Abyss-W4tcher
I just tested with the one acquired here: http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/8199e3319bc8404581e451b565d048b81/ntkrnlmp.pdb, and it gave me the `8199e3319bc8404581e451b565d048b8-1.json.xz` file. Edit: `python3 volatility3/framework/symbols/windows/pdbconv.py -f ntkrnlmp.pdb -g 8199e3319bc8404581e451b565d048b81`. I am not familiar with...
Ok, I see, I thought it wasn't generating anything, and crashing when reading the TPI layer. I'll investigate rn, but I'm not familiar with this plugin, maybe you'll have to...
I read the TPI layer content (located after the header with a size of 56) : ```diff diff --git a/volatility3/framework/symbols/windows/pdbconv.py b/volatility3/framework/symbols/windows/pdbconv.py index 82ec31cc..e04fd536 100644 --- a/volatility3/framework/symbols/windows/pdbconv.py +++ b/volatility3/framework/symbols/windows/pdbconv.py @@ -274,6...
I don't possess any sample infected by this technique, or by malware performing an RWX allocation, shellcode injection and then changing protection back to RX. Sure, it'd be great to...
Hi @atcuno, any news on the testing of this feature?
Hi, could you provide us with a run of the `banners` plugin, and a run of `linux.pslist` with the `-vvvvvvvv` debug option please?
Could you please format your snippets with code blocks, as it increases readability? Quickly looking at the banner, it seems you are using a `6.5.0-1022.22`, whereas the memory sample...
Alright, a small sentence explaining why "close enough" banners don't work should prevent confusion. A plugin would allow this feature to be clearly identified, which also makes me think that adding...
This issue might be related to LiME, I've seen it before, though I can't explain why exactly. https://github.com/microsoft/avml was proven to sometimes resolve the issue, so you should give it...
> @Abyss-W4tcher So both issues are due to the LiME collector? Should I try a different collector? Just for context, I am using the Velociraptor offline collector for memory acquisition (which...