So by default you don't have to issue an offset anymore:
$ python vol.py -f ds_fuzz_hidden_proc.img printkey -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: ComputerName (S)
Last updated: 2008-10-21 17:48:29
Subkeys:
Values:
REG_SZ ComputerName : (S) GINEVRA
And keys from multiple hives will also appear with a separator:
$ python vol.py -f ds_fuzz_hidden_proc.img printkey -K 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-11-26 07:38:23
Subkeys:
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: Winlogon (S)
Last updated: 2008-11-26 07:39:40
Subkeys:
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-11-26 07:38:53
Subkeys:
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\moyix\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-09-19 20:29:52
Subkeys:
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
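The multi-hive output above has a regular shape: a separator line, then `Registry:`, `Key name:`, `Last updated:`, `Subkeys:` and `Values:` blocks, repeated once per hive that contains the key. The following Python is an added example, not part of the original post or of Volatility itself: it parses that printkey format and reports where the same value carries different data in different hives, which is the question an analyst usually has when a key such as Winlogon shows up in both the machine-wide `default` hive and individual NTUSER.DAT hives. The sample input is the printkey output reproduced from the post; the function names and the `KeyRecord` type are this example's own.

```python
import re
from dataclasses import dataclass, field

SEPARATOR = "----------------------------"

# Sample input: the multi-hive printkey output shown in the post, embedded verbatim.
SAMPLE_OUTPUT = r"""Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-11-26 07:38:23
Subkeys:
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: Winlogon (S)
Last updated: 2008-11-26 07:39:40
Subkeys:
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-11-26 07:38:53
Subkeys:
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\moyix\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-09-19 20:29:52
Subkeys:
Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
"""

# "REG_SZ ParseAutoexec : (S) 1"  ->  type, name, stable/volatile flag, data
VALUE_RE = re.compile(r"^(REG_\w+)\s+(\S+)\s+:\s+\((S|V)\)\s*(.*)$")
# "Key name: Winlogon (S)"        ->  name, stable/volatile flag
KEY_RE = re.compile(r"^Key name:\s+(.*?)\s+\((S|V)\)$")


@dataclass
class KeyRecord:
    """One printkey section, i.e. the requested key as found in one hive (example type)."""
    hive: str
    key_name: str = ""
    volatility: str = ""          # "S" (stable) or "V" (volatile), per the printkey legend
    last_updated: str = ""
    subkeys: list = field(default_factory=list)
    values: dict = field(default_factory=dict)   # name -> (reg_type, flag, data)


def parse_printkey(text):
    """Split printkey output on the separator and parse each hive section into a KeyRecord."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == SEPARATOR:
            if current is not None:
                records.append(current)
            current, section = None, None
            continue
        if current is None:
            # Banner and legend lines are skipped; a section begins at "Registry:".
            if line.startswith("Registry:"):
                current = KeyRecord(hive=line.split(":", 1)[1].strip())
            continue
        m = KEY_RE.match(line)
        if m:
            current.key_name, current.volatility = m.groups()
            continue
        if line.startswith("Last updated:"):
            current.last_updated = line.split(":", 1)[1].strip()
            continue
        if line == "Subkeys:":
            section = "subkeys"
            continue
        if line == "Values:":
            section = "values"
            continue
        if section == "subkeys":
            current.subkeys.append(line)
        elif section == "values":
            m = VALUE_RE.match(line)
            if m:
                reg_type, name, flag, data = m.groups()
                current.values[name] = (reg_type, flag, data)
    if current is not None:
        records.append(current)
    return records


def value_by_hive(records, name):
    """Return {hive: data} for one value name across every hive that carries it."""
    return {r.hive: r.values[name][2] for r in records if name in r.values}


def differing_values(records):
    """Return {value_name: {hive: data}} for values whose data is not identical in all hives."""
    by_name = {}
    for r in records:
        for name, (_, _, data) in r.values.items():
            by_name.setdefault(name, {})[r.hive] = data
    return {n: h for n, h in by_name.items() if len(set(h.values())) > 1}


if __name__ == "__main__":
    recs = parse_printkey(SAMPLE_OUTPUT)
    for r in recs:
        print(f"{r.last_updated}  {r.key_name} ({r.volatility})  {r.hive}")
    print("values that differ between hives:", differing_values(recs) or "none")
```

Run against real output by piping `vol.py ... printkey -K '...'` into the script instead of using the embedded constant. For the sample all four hives agree, so `differing_values` returns an empty dict; a per-user hive whose `Winlogon` values diverge from the machine-wide `default` hive would be listed with the data each hive holds, and the `Last updated` timestamps give the order in which those hives were last written.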