SvcScan doesn't accurately distinguish between operating systems #139
Comments
sorry for the weird font & bolding - that was unintentional
No problem on the formatting. ;) Can you please test whether other plugins return valid/appropriate results (such as Once we've got a bit more information we should be able to start narrowing in on what might be causing the issue... :)
Ok. Please see attached.
Thanks, I've managed to recreate this with a similar Windows version. It seems that the checks we had for "WinX_or_later" were in the wrong order, and the earliest Windows was tested first. This should be resolved in commit
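An added illustration of the ordering bug the comment above describes; this is example code written for this page, not code from Volatility or from the referenced commit. A chain of "build X or later" checks evaluated earliest-first always matches the oldest gate, because every newer build also satisfies it, so a newer OS is classified as the older one. The build numbers 15063, 16299 and 17134 come from this issue; the gate names, the `Gate` type and all helper functions are constructed for the example.

```python
"""Why the order of "X_or_later" version gates matters (constructed example).

Build numbers 15063, 16299 and 17134 are taken from the issue; everything
else (gate names, Gate type, helpers) is made up for illustration and is
not Volatility's code."""

from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Gate:
    name: str       # constructed label for what this gate would select
    min_build: int  # "or later": the gate matches any build >= min_build


# Constructed gate list written earliest-first, i.e. the buggy ordering.
EARLIEST_FIRST: List[Gate] = [
    Gate("win10_15063_or_later", 15063),
    Gate("win10_16299_or_later", 16299),
]


def select_gate(build: int, gates: Iterable[Gate]) -> Optional[str]:
    """Return the name of the first gate the build satisfies (first match
    wins), mirroring an if/elif chain of "X_or_later" checks."""
    for gate in gates:
        if build >= gate.min_build:
            return gate.name
    return None


def newest_first(gates: Iterable[Gate]) -> List[Gate]:
    """The fix: evaluate the highest threshold first, so a build is
    classified by the most specific gate it satisfies."""
    return sorted(gates, key=lambda g: g.min_build, reverse=True)


def is_well_ordered(gates: List[Gate]) -> bool:
    """Regression check: an 'or_later' chain is only correct if thresholds
    strictly decrease; a later gate with a higher threshold is unreachable."""
    thresholds = [g.min_build for g in gates]
    return all(a > b for a, b in zip(thresholds, thresholds[1:]))


def unreachable_gates(gates: List[Gate]) -> List[str]:
    """Names of gates that can never be selected in the given order: a gate
    is shadowed when some earlier gate has an equal or lower threshold."""
    shadowed: List[str] = []
    lowest_so_far: Optional[int] = None
    for gate in gates:
        if lowest_so_far is not None and lowest_so_far <= gate.min_build:
            shadowed.append(gate.name)
        if lowest_so_far is None or gate.min_build < lowest_so_far:
            lowest_so_far = gate.min_build
    return shadowed


if __name__ == "__main__":
    # Build 17134 (the reporter's sample) under both orderings.
    print("buggy :", select_gate(17134, EARLIEST_FIRST))
    print("fixed :", select_gate(17134, newest_first(EARLIEST_FIRST)))
    print("shadowed in buggy order:", unreachable_gates(EARLIEST_FIRST))
```

`unreachable_gates` is the check worth keeping around: run it over any hand-written chain of threshold checks and it reports the branches that can never fire, which is exactly the symptom here (the 16299-and-later handling was dead code while the 15063 gate sat in front of it).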
@iMHLv2 You might want to look into this further, if people are using symbols without metadata versioning, the fallback checks for
I installed the 249c3ec commit and it now works - see attached text file for output.
Awesome, thanks for letting us know that fixed it. We'll leave the ticket open so @iMHLv2 can have a review of it and figure out if the solution is a permanent fix or needs more work... :)
…n windows 10 <= 15063 versus >= 16299
Ok, cool, looks like we can close this. Thanks everyone! :)
volatility version = Volatility 3 Framework 1.0.0-beta.1
OS used to run Volatility = Linux kali 5.3.0-kali1-amd64 #1 SMP Debian 5.3.7-kali2 (2019-11-04) x86_64 GNU/Linux
Python version = Python 3.7.5
OS of target memory sample = Win10x64_17134
Command line = python3 vol.py -f /mnt/Labs/GBAKER-10L/data.lime windows.svcscan.SvcScan
Did not receive any output yet there are services that were running when memory image was acquired.
Output received:
Volatility 3 Framework 1.0.0-beta.1
Progress: 0.00 Scanning primary2 using PdbSignatureScanner
Offset Order Pid Start State Type Name Display Binary