iMHLv2

Results 22 comments of iMHLv2
By the way, I started looking at this before the call. The older Windows 10 PDBs have `_MI_VISIBLE_STATE` but without the required `SystemVaRegions` member. There do not appear to be...

@digitalisx I apologize for the delay and thanks for your patience. @ikelos I'm less familiar with the code base changes (`VERSION_PATCH` from 0 to 1 and `_required_framework_version` from 2.0.0 to...

Hi @KDPryor - could you run `-vvvv windows.vadinfo --pid 6988` and paste the full output? This is likely to ultimately result in a similar error, but unlike dumpfiles, it will...

Hi @KDPryor - sorry for the delay. Those are interesting results, because vadinfo didn't have an issue parsing the VADs for pid 6988, but dumpfiles does (and dumpfiles just internally...

@KevinK24 Most acquisition tools that output proprietary formats can either optionally be asked to output raw instead, or they support converting from their custom format to raw after the capture....

Is this the rule in question? ``` rule Smokeloader_2020_32 { strings: $a_01 = { 6A 04 [1-3] C7 [6-10] ?? ?? E8 [4] 6A } $a_02 = { 8B ??...

The equivalent is `memmap --dump`

@paulkermann Thanks for the bug report. I pushed a branch with a proposed fix. Historically, even back to vol2, the `get_end()` function has returned the last accessible byte in the...

> Hello @iMHLv2, Thank you for your good work! It seems that it is not pushed to the development branch and exists only in issue branch. Could you tell me...

You can try this: https://thunderco.re/project/forensics/2016/05/14/volatility-profile-finder/ Or store a volatilityrc file in the directory relative to your sample, with the correct profile embedded.