From c4e7e50180a45dfb80b453b61e9b94860d5a01d3 Mon Sep 17 00:00:00 2001
From: atcuno <atcuno@gmail.com>
Date: Wed, 19 Jun 2024 14:42:23 -0500
Subject: [PATCH 1/9] Add svclist and svcdiff plugins. Make svcscan more
 modular to support inheritance and cleaner code

---
 .../framework/plugins/windows/svcdiff.py      |  74 ++++++++++++
 .../framework/plugins/windows/svclist.py      |  86 ++++++++++++++
 .../framework/plugins/windows/svcscan.py      | 107 +++++++++++-------
 .../framework/symbols/windows/versions.py     |   9 ++
 4 files changed, 233 insertions(+), 43 deletions(-)
 create mode 100644 volatility3/framework/plugins/windows/svcdiff.py
 create mode 100644 volatility3/framework/plugins/windows/svclist.py

diff --git a/volatility3/framework/plugins/windows/svcdiff.py b/volatility3/framework/plugins/windows/svcdiff.py
new file mode 100644
index 0000000000..03f0afcd37
--- /dev/null
+++ b/volatility3/framework/plugins/windows/svcdiff.py
@@ -0,0 +1,74 @@
+# This file is Copyright 2024 Volatility Foundation and licensed under the Volatility Software License 1.0
+# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
+#
+
+# This module attempts to locate skeleton-key like function hooks.
+# It does this by locating the CSystems array through a variety of methods,
+# and then validating the entry for RC4 HMAC (0x17 / 23)
+#
+# For a thorough walkthrough on how the R&D was performed to develop this plugin,
+# please see our blogpost here:
+#
+# https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html
+
+import logging
+
+from volatility3.framework import symbols
+from volatility3.framework.configuration import requirements
+from volatility3.plugins.windows import svclist, svcscan
+from volatility3.framework.symbols.windows import versions
+
+vollog = logging.getLogger(__name__)
+
+class SvcDiff(svclist.SvcList, svcscan.SvcScan):
+    """Compares services found through list walking versus scanning to find rootkits"""
+
+    _required_framework_version = (2, 4, 0)
+
+    @classmethod
+    def get_requirements(cls):
+        # Since we're calling the plugin, make sure we have the plugin's requirements
+        return [
+            requirements.ModuleRequirement(
+                name="kernel",
+                description="Windows kernel",
+                architectures=["Intel32", "Intel64"],
+            ),
+            requirements.VersionRequirement(
+                name="svclist", component=svclist.SvcList, version=(1, 0, 0)
+            ),
+            requirements.VersionRequirement(
+                name="svcscan", component=svcscan.SvcScan, version=(2, 0, 0)
+            ),
+        ]
+
+    def _generator(self):
+        """
+        Finds services by walking the services.exe list on supported Windows 10 versions
+        """
+        kernel = self.context.modules[self.config["kernel"]]
+
+        if not symbols.symbol_table_is_64bit(self.context, kernel.symbol_table_name) or \
+           not versions.is_win10_15063_or_later(context=self.context, symbol_table=kernel.symbol_table_name):
+            vollog.info("This plugin only supports Windows 10 version 15063+ 64bit Windows memory samples")
+            return
+
+        from_scan = set()
+        from_list = set()
+        records = {}
+        
+        service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info()
+
+        # collect unique service names from scanning
+        for service in self.service_scan(service_table_name, service_binary_dll_map, filter_func):
+            from_scan.add(service[6])
+            records[service[6]] = service
+
+        # collect services from listing walking
+        for service in self.service_list(service_table_name, service_binary_dll_map, filter_func):
+            from_list.add(service[6])
+
+        # report services found from scanning but not list walking
+        for hidden_service in from_scan-from_list:
+            yield (0, records[hidden_service])
+
diff --git a/volatility3/framework/plugins/windows/svclist.py b/volatility3/framework/plugins/windows/svclist.py
new file mode 100644
index 0000000000..b4541981dc
--- /dev/null
+++ b/volatility3/framework/plugins/windows/svclist.py
@@ -0,0 +1,86 @@
+# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0
+# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
+#
+
+import logging
+
+from typing import List
+
+from volatility3.framework import interfaces, exceptions,  symbols
+from volatility3.framework.configuration import requirements
+from volatility3.framework.symbols.windows import versions
+from volatility3.plugins.windows import svcscan, pslist
+from volatility3.framework.layers import scanners
+
+vollog = logging.getLogger(__name__)
+
+
+class SvcList(svcscan.SvcScan):
+    """Lists services contained with the services.exe doubly linked list of services"""
+
+    _version = (1, 0, 0)
+
+    @classmethod
+    def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
+        # Since we're calling the plugin, make sure we have the plugin's requirements
+        return [
+            requirements.PluginRequirement(
+                name="svcscan", plugin=svcscan.SvcScan, version=(2, 0, 0)
+            ),
+        ]
+
+    def _get_exe_range(self, proc):
+        """
+        Returns a tuple of starting,ending address for
+        the VAD containing services.exe
+        """
+
+        vad_root = proc.get_vad_root()
+        for vad in vad_root.traverse():
+            filename = vad.get_file_name()
+            if isinstance(filename, str) and filename.lower().endswith("\\services.exe"):
+                return [(vad.get_start(), vad.get_size())]
+
+        return None
+
+    def service_list(self, service_table_name, service_binary_dll_map, filter_func):
+        kernel = self.context.modules[self.config["kernel"]]
+
+        if not symbols.symbol_table_is_64bit(self.context, kernel.symbol_table_name) or \
+           not versions.is_win10_15063_or_later(context=self.context, symbol_table=kernel.symbol_table_name):
+            vollog.info("This plugin only supports Windows 10 version 15063+ 64bit Windows memory samples")
+            return
+
+        for proc in pslist.PsList.list_processes(
+            context=self.context,
+            layer_name=kernel.layer_name,
+            symbol_table=kernel.symbol_table_name,
+            filter_func=filter_func,
+        ):
+            try:
+                layer_name = proc.add_process_layer()
+            except exceptions.InvalidAddressException:
+                vollog.warning("Unable to access memory of services.exe running with PID: {}".format(proc.UniqueProcessId))
+                continue
+
+            layer = self.context.layers[layer_name]
+
+            exe_range = self._get_exe_range(proc)
+            if not exe_range:
+                vollog.warning("Could not find the application executable VAD for services.exe. Unable to proceed.")
+                continue
+
+            for offset in layer.scan(
+                context=self.context,
+                scanner=scanners.BytesScanner(needle = b"Sc27"),
+                sections=exe_range,
+                ):
+                for record in self.enumerate_vista_or_later_header(service_table_name, service_binary_dll_map, layer_name, offset):
+                    yield record
+
+    def _generator(self):
+        service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info()
+        
+        for record in self.service_list(service_table_name, service_binary_dll_map, filter_func):
+            yield (0, record)
+
diff --git a/volatility3/framework/plugins/windows/svcscan.py b/volatility3/framework/plugins/windows/svcscan.py
index 10de46e2a5..08d11a9468 100644
--- a/volatility3/framework/plugins/windows/svcscan.py
+++ b/volatility3/framework/plugins/windows/svcscan.py
@@ -19,7 +19,7 @@
 from volatility3.framework.renderers import format_hints
 from volatility3.framework.symbols import intermed
 from volatility3.framework.symbols.windows import versions
-from volatility3.framework.symbols.windows.extensions import services
+from volatility3.framework.symbols.windows.extensions import services as services_types
 from volatility3.plugins.windows import poolscanner, pslist, vadyarascan
 from volatility3.plugins.windows.registry import hivelist
 
@@ -140,7 +140,7 @@ def create_service_table(
             config_path,
             os.path.join("windows", "services"),
             symbol_filename,
-            class_types=services.class_types,
+            class_types=services_types.class_types,
             native_types=native_types,
         )
 
@@ -232,28 +232,44 @@ def _get_service_binary_map(
             for service_key in services
         }
 
-    def _generator(self):
-        kernel = self.context.modules[self.config["kernel"]]
+    def enumerate_vista_or_later_header(
+        self,
+        service_table_name,
+        service_binary_dll_map,
+        proc_layer_name,
+        offset
+    ):
+        if offset % 8:
+            return
 
-        service_table_name = self.create_service_table(
-            self.context, kernel.symbol_table_name, self.config_path
+        service_header = self.context.object(
+            service_table_name + constants.BANG + "_SERVICE_HEADER",
+            offset=offset,
+            layer_name=proc_layer_name,
         )
 
-        # Building the dictionary ahead of time is much better for performance
-        # vs looking up each service's DLL individually.
-        services_key = self._get_service_key(kernel)
-        service_binary_dll_map = (
-            self._get_service_binary_map(services_key)
-            if services_key is not None
-            else {}
-        )
+        if not service_header.is_valid():
+            return
+
+        # since we walk the s-list backwards, if we've seen
+        # an object, then we've also seen all objects that
+        # exist before it, thus we can break at that time.
+        for service_record in service_header.ServiceRecord.traverse():
+            service_info = service_binary_dll_map.get(
+                service_record.get_name(),
+                ServiceBinaryInfo(
+                    renderers.UnreadableValue(), renderers.UnreadableValue()
+                ),
+            )
+            yield self.get_record_tuple(service_record, service_info)
+
+    def service_scan(self, service_table_name, service_binary_dll_map, filter_func):
+        kernel = self.context.modules[self.config["kernel"]]
 
         relative_tag_offset = self.context.symbol_space.get_type(
             service_table_name + constants.BANG + "_SERVICE_RECORD"
         ).relative_child_offset("Tag")
 
-        filter_func = pslist.PsList.create_name_filter(["services.exe"])
-
         is_vista_or_later = versions.is_vista_or_later(
             context=self.context, symbol_table=kernel.symbol_table_name
         )
@@ -306,37 +322,42 @@ def _generator(self):
                             renderers.UnreadableValue(), renderers.UnreadableValue()
                         ),
                     )
-                    yield (
-                        0,
-                        self.get_record_tuple(service_record, service_info),
-                    )
+                    yield self.get_record_tuple(service_record, service_info)
                 else:
-                    service_header = self.context.object(
-                        service_table_name + constants.BANG + "_SERVICE_HEADER",
-                        offset=offset,
-                        layer_name=proc_layer_name,
-                    )
-
-                    if not service_header.is_valid():
-                        continue
-
-                    # since we walk the s-list backwards, if we've seen
-                    # an object, then we've also seen all objects that
-                    # exist before it, thus we can break at that time.
-                    for service_record in service_header.ServiceRecord.traverse():
+                    for service_record in self.enumerate_vista_or_later_header(service_table_name, service_binary_dll_map, proc_layer_name, offset):
                         if service_record in seen:
                             break
                         seen.append(service_record)
-                        service_info = service_binary_dll_map.get(
-                            service_record.get_name(),
-                            ServiceBinaryInfo(
-                                renderers.UnreadableValue(), renderers.UnreadableValue()
-                            ),
-                        )
-                        yield (
-                            0,
-                            self.get_record_tuple(service_record, service_info),
-                        )
+                        yield service_record
+
+
+    def get_prereq_info(self):
+        """
+        Data structures and information needed to analyze service information
+        """
+        kernel = self.context.modules[self.config["kernel"]]
+
+        service_table_name = self.create_service_table(
+            self.context, kernel.symbol_table_name, self.config_path
+        )
+
+        services_key = self._get_service_key(kernel)
+
+        service_binary_dll_map = (
+            self._get_service_binary_map(services_key)
+            if services_key is not None
+            else {}
+        )
+
+        filter_func = pslist.PsList.create_name_filter(["services.exe"])
+
+        return service_table_name, service_binary_dll_map, filter_func
+
+    def _generator(self):
+        service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info()
+
+        for record in self.service_scan(service_table_name, service_binary_dll_map, filter_func):
+            yield (0, record)
 
     def run(self):
         return renderers.TreeGrid(
diff --git a/volatility3/framework/symbols/windows/versions.py b/volatility3/framework/symbols/windows/versions.py
index e1e74afc05..d8964f575c 100644
--- a/volatility3/framework/symbols/windows/versions.py
+++ b/volatility3/framework/symbols/windows/versions.py
@@ -141,6 +141,15 @@ def __call__(
     ],
 )
 
+is_win10_15063_or_later = OsDistinguisher(
+    version_check=lambda x: x >= (10, 0, 15063),
+    fallback_checks=[
+        ("ObHeaderCookie", None, True),
+        ("_HANDLE_TABLE", "HandleCount", False),
+        ("_EPROCESS", "KeepAliveCounter", False),
+    ],
+)
+
 is_win10_16299_or_later = OsDistinguisher(
     version_check=lambda x: x >= (10, 0, 16299),
     fallback_checks=[

From 91184c7d92f84cdd3371d3a2371cf1784a2eb1a2 Mon Sep 17 00:00:00 2001
From: atcuno <atcuno@gmail.com>
Date: Wed, 19 Jun 2024 14:54:20 -0500
Subject: [PATCH 2/9] Format fixes

---
 .../framework/plugins/windows/svcdiff.py      | 23 ++++++++----
 .../framework/plugins/windows/svclist.py      | 36 +++++++++++++------
 .../framework/plugins/windows/svcscan.py      | 18 +++++-----
 3 files changed, 51 insertions(+), 26 deletions(-)

diff --git a/volatility3/framework/plugins/windows/svcdiff.py b/volatility3/framework/plugins/windows/svcdiff.py
index 03f0afcd37..71aa036361 100644
--- a/volatility3/framework/plugins/windows/svcdiff.py
+++ b/volatility3/framework/plugins/windows/svcdiff.py
@@ -48,27 +48,36 @@ def _generator(self):
         """
         kernel = self.context.modules[self.config["kernel"]]
 
-        if not symbols.symbol_table_is_64bit(self.context, kernel.symbol_table_name) or \
-           not versions.is_win10_15063_or_later(context=self.context, symbol_table=kernel.symbol_table_name):
-            vollog.info("This plugin only supports Windows 10 version 15063+ 64bit Windows memory samples")
+        if not symbols.symbol_table_is_64bit(
+            self.context, kernel.symbol_table_name
+        ) or not versions.is_win10_15063_or_later(
+            context=self.context, symbol_table=kernel.symbol_table_name
+        ):
+            vollog.info(
+                "This plugin only supports Windows 10 version 15063+ 64bit Windows memory samples"
+            )
             return
 
         from_scan = set()
         from_list = set()
         records = {}
-        
+
         service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info()
 
         # collect unique service names from scanning
-        for service in self.service_scan(service_table_name, service_binary_dll_map, filter_func):
+        for service in self.service_scan(
+            service_table_name, service_binary_dll_map, filter_func
+        ):
             from_scan.add(service[6])
             records[service[6]] = service
 
         # collect services from listing walking
-        for service in self.service_list(service_table_name, service_binary_dll_map, filter_func):
+        for service in self.service_list(
+            service_table_name, service_binary_dll_map, filter_func
+        ):
             from_list.add(service[6])
 
         # report services found from scanning but not list walking
-        for hidden_service in from_scan-from_list:
+        for hidden_service in from_scan - from_list:
             yield (0, records[hidden_service])
 
diff --git a/volatility3/framework/plugins/windows/svclist.py b/volatility3/framework/plugins/windows/svclist.py
index b4541981dc..53ca68da74 100644
--- a/volatility3/framework/plugins/windows/svclist.py
+++ b/volatility3/framework/plugins/windows/svclist.py
@@ -6,7 +6,7 @@
 
 from typing import List
 
-from volatility3.framework import interfaces, exceptions,  symbols
+from volatility3.framework import interfaces, exceptions, symbols
 from volatility3.framework.configuration import requirements
 from volatility3.framework.symbols.windows import versions
 from volatility3.plugins.windows import svcscan, pslist
@@ -38,7 +38,9 @@ def _get_exe_range(self, proc):
         vad_root = proc.get_vad_root()
         for vad in vad_root.traverse():
             filename = vad.get_file_name()
-            if isinstance(filename, str) and filename.lower().endswith("\\services.exe"):
+            if isinstance(filename, str) and filename.lower().endswith(
+                "\\services.exe"
+            ):
                 return [(vad.get_start(), vad.get_size())]
 
         return None
@@ -46,9 +48,14 @@ def _get_exe_range(self, proc):
     def service_list(self, service_table_name, service_binary_dll_map, filter_func):
         kernel = self.context.modules[self.config["kernel"]]
 
-        if not symbols.symbol_table_is_64bit(self.context, kernel.symbol_table_name) or \
-           not versions.is_win10_15063_or_later(context=self.context, symbol_table=kernel.symbol_table_name):
-            vollog.info("This plugin only supports Windows 10 version 15063+ 64bit Windows memory samples")
+        if not symbols.symbol_table_is_64bit(
+            self.context, kernel.symbol_table_name
+        ) or not versions.is_win10_15063_or_later(
+            context=self.context, symbol_table=kernel.symbol_table_name
+        ):
+            vollog.info(
+                "This plugin only supports Windows 10 version 15063+ 64bit Windows memory samples"
+            )
             return
 
         for proc in pslist.PsList.list_processes(
@@ -60,27 +67,34 @@ def service_list(self, service_table_name, service_binary_dll_map, filter_func):
             try:
                 layer_name = proc.add_process_layer()
             except exceptions.InvalidAddressException:
-                vollog.warning("Unable to access memory of services.exe running with PID: {}".format(proc.UniqueProcessId))
+                vollog.warning(
+                    "Unable to access memory of services.exe running with PID: {}".format(
+                        proc.UniqueProcessId
+                    )
+                )
                 continue
 
             layer = self.context.layers[layer_name]
 
             exe_range = self._get_exe_range(proc)
             if not exe_range:
-                vollog.warning("Could not find the application executable VAD for services.exe. Unable to proceed.")
+                vollog.warning(
+                    "Could not find the application executable VAD for services.exe. Unable to proceed."
+                )
                 continue
 
             for offset in layer.scan(
                 context=self.context,
-                scanner=scanners.BytesScanner(needle = b"Sc27"),
+                scanner=scanners.BytesScanner(needle=b"Sc27"),
                 sections=exe_range,
+            ):
+                for record in self.enumerate_vista_or_later_header(
+                    service_table_name, service_binary_dll_map, layer_name, offset
                 ):
-                for record in self.enumerate_vista_or_later_header(service_table_name, service_binary_dll_map, layer_name, offset):
                     yield record
 
     def _generator(self):
         service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info()
-        
+
         for record in self.service_list(service_table_name, service_binary_dll_map, filter_func):
             yield (0, record)
-
diff --git a/volatility3/framework/plugins/windows/svcscan.py b/volatility3/framework/plugins/windows/svcscan.py
index 08d11a9468..c991ec943a 100644
--- a/volatility3/framework/plugins/windows/svcscan.py
+++ b/volatility3/framework/plugins/windows/svcscan.py
@@ -233,11 +233,7 @@ def _get_service_binary_map(
         }
 
     def enumerate_vista_or_later_header(
-        self,
-        service_table_name,
-        service_binary_dll_map,
-        proc_layer_name,
-        offset
+        self, service_table_name, service_binary_dll_map, proc_layer_name, offset
     ):
         if offset % 8:
             return
@@ -324,13 +320,17 @@ def service_scan(self, service_table_name, service_binary_dll_map, filter_func):
                     )
                     yield self.get_record_tuple(service_record, service_info)
                 else:
-                    for service_record in self.enumerate_vista_or_later_header(service_table_name, service_binary_dll_map, proc_layer_name, offset):
+                    for service_record in self.enumerate_vista_or_later_header(
+                        service_table_name,
+                        service_binary_dll_map,
+                        proc_layer_name,
+                        offset
+                    ):
                         if service_record in seen:
                             break
                         seen.append(service_record)
                         yield service_record
 
-
     def get_prereq_info(self):
         """
         Data structures and information needed to analyze service information
@@ -356,7 +356,9 @@ def get_prereq_info(self):
     def _generator(self):
         service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info()
 
-        for record in self.service_scan(service_table_name, service_binary_dll_map, filter_func):
+        for record in self.service_scan(
+            service_table_name, service_binary_dll_map, filter_func
+        ):
             yield (0, record)
 
     def run(self):

From d42fb0a1451ca0a0cc00ee4a2a431be092c193b9 Mon Sep 17 00:00:00 2001
From: atcuno <atcuno@gmail.com>
Date: Wed, 19 Jun 2024 14:56:57 -0500
Subject: [PATCH 3/9] Format fixes

---
 volatility3/framework/plugins/windows/svclist.py | 4 +++-
 volatility3/framework/plugins/windows/svcscan.py | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/volatility3/framework/plugins/windows/svclist.py b/volatility3/framework/plugins/windows/svclist.py
index 53ca68da74..1938dd182e 100644
--- a/volatility3/framework/plugins/windows/svclist.py
+++ b/volatility3/framework/plugins/windows/svclist.py
@@ -96,5 +96,7 @@ def service_list(self, service_table_name, service_binary_dll_map, filter_func):
     def _generator(self):
         service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info()
 
-        for record in self.service_list(service_table_name, service_binary_dll_map, filter_func):
+        for record in self.service_list(
+            service_table_name, service_binary_dll_map, filter_func
+        ):
             yield (0, record)
diff --git a/volatility3/framework/plugins/windows/svcscan.py b/volatility3/framework/plugins/windows/svcscan.py
index c991ec943a..07274f03d0 100644
--- a/volatility3/framework/plugins/windows/svcscan.py
+++ b/volatility3/framework/plugins/windows/svcscan.py
@@ -324,7 +324,7 @@ def service_scan(self, service_table_name, service_binary_dll_map, filter_func):
                         service_table_name,
                         service_binary_dll_map,
                         proc_layer_name,
-                        offset
+                        offset,
                     ):
                         if service_record in seen:
                             break

From f6a053d7b3db2421c9d4d8501eff1fcb78001f1f Mon Sep 17 00:00:00 2001
From: atcuno <atcuno@gmail.com>
Date: Wed, 19 Jun 2024 14:58:05 -0500
Subject: [PATCH 4/9] Format fixes

---
 volatility3/framework/plugins/windows/svcdiff.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/volatility3/framework/plugins/windows/svcdiff.py b/volatility3/framework/plugins/windows/svcdiff.py
index 71aa036361..8090649464 100644
--- a/volatility3/framework/plugins/windows/svcdiff.py
+++ b/volatility3/framework/plugins/windows/svcdiff.py
@@ -20,6 +20,7 @@
 
 vollog = logging.getLogger(__name__)
 
+
 class SvcDiff(svclist.SvcList, svcscan.SvcScan):
     """Compares services found through list walking versus scanning to find rootkits"""
 
@@ -80,4 +81,3 @@ def _generator(self):
         # report services found from scanning but not list walking
         for hidden_service in from_scan - from_list:
             yield (0, records[hidden_service])
-

From 8da046530fd7ccd3f8a75fbe4e0b63d213207117 Mon Sep 17 00:00:00 2001
From: atcuno <atcuno@gmail.com>
Date: Thu, 18 Jul 2024 14:57:31 -0500
Subject: [PATCH 5/9] Address feedback

---
 .../framework/plugins/windows/svcdiff.py      | 22 ++++---
 .../framework/plugins/windows/svclist.py      | 58 +++++++++++--------
 .../framework/plugins/windows/svcscan.py      | 43 ++++++++------
 3 files changed, 69 insertions(+), 54 deletions(-)

diff --git a/volatility3/framework/plugins/windows/svcdiff.py b/volatility3/framework/plugins/windows/svcdiff.py
index 8090649464..c41a7b86c8 100644
--- a/volatility3/framework/plugins/windows/svcdiff.py
+++ b/volatility3/framework/plugins/windows/svcdiff.py
@@ -20,8 +20,7 @@
 
 vollog = logging.getLogger(__name__)
 
-
-class SvcDiff(svclist.SvcList, svcscan.SvcScan):
+class SvcDiff(svcscan.SvcScan):
     """Compares services found through list walking versus scanning to find rootkits"""
 
     _required_framework_version = (2, 4, 0)
@@ -39,22 +38,23 @@ def get_requirements(cls):
                 name="svclist", component=svclist.SvcList, version=(1, 0, 0)
             ),
             requirements.VersionRequirement(
-                name="svcscan", component=svcscan.SvcScan, version=(2, 0, 0)
+                name="svcscan", component=svcscan.SvcScan, version=(3, 0, 0)
             ),
         ]
 
     def _generator(self):
         """
-        Finds services by walking the services.exe list on supported Windows 10 versions
+        On Windows 10 version 15063+ 64bit Windows memory samples, walk the services list
+        and scan for services then report differences
         """
-        kernel = self.context.modules[self.config["kernel"]]
+        kernel, service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info()
 
         if not symbols.symbol_table_is_64bit(
             self.context, kernel.symbol_table_name
         ) or not versions.is_win10_15063_or_later(
             context=self.context, symbol_table=kernel.symbol_table_name
         ):
-            vollog.info(
+            vollog.warning(
                 "This plugin only supports Windows 10 version 15063+ 64bit Windows memory samples"
             )
             return
@@ -63,18 +63,16 @@ def _generator(self):
         from_list = set()
         records = {}
 
-        service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info()
-
         # collect unique service names from scanning
-        for service in self.service_scan(
-            service_table_name, service_binary_dll_map, filter_func
+        for service in svcscan.SvcScan.service_scan(
+            self.context, kernel, service_table_name, service_binary_dll_map, filter_func
         ):
             from_scan.add(service[6])
             records[service[6]] = service
 
         # collect services from listing walking
-        for service in self.service_list(
-            service_table_name, service_binary_dll_map, filter_func
+        for service in svclist.SvcList.service_list(
+            self.context, kernel, service_table_name, service_binary_dll_map, filter_func
         ):
             from_list.add(service[6])
 
diff --git a/volatility3/framework/plugins/windows/svclist.py b/volatility3/framework/plugins/windows/svclist.py
index 1938dd182e..832b3d1294 100644
--- a/volatility3/framework/plugins/windows/svclist.py
+++ b/volatility3/framework/plugins/windows/svclist.py
@@ -4,7 +4,7 @@
 
 import logging
 
-from typing import List
+from typing import List, Optional, Tuple
 
 from volatility3.framework import interfaces, exceptions, symbols
 from volatility3.framework.configuration import requirements
@@ -20,16 +20,26 @@ class SvcList(svcscan.SvcScan):
 
     _version = (1, 0, 0)
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._enumeration_method = self.service_list
+
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
         # Since we're calling the plugin, make sure we have the plugin's requirements
         return [
             requirements.PluginRequirement(
-                name="svcscan", plugin=svcscan.SvcScan, version=(2, 0, 0)
+                name="svcscan", plugin=svcscan.SvcScan, version=(3, 0, 0)
+            ),
+            requirements.ModuleRequirement(
+                name="kernel",
+                description="Windows kernel",
+                architectures=["Intel32", "Intel64"],
             ),
         ]
 
-    def _get_exe_range(self, proc):
+    @classmethod
+    def _get_exe_range(cls, proc) -> Optional[Tuple[int, int]]:
         """
         Returns a tuple of starting,ending address for
         the VAD containing services.exe
@@ -45,21 +55,27 @@ def _get_exe_range(self, proc):
 
         return None
 
-    def service_list(self, service_table_name, service_binary_dll_map, filter_func):
-        kernel = self.context.modules[self.config["kernel"]]
-
+    @classmethod
+    def service_list(
+        cls,
+        context: interfaces.context.ContextInterface,
+        kernel,
+        service_table_name: str,
+        service_binary_dll_map,
+        filter_func,
+    ):
         if not symbols.symbol_table_is_64bit(
-            self.context, kernel.symbol_table_name
+            context, kernel.symbol_table_name
         ) or not versions.is_win10_15063_or_later(
-            context=self.context, symbol_table=kernel.symbol_table_name
+            context=context, symbol_table=kernel.symbol_table_name
         ):
-            vollog.info(
+            vollog.warning(
                 "This plugin only supports Windows 10 version 15063+ 64bit Windows memory samples"
             )
             return
 
         for proc in pslist.PsList.list_processes(
-            context=self.context,
+            context=context,
             layer_name=kernel.layer_name,
             symbol_table=kernel.symbol_table_name,
             filter_func=filter_func,
@@ -74,9 +90,9 @@ def service_list(self, service_table_name, service_binary_dll_map, filter_func):
                 )
                 continue
 
-            layer = self.context.layers[layer_name]
+            layer = context.layers[layer_name]
 
-            exe_range = self._get_exe_range(proc)
+            exe_range = cls._get_exe_range(proc)
             if not exe_range:
                 vollog.warning(
                     "Could not find the application executable VAD for services.exe. Unable to proceed."
@@ -84,19 +100,15 @@ def service_list(self, service_table_name, service_binary_dll_map, filter_func):
                 continue
 
             for offset in layer.scan(
-                context=self.context,
+                context=context,
                 scanner=scanners.BytesScanner(needle=b"Sc27"),
                 sections=exe_range,
             ):
-                for record in self.enumerate_vista_or_later_header(
-                    service_table_name, service_binary_dll_map, layer_name, offset
+                for record in cls.enumerate_vista_or_later_header(
+                    context,
+                    service_table_name,
+                    service_binary_dll_map,
+                    layer_name,
+                    offset,
                 ):
                     yield record
-
-    def _generator(self):
-        service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info()
-
-        for record in self.service_list(
-            service_table_name, service_binary_dll_map, filter_func
-        ):
-            yield (0, record)
diff --git a/volatility3/framework/plugins/windows/svcscan.py b/volatility3/framework/plugins/windows/svcscan.py
index 07274f03d0..4368b83ce0 100644
--- a/volatility3/framework/plugins/windows/svcscan.py
+++ b/volatility3/framework/plugins/windows/svcscan.py
@@ -39,7 +39,11 @@ class SvcScan(interfaces.plugins.PluginInterface):
     """Scans for windows services."""
 
     _required_framework_version = (2, 0, 0)
-    _version = (2, 0, 0)
+    _version = (3, 0, 0)
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._enumeration_method = self.service_scan
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -232,13 +236,14 @@ def _get_service_binary_map(
             for service_key in services
         }
 
+    @classmethod
     def enumerate_vista_or_later_header(
-        self, service_table_name, service_binary_dll_map, proc_layer_name, offset
+        cls, context, service_table_name, service_binary_dll_map, proc_layer_name, offset
     ):
         if offset % 8:
             return
 
-        service_header = self.context.object(
+        service_header =context.object(
             service_table_name + constants.BANG + "_SERVICE_HEADER",
             offset=offset,
             layer_name=proc_layer_name,
@@ -257,17 +262,16 @@ def enumerate_vista_or_later_header(
                     renderers.UnreadableValue(), renderers.UnreadableValue()
                 ),
             )
-            yield self.get_record_tuple(service_record, service_info)
-
-    def service_scan(self, service_table_name, service_binary_dll_map, filter_func):
-        kernel = self.context.modules[self.config["kernel"]]
+            yield cls.get_record_tuple(service_record, service_info)
 
-        relative_tag_offset = self.context.symbol_space.get_type(
+    @classmethod
+    def service_scan(cls, context: interfaces.context.ContextInterface, kernel, service_table_name: str, service_binary_dll_map, filter_func):
+        relative_tag_offset = context.symbol_space.get_type(
             service_table_name + constants.BANG + "_SERVICE_RECORD"
         ).relative_child_offset("Tag")
 
         is_vista_or_later = versions.is_vista_or_later(
-            context=self.context, symbol_table=kernel.symbol_table_name
+            context=context, symbol_table=kernel.symbol_table_name
         )
 
         if is_vista_or_later:
@@ -278,7 +282,7 @@ def service_scan(self, service_table_name, service_binary_dll_map, filter_func):
         seen = []
 
         for task in pslist.PsList.list_processes(
-            context=self.context,
+            context=context,
             layer_name=kernel.layer_name,
             symbol_table=kernel.symbol_table_name,
             filter_func=filter_func,
@@ -295,15 +299,15 @@ def service_scan(self, service_table_name, service_binary_dll_map, filter_func):
                 )
                 continue
 
-            layer = self.context.layers[proc_layer_name]
+            layer = context.layers[proc_layer_name]
 
             for offset in layer.scan(
-                context=self.context,
+                context=context,
                 scanner=scanners.BytesScanner(needle=service_tag),
                 sections=vadyarascan.VadYaraScan.get_vad_maps(task),
             ):
                 if not is_vista_or_later:
-                    service_record = self.context.object(
+                    service_record = context.object(
                         service_table_name + constants.BANG + "_SERVICE_RECORD",
                         offset=offset - relative_tag_offset,
                         layer_name=proc_layer_name,
@@ -318,9 +322,10 @@ def service_scan(self, service_table_name, service_binary_dll_map, filter_func):
                             renderers.UnreadableValue(), renderers.UnreadableValue()
                         ),
                     )
-                    yield self.get_record_tuple(service_record, service_info)
+                    yield cls.get_record_tuple(service_record, service_info)
                 else:
-                    for service_record in self.enumerate_vista_or_later_header(
+                    for service_record in cls.enumerate_vista_or_later_header(
+                        context,
                         service_table_name,
                         service_binary_dll_map,
                         proc_layer_name,
@@ -351,13 +356,13 @@ def get_prereq_info(self):
 
         filter_func = pslist.PsList.create_name_filter(["services.exe"])
 
-        return service_table_name, service_binary_dll_map, filter_func
+        return kernel, service_table_name, service_binary_dll_map, filter_func
 
     def _generator(self):
-        service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info()
+        kernel, service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info()
 
-        for record in self.service_scan(
-            service_table_name, service_binary_dll_map, filter_func
+        for record in self._enumeration_method(
+            self.context, kernel, service_table_name, service_binary_dll_map, filter_func
         ):
             yield (0, record)
 

From a7af052509417c08eae702cd59fbfaa5306cc686 Mon Sep 17 00:00:00 2001
From: atcuno <atcuno@gmail.com>
Date: Thu, 18 Jul 2024 14:59:40 -0500
Subject: [PATCH 6/9] Black fixes

---
 .../framework/plugins/windows/svcdiff.py        | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/volatility3/framework/plugins/windows/svcdiff.py b/volatility3/framework/plugins/windows/svcdiff.py
index c41a7b86c8..4325771dbd 100644
--- a/volatility3/framework/plugins/windows/svcdiff.py
+++ b/volatility3/framework/plugins/windows/svcdiff.py
@@ -20,6 +20,7 @@
 
 vollog = logging.getLogger(__name__)
 
+
 class SvcDiff(svcscan.SvcScan):
     """Compares services found through list walking versus scanning to find rootkits"""
 
@@ -47,7 +48,9 @@ def _generator(self):
         On Windows 10 version 15063+ 64bit Windows memory samples, walk the services list
         and scan for services then report differences
         """
-        kernel, service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info()
+        kernel, service_table_name, service_binary_dll_map, filter_func = (
+            self.get_prereq_info()
+        )
 
         if not symbols.symbol_table_is_64bit(
             self.context, kernel.symbol_table_name
@@ -65,14 +68,22 @@ def _generator(self):
 
         # collect unique service names from scanning
         for service in svcscan.SvcScan.service_scan(
-            self.context, kernel, service_table_name, service_binary_dll_map, filter_func
+            self.context,
+            kernel,
+            service_table_name,
+            service_binary_dll_map,
+            filter_func,
         ):
             from_scan.add(service[6])
             records[service[6]] = service
 
         # collect services from listing walking
         for service in svclist.SvcList.service_list(
-            self.context, kernel, service_table_name, service_binary_dll_map, filter_func
+            self.context,
+            kernel,
+            service_table_name,
+            service_binary_dll_map,
+            filter_func,
         ):
             from_list.add(service[6])
 

From 2a5e94a0946e4c74f92588df6ceafdd89acd0be4 Mon Sep 17 00:00:00 2001
From: atcuno <atcuno@gmail.com>
Date: Thu, 18 Jul 2024 15:01:10 -0500
Subject: [PATCH 7/9] Black fixes

---
 .../framework/plugins/windows/svcscan.py      | 28 +++++++++++++++----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/volatility3/framework/plugins/windows/svcscan.py b/volatility3/framework/plugins/windows/svcscan.py
index 4368b83ce0..8b97066255 100644
--- a/volatility3/framework/plugins/windows/svcscan.py
+++ b/volatility3/framework/plugins/windows/svcscan.py
@@ -238,12 +238,17 @@ def _get_service_binary_map(
 
     @classmethod
     def enumerate_vista_or_later_header(
-        cls, context, service_table_name, service_binary_dll_map, proc_layer_name, offset
+        cls,
+        context,
+        service_table_name,
+        service_binary_dll_map,
+        proc_layer_name,
+        offset,
     ):
         if offset % 8:
             return
 
-        service_header =context.object(
+        service_header = context.object(
             service_table_name + constants.BANG + "_SERVICE_HEADER",
             offset=offset,
             layer_name=proc_layer_name,
@@ -265,7 +270,14 @@ def enumerate_vista_or_later_header(
             yield cls.get_record_tuple(service_record, service_info)
 
     @classmethod
-    def service_scan(cls, context: interfaces.context.ContextInterface, kernel, service_table_name: str, service_binary_dll_map, filter_func):
+    def service_scan(
+        cls,
+        context: interfaces.context.ContextInterface,
+        kernel,
+        service_table_name: str,
+        service_binary_dll_map,
+        filter_func,
+    ):
         relative_tag_offset = context.symbol_space.get_type(
             service_table_name + constants.BANG + "_SERVICE_RECORD"
         ).relative_child_offset("Tag")
@@ -359,10 +371,16 @@ def get_prereq_info(self):
         return kernel, service_table_name, service_binary_dll_map, filter_func
 
     def _generator(self):
-        kernel, service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info()
+        kernel, service_table_name, service_binary_dll_map, filter_func = (
+            self.get_prereq_info()
+        )
 
         for record in self._enumeration_method(
-            self.context, kernel, service_table_name, service_binary_dll_map, filter_func
+            self.context,
+            kernel,
+            service_table_name,
+            service_binary_dll_map,
+            filter_func,
         ):
             yield (0, record)
 

From 21396185d0faaab15a217cff2072aa7de2652b67 Mon Sep 17 00:00:00 2001
From: Andrew Case <andrew@dfir.org>
Date: Sun, 21 Jul 2024 11:10:38 -0500
Subject: [PATCH 8/9] Address feedback

---
 .../framework/plugins/windows/svcdiff.py      | 37 ++++++++++-----
 .../framework/plugins/windows/svclist.py      | 11 +++--
 .../framework/plugins/windows/svcscan.py      | 47 +++++++++++--------
 3 files changed, 58 insertions(+), 37 deletions(-)

diff --git a/volatility3/framework/plugins/windows/svcdiff.py b/volatility3/framework/plugins/windows/svcdiff.py
index 4325771dbd..84d06a6951 100644
--- a/volatility3/framework/plugins/windows/svcdiff.py
+++ b/volatility3/framework/plugins/windows/svcdiff.py
@@ -13,7 +13,7 @@
 
 import logging
 
-from volatility3.framework import symbols
+from volatility3.framework import symbols, interfaces
 from volatility3.framework.configuration import requirements
 from volatility3.plugins.windows import svclist, svcscan
 from volatility3.framework.symbols.windows import versions
@@ -26,6 +26,10 @@ class SvcDiff(svcscan.SvcScan):
 
     _required_framework_version = (2, 4, 0)
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._enumeration_method = self.service_diff
+
     @classmethod
     def get_requirements(cls):
         # Since we're calling the plugin, make sure we have the plugin's requirements
@@ -43,19 +47,24 @@ def get_requirements(cls):
             ),
         ]
 
-    def _generator(self):
+    @classmethod
+    def service_diff(
+        cls,
+        context: interfaces.context.ContextInterface,
+        layer_name: str,
+        symbol_table: str,
+        service_table_name: str,
+        service_binary_dll_map,
+        filter_func,
+    ):
         """
         On Windows 10 version 15063+ 64bit Windows memory samples, walk the services list
         and scan for services then report differences
         """
-        kernel, service_table_name, service_binary_dll_map, filter_func = (
-            self.get_prereq_info()
-        )
-
         if not symbols.symbol_table_is_64bit(
-            self.context, kernel.symbol_table_name
+            context, symbol_table
         ) or not versions.is_win10_15063_or_later(
-            context=self.context, symbol_table=kernel.symbol_table_name
+            context=context, symbol_table=symbol_table
         ):
             vollog.warning(
                 "This plugin only supports Windows 10 version 15063+ 64bit Windows memory samples"
@@ -68,8 +77,9 @@ def _generator(self):
 
         # collect unique service names from scanning
         for service in svcscan.SvcScan.service_scan(
-            self.context,
-            kernel,
+            context,
+            layer_name,
+            symbol_table,
             service_table_name,
             service_binary_dll_map,
             filter_func,
@@ -79,8 +89,9 @@ def _generator(self):
 
         # collect services from listing walking
         for service in svclist.SvcList.service_list(
-            self.context,
-            kernel,
+            context,
+            layer_name,
+            symbol_table,
             service_table_name,
             service_binary_dll_map,
             filter_func,
@@ -89,4 +100,4 @@ def _generator(self):
 
         # report services found from scanning but not list walking
         for hidden_service in from_scan - from_list:
-            yield (0, records[hidden_service])
+            yield records[hidden_service]
diff --git a/volatility3/framework/plugins/windows/svclist.py b/volatility3/framework/plugins/windows/svclist.py
index 832b3d1294..a59581063b 100644
--- a/volatility3/framework/plugins/windows/svclist.py
+++ b/volatility3/framework/plugins/windows/svclist.py
@@ -59,15 +59,16 @@ def _get_exe_range(cls, proc) -> Optional[Tuple[int, int]]:
     def service_list(
         cls,
         context: interfaces.context.ContextInterface,
-        kernel,
+        layer_name: str,
+        symbol_table: str,
         service_table_name: str,
         service_binary_dll_map,
         filter_func,
     ):
         if not symbols.symbol_table_is_64bit(
-            context, kernel.symbol_table_name
+            context, symbol_table
         ) or not versions.is_win10_15063_or_later(
-            context=context, symbol_table=kernel.symbol_table_name
+            context=context, symbol_table=symbol_table
         ):
             vollog.warning(
                 "This plugin only supports Windows 10 version 15063+ 64bit Windows memory samples"
@@ -76,8 +77,8 @@ def service_list(
 
         for proc in pslist.PsList.list_processes(
             context=context,
-            layer_name=kernel.layer_name,
-            symbol_table=kernel.symbol_table_name,
+            layer_name=layer_name,
+            symbol_table=symbol_table,
             filter_func=filter_func,
         ):
             try:
diff --git a/volatility3/framework/plugins/windows/svcscan.py b/volatility3/framework/plugins/windows/svcscan.py
index 8b97066255..bf676acb76 100644
--- a/volatility3/framework/plugins/windows/svcscan.py
+++ b/volatility3/framework/plugins/windows/svcscan.py
@@ -148,14 +148,17 @@ def create_service_table(
             native_types=native_types,
         )
 
-    def _get_service_key(self, kernel) -> Optional[objects.StructType]:
+    @classmethod
+    def _get_service_key(
+        cls, context, config_path: str, layer_name: str, symbol_table: str
+    ) -> Optional[objects.StructType]:
         for hive in hivelist.HiveList.list_hives(
-            context=self.context,
+            context=context,
             base_config_path=interfaces.configuration.path_join(
-                self.config_path, "hivelist"
+                config_path, "hivelist"
             ),
-            layer_name=kernel.layer_name,
-            symbol_table=kernel.symbol_table_name,
+            layer_name=layer_name,
+            symbol_table=symbol_table,
             filter_string="machine\\system",
         ):
             # Get ControlSet\Services.
@@ -273,7 +276,8 @@ def enumerate_vista_or_later_header(
     def service_scan(
         cls,
         context: interfaces.context.ContextInterface,
-        kernel,
+        layer_name: str,
+        symbol_table: str,
         service_table_name: str,
         service_binary_dll_map,
         filter_func,
@@ -283,7 +287,7 @@ def service_scan(
         ).relative_child_offset("Tag")
 
         is_vista_or_later = versions.is_vista_or_later(
-            context=context, symbol_table=kernel.symbol_table_name
+            context=context, symbol_table=symbol_table
         )
 
         if is_vista_or_later:
@@ -295,8 +299,8 @@ def service_scan(
 
         for task in pslist.PsList.list_processes(
             context=context,
-            layer_name=kernel.layer_name,
-            symbol_table=kernel.symbol_table_name,
+            layer_name=layer_name,
+            symbol_table=symbol_table,
             filter_func=filter_func,
         ):
             proc_id = "Unknown"
@@ -348,36 +352,41 @@ def service_scan(
                         seen.append(service_record)
                         yield service_record
 
-    def get_prereq_info(self):
+    @classmethod
+    def get_prereq_info(cls, context, config_path, layer_name: str, symbol_table: str):
         """
         Data structures and information needed to analyze service information
         """
-        kernel = self.context.modules[self.config["kernel"]]
 
-        service_table_name = self.create_service_table(
-            self.context, kernel.symbol_table_name, self.config_path
+        service_table_name = cls.create_service_table(
+            context, symbol_table, config_path
         )
 
-        services_key = self._get_service_key(kernel)
+        services_key = cls._get_service_key(
+            context, config_path, layer_name, symbol_table
+        )
 
         service_binary_dll_map = (
-            self._get_service_binary_map(services_key)
+            cls._get_service_binary_map(services_key)
             if services_key is not None
             else {}
         )
 
         filter_func = pslist.PsList.create_name_filter(["services.exe"])
 
-        return kernel, service_table_name, service_binary_dll_map, filter_func
+        return service_table_name, service_binary_dll_map, filter_func
 
     def _generator(self):
-        kernel, service_table_name, service_binary_dll_map, filter_func = (
-            self.get_prereq_info()
+        kernel = self.context.modules[self.config["kernel"]]
+
+        service_table_name, service_binary_dll_map, filter_func = self.get_prereq_info(
+            self.context, self.config_path, kernel.layer_name, kernel.symbol_table_name
         )
 
         for record in self._enumeration_method(
             self.context,
-            kernel,
+            kernel.layer_name,
+            kernel.symbol_table_name,
             service_table_name,
             service_binary_dll_map,
             filter_func,

From 111873e173b1bc639754b851ce46ff5056f8edb8 Mon Sep 17 00:00:00 2001
From: Andrew Case <andrew@dfir.org>
Date: Sun, 21 Jul 2024 11:54:06 -0500
Subject: [PATCH 9/9] Fix class vs static method and leading underscores

---
 volatility3/framework/plugins/windows/svcscan.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/volatility3/framework/plugins/windows/svcscan.py b/volatility3/framework/plugins/windows/svcscan.py
index bf676acb76..52ed5e759e 100644
--- a/volatility3/framework/plugins/windows/svcscan.py
+++ b/volatility3/framework/plugins/windows/svcscan.py
@@ -110,7 +110,7 @@ def get_record_tuple(
     ]
 
     @staticmethod
-    def create_service_table(
+    def _create_service_table(
         context: interfaces.context.ContextInterface,
         symbol_table: str,
         config_path: str,
@@ -148,9 +148,9 @@ def create_service_table(
             native_types=native_types,
         )
 
-    @classmethod
+    @staticmethod
     def _get_service_key(
-        cls, context, config_path: str, layer_name: str, symbol_table: str
+        context, config_path: str, layer_name: str, symbol_table: str
     ) -> Optional[objects.StructType]:
         for hive in hivelist.HiveList.list_hives(
             context=context,
@@ -358,7 +358,7 @@ def get_prereq_info(cls, context, config_path, layer_name: str, symbol_table: st
         Data structures and information needed to analyze service information
         """
 
-        service_table_name = cls.create_service_table(
+        service_table_name = cls._create_service_table(
             context, symbol_table, config_path
         )