volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Windows Registry Print Key plugin not fully functional #595

Closed MATTANDERS0N closed 2 years ago

MATTANDERS0N commented 2 years ago

Describe the bug: The Print Key plugin does not pull back the registry value data like it does with Volatility 2. It was only able to find and display the name of the registry key.

Context:
Volatility Version: 3
Operating System: Linux remnux 5.4.0-89-generic #100-Ubuntu
Python Version: 3.8.10
Suspected Operating System: Win7SP1x86_23418
Command: vol3 -f mem.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

To reproduce: Get a memory dump of a Windows system with a User Run Key and run the command to examine the key. It shows the registry key but not the value data inside the key.

Expected behavior: It should pull back the value data inside the key. This works as expected in version 2 using the profile stated above.


ikelos commented 2 years ago

Thanks for the report, could you please attach example output from both volatility 2 and volatility 3 indicating the issue, so we have something to compare?

superponible commented 2 years ago

@MATTANDERS0N Just wanted to update this issue and see if you are able to post some output from volatility 2 and volatility 3 to compare and show where vol2 can find data that vol3 doesn't. Might also be helpful to include verbose output (-vvvvvv) for vol3.

Also, do other vol3 plugins work on the sample (windows.pslist, windows.modules, etc)?

MATTANDERS0N commented 2 years ago

I don't know if I still have the same sample to test with. I only found an issue with the one plug-in. Others seemed to work okay. I will see if I can find anything to show.


ikelos commented 2 years ago

This issue has been open over 6 months without further information provided, as such the issue has been closed. If you believe it's still a problem, please feel free to reopen the issue.