PTFinder Version 0.3.05

I'm excited to release version 0.3.05 of PTFinder to the public. This version fixes an endianness issue and adds support for dumps that were obtained while the target was running with Intel's Physical Address Extension (PAE) enabled. Also, there's now a ready-to-run binary available for the Microsoft Windows platform.

PTFinder didn't execute properly on big-endian machines. This should be fixed now, though I'd appreciate more testing! Thanks to Andy Joyce for bringing this issue to my attention.

PTFinder also didn't support the Physical Address Extension. This was a documented limitation; I couldn't see any need to support it. Richard McQuown and Carsten Maartmann-Moe reported strange issues where PTFinder failed to detect any processes besides System and Idle. Finally I was able to reproduce the issue. It is most likely related to the target system running in PAE mode.

In non-PAE mode the CPU's CR3 register points to a Page Directory (PD). The PD occupies a whole page, hence it is aligned on a page boundary. In PAE mode, however, CR3 points to an array of Page Directory Pointers, and that array is not aligned on a page boundary. Consequently the page-alignment check failed and made PTFinder reject the process candidate.

The new version applies a relaxed check which is tailored to PAE mode and also works for non-PAE images. If this causes any false positives and you're absolutely sure you're not working on a PAE image, the --nopae switch reverts to the old behaviour.
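To illustrate the two checks side by side, here is an added example of my own (not PTFinder's code): the strict page-alignment test beside the relaxed one. The 32-byte alignment of the PAE pointer table is the x86 architectural requirement; the candidate values, their labels and the dump size are constructed.

```python
# Added example, not PTFinder's own code.  Shows why a page-alignment
# check on a candidate DirectoryTableBase (the CR3 value) rejects every
# PAE process, and how a relaxed check covers both kinds of image.
PAGE_SIZE = 4096   # non-PAE: CR3 holds a page-aligned Page Directory
PDPT_ALIGN = 32    # PAE: CR3 holds a 32-byte-aligned table of four
                   # Page Directory Pointers (x86 architectural value)


def cr3_plausible(cr3: int, dump_size: int, nopae: bool = False) -> bool:
    """Return True if cr3 could be a valid DirectoryTableBase.

    nopae=True reproduces the strict (old) check: the value must be
    page-aligned.  The default, relaxed check only demands the PAE
    alignment; every page-aligned value satisfies it as well, so the
    relaxed check also works for non-PAE dumps.
    """
    align = PAGE_SIZE if nopae else PDPT_ALIGN
    if cr3 == 0 or cr3 % align != 0:
        return False
    # The table must lie inside the captured physical memory.
    return cr3 < dump_size


def accepted(candidates: dict, dump_size: int, nopae: bool = False) -> list:
    """Names of the candidates that survive the chosen check, in order."""
    return [name for name, cr3 in candidates.items()
            if cr3_plausible(cr3, dump_size, nopae)]


# Constructed candidates, modelled after the symptom in the post:
# only the page-aligned System value survives the strict check.
DUMP_SIZE = 512 * 1024 * 1024
CANDIDATES = {
    "System (page-aligned PD)": 0x00039000,
    "user process (32-byte-aligned PDPT)": 0x0A3C05E0,
    "garbage (unaligned)": 0x12345678,
    "aligned but beyond the dump": 0x7FFFFFE0,
}

if __name__ == "__main__":
    print("strict (--nopae):", accepted(CANDIDATES, DUMP_SIZE, nopae=True))
    print("relaxed (default):", accepted(CANDIDATES, DUMP_SIZE))
```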

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.