This post follows on from the last one, where I described how I extended Volatility to work with the symbols for Windows XP SP3. In this one I describe how I applied the same approach to Vista SP0.
1. Downloaded the Windows Vista RTM x86 retail symbols from Microsoft and installed them to C:\dev\VistaSP0x86\vista-x86.
2. Ran the tpi_vtypes.py program from pdbparse against the symbol file for the general Vista kernel, ntkrnlmp.pdb, generating a Python symbol definition file for Volatility in the process:

```
C:\mysrc\pdbparse>c:\Python25\python.exe tpi_vtypes.py c:\dev\VistaSP0x86\symbols\EXE\ntkrnlmp.pdb > vista_sp0_x86_vtypes.py
```

3. Moved vista_sp0_x86_vtypes.py to the plugins\overlays\windows folder within the Volatility source tree.
4. Created a new profile implementation called vista_sp0_x86.py, based on the existing Windows XP SP2 profile and modified to suit. In essence, the new profile is composed of three things:
   - a definition of native types (these appear to apply generally to 32-bit Windows, so I simply took the existing Windows definitions);
   - a definition of the specific structural types I had just generated (contained in vista_sp0_x86_vtypes.py);
   - an overlay definition (I reused the existing XP SP2 one with the fixups from the last post).

```python
import copy

# Sibling modules in the same overlays directory; the import paths are assumed
# to be those used by the XP SP2 profile this file was copied from.
import vtypes
import crashdump
import hibernate_vtypes
import xp_sp2
import vista_sp0_x86_vtypes

# Start from the XP SP2 overlay and apply the fixups from the last post: the
# flag fields are reached through the member 'u' in these symbols.
vistasp0x86overlays = copy.deepcopy(vtypes.xpsp2overlays)
vistasp0x86overlays['_MMVAD_SHORT']['Flags'] = lambda x: x['u']
vistasp0x86overlays['_CONTROL_AREA']['Flags'] = lambda x: x['u']
vistasp0x86overlays['_MMVAD_LONG']['Flags'] = lambda x: x['u']
vistasp0x86overlays['_MMVAD_LONG']['Flags2'] = lambda x: x['u']

# Add the crash-dump and hibernation-file types to the generated kernel types.
vista_sp0_x86_vtypes.ntkrnlmp_types.update(crashdump.crash_vtypes)
vista_sp0_x86_vtypes.ntkrnlmp_types.update(hibernate_vtypes.hibernate_vtypes)


class VistaSP0x86(xp_sp2.WinXPSP2):
    """ A Profile for Windows Vista SP0 x86 """
    native_types = vtypes.x86_native_types_32bit
    abstract_types = vista_sp0_x86_vtypes.ntkrnlmp_types
    overlay = vistasp0x86overlays
```
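To make the profile composition above concrete, here is an added example that is not code from this post or from Volatility. It shows the shape of the vtypes that tpi_vtypes.py emits (struct name mapped to a size and a member table of offsets and types), how an overlay is merged into them to produce a profile's types, and the two checks worth running before reusing an XP overlay against freshly generated Vista symbols: which members moved or were renamed between the two symbol sets (the reason the Flags fixups exist), and whether every offset lies inside its structure. All structure names, members and offsets below are constructed for illustration and are not taken from any real ntkrnlmp.pdb; the merge is written independently and models Volatility's "None means keep the generated value" overlay convention rather than its actual implementation.

```python
"""Added example: vtypes format, overlay merge, and pre-flight checks.
Constructed data only; not taken from a real ntkrnlmp.pdb."""
import copy

# vtypes format as generated by tpi_vtypes.py:
#   struct name -> [size, {member -> [offset, [type, ...]]}]
# Constructed stand-in for an XP-era generated file.
XP_LIKE_VTYPES = {
    '_EPROCESS': [0x260, {
        'Pcb': [0x0, ['_KPROCESS']],
        'CreateTime': [0x70, ['_LARGE_INTEGER']],
        'UniqueProcessId': [0x84, ['pointer', ['void']]],
        'ActiveProcessLinks': [0x88, ['_LIST_ENTRY']],
        'ImageFileName': [0x174, ['array', 16, ['unsigned char']]],
    }],
    '_MMVAD_SHORT': [0x18, {
        'StartingVpn': [0x0, ['unsigned long']],
        'EndingVpn': [0x4, ['unsigned long']],
        'Flags': [0x14, ['__unnamed']],
    }],
}

# Constructed stand-in for the Vista output: the struct grew, one member
# moved, and the flags member is now reached under the name 'u'.
VISTA_LIKE_VTYPES = copy.deepcopy(XP_LIKE_VTYPES)
VISTA_LIKE_VTYPES['_EPROCESS'][0] = 0x270
VISTA_LIKE_VTYPES['_EPROCESS'][1]['ImageFileName'][0] = 0x14c
VISTA_LIKE_VTYPES['_MMVAD_SHORT'][1]['u'] = (
    VISTA_LIKE_VTYPES['_MMVAD_SHORT'][1].pop('Flags'))

# Overlay in the same shape as vtypes; None means "keep the generated value".
# Retyping the timestamp and the name buffer is the kind of thing the XP
# overlay does; the types here are illustrative.
OVERLAY = {
    '_EPROCESS': [None, {
        'CreateTime': [None, ['WinTimeStamp', {}]],
        'ImageFileName': [None, ['String', {'length': 16}]],
    }],
}


def apply_overlay(vtypes, overlay):
    """Return a new vtypes dict with the overlay merged in. Generated sizes
    and offsets survive wherever the overlay says None. Raises KeyError when
    the overlay names a struct or member the generated file lacks, which is
    the failure an unmodified XP overlay produces against renamed members."""
    merged = copy.deepcopy(vtypes)
    for struct, (size, members) in overlay.items():
        if struct not in merged:
            raise KeyError('overlay names unknown struct %s' % struct)
        if size is not None:
            merged[struct][0] = size
        for member, (offset, typ) in members.items():
            if member not in merged[struct][1]:
                raise KeyError('overlay names unknown member %s.%s'
                               % (struct, member))
            if offset is not None:
                merged[struct][1][member][0] = offset
            if typ is not None:
                merged[struct][1][member][1] = typ
    return merged


def diff_struct(old, new, name):
    """Members removed, added, or moved to another offset for one struct
    between two generated vtypes sets (e.g. XP SP2 versus Vista SP0)."""
    om, nm = old[name][1], new[name][1]
    return {
        'removed': sorted(set(om) - set(nm)),
        'added': sorted(set(nm) - set(om)),
        'moved': sorted(m for m in set(om) & set(nm) if om[m][0] != nm[m][0]),
    }


def check_layout(vtypes):
    """Return (struct, member) pairs whose offset falls outside the struct
    size; a cheap sanity check on a freshly generated or merged file."""
    bad = []
    for struct, (size, members) in vtypes.items():
        for member, (offset, _typ) in members.items():
            if not 0 <= offset < size:
                bad.append((struct, member))
    return bad


if __name__ == '__main__':
    profile_types = apply_overlay(VISTA_LIKE_VTYPES, OVERLAY)
    print(profile_types['_EPROCESS'][1]['CreateTime'])
    print(diff_struct(XP_LIKE_VTYPES, VISTA_LIKE_VTYPES, '_MMVAD_SHORT'))
    print(check_layout(profile_types))
```

Running diff_struct on _MMVAD_SHORT reports Flags removed and u added, which is precisely the situation the lambda fixups in the profile paper over; running apply_overlay with an overlay that still names Flags raises KeyError instead of silently producing a profile that reads the wrong member.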
The next post will cover the modifications to Volatility needed to find KdDebuggerDataBlock, the root structure from which the kernel objects needed to enumerate active processes and loaded modules (among other things) are located.