Comments (2)
The patch is below and you can see that we are utilizing the given_root
option so we can directly use the registry key objects instead of having to traverse for them again:
diff --git a/volatility/plugins/malware/svcscan.py b/volatility/plugins/malware/svcscan.py
index 1373758..2ec90ab 100644
--- a/volatility/plugins/malware/svcscan.py
+++ b/volatility/plugins/malware/svcscan.py
@@ -415,6 +415,15 @@ class SvcScan(common.AbstractWindowsCommand):
if self._config.VERBOSE:
regapi = registryapi.RegistryApi(self._config)
ccs = regapi.reg_get_currentcontrolset()
+ key_name = "{0}\\services".format(ccs)
+ dlls = {}
+ for subkey in regapi.reg_get_all_subkeys(hive_name = "system", key = key_name):
+ for rootkey in regapi.reg_get_all_subkeys(hive_name = "system", key = "", given_root = subkey):
+ if rootkey.Name == "Parameters":
+ service_dll = regapi.reg_get_value(hive_name = "system", key = "", value = "ServiceDll", given_root = rootkey)
+ if service_dll != None:
+ dll = "{0}".format(service_dll)
+ dlls[utils.remove_unprintable(str(subkey.Name))] = service_dll
for rec in data:
# This can't possibly look neat in a table with columns...
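Review bot: `dll = "{0}".format(service_dll)` is assigned but never used; the next line stores the raw `service_dll` object in `dlls` instead. Either drop the `dll` line or store `dll`, so the cached value is the plain string the later `outfd.write("ServiceDll: {0}\n".format(val))` expects. Two smaller points in the same block: `if service_dll != None` should be `is not None`, matching the existing `if val is not None` check below, and the inner `rootkey` loop can `break` once the `Parameters` subkey is found, since otherwise it keeps iterating the remaining subkeys of every service.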
@@ -428,10 +437,7 @@ class SvcScan(common.AbstractWindowsCommand):
outfd.write("Binary Path: {0}\n".format(rec.Binary))
if self._config.VERBOSE:
- val = regapi.reg_get_value(
- hive_name = "system",
- key = "{0}\\services\\{1}\\Parameters".format(ccs, rec.ServiceName.dereference()),
- value = "ServiceDll")
+ val = dlls.get("{0}".format(rec.ServiceName.dereference()), None)
if val is not None:
outfd.write("ServiceDll: {0}\n".format(val))
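Review bot: the lookup key does not match how the cache was populated. Entries are stored under `utils.remove_unprintable(str(subkey.Name))`, but looked up with `"{0}".format(rec.ServiceName.dereference())`, so a service whose name contains unprintable characters will miss the cache and silently print no `ServiceDll` line, where the old per-service `reg_get_value` call would have been given the unmodified name. Apply the same normalization on both sides. Related: registry key names are case-insensitive while a dict lookup is exact, so if `reg_get_value` matched keys case-insensitively, the new cache can diverge from the old behaviour for services whose record name and key name differ in case; lowercasing the key on both insert and lookup would remove that difference.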
from volatility.
sounds good to me