Windows: SvcScan Binary Info #1069
Conversation
There was a problem hiding this comment.
Thanks, this looks pretty good. Since the get_record_tuple was officially part of the plugin's API there's a little bit of house keeping to ensure backwards compatibility, but the rest of it looks good. I'd appreciate @iMHLv2 having a look, but if he's busy and doesn't get to it in a week or so, gimme a reminder and I'll merge it in once the housekeeping's been done. 5:)
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Thanks for the feedback! I think I have resolved all of the issues that you pointed out. I also retested across many samples to ensure that these fixes didn't cause any breaking changes. |
|
Please can you make sure the changes have been formatted using black, and then I'm happy to get this merged (the failed check will contain a diff if you don't want to install black yourself for some reason)... |
Parses the binary or dll associated with each service from the Windows SYSTEM hive and includes it in the output for each service.
There were some changes made to the service structures between certain versions of Windows that caused the PID/binary path to fail to parse across quite a few samples. This adds the appropriate version detection logic and updated symbol files to ensure that services are parsed correctly across Windows versions.
dgmcdona
force-pushed
the
dgmcdona/windows_svcscan
branch
2 times, most recently
from
cba2d41 to
4192e8a
Compare
|
Ok, I rebased onto the latest |
|
Looks good, all merged, thanks! |
In the original volatility framework, the svcscan plugin, in addition to gathering information about running services from the services process, also retrieved the ImagePath and ServiceDll attributes from the Windows registry: https://github.com/volatilityfoundation/volatility/blob/a438e768194a9e05eb4d9ee9338b881c0fa25937/volatility/plugins/malware/svcscan.py#L642.
This PR adds support for that in volatility3. Additionally, during testing, it became clear that the volatility3 svcscan plugin was not working correctly across all versions of Windows. Specifically,
PIDandBinaryvalues were not parsing correctly in some instances, instead producing empty values. This was due to changes in the_SERVICE_RECORDstructure between Windows versions, leading to incorrect offsets for theProcessIdandBinaryPathmembers. This PR also adds updated symbol files for the broken versions of Windows, as well as newOsDistinguisherinstances for correctly detecting those Windows versions where the changes took place. I have tested these new OS versions and symbol files across all relevant versions of Windows to confirm their correctness.