volatility3 icon indicating copy to clipboard operation
volatility3 copied to clipboard
verified publisher icon volatilityfoundation

Windows: update psscan to fix issue #591

Open eve-mem opened this issue 8 months ago • 5 comments

Hello :wave:

This is a continuation of PR https://github.com/volatilityfoundation/volatility3/pull/1215 but I completely messed up that branch with a rebase that went very wrong, and my git-fu isn't strong enough to fix it.

This fixes an issue where if you attempt to use the --physical option on some windows samples psscan will crash. This PR fixes those issues and includes the changes suggested by @ikelos in the previous PR.

:fox_face:

eve-mem avatar Apr 25 '25 13:04 eve-mem

I'll get that test fixed!

eve-mem avatar Apr 25 '25 14:04 eve-mem

@ikelos that's a really good point. I've just been focused on getting rid of the back trace for @garanews rather than looking at the plugin as a whole.

The windows psscan is very different to the linux one. Linux will always scan the 'memory layer' and produce results from that, e.g. always physical addresses and it doesn't scan an intel layer.

What are peoples thoughts on changing the windows one to be closer to the linux counterpart? It's a bigger change to how psscan works but to my knowledge there aren't any public plugins that rely on psscan. It would make the logic a lot simpler.

eve-mem avatar Apr 28 '25 06:04 eve-mem

I think as long as we don't lose functionality (ie, it can still give you virtual addresses, if that's what you expect) then it should be fine?

ikelos avatar Apr 28 '25 08:04 ikelos

What is the latest on this @eve-mem ?

atcuno avatar May 16 '25 14:05 atcuno

No progress on this from me - thank you for the nudge.

eve-mem avatar May 16 '25 16:05 eve-mem