are your opinions on the following test plan:
1. start VM, boot Windows
2. enable hibernation
3. suspend VM
4. copy VMEM to prehib.vmem
5. resume VM
6. cause system to hibernate, VM stops
7. map system disk
8. copy hiberfil.sys
9. unmap system disk
10. start VM, resume Windows
11. suspend VM
12. copy VMEM to posthib.vmem
13. Compare prehib.vmem and posthib.vmem page by page (assuming a page size
of 4 KiB, and neglecting large pages here). Assume that identical pages
also were unchanged at time of hibernation.
14. Process hiberfil.sys by tool of choice. Verify that unchanged pages
(step 13) match.
This would give us a first estimate of quality. A thorough test would
require a hiberfil.sys that has been constructed such that every possible
code path (in the original algorithm) is executed at least once. But,
unfortunately, that exceeds my abilities.
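
Steps 13 and 14 of the test plan above, sketched as an added example that is not part of the original post. It assumes the tool of choice writes a flat raw image in which page N sits at offset N * 4096; the function names are hypothetical and the sample images are constructed, not real memory dumps.

```python
import io

PAGE_SIZE = 4096  # 4 KiB pages as in step 13; large pages are ignored

def pages(stream):
    """Yield (page_number, content) for each full page of a flat raw image."""
    stream.seek(0)
    number = 0
    while len(page := stream.read(PAGE_SIZE)) == PAGE_SIZE:
        yield number, page
        number += 1

def check_conversion(prehib, posthib, converted):
    """Steps 13 and 14: find pages identical before and after hibernation,
    then look each one up in the image converted from hiberfil.sys."""
    result = {"unchanged": [], "matched": [], "blank": [], "differs": []}
    zero = bytes(PAGE_SIZE)
    for (number, before), (_, after) in zip(pages(prehib), pages(posthib)):
        if before != after:
            continue  # changed across hibernation, so no reference content
        result["unchanged"].append(number)
        converted.seek(number * PAGE_SIZE)
        got = converted.read(PAGE_SIZE)
        if got == before:
            result["matched"].append(number)
        elif got in (b"", zero):
            # Converter produced nothing for this page (past end of file or
            # zero-filled); kept apart from pages with wrong content.
            result["blank"].append(number)
        else:
            result["differs"].append(number)
    return result

def constructed_images():
    """Constructed sample data: three four-page images."""
    page = lambda byte: bytes([byte]) * PAGE_SIZE
    pre = page(0x11) + page(0x22) + page(0x33) + page(0x44)
    post = page(0x11) + page(0x99) + page(0x33) + page(0x44)  # page 1 changed
    conv = page(0x11) + page(0x99) + page(0x00) + page(0x45)  # 2 blank, 3 wrong
    return io.BytesIO(pre), io.BytesIO(post), io.BytesIO(conv)

if __name__ == "__main__":
    print(check_conversion(*constructed_images()))
```

With real files, pass the three images opened in binary mode; any page listed under "differs" is one that was unchanged in the VM yet came out of the conversion with different content.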