This post follows on from the last post. In the last post I described how I extended Volatility to work with the symbols for Windows XP SP3. In this one, I describe how I applied the same approach to Vista SP0.
1. Downloaded Windows Vista RTM x86 retail symbols from Microsoft. I installed them to C:\dev\VistaSP0x86\vista-x86
2. I then ran the tpi_vtypes.py program against the symbol file which corresponds to the general Vista kernel, ntkrnlmp.pdb, generating a python symbol definition file for volatility in the process.
C:\mysrc\pdbparse>c:\Python25\python.exe tpi_vtypes.py c:\dev\VistaSP0x86\symbols\EXE\ntkrnlmp.pdb > vista_sp0_x86_vtypes.py
3. Moved vista_sp0_x86_vtypes.py to the \plugins\overlays\windows folder within the volatility source tree.
4. Created a new profile implementation called vista_sp0_x86.py. I based this off the existing windows XP SP2 profile, modifying to suit. In essence, the new profile is composed of three things:
- a definition of native types (these appear to apply generally to 32-bit Windows operating systems; I simply took the existing Windows definitions);
- a definition of the specific structural types which I just generated (contained in vista_sp0_x86_vtypes.py);
- an overlay definition (I simply reused the existing XP SP2 one with the fixups from the last post).
import copy
# Sibling modules from the overlays\windows folder; the import form is assumed to match the XP SP2 profile this was copied from.
import vtypes, crashdump, hibernate_vtypes, xp_sp2, vista_sp0_x86_vtypes

# Reuse the XP SP2 overlay, then apply the fixups from the last post: for these
# structures the Flags offset is taken from the 'u' union member at profile-load time.
vistasp0x86overlays = copy.deepcopy(vtypes.xpsp2overlays)
vistasp0x86overlays['_MMVAD_SHORT'][1]['Flags'][0] = lambda x: x['u'][0]
vistasp0x86overlays['_CONTROL_AREA'][1]['Flags'][0] = lambda x: x['u'][0]
vistasp0x86overlays['_MMVAD_LONG'][1]['Flags'][0] = lambda x: x['u'][0]
vistasp0x86overlays['_MMVAD_LONG'][1]['Flags2'][0] = lambda x: x['u'][0]

# Add the crash dump and hibernation file structures to the generated kernel types.
vista_sp0_x86_vtypes.ntkrnlmp_types.update(crashdump.crash_vtypes)
vista_sp0_x86_vtypes.ntkrnlmp_types.update(hibernate_vtypes.hibernate_vtypes)

class VistaSP0x86(xp_sp2.WinXPSP2):
    """ A Profile for Windows Vista SP0 x86 """
    native_types = vtypes.x86_native_types_32bit
    abstract_types = vista_sp0_x86_vtypes.ntkrnlmp_types
    overlay = vistasp0x86overlays
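Before wiring a reused overlay into a new profile, it is worth checking that every callable fixup still resolves against the freshly generated vtypes, since a renamed or missing member only surfaces later as a KeyError deep inside a plugin. The following is an added example, not code from this post or from Volatility; the vtypes dictionary is a constructed sample in the layout tpi_vtypes.py emits, with illustrative offsets, and check_overlay is a hypothetical helper.

```python
# Constructed sample in the vtypes layout tpi_vtypes.py emits:
#   { '_STRUCT': [size, { 'member': [offset, ['type', ...]], ... }] }
# Only the members needed for the check are present; offsets are illustrative.
SAMPLE_VTYPES = {
    '_MMVAD_SHORT': [0x18, {
        'StartingVpn': [0x0, ['unsigned long']],
        'u': [0x14, ['__unnamed']],
    }],
    '_MMVAD_LONG': [0x34, {
        'u': [0x14, ['__unnamed']],
        'u2': [0x2c, ['__unnamed']],
    }],
    '_CONTROL_AREA': [0x30, {
        'u': [0x24, ['__unnamed']],
    }],
}

# Overlay in the same layout. A callable in the offset slot is evaluated against the
# struct's member dictionary at profile-load time, exactly like the Flags fixups above.
SAMPLE_OVERLAY = {
    '_MMVAD_SHORT': [None, {'Flags': [lambda x: x['u'][0], ['_MMVAD_FLAGS']]}],
    '_MMVAD_LONG': [None, {'Flags': [lambda x: x['u'][0], ['_MMVAD_FLAGS']],
                           'Flags2': [lambda x: x['u'][0], ['_MMVAD_FLAGS2']]}],
    '_CONTROL_AREA': [None, {'Flags': [lambda x: x['u'][0], ['_MMSECTION_FLAGS']]}],
}

def check_overlay(vtypes, overlay):
    """Return a list of (struct, member, problem) tuples for overlay entries the
    generated vtypes cannot satisfy. An empty list means every fixup resolves."""
    problems = []
    for struct, (_size, members) in overlay.items():
        if struct not in vtypes:
            problems.append((struct, None, 'struct missing from generated vtypes'))
            continue
        real_members = vtypes[struct][1]
        for name, (offset, _typ) in members.items():
            if not callable(offset):
                continue  # static offsets need no resolution
            try:
                resolved = offset(real_members)
            except KeyError as e:
                problems.append((struct, name, 'overlay references missing member %s' % e))
                continue
            if not isinstance(resolved, int) or resolved < 0:
                problems.append((struct, name, 'resolved offset is not a valid int'))
    return problems

if __name__ == '__main__':
    print(check_overlay(SAMPLE_VTYPES, SAMPLE_OVERLAY))
```

Run it against the real vista_sp0_x86_vtypes.ntkrnlmp_types and vistasp0x86overlays instead of the samples to validate the profile before loading it.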
The next post will cover the modifications to volatility needed to find KdDebuggerDataBlock – the root of kernel objects required to find active modules and processes amongst other things.
Schatz Forensic