volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

_CM_KEY_BODY.get_full_key_name() change #39

Closed superponible closed 6 years ago

superponible commented 6 years ago

Win10 14393 changed the path structure of the registry. The current method of walking the ParentKCB members ends up duplicating the hive name (i.e., "SYSTEM", "SOFTWARE", etc. show up twice). One of the entries has a KEY_HIVE_ENTRY flag set, and this one is skipped.

This mirrors the change at https://github.com/volatilityfoundation/volatility/commit/c374159750cfbef445889cfbfae61dbb93cdba3f
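To make the duplication concrete, here is an added Python model (not Volatility code) that walks a constructed ParentKcb chain the way the issue describes and skips the node carrying KEY_HIVE_ENTRY; the flag value 0x4 (taken from the public ntoskrnl key-flag definitions) and the position of the flagged node within the chain are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed flag value: KEY_HIVE_ENTRY = 0x4 in the Windows configuration-manager
# key flags (KEY_VOLATILE 0x1, KEY_HIVE_EXIT 0x2, KEY_HIVE_ENTRY 0x4, ...).
KEY_HIVE_ENTRY = 0x0004


@dataclass
class Kcb:
    """Minimal stand-in for a _CM_KEY_CONTROL_BLOCK: name, flags, ParentKcb link."""
    name: str
    flags: int = 0
    parent: Optional["Kcb"] = None


def walk_kcb_chain(kcb: Kcb) -> List[Kcb]:
    """Follow ParentKcb links from the leaf key up to the root (leaf first)."""
    chain = []
    while kcb is not None:
        chain.append(kcb)
        kcb = kcb.parent
    return chain


def full_key_name_naive(kcb: Kcb) -> str:
    """Pre-fix behaviour: every KCB on the chain contributes its name."""
    return "\\".join(k.name for k in reversed(walk_kcb_chain(kcb)))


def full_key_name_fixed(kcb: Kcb) -> str:
    """Fixed behaviour: the KCB flagged KEY_HIVE_ENTRY is the hive link node and is skipped."""
    parts = [k.name for k in reversed(walk_kcb_chain(kcb)) if not k.flags & KEY_HIVE_ENTRY]
    return "\\".join(parts)


def build_win10_14393_chain() -> Kcb:
    """Constructed chain modelling the 14393 layout from the issue: the hive name
    "SYSTEM" appears twice, one copy being a link node that carries KEY_HIVE_ENTRY
    (which of the two copies is flagged is an assumption of this model)."""
    machine = Kcb("MACHINE")
    hive_link = Kcb("SYSTEM", flags=KEY_HIVE_ENTRY, parent=machine)
    hive_root = Kcb("SYSTEM", parent=hive_link)
    control_set = Kcb("ControlSet001", parent=hive_root)
    return Kcb("Services", parent=control_set)
```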

superponible commented 6 years ago

See https://github.com/volatilityfoundation/volatility3/commit/009ecede5c672e3e835ffd60e4ac4faa67323f7c

ikelos commented 6 years ago

Cool, did you want to turn it into a pull request?

ikelos commented 6 years ago

Ok, should be all merged.