What you ended up doing in the editbox plugin seems reasonable. I had to do something similar to fix the --fix parameter to dlldump and procdump. The problem was that for wow64 processes, Volatility was using _IMAGE_OPTIONAL_HEADER64 and not the _IMAGE_OPTIONAL_HEADER (32-bit version). At this location in the code, we had a pointer to the PE header but not the _EPROCESS structure, so I couldn't use the IsWow64 method. Instead, I checked the _OPTIONAL_HEADER.Magic value and compared it with IMAGE_NT_OPTIONAL_HDR32_MAGIC...and if so I cast the image header to the 32-bit version.
https://github.com/volatilityfoundation/volatility/commit/c6841586ccbba2f3f69a72e2edaff81e0a3c3891

Cheers,
MHL

On 5/20/16 5:03 PM, Bridgey theGeek wrote:
> Hi all,
>
> Wondering if anybody's come across this scenario...
>
> I want to read an address from my_offset:
>     my_address = obj.Object('address', offset=my_offset, vm=task_vm)
>
> However, for Wow64 the address should only be 4 bytes, but because we're
> analysing with a 64-bit profile, 'address' will cause 8 bytes to be
> parsed (right?).
>
> Do I need to replace it with something like:
>     if profile_is_32bit or process_is_wow64:
>         my_address = obj.Object('unsigned long', offset=my_offset, vm=task_vm)
>     else:
>         my_address = obj.Object('unsigned long long', offset=my_offset,
>                                 vm=task_vm)
>
> Or do I need to start manually unpacking structs?
>
> Thanks,
> Adam
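The Magic check MHL describes and the pointer-width branch from Adam's question, as an added stand-alone Python example (not Volatility's code and not the linked commit). It uses struct over constructed byte strings in place of obj.Object and a real memory image; IMAGE_NT_OPTIONAL_HDR32_MAGIC / IMAGE_NT_OPTIONAL_HDR64_MAGIC are the winnt.h values 0x10B / 0x20B.

```python
import struct

# Magic values of IMAGE_OPTIONAL_HEADER, as defined in winnt.h.
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B

def optional_header_magic(nt_headers):
    """Magic word of the optional header inside IMAGE_NT_HEADERS.
    nt_headers starts at the PE signature; Magic is at 4 + 20 = 24."""
    if nt_headers[:4] != b"PE\x00\x00":
        raise ValueError("buffer does not start with a PE signature")
    return struct.unpack_from("<H", nt_headers, 24)[0]

def pointer_size_from_pe(nt_headers):
    """Width of a pointer in the image: 4 for a 32-bit (wow64) PE, 8 for 64-bit."""
    magic = optional_header_magic(nt_headers)
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return 4
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        return 8
    raise ValueError("unexpected optional header magic 0x%x" % magic)

def address_type_name(profile_is_32bit, process_is_wow64):
    """Type name to hand to obj.Object for a pointer, per the branch in the question."""
    if profile_is_32bit or process_is_wow64:
        return "unsigned long"
    return "unsigned long long"

def read_address(buf, offset, pointer_size):
    """Read one little-endian pointer of the chosen width from buf."""
    fmt = {4: "<I", 8: "<Q"}[pointer_size]
    return struct.unpack_from(fmt, buf, offset)[0]

# Constructed sample data (not taken from any memory image): two minimal
# IMAGE_NT_HEADERS prefixes that differ only in Magic, plus a wow64 region
# holding two adjacent 32-bit pointers.
NT32 = b"PE\x00\x00" + b"\x00" * 20 + struct.pack("<H", IMAGE_NT_OPTIONAL_HDR32_MAGIC)
NT64 = b"PE\x00\x00" + b"\x00" * 20 + struct.pack("<H", IMAGE_NT_OPTIONAL_HDR64_MAGIC)
WOW64_REGION = struct.pack("<II", 0x00401000, 0x00402000)

if __name__ == "__main__":
    size = pointer_size_from_pe(NT32)
    print("pointer size:", size)                                  # 4
    print("4-byte read:", hex(read_address(WOW64_REGION, 0, size)))  # 0x401000
    # Reading 8 bytes under a 64-bit profile merges the two pointers.
    print("8-byte read:", hex(read_address(WOW64_REGION, 0, 8)))     # 0x40200000401000
```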
