ikelos

Results 566 comments of ikelos

Thanks, I'd just like @iMHLv2 to check it out again before we merge it...

I'm not sure this is really a bug. Volatility is informing you that it can't read the LSA key (which it finds from the registry in the memory, so you...

If you've got a full capture of the memory, then permissions shouldn't be enforced (I don't know of any function in Windows that can explicitly filter certain chunks of physical...

For the `printkey` command, you'll likely want to supply the registry hive (in this case, the security one so `-o 0xe10c7e9bc000`) and that will list the top level, then you...

> So it means the memory capture didn't include that? If so, I really need to do a re-acquisition of the memory dump?

Yep, I'm afraid it does mean those...

It's also possible that the plugin that was contributed only supports recovering the LSA secrets up to a particular version of Windows and that Microsoft changed how it works for...

Hi @chris200712, I'm afraid you haven't really described the issue. At the moment it just looks as though the memory image you've tried to run the plugin on isn't consistent, which...

Hmmmm, good question. Apart from adding some plugins that work on it, you'll need to tinker with the automagic code a bit. The automagic should automatically choose itself based on...

There was another student that did some work on this but unfortunately never got far enough to commit it. I've added @npetroni since I believe he was more aware of...

Correct, the stacker is purely to stack a layer and I don't believe any symbol tables that may be used are copied across. If a particular layer requires a symbol...