Update fix for 32-bit Windows

Author: Oliver Old

volatility/plugins/overlays/windows/win10.py

@@ -223,12 +223,14 @@ def findcookie(self, kernel_space):
 
         addr = nt_mod.getprocaddress("ObGetObjectType")
         if addr == None:
-            if not has_yara or model == "32bit":
+            if not has_yara:
                 debug.warning("Cannot find nt!ObGetObjectType")
                 return False
             # Did not find nt!ObGetObjectType, trying with YARA instead.
-            # TODO: Need signature for 32-bit.
-            s = "48 8D 41 D0 0F B6 49 E8"
+            if model == "32bit":
+                s = "8B FF 55 8B EC 8B 4D 08"
+            else:
+                s = "48 8D 41 D0 0F B6 49 E8"
             rules = yara.compile(sources = {
                 'n': 'rule r1 {strings: $a = {' + s + '} condition: $a}'
             })