SvcScan doesn't accurately distinguish between operating systems #139
Comments
|
sorry for the weird font & bolding - that was unintentional |
|
No problem on the formatting. 5;) Can you please test whether other plugins return valid/appropriate results (such as Once we've got a bit more information we should be able to start narrowing in on what might be causing the issue... 5:) |
|
Ok. Please see attached. . |
|
Thanks, I've managed to recreate this with a similar windows version. It seems that the checks we had for "WinX_or_later" were in the wrong order, and the earliest windows was tested first. This should be resolved in commit |
|
@iMHLv2 You might want to look into this further, if people are using symbols without metadata versioning, the fallback checks for |
ikelos
changed the title
|
I installed the 249c3ec commit and it now works - see attached text file for output. |
|
Awesome, thanks for letting us know that fixed it. We'll leave the ticket open so @iMHLv2 can have a review of it and figure out if the solution is a permanent fix or needs more work... 5:) |
…n windows 10 <= 15063 versus >= 16299
…n windows 10 <= 15063 versus >= 16299
|
Ok, cool, looks like we can close this. Thanks everyone! 5:) |
volatility version = Volatility 3 Framework 1.0.0-beta.1
OS used to run Volatility = Linux kali 5.3.0-kali1-amd64 #1 SMP Debian 5.3.7-kali2 (2019-11-04) x86_64 GNU/Linux
Python version = Python 3.7.5
OS of target memory sample = Win10x64_17134
Command line = python3 vol.py -f /mnt/Labs/GBAKER-10L/data.lime windows.svcscan.SvcScan
Did not receive any output yet there are services that were running when memory image was acquired.
Output received:
Volatility 3 Framework 1.0.0-beta.1
Progress: 0.00 Scanning primary2 using PdbSignatureScanner
Offset Order Pid Start State Type Name Display Binary
The text was updated successfully, but these errors were encountered: