
Why not use NtBuildNumber?

Open VelocityRa opened this issue 5 years ago • 0 comments

NtBuildNumber, located in KUSER_SHARED_DATA for Windows 10, contains the build number.

I don't see Volatility using this anywhere. Instead it scans the memory to find KDBG for it, which seems a lot slower and more error-prone. KUSER_SHARED_DATA is trivial to find; it's at a static offset.

Anything I'm missing?

VelocityRa, May 21 '20 18:05
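
To make the field the issue refers to concrete, here is an added example (not from the issue and not Volatility code) that reads NtBuildNumber from the bytes of a KUSER_SHARED_DATA page and cross-checks it against neighbouring version fields before trusting it. The offsets are the publicly documented Windows 10 x64 layout and are an assumption of this sketch, as are the function names and the plausibility bounds; it also assumes the caller already holds the page bytes.

```python
import struct

# KUSER_SHARED_DATA field offsets (assumed: public Windows 10 x64 layout).
OFF_NT_BUILD_NUMBER = 0x260     # ULONG, present from Windows 10 on
OFF_NT_PRODUCT_TYPE = 0x264     # ULONG: 1=WinNt, 2=LanManNt, 3=Server
OFF_PRODUCT_TYPE_VALID = 0x268  # BOOLEAN
OFF_NT_MAJOR_VERSION = 0x26C    # ULONG
OFF_NT_MINOR_VERSION = 0x270    # ULONG
MIN_PAGE_BYTES = OFF_NT_MINOR_VERSION + 4


def parse_kuser_build(page: bytes):
    """Return (major, minor, build) or None if the bytes do not look like
    a Windows 10+ KUSER_SHARED_DATA page."""
    if len(page) < MIN_PAGE_BYTES:
        return None  # truncated read: never index past the buffer
    build, product_type = struct.unpack_from("<II", page, OFF_NT_BUILD_NUMBER)
    type_valid = page[OFF_PRODUCT_TYPE_VALID]
    major, minor = struct.unpack_from("<II", page, OFF_NT_MAJOR_VERSION)

    # A bare ULONG proves nothing on its own, so require the surrounding
    # fields to agree before reporting a build number.
    if (major, minor) != (10, 0):
        return None  # older layouts have no NtBuildNumber at this offset
    if type_valid != 1 or product_type not in (1, 2, 3):
        return None
    if not 10240 <= build <= 0xFFFF:  # heuristic bounds (hypothetical)
        return None
    return major, minor, build


def make_sample_page(build=19041, major=10, minor=0, product_type=1, valid=1):
    """Constructed 4 KiB sample page; not taken from a real memory image."""
    page = bytearray(0x1000)
    struct.pack_into("<II", page, OFF_NT_BUILD_NUMBER, build, product_type)
    page[OFF_PRODUCT_TYPE_VALID] = valid
    struct.pack_into("<II", page, OFF_NT_MAJOR_VERSION, major, minor)
    return bytes(page)


if __name__ == "__main__":
    print(parse_kuser_build(make_sample_page()))
    print(parse_kuser_build(bytes(0x1000)))  # zeroed page is rejected
```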