Windows: Add support for missing callback types

Open dgmcdona opened this issue 2 years ago • 2 comments

This PR updates the windows.callbacks.Callbacks plugin to support callback types that were present in the original volatility framework but have not yet been added to volatility3. These callback types include:

  • IoRegisterShutdownNotification
  • IoRegisterFsRegistrationChange
  • GenericKernelCallback
  • EventCategoryHardwareProfileChange
  • EventCategoryDeviceInterfaceChange
  • EventCategoryTargetDeviceChange
  • DbgSetDebugPrintCallback

This required updates to the callbacks JSON symbol files, the creation of a _SHUTDOWN_PACKET extension, and updates to the plugin itself. Because it introduces three new requirements (handles, driverirp, and poolscanner), I have incremented the major version number for the callbacks plugin. No other plugins depend on the callbacks plugin at this time, so it was not necessary to increase version numbers in other plugins.

dgmcdona, Mar 05 '24 20:03

@iMHLv2 could you give this a scan over to check there's nothing subtle I've missed please?

ikelos, Mar 13 '24 19:03