Comments (5)
First off, a reminder that this outputting scheme was put in place as a stopgap for a proper plugin output format. I'm impressed that it's managed to survive this long still working. It required code changes to each plugin that used it originally, and unfortunately a proper fix looks like it would need the same...
Ok, so the difficulty we have is that only the address space knows whether it's PAE or nonPAE. At the moment, we can fudge whether it's a long (64-bit) address or a short (32-bit) one, based on what the user told us in the profile, because that's in the global config, but whilst the profile can differentiate between 32 and 64, it can't differentiate between PAE and nonPAE. By the time we get to the formatter, all we have is the profile (from the global config). We don't even have the values themselves, because we have to draw the header bar and know the widths of columns before we see the values. Without them, we've no address spaces, so no chance of determining whether it's PAE or not. If anyone else can think of a way of figuring out if the space is PAE from the information we have, do shout! So our options are:
a) leave it as is
b) always display 48-bit address, in case it's PAE
c) write custom detection code in individual plugins that can detect PAE and lengthen the address field when necessary.
I'd recommend b, but it might be disconcerting for 32-bit analysis to be given 6-byte addresses, the top two of which are almost always 0. b is a two-second fix, but if we decide to go for c, we'll need to figure out which plugins to apply it to, and that will take a little more time. Let me know what people think would be best.
from volatility.
Hmm, yeah b would be easiest, but I'm just concerned it will make the output of virtual addresses (and other values we print as hex) on 32-bit systems look unnecessarily expanded. What are your thoughts on preemptively "fixing" this in 3.0? I think I would be OK with option a (leaving it as-is) now if we know a solution would be available in 3.0. For example, maybe a way to ensure the formatting code can easily access the AS/Profile?
from volatility.
Well, in version 3 you'll be handed a whole table of data at once in a standard layout, so you won't have to parse it line by line, or know how you're going to lay it out before you've got all the data in front of you. There's now no reason to convert the objects from what they are (addresses), which should carry a reference to the original translation layer (address space) they came from, so that should be ok. Also, given we have all the values to begin with, we can just run through them and identify the maximum necessary length and 0 pad to that, so there's multiple ways of ensuring everything will come out aligned properly in version 3.0...
from volatility.
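The two-pass layout described in the comment above, as an added Python example that is not Volatility code or the commenter's: a column width chosen from the profile alone is compared with a width measured from the data. The sample offsets and all function names are constructed for illustration.

```python
# Added illustration, not Volatility code; every name below is hypothetical.

# Constructed sample: physical offsets from an imagined 32-bit PAE image,
# where the second value needs more than 32 bits.
ROWS = [(0x0012F000, "smss.exe"), (0x23FE1D000, "lsass.exe")]


def hex_digits(value):
    """Number of hex digits needed to print value without truncation."""
    return max(1, (value.bit_length() + 3) // 4)


def render(rows, digits):
    """Header plus one line per row, address zero-padded to `digits` hex digits."""
    width = digits + 2  # room for the "0x" prefix
    lines = ["{0:<{1}} {2}".format("Offset(P)", width, "Name")]
    for addr, name in rows:
        lines.append("{0:#0{1}x} {2}".format(addr, width, name))
    return lines


def render_from_profile(rows, bits=32):
    """Stopgap approach: width fixed from the profile before any value is seen."""
    return render(rows, bits // 4)


def render_from_data(rows, minimum_bits=32):
    """Two-pass approach: scan all values, then pad to the widest one."""
    digits = max([hex_digits(addr) for addr, _ in rows] + [minimum_bits // 4])
    return render(rows, digits)


if __name__ == "__main__":
    # The PAE offset overflows the 8-digit column and shifts the Name column.
    print("\n".join(render_from_profile(ROWS)))
    print()
    # Measuring first keeps every row aligned without padding plain 32-bit data.
    print("\n".join(render_from_data(ROWS)))
```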
OK, I'm fine with leaving it as is for now then.
from volatility.
Marking as "wontfix"
from volatility.