[Tracker] Plugins that fail on profiles other than XPSP2

[GoogleCodeExporter]

This is a meta-bug about all the plugins that fail to work with Windows 7.

Any bugs that refer to Windows 7 breakage should be noted and added to *this* 
bug's "Blocked On" field.  This will help us keep a track of what needs fixing 
and how far we have to go.

Original issue reported on code.google.com by mike.auty@gmail.com on 18 Aug 2010 at 10:27

• Blocked on: psscan relies on WorkingSetLock which isn't in vtypes for windows 7 x86 images #1, OBJECT_TYPE handling needs extending to work on Windows 7 images #5, win32/network functions rely on hardcoded offsets into tcpip.sys - need updating and moving to profiles #6, 'connections' plugin breaks with InvalidOffsetError on windows 7 x86 image #7, ssdt plugin needs updating to work on windows 7 image #10, PoolScanning signatures need some multi-profile support #17, vad commands don't work on Windows 7 #32

[GoogleCodeExporter]

Original comment by mike.auty@gmail.com on 18 Aug 2010 at 10:27

[GoogleCodeExporter]

Original comment by mike.auty@gmail.com on 18 Aug 2010 at 10:45

[GoogleCodeExporter]

Original comment by mike.auty@gmail.com on 26 Aug 2010 at 12:24

• Added labels: Milestone-Release1.4

[GoogleCodeExporter]

Original comment by mike.auty@gmail.com on 26 Aug 2010 at 12:25

[GoogleCodeExporter]

Original comment by mike.auty@gmail.com on 27 Aug 2010 at 9:04

• Changed title: [Tracker] Plugins that fail on profiles other than XPSP2

[GoogleCodeExporter]

The vadinfo, vaddump, and vadwalk commands don't work with profile=Win7SP0x86. 
Its because in XP the EPROCESS.VadRoot is a pointer to _MMVAD but in Win7 its a 
little different:

kd> dt _EPROCESS 
...
   +0x278 VadRoot          : _MM_AVL_TABLE
      +0x000 BalancedRoot     : _MMADDRESS_NODE
         +0x000 u1               : <unnamed-tag>
         +0x004 LeftChild        : (null) 
         +0x008 RightChild       : 0x8594b410 _MMADDRESS_NODE
         +0x00c StartingVpn      : 0
         +0x010 EndingVpn        : 0

kd> dt _MMADDRESS_NODE 0x8594b410 
ntdll!_MMADDRESS_NODE
   +0x000 u1               : <unnamed-tag>
   +0x004 LeftChild        : 0x85389008 _MMADDRESS_NODE
   +0x008 RightChild       : 0x854185f8 _MMADDRESS_NODE
   +0x00c StartingVpn      : 0x75850
   +0x010 EndingVpn        : 0x7585c

So when the vad commands do task.VadRoot.traverse(), the code in 
plugins/overlays/Windows/xp_sp2.py in class _MMVAD fails:

## What type is this struct?
tag = vm.read(offset - 4, 4)
theType = switch.get(tag)

if not theType:
    return obj.NoneObject("Tag {0} not knowns".format(tag))

Due to the change in Win7, theType will always be None. At least it appears 
that the Win7 nodes still use the same Vad, VadS, Vadl tags though:

kd> db 0x8594b410-4 L4
8594b40c  56 61 64 20     Vad 

kd> db 0x85389008-4 L4
85389004  56 61 64 53     VadS

Original comment by michael.hale@gmail.com on 10 Sep 2010 at 3:06

[GoogleCodeExporter]

Ok, thanks.  Would you mind copy/pasting that into a separate bug, and then 
I'll mark this as blocked on the new issue?  This one's just for tracking the 
problems, and then we can deal with the individual problems in their own 
issues.  Hope that's ok?

Original comment by mike.auty@gmail.com on 10 Sep 2010 at 3:11

[GoogleCodeExporter]

Original comment by mike.auty@gmail.com on 13 Sep 2010 at 7:46

[GoogleCodeExporter]

Closing this, since we're now using the milestones to keep track of what's due 
when.

Original comment by mike.auty@gmail.com on 30 Jan 2011 at 6:22

• Changed state: Done

[GoogleCodeExporter]

Sorry for the bugspam, but better to get this right now than later once it's 
more in use.

Original comment by mike.auty@gmail.com on 4 Feb 2011 at 9:34

• Added labels: Milestone-1.4.x
• Removed labels: Milestone-Release1.4