
Inside Out

Adding Vista structure definitions to Volatility

This post follows on from the last one, in which I described how I extended Volatility to work with the symbols for Windows XP SP3. In this one, I describe how I applied the same approach to Vista SP0.

  1. Downloaded the Windows Vista RTM x86 retail symbols from Microsoft and installed them to C:devVistaSP0x86vista-x86.

  2. Ran the tpi_vtypes.py program against the symbol file for the general Vista kernel, ntkrnlmp.pdb, generating a Python symbol definition file for Volatility in the process:

C:mysrcpdbparse>c:Python25python.exe tpi_vtypes.py c:devVistaSP0x86symbolsEXEntkrnlmp.pdb > vista_sp0_x86_vtypes.py

  3. Moved vista_sp0_x86_vtypes.py to the plugins\overlays\windows folder within the Volatility source tree.

  4. Created a new profile implementation called vista_sp0_x86.py. I based this on the existing Windows XP SP2 profile, modifying it to suit. In essence, the new profile is composed of three things:

     a. a definition of native types (these appear to apply generally to 32-bit Windows operating systems; I simply took the existing Windows definitions);

     b. a definition of the specific structural types I had just generated (contained in vista_sp0_x86_vtypes.py);

     c. an overlay definition (I simply reused the existing XP SP2 one, with the fixups from the last post).

import copy

# vista_sp0_x86_vtypes was generated from ntkrnlmp.pdb by tpi_vtypes.py (step 2);
# crashdump and hibernate_vtypes are the helpers the XP SP2 profile already uses.
# These imports assume the modules sit alongside this file in
# plugins\overlays\windows, as they do for xp_sp2.py.
import vtypes
import xp_sp2
import crashdump
import hibernate_vtypes
import vista_sp0_x86_vtypes

# Start from the XP SP2 overlay and apply the fixups from the last post: each
# Flags member is located via the offset of the 'u' union in its structure.
vistasp0x86overlays = copy.deepcopy(vtypes.xpsp2overlays)

vistasp0x86overlays['_MMVAD_SHORT'][1]['Flags'][0] = lambda x: x['u'][0]
vistasp0x86overlays['_CONTROL_AREA'][1]['Flags'][0] = lambda x: x['u'][0]
vistasp0x86overlays['_MMVAD_LONG'][1]['Flags'][0] = lambda x: x['u'][0]
vistasp0x86overlays['_MMVAD_LONG'][1]['Flags2'][0] = lambda x: x['u'][0]

# Add the crash dump and hibernation file structures so those address spaces work
# with this profile too.
vista_sp0_x86_vtypes.ntkrnlmp_types.update(crashdump.crash_vtypes)
vista_sp0_x86_vtypes.ntkrnlmp_types.update(hibernate_vtypes.hibernate_vtypes)

class VistaSP0x86(xp_sp2.WinXPSP2):
    """ A Profile for Windows Vista SP0 x86 """
    native_types = vtypes.x86_native_types_32bit
    abstract_types = vista_sp0_x86_vtypes.ntkrnlmp_types
    overlay = vistasp0x86overlays
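The reason the fixups above are needed is that the XP SP2 overlay locates members by calling a lambda against the generated structure definitions, and Vista's structures do not always have the members XP's did. The following is an added example, not code from the post or from Volatility, showing a check I would run before wiring a copied overlay into a new profile: it probes every offset lambda against the generated member table and reports any member the lambda expects but the new types lack, then merges the overlay once it is clean. The type and overlay dictionaries below are constructed stand-ins in the same shape as vista_sp0_x86_vtypes.ntkrnlmp_types and xpsp2overlays, with made-up sizes and offsets, and the example assumes (as the `x['u'][0]` form in the post implies) that an offset lambda receives the structure's member table.

```python
# Added example (not from the post or from Volatility): sanity-check a copied
# overlay against freshly generated vtypes before building a profile on them.
import copy

# Constructed stand-in for the output of tpi_vtypes.py:
#   {'_STRUCT': [size, {'member': [offset, [type, ...]]}]}
# Sizes and offsets are made up for illustration only.
ntkrnlmp_types = {
    '_MMVAD_SHORT': [0x18, {
        'StartingVpn': [0x0, ['unsigned long']],
        'EndingVpn':   [0x4, ['unsigned long']],
        'u':           [0x14, ['__unnamed']],
    }],
    '_CONTROL_AREA': [0x30, {
        'Segment': [0x0, ['pointer', ['_SEGMENT']]],
        'u':       [0x10, ['__unnamed']],
    }],
    '_MMVAD_LONG': [0x28, {
        'u': [0x14, ['__unnamed']],
        # deliberately no 'u2' member, so an XP-style Flags2 fixup is caught
    }],
}

# Constructed overlay in the post's shape: {'_STRUCT': [None, {'member': [offset, type]}]}
# where the offset slot may be a lambda evaluated against the member table.
xpsp2overlays = {
    '_MMVAD_SHORT': [None, {'Flags': [lambda x: x['u'][0], ['_MMVAD_FLAGS']]}],
    '_CONTROL_AREA': [None, {'Flags': [lambda x: x['u'][0], ['_MMSECTION_FLAGS']]}],
    '_MMVAD_LONG': [None, {
        'Flags':  [lambda x: x['u'][0], ['_MMVAD_FLAGS']],
        'Flags2': [lambda x: x['u2'][0], ['_MMVAD_FLAGS2']],
    }],
}

# The same fixup the post applies for Vista: Flags2 is located via 'u', not 'u2'.
vistasp0x86overlays = copy.deepcopy(xpsp2overlays)
vistasp0x86overlays['_MMVAD_LONG'][1]['Flags2'][0] = lambda x: x['u'][0]


def check_overlay(types, overlay):
    """Return a list of problems: structures the overlay names that the types
    lack, and offset lambdas that reference members the structure lacks.
    Each lambda is probed with the structure's real member table, so a
    KeyError names exactly the member the fixup expects."""
    problems = []
    for struct, (_size, members) in overlay.items():
        if struct not in types:
            problems.append('%s: structure missing from vtypes' % struct)
            continue
        real_members = types[struct][1]
        for name, (offset, _typ) in members.items():
            if not callable(offset):
                continue
            try:
                offset(real_members)
            except KeyError as e:
                problems.append('%s.%s: fixup references missing member %s'
                                % (struct, name, e.args[0]))
    return problems


def apply_overlay(types, overlay):
    """Merge the overlay into a deep copy of the types, resolving lambda
    offsets against each structure's member table.  Raises KeyError on the
    problems check_overlay() reports, so run that first."""
    merged = copy.deepcopy(types)
    for struct, (_size, members) in overlay.items():
        real_members = merged[struct][1]
        for name, (offset, typ) in members.items():
            if callable(offset):
                offset = offset(real_members)
            real_members[name] = [offset, typ]
    return merged


if __name__ == '__main__':
    for label, ovl in (('XP SP2 overlay', xpsp2overlays),
                       ('Vista SP0 overlay', vistasp0x86overlays)):
        probs = check_overlay(ntkrnlmp_types, ovl)
        print('%s: %s' % (label, probs or 'ok'))
    resolved = apply_overlay(ntkrnlmp_types, vistasp0x86overlays)
    print('_MMVAD_LONG.Flags2 offset: 0x%x' % resolved['_MMVAD_LONG'][1]['Flags2'][0])
```

Run against the real vista_sp0_x86_vtypes.ntkrnlmp_types and vtypes.xpsp2overlays, the same check tells you up front which structure and member each fixup has to address, rather than leaving the mismatch to surface as a KeyError deep inside a plugin.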

The next post will cover the modifications to volatility needed to find KdDebuggerDataBlock – the root of kernel objects required to find active modules and processes amongst other things.