2020from volatility3 .framework .symbols import intermed
2121from volatility3 .framework .symbols .windows import versions
2222from volatility3 .framework .symbols .windows .extensions import services as services_types
23- from volatility3 .plugins .windows import poolscanner , pslist , vadyarascan
23+ from volatility3 .plugins .windows import poolscanner , pslist
2424from volatility3 .plugins .windows .registry import hivelist
2525
2626vollog = logging .getLogger (__name__ )
@@ -39,7 +39,7 @@ class SvcScan(interfaces.plugins.PluginInterface):
3939 """Scans for windows services."""
4040
4141 _required_framework_version = (2 , 0 , 0 )
42- _version = (3 , 0 , 0 )
42+ _version = (3 , 0 , 1 )
4343
4444 def __init__ (self , * args , ** kwargs ):
4545 super ().__init__ (* args , ** kwargs )
@@ -60,9 +60,6 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
6060 requirements .PluginRequirement (
6161 name = "poolscanner" , plugin = poolscanner .PoolScanner , version = (1 , 0 , 0 )
6262 ),
63- requirements .PluginRequirement (
64- name = "vadyarascan" , plugin = vadyarascan .VadYaraScan , version = (1 , 0 , 0 )
65- ),
6663 requirements .PluginRequirement (
6764 name = "hivelist" , plugin = hivelist .HiveList , version = (1 , 0 , 0 )
6865 ),
@@ -317,10 +314,17 @@ def service_scan(
317314
318315 layer = context .layers [proc_layer_name ]
319316
317+ # get process sections for scanning
318+ sections = []
319+ for vad in task .get_vad_root ().traverse ():
320+ base = vad .get_start ()
321+ if vad .get_size ():
322+ sections .append ((base , vad .get_size ()))
323+
320324 for offset in layer .scan (
321325 context = context ,
322326 scanner = scanners .BytesScanner (needle = service_tag ),
323- sections = vadyarascan . VadYaraScan . get_vad_maps ( task ) ,
327+ sections = sections ,
324328 ):
325329 if not is_vista_or_later :
326330 service_record = context .object (
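Review bot: The new VAD loop in `service_scan` skips only zero-sized regions (`if vad.get_size():`), so a negative size would still be appended to `sections` and passed to `layer.scan`. The VAD tree is read from the memory image under analysis, so a smeared acquisition or a deliberately altered node could produce such a value. Whether `get_size()` can actually return a negative number is not visible in this hunk. I would bind the size once and require it to be positive: `size = vad.get_size()` followed by `if size > 0: sections.append((vad.get_start(), size))`, which also avoids the second `get_size()` call and the unused `base` for skipped nodes. `service_scan` starts and ends outside the hunk, so check there whether an exception raised while traversing a paged-out or corrupt VAD node is handled per process or aborts the whole scan.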