drakvuf
Windows XP SP3 support
Hi,
I think it is still in use (broader than most of us could believe), at least on ATMs here in Europe, but take this just as a heads up for getting proper support (although I haven't tested it). :)
Anyone tried that?
Hi,
Windows XP is not supported by DRAKVUF because the way drakvuf identifies the current running process doesn't work on Windows XP.
More specifically, it locates the current thread via KPCR, and then attempts to locate the current EPROCESS via the Process field of the KTHREAD.
Unfortunately, this field only appeared since Windows Vista. I think Drakvuf should exit at initialization if a field is missing from the rekall profile.
Instead, in our situation, it reads garbage from the KTHREAD and the program crashes afterwards.
Surprisingly, the syscalls plugin doesn't crash, but only displays a (null) process.
I hope that helps.
@tklengyel do you have an opinion on the matter? Thanks.
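To illustrate the suggestion above (fail at initialization when the profile lacks a field, rather than read garbage from the KTHREAD), here is an added Python example; it is not DRAKVUF's own code. It walks the KPCR -> current KTHREAD -> Process chain described in the comment against two constructed Rekall-style profiles: a Vista-like one that has _KTHREAD.Process and an XP-like one that lacks it. Struct names, offsets and the simulated memory contents are made up for the demonstration; the "$STRUCTS" layout follows the Rekall JSON convention of {struct: [size, {field: [offset, type]}]}.

```python
import json
from typing import Callable, Dict, List, Tuple

# Constructed, minimal Rekall-style profiles. Offsets are invented and do not
# reflect any real Windows build; only the presence/absence of fields matters.
VISTA_LIKE_PROFILE = json.loads("""
{
  "$STRUCTS": {
    "_KPCR":     [8192, {"Prcb": [384, ["_KPRCB"]]}],
    "_KPRCB":    [16384, {"CurrentThread": [8, ["Pointer", {"target": "_KTHREAD"}]]}],
    "_KTHREAD":  [768, {"Process": [528, ["Pointer", {"target": "_KPROCESS"}]]}],
    "_EPROCESS": [1024, {"ImageFileName": [736, ["String", {"length": 15}]]}]
  }
}
""")

# Same layout, but _KTHREAD has no Process field (the situation the comment
# describes for XP). Whether XP's real KTHREAD looks like this is not claimed here.
XP_LIKE_PROFILE = json.loads("""
{
  "$STRUCTS": {
    "_KPCR":     [8192, {"Prcb": [384, ["_KPRCB"]]}],
    "_KPRCB":    [16384, {"CurrentThread": [8, ["Pointer", {"target": "_KTHREAD"}]]}],
    "_KTHREAD":  [768, {"ApcState": [64, ["_KAPC_STATE"]]}],
    "_EPROCESS": [1024, {"ImageFileName": [736, ["String", {"length": 15}]]}]
  }
}
""")

# Fields the KPCR -> KTHREAD -> EPROCESS walk depends on. Prcb is an embedded
# struct, CurrentThread and Process are pointers.
REQUIRED_FIELDS: List[Tuple[str, str]] = [
    ("_KPCR", "Prcb"),
    ("_KPRCB", "CurrentThread"),
    ("_KTHREAD", "Process"),
]


class ProfileError(Exception):
    """Raised at init time when the profile cannot support the lookup."""


def missing_fields(profile: dict, required: List[Tuple[str, str]]) -> List[str]:
    """Return 'struct.field' names from `required` that the profile lacks."""
    structs = profile.get("$STRUCTS", {})
    missing = []
    for struct, field in required:
        entry = structs.get(struct)
        if entry is None or field not in entry[1]:
            missing.append(f"{struct}.{field}")
    return missing


def field_offset(profile: dict, struct: str, field: str) -> int:
    return profile["$STRUCTS"][struct][1][field][0]


def init_process_lookup(profile: dict) -> Dict[str, int]:
    """Resolve all offsets up front; refuse to start if any are absent."""
    missing = missing_fields(profile, REQUIRED_FIELDS)
    if missing:
        raise ProfileError("profile lacks required fields: " + ", ".join(missing))
    return {f"{s}.{f}": field_offset(profile, s, f) for s, f in REQUIRED_FIELDS}


def current_eprocess(kpcr_va: int, offsets: Dict[str, int],
                     read_ptr: Callable[[int], int]) -> int:
    """Walk KPCR.Prcb.CurrentThread -> KTHREAD.Process using resolved offsets."""
    thread_va = read_ptr(kpcr_va + offsets["_KPCR.Prcb"] + offsets["_KPRCB.CurrentThread"])
    return read_ptr(thread_va + offsets["_KTHREAD.Process"])


# Constructed guest memory: only the two pointer slots the walk touches exist.
KPCR_VA = 0xFFFFF80002C00000
THREAD_VA = 0xFFFFFA8001234000
PROCESS_VA = 0xFFFFFA8000ABC000
MEMORY: Dict[int, int] = {
    KPCR_VA + 384 + 8: THREAD_VA,   # KPCR.Prcb.CurrentThread
    THREAD_VA + 528: PROCESS_VA,    # KTHREAD.Process
}


def read_ptr(va: int) -> int:
    """Simulated pointer read; an unmapped address is an error, never garbage."""
    if va not in MEMORY:
        raise KeyError(f"unmapped read at {va:#x}")
    return MEMORY[va]


if __name__ == "__main__":
    offsets = init_process_lookup(VISTA_LIKE_PROFILE)
    print(f"current EPROCESS: {current_eprocess(KPCR_VA, offsets, read_ptr):#x}")
    try:
        init_process_lookup(XP_LIKE_PROFILE)
    except ProfileError as exc:
        print(f"refusing to start: {exc}")
```

With the Vista-like profile the walk returns the constructed EPROCESS address; with the XP-like profile init_process_lookup raises before any guest memory is read, which is the behaviour the comment asks for instead of a later crash.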
It's not surprising syscalls works, that's expected. The kpcr being mapped through fs/gs does not apply to xp but there are other ways to get the current thread which drakvuf doesn't currently implement.
get the current thread
Getting the current process, you mean? Getting the thread is fine.
which drakvuf doesn't currently implement.
Apart from iterating over the process list and building a hash with [cr3] -> [process] for performance, do you have other methods?
The way drakvuf gets the current process is by getting the thread first. If you have the thread, you can get to the process directly. There are specific tricks for XP that allowed for finding processes faster, but it has been a good several years since I looked at that, so I don't remember the details off the top of my head.