Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vad commands don't work on Windows 7 #32

Closed
GoogleCodeExporter opened this issue Aug 6, 2015 · 4 comments
Closed

vad commands don't work on Windows 7 #32

GoogleCodeExporter opened this issue Aug 6, 2015 · 4 comments
Labels
auto-migrated Priority-Medium Type-Defect

Comments

@GoogleCodeExporter
Copy link 

The vadinfo, vaddump, and vadwalk commands don't work with profile=Win7SP0x86. 
Its because in XP the EPROCESS.VadRoot is a pointer to _MMVAD but in Win7 its a 
little different:

kd> dt _EPROCESS 
...
   +0x278 VadRoot          : _MM_AVL_TABLE
      +0x000 BalancedRoot     : _MMADDRESS_NODE
         +0x000 u1               : <unnamed-tag>
         +0x004 LeftChild        : (null) 
         +0x008 RightChild       : 0x8594b410 _MMADDRESS_NODE
         +0x00c StartingVpn      : 0
         +0x010 EndingVpn        : 0

kd> dt _MMADDRESS_NODE 0x8594b410 
ntdll!_MMADDRESS_NODE
   +0x000 u1               : <unnamed-tag>
   +0x004 LeftChild        : 0x85389008 _MMADDRESS_NODE
   +0x008 RightChild       : 0x854185f8 _MMADDRESS_NODE
   +0x00c StartingVpn      : 0x75850
   +0x010 EndingVpn        : 0x7585c

So when the vad commands do task.VadRoot.traverse(), the code in 
plugins/overlays/Windows/xp_sp2.py in class _MMVAD fails:

## What type is this struct?
tag = vm.read(offset - 4, 4)
theType = switch.get(tag)

if not theType:
    return obj.NoneObject("Tag {0} not knowns".format(tag))

Due to the change in Win7, theType will always be None. At least it appears 
that the Win7 nodes still use the same Vad, VadS, Vadl tags though:

kd> db 0x8594b410-4 L4
8594b40c  56 61 64 20     Vad 

kd> db 0x85389008-4 L4
85389004  56 61 64 53     VadS

Original issue reported on code.google.com by michael.hale@gmail.com on 13 Sep 2010 at 2:14
@GoogleCodeExporter
Copy link
Author 

Thanks.  Looks like we'll have to write an __MM_AVL_TABLE object that has a 
traverse method on it for that verison?  Either that, or find another 
per-profile way of dealing with the different Vad systems.  Any takers for 
helping code this?

Original comment by mike.auty@gmail.com on 13 Sep 2010 at 7:49

  • Changed state: Accepted

@GoogleCodeExporter
Copy link
Author

Original comment by mike.auty@gmail.com on 23 Nov 2010 at 8:33

@GoogleCodeExporter
Copy link
Author 

Reassigning, because I know MHL's working on this (and I think it's nearly 
done).  5:)

Original comment by mike.auty@gmail.com on 14 Jan 2011 at 6:52

@GoogleCodeExporter
Copy link
Author 

Thanks to MHL, I believe this has officially been FIXED!  Hurrah!  5:)

Original comment by mike.auty@gmail.com on 21 Jan 2011 at 8:38

  • Changed state: Fixed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
auto-migrated Priority-Medium Type-Defect
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@GoogleCodeExporter