[Vol-users] Volatility Call for Bugs

AAron Walters awalters at 4tphi.net
Wed Jul 8 16:32:23 CDT 2009


Andreas,

Any help would be greatly appreciated! Especially if you have access to 
the tools.  I think your testing methodology is along the correct path. 
The most important aspect from my perspective will be to compare the two 
converted samples and enumerate any differences.  Then compare those 
differences to the pages found in either prehib.vmem or posthib.vmem, 
leveraging those samples as a form of ground truth. Depending on the load 
on the system you may need to compare the converted samples from within 
the virtual address space.

I'm extremely interested to see your results.  I know moyix did a lot of 
testing before we released the hibernation support.

Feel free to move this discussion to vol-dev or the IRC channel. They are 
probably better forums.

Thanks,

AW

On Wed, 8 Jul 2009, Andreas Schuster wrote:

> All,
>
> Maybe I can help with the test case. I could reactivate the VM that I created 
> to research the non-paged pool persistence about a year ago. It's a clean 
> install of Windows XP, 32 bit, Service Pack 2, and only a few background 
> services running.
>
> What are your opinions on the following test plan:
>
> 1. start VM, boot Windows
> 2. enable hibernation
> 3. suspend VM
> 4. copy VMEM to prehib.vmem
> 5. resume VM
> 6. cause system to hibernate, VM stops
> 7. map system disk
> 8. copy hiberfil.sys
> 9. unmap system disk
> 10. start VM, resume Windows
> 11. suspend VM
> 12. copy VMEM to posthib.vmem
>
> 13. Compare prehib.vmem and posthib.vmem page by page (assuming a page size 
> of 4 KiB, and neglecting large pages here). Assume that identical pages also 
> were unchanged at time of hibernation.
>
> 14. Process hiberfil.sys by tool of choice. Verify that unchanged pages 
> (step 13) match.
>
> This would give us a first estimate of quality. A thorough test would require 
> a hiberfil.sys that has been constructed such that every possible code path 
> (in the original algorithm) is executed at least once. But, unfortunately, 
> that exceeds my abilities.
>
> Cheers,
> Andreas
>
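
Steps 13 and 14 of the test plan quoted above, as an added example that is not part of the original thread or of Volatility. It assumes the .vmem files and the converted hibernation file are flat physical-memory images with the same page layout; `converted.dd` and the function names are hypothetical, and the demo images are constructed.

```python
import hashlib
import os
import tempfile

PAGE_SIZE = 4096  # 4 KiB pages as in step 13; large pages are ignored


def page_digests(path):
    """Return one SHA-256 digest per page of a raw memory image."""
    digests = []
    with open(path, "rb") as image:
        while True:
            page = image.read(PAGE_SIZE)
            if not page:
                break
            digests.append(hashlib.sha256(page).digest())
    return digests


def verify_converted(prehib, posthib, converted):
    """Return (unchanged page numbers, unchanged pages the converter got wrong)."""
    pre, post = page_digests(prehib), page_digests(posthib)
    conv = page_digests(converted)
    # Step 13: pages identical before and after are taken as ground truth.
    stable = [n for n, (a, b) in enumerate(zip(pre, post)) if a == b]
    # Step 14: every ground-truth page must appear unchanged in the conversion.
    bad = [n for n in stable if n >= len(conv) or conv[n] != pre[n]]
    return stable, bad


def _write(directory, name, fill_bytes):
    """Write a constructed image: one page per fill byte."""
    path = os.path.join(directory, name)
    with open(path, "wb") as out:
        out.write(b"".join(bytes([b]) * PAGE_SIZE for b in fill_bytes))
    return path


def demo():
    """Constructed case: page 1 changes across hibernation, page 2 is misconverted."""
    with tempfile.TemporaryDirectory() as d:
        pre = _write(d, "prehib.vmem", [1, 2, 3, 4])
        post = _write(d, "posthib.vmem", [1, 9, 3, 4])
        conv = _write(d, "converted.dd", [1, 9, 7, 4])
        return verify_converted(pre, post, conv)


if __name__ == "__main__":
    stable, bad = demo()
    print(f"{len(stable)} unchanged pages, {len(bad)} mismatched after conversion")
    for n in bad:
        print(f"  page {n} at physical offset {n * PAGE_SIZE:#x}")
```

A changed page (page 1 in the demo) is excluded from the check rather than reported, since neither suspend image can say what it held at the moment of hibernation.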

