
Add fix for missing cookie value when using a Windows 10 profile

Open oold opened this issue 4 years ago • 2 comments

Use YARA and the DiscontigYaraScanner from malfind to find the address of nt!ObGetObjectType. Also put in a safeguard against TypeError when the nt!ObHeaderCookie value can't be obtained.

Fixes #436.

oold, Jun 30 '20 18:06

Hello,

Which versions of Windows 10 did you test this signature with?

Thanks

atcuno, Jul 08 '20 16:07

The 64-bit signature was taken from issue #436 (build 14393) and validated to work on build 17763; the 32-bit signature was extracted from build 19041 and, due to missing profiles, not validated. I couldn't get my hands on an earlier build, so someone else needs to validate that.

oold, Jul 08 '20 16:07