VolReg 0.6, now with BIG_DATA
If you follow Matthieu Suiche's blog (and if you don't, you really should!), you probably saw his post about an undocumented type of registry value -- CM_BIG_DATA. This is a registry optimization introduced by Microsoft with Windows XP that allows for more efficient storage of large amounts of data in the registry.
You can read more about the details of this new way of storing large values in his post, but I wanted to announce the release of a new version of VolReg with experimental support for BIG_DATA values. As always, you can get the latest version of VolReg from my Volatility plugin page. This release also fixes a bug found by AAron Walters where an exception would be raised if the data returned for a value is less than the required amount for that type (e.g., only two bytes being available for a REG_DWORD).
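To make the two registry details above concrete, here is an added example (not VolReg's code, and not from Suiche's post) that walks a value's data the way a hive parser has to: inline data for values of four bytes or less, a normal data cell, and the CM_BIG_DATA path for values over 16344 bytes on XP-era and later hives (signature 'db', a chunk count, and a list cell of chunk cell indices). It also shows the short-data case from the bug fix: a value whose type says REG_DWORD but whose DataLength is only 2. The `ToyHive` class is a hypothetical flat cell store standing in for real hbins, and all sample values are constructed inline; returning the raw bytes when the data is too short for its type is this example's choice of fallback.

```python
import struct

# Windows hive format facts used below: data of <= 4 bytes is stored inline in the
# vk cell's Data field (flagged by the high bit of DataLength); on hives with minor
# version >= 4 (Windows XP onward) data longer than 16344 bytes is split into
# CM_BIG_DATA chunks of at most 16344 bytes each.
CM_KEY_VALUE_SMALL = 4
CM_KEY_VALUE_BIG = 16344            # 0x3FD8
INLINE_FLAG = 0x80000000
REG_SZ, REG_BINARY, REG_DWORD, REG_QWORD = 1, 3, 4, 11


class ToyHive:
    """Hypothetical stand-in for a hive's hbins: a cell index is an offset to a
    signed 32-bit size (negative = allocated) followed by the cell payload.
    A real hive resolves the index relative to the first hbin; omitted here."""

    def __init__(self, minor_version=4):
        self.minor_version = minor_version
        self.buf = bytearray()

    def alloc(self, payload):
        idx = len(self.buf)
        size = 4 + len(payload)
        size += (-size) % 8                       # cells are 8-byte aligned
        self.buf += struct.pack("<i", -size) + payload.ljust(size - 4, b"\x00")
        return idx

    def cell(self, idx):
        size = -struct.unpack_from("<i", self.buf, idx)[0]
        if size <= 0:
            raise ValueError("cell %#x is free" % idx)
        return bytes(self.buf[idx + 4:idx + size])


def write_value(hive, name, reg_type, data):
    """Build a vk cell, picking inline, normal or big-data storage by size."""
    if len(data) <= CM_KEY_VALUE_SMALL:
        data_field = struct.unpack("<I", data.ljust(4, b"\x00"))[0]
        data_length = len(data) | INLINE_FLAG
    elif len(data) > CM_KEY_VALUE_BIG and hive.minor_version >= 4:
        chunks = [hive.alloc(data[i:i + CM_KEY_VALUE_BIG])
                  for i in range(0, len(data), CM_KEY_VALUE_BIG)]
        list_idx = hive.alloc(struct.pack("<%dI" % len(chunks), *chunks))
        # _CM_BIG_DATA: Signature 'db', Count (USHORT), List (cell index)
        data_field = hive.alloc(struct.pack("<2sHI", b"db", len(chunks), list_idx))
        data_length = len(data)
    else:
        data_field = hive.alloc(data)
        data_length = len(data)
    # _CM_KEY_VALUE: Signature 'vk', NameLength, DataLength, Data, Type, Flags, Spare, Name
    vk = struct.pack("<2sHIIIHH", b"vk", len(name), data_length, data_field, reg_type, 1, 0)
    return hive.alloc(vk + name.encode("ascii"))


def raw_data(hive, vk_idx):
    """Return (type, bytes, storage kind), reassembling big-data chunks if present."""
    sig, _nlen, data_length, data_field, reg_type, _fl, _sp = \
        struct.unpack_from("<2sHIIIHH", hive.cell(vk_idx))
    if sig != b"vk":
        raise ValueError("not a vk cell")
    length = data_length & 0x7FFFFFFF
    if data_length & INLINE_FLAG:
        return reg_type, struct.pack("<I", data_field)[:length], "inline"
    if length > CM_KEY_VALUE_BIG and hive.minor_version >= 4:
        bsig, count, list_idx = struct.unpack_from("<2sHI", hive.cell(data_field))
        if bsig != b"db":
            raise ValueError("expected CM_BIG_DATA signature")
        indices = struct.unpack_from("<%dI" % count, hive.cell(list_idx))
        raw = b"".join(hive.cell(i)[:CM_KEY_VALUE_BIG] for i in indices)
        return reg_type, raw[:length], "big"
    return reg_type, hive.cell(data_field)[:length], "normal"


def decode(reg_type, raw):
    """Typed view of the data.  If the bytes are shorter than the declared type
    needs (e.g. two bytes for a REG_DWORD) return them raw rather than raising."""
    if reg_type == REG_DWORD and len(raw) >= 4:
        return struct.unpack_from("<I", raw)[0]
    if reg_type == REG_QWORD and len(raw) >= 8:
        return struct.unpack_from("<Q", raw)[0]
    if reg_type == REG_SZ:
        return raw.decode("utf-16-le", "replace").split("\x00", 1)[0]
    return raw


def demo():
    """Constructed sample values covering inline, normal, big-data and short data."""
    hive = ToyHive(minor_version=4)
    big = bytes(range(256)) * 157                  # 40192 bytes -> three chunks
    ids = {
        "big": write_value(hive, "Blob", REG_BINARY, big),
        "dword": write_value(hive, "Count", REG_DWORD, struct.pack("<I", 0xCAFEBABE)),
        "short": write_value(hive, "Broken", REG_DWORD, b"\x01\x02"),
        "sz": write_value(hive, "Name", REG_SZ, "hello".encode("utf-16-le") + b"\x00\x00"),
    }
    out = {}
    for name, idx in ids.items():
        reg_type, raw, kind = raw_data(hive, idx)
        out[name] = (kind, decode(reg_type, raw))
    return out


if __name__ == "__main__":
    for name, (kind, val) in demo().items():
        shown = "%d bytes" % len(val) if isinstance(val, bytes) and len(val) > 16 else val
        print("%-6s %-7s %r" % (name, kind, shown))
```

The "short" entry is the shape of the bug described above: a vk cell whose Type is REG_DWORD but whose DataLength is 2, so a decoder that unconditionally unpacks four bytes raises, while this one hands back the two bytes it actually has.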
I also updated Volshell, fixing a regression found by J. Hewlett that broke the ability to use the "dt" command to examine a data structure without overlaying it on memory. I also added the ability to pass the "db" and "dd" commands an address space, so that you can now get a hexdump or dword-dump of things like physical memory and registry hive spaces. The syntax for this is "dd(address, space=[addr_space])". More details are available in the online help, which you can read by doing "hh(dd)" or "hh(db)".