memoryforensics1 · memoryforensics1 · Sep 29, 2020
diff --git a/volatility/framework/symbols/windows/extensions/__init__.py b/volatility/framework/symbols/windows/extensions/__init__.py
@@ -676,7 +676,10 @@ def environment_variables(self):
 
         try:
             block = self.get_peb().ProcessParameters.Environment
-            block_size = self.get_peb().ProcessParameters.EnvironmentSize
+            try:
+                block_size = self.get_peb().ProcessParameters.EnvironmentSize
+            except AttributeError: # Windows XP
+                block_size = self.get_peb().ProcessParameters.Length
             envars = context.layers[process_space].read(block, block_size).decode("utf-16-le", errors='replace').split('\x00')[:-1]
         except exceptions.InvalidAddressException:
             return renderers.UnreadableValue()
@@ -790,12 +793,29 @@ def get_sids(self) -> Iterable[str]:
 
 
     def privileges(self):
-        "Return a list of privileges for the current token object."
-        for priv_index in range(64):
-            yield (priv_index,
-                   bool(self.Privileges.Present & (2**priv_index)),
-                   bool(self.Privileges.Enabled & (2**priv_index)),
-                   bool(self.Privileges.EnabledByDefault & (2**priv_index)))
+        """Return a list of privileges for the current token object."""
+
+        try:
+            for priv_index in range(64):
+                yield (priv_index,
+                       bool(self.Privileges.Present & (2**priv_index)),
+                       bool(self.Privileges.Enabled & (2**priv_index)),
+                       bool(self.Privileges.EnabledByDefault & (2**priv_index)))
+        except AttributeError: # Windows XP
+            layer_name = self.vol.layer_name
+            kvo = self._context.layers[layer_name].config["kernel_virtual_offset"]        
+            symbol_table = self.get_symbol_table_name()
+            ntkrnlmp = self._context.module(symbol_table,
+                                            layer_name = layer_name,
+                                            offset = kvo)
+            if self.PrivilegeCount < 1024:
+                # This is a pointer to an array of _LUID_AND_ATTRIBUTES
+                for luid in self.Privileges.dereference().cast("array", count=self.PrivilegeCount,
+                                                               subtype=ntkrnlmp.get_type("_LUID_AND_ATTRIBUTES")):
+                    # The Attributes member is a flag 
+                    enabled = luid.Attributes & 2 != 0
+                    default = luid.Attributes & 1 != 0
+                    yield luid.Luid.LowPart, True, enabled, default
 
 
 class KTHREAD(objects.StructType):