Skip to content

Commit 950ab3e

Browse files
ikelosikelos
committed
Add in additional microarchitectures for vmscan
1 parent 5d2a5f9 commit 950ab3e

File tree

3 files changed

+393
-0
lines changed

3 files changed

+393
-0
lines changed

volatility3/symbols/generic/vmcs/nehalem-architecture.json

Lines changed: 131 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,131 @@
1+
{
2+
"base_types": {
3+
"pointer": {
4+
"endian": "little",
5+
"kind": "int",
6+
"signed": false,
7+
"size": 8
8+
},
9+
"unsigned char": {
10+
"endian": "little",
11+
"kind": "int",
12+
"signed": false,
13+
"size": 1
14+
},
15+
"unsigned long": {
16+
"endian": "little",
17+
"kind": "int",
18+
"signed": false,
19+
"size": 4
20+
},
21+
"unsigned long long": {
22+
"endian": "little",
23+
"kind": "int",
24+
"signed": false,
25+
"size": 8
26+
},
27+
"unsigned short": {
28+
"endian": "little",
29+
"kind": "int",
30+
"signed": false,
31+
"size": 2
32+
}
33+
},
34+
"enums": {},
35+
"metadata": {
36+
"format": "6.1.0",
37+
"producer": {
38+
"datetime": "2021-07-31T17:37:28.302702",
39+
"name": "vmextract-by-hand",
40+
"version": "0.0.1"
41+
}
42+
},
43+
"symbols": {
44+
"revision_id": {
45+
"address": 0,
46+
"constant_data": "MTQ="
47+
}
48+
},
49+
"user_types": {
50+
"_VMCS": {
51+
"fields": {
52+
"ept": {
53+
"offset": 232,
54+
"type": {
55+
"kind": "struct",
56+
"name": "unsigned long long"
57+
}
58+
},
59+
"executive_vmcs_ptr": {
60+
"offset": 208,
61+
"type": {
62+
"kind": "struct",
63+
"name": "unsigned long long"
64+
}
65+
},
66+
"guest_cr3": {
67+
"offset": 736,
68+
"type": {
69+
"kind": "struct",
70+
"name": "unsigned long long"
71+
}
72+
},
73+
"guest_cr4": {
74+
"offset": 744,
75+
"type": {
76+
"kind": "struct",
77+
"name": "unsigned long long"
78+
}
79+
},
80+
"guest_pdpte": {
81+
"offset": 928,
82+
"type": {
83+
"count": 4,
84+
"kind": "array",
85+
"subtype": {
86+
"kind": "struct",
87+
"name": "unsigned long long"
88+
}
89+
}
90+
},
91+
"guest_physical_addr": {
92+
"offset": 240,
93+
"type": {
94+
"kind": "struct",
95+
"name": "unsigned long long"
96+
}
97+
},
98+
"host_cr3": {
99+
"offset": 832,
100+
"type": {
101+
"kind": "struct",
102+
"name": "unsigned long long"
103+
}
104+
},
105+
"host_cr4": {
106+
"offset": 840,
107+
"type": {
108+
"kind": "struct",
109+
"name": "unsigned long long"
110+
}
111+
},
112+
"vmcs_link_ptr": {
113+
"offset": 248,
114+
"type": {
115+
"kind": "struct",
116+
"name": "unsigned long long"
117+
}
118+
},
119+
"vpid": {
120+
"offset": 752,
121+
"type": {
122+
"kind": "struct",
123+
"name": "unsigned short"
124+
}
125+
}
126+
},
127+
"kind": "struct",
128+
"size": 4096
129+
}
130+
}
131+
}

volatility3/symbols/generic/vmcs/sandybridge-architecture.json

Lines changed: 131 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,131 @@
1+
{
2+
"base_types": {
3+
"pointer": {
4+
"endian": "little",
5+
"kind": "int",
6+
"signed": false,
7+
"size": 8
8+
},
9+
"unsigned char": {
10+
"endian": "little",
11+
"kind": "int",
12+
"signed": false,
13+
"size": 1
14+
},
15+
"unsigned long": {
16+
"endian": "little",
17+
"kind": "int",
18+
"signed": false,
19+
"size": 4
20+
},
21+
"unsigned long long": {
22+
"endian": "little",
23+
"kind": "int",
24+
"signed": false,
25+
"size": 8
26+
},
27+
"unsigned short": {
28+
"endian": "little",
29+
"kind": "int",
30+
"signed": false,
31+
"size": 2
32+
}
33+
},
34+
"enums": {},
35+
"metadata": {
36+
"format": "6.1.0",
37+
"producer": {
38+
"datetime": "2021-07-31T17:37:28.311608",
39+
"name": "vmextract-by-hand",
40+
"version": "0.0.1"
41+
}
42+
},
43+
"symbols": {
44+
"revision_id": {
45+
"address": 0,
46+
"constant_data": "MTY="
47+
}
48+
},
49+
"user_types": {
50+
"_VMCS": {
51+
"fields": {
52+
"ept": {
53+
"offset": 232,
54+
"type": {
55+
"kind": "struct",
56+
"name": "unsigned long long"
57+
}
58+
},
59+
"executive_vmcs_ptr": {
60+
"offset": 208,
61+
"type": {
62+
"kind": "struct",
63+
"name": "unsigned long long"
64+
}
65+
},
66+
"guest_cr3": {
67+
"offset": 736,
68+
"type": {
69+
"kind": "struct",
70+
"name": "unsigned long long"
71+
}
72+
},
73+
"guest_cr4": {
74+
"offset": 744,
75+
"type": {
76+
"kind": "struct",
77+
"name": "unsigned long long"
78+
}
79+
},
80+
"guest_pdpte": {
81+
"offset": 928,
82+
"type": {
83+
"count": 4,
84+
"kind": "array",
85+
"subtype": {
86+
"kind": "struct",
87+
"name": "unsigned long long"
88+
}
89+
}
90+
},
91+
"guest_physical_addr": {
92+
"offset": 240,
93+
"type": {
94+
"kind": "struct",
95+
"name": "unsigned long long"
96+
}
97+
},
98+
"host_cr3": {
99+
"offset": 832,
100+
"type": {
101+
"kind": "struct",
102+
"name": "unsigned long long"
103+
}
104+
},
105+
"host_cr4": {
106+
"offset": 840,
107+
"type": {
108+
"kind": "struct",
109+
"name": "unsigned long long"
110+
}
111+
},
112+
"vmcs_link_ptr": {
113+
"offset": 248,
114+
"type": {
115+
"kind": "struct",
116+
"name": "unsigned long long"
117+
}
118+
},
119+
"vpid": {
120+
"offset": 752,
121+
"type": {
122+
"kind": "struct",
123+
"name": "unsigned short"
124+
}
125+
}
126+
},
127+
"kind": "struct",
128+
"size": 4096
129+
}
130+
}
131+
}

volatility3/symbols/generic/vmcs/westmere-architecture.json

Lines changed: 131 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,131 @@
1+
{
2+
"base_types": {
3+
"pointer": {
4+
"endian": "little",
5+
"kind": "int",
6+
"signed": false,
7+
"size": 8
8+
},
9+
"unsigned char": {
10+
"endian": "little",
11+
"kind": "int",
12+
"signed": false,
13+
"size": 1
14+
},
15+
"unsigned long": {
16+
"endian": "little",
17+
"kind": "int",
18+
"signed": false,
19+
"size": 4
20+
},
21+
"unsigned long long": {
22+
"endian": "little",
23+
"kind": "int",
24+
"signed": false,
25+
"size": 8
26+
},
27+
"unsigned short": {
28+
"endian": "little",
29+
"kind": "int",
30+
"signed": false,
31+
"size": 2
32+
}
33+
},
34+
"enums": {},
35+
"metadata": {
36+
"format": "6.1.0",
37+
"producer": {
38+
"datetime": "2021-07-31T17:37:28.314801",
39+
"name": "vmextract-by-hand",
40+
"version": "0.0.1"
41+
}
42+
},
43+
"symbols": {
44+
"revision_id": {
45+
"address": 0,
46+
"constant_data": "MTU="
47+
}
48+
},
49+
"user_types": {
50+
"_VMCS": {
51+
"fields": {
52+
"ept": {
53+
"offset": 320,
54+
"type": {
55+
"kind": "struct",
56+
"name": "unsigned long long"
57+
}
58+
},
59+
"executive_vmcs_ptr": {
60+
"offset": 208,
61+
"type": {
62+
"kind": "struct",
63+
"name": "unsigned long long"
64+
}
65+
},
66+
"guest_cr3": {
67+
"offset": 736,
68+
"type": {
69+
"kind": "struct",
70+
"name": "unsigned long long"
71+
}
72+
},
73+
"guest_cr4": {
74+
"offset": 744,
75+
"type": {
76+
"kind": "struct",
77+
"name": "unsigned long long"
78+
}
79+
},
80+
"guest_pdpte": {
81+
"offset": 928,
82+
"type": {
83+
"count": 4,
84+
"kind": "array",
85+
"subtype": {
86+
"kind": "struct",
87+
"name": "unsigned long long"
88+
}
89+
}
90+
},
91+
"guest_physical_addr": {
92+
"offset": 328,
93+
"type": {
94+
"kind": "struct",
95+
"name": "unsigned long long"
96+
}
97+
},
98+
"host_cr3": {
99+
"offset": 832,
100+
"type": {
101+
"kind": "struct",
102+
"name": "unsigned long long"
103+
}
104+
},
105+
"host_cr4": {
106+
"offset": 840,
107+
"type": {
108+
"kind": "struct",
109+
"name": "unsigned long long"
110+
}
111+
},
112+
"vmcs_link_ptr": {
113+
"offset": 248,
114+
"type": {
115+
"kind": "struct",
116+
"name": "unsigned long long"
117+
}
118+
},
119+
"vpid": {
120+
"offset": 220,
121+
"type": {
122+
"kind": "struct",
123+
"name": "unsigned short"
124+
}
125+
}
126+
},
127+
"kind": "struct",
128+
"size": 4096
129+
}
130+
}
131+
}

0 commit comments

Comments
 (0)