[Vol-dev] Patch for big endian systems
Jesse Kornblum
research at jessekornblum.com
Sat Jul 4 18:06:04 CDT 2009
Attached please find a patch against the SVN version of Volatility
that allows the framework to work properly on big endian systems.
While I know big endian systems are not the majority users, I think
it's easy enough to patch. Most of the changes involve explicitly
telling the decode function that the source data was from a little
endian system.
cheers,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: big-endian.patch
Type: application/octet-stream
Size: 4135 bytes
Desc: not available
Url : https://lists.volatilesystems.com/pipermail/vol-dev/attachments/20090704/e4931297/big-endian.obj
-------------- next part --------------
Here's the original version of the framework on a big endian system:
$ python volatility ident -f xp-laptop-2005-07-04-1430.img
Image Name: xp-laptop-2005-07-04-1430.img
Image Type: UNKNOWN
And the patched:
$ python volatility ident -f memory-images/xp-laptop-2005-07-04-1430.img
Image Name: xp-laptop-2005-07-04-1430.img
Image Type: Service Pack 2
VM Type: nopae
DTB: 0x39000
Datetime: Mon Jul 04 14:30:32 2005
--
Jesse
research at jessekornblum.com
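
The fix described in the message, as an added example that is not part of the original post or the attached patch: decoding a 32-bit field from an x86 memory image with an explicit little-endian format instead of the host's native order. Python's struct module stands in for the framework's decode function (an assumption), the helper names are hypothetical, and the sample bytes are constructed from the DTB value 0x39000 shown in the patched output.

```python
import struct
import sys

# Constructed sample: the DTB value 0x39000 from the patched output, laid out
# as it would appear in an image taken from a little-endian x86 machine.
SAMPLE_DTB_BYTES = bytes([0x00, 0x90, 0x03, 0x00])

def decode_u32(buf, offset=0, byte_order="<"):
    """Decode an unsigned 32-bit integer (hypothetical helper).

    byte_order: '<' little endian (the source image), '>' big endian,
    '=' whatever the analysis host happens to use.
    """
    if byte_order not in ("<", ">", "="):
        raise ValueError("byte_order must be '<', '>' or '='")
    if offset < 0 or offset + 4 > len(buf):
        raise ValueError("read past end of buffer")
    return struct.unpack_from(byte_order + "I", buf, offset)[0]

def decode_as_host(buf, host_order):
    """Show what an implicit native-order decode yields on a given host."""
    if host_order not in ("little", "big"):
        raise ValueError("host_order must be 'little' or 'big'")
    return decode_u32(buf, 0, "<" if host_order == "little" else ">")

def report():
    """Return (explicit, little-endian host, big-endian host) decodes."""
    return (
        decode_u32(SAMPLE_DTB_BYTES),               # explicit: same on any host
        decode_as_host(SAMPLE_DTB_BYTES, "little"),  # native decode on x86
        decode_as_host(SAMPLE_DTB_BYTES, "big"),     # native decode on big endian
    )

if __name__ == "__main__":
    explicit, on_le, on_be = report()
    print("analysis host byte order:", sys.byteorder)
    print("explicit '<I' decode    : 0x%x" % explicit)
    print("native decode, LE host  : 0x%x" % on_le)
    print("native decode, BE host  : 0x%x" % on_be)
```

A native-order decode on a big-endian host turns the same four bytes into 0x900300, so signature and pointer checks against the image stop matching; that is consistent with the unpatched run reporting Image Type: UNKNOWN.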