diff --git a/volatility3/cli/volargparse.py b/volatility3/cli/volargparse.py
index dce9cafa6e..660f572ba8 100644
--- a/volatility3/cli/volargparse.py
+++ b/volatility3/cli/volargparse.py
@@ -7,7 +7,6 @@ import re from typing import Optional, Sequence, Any, Union
-
 # This effectively overrides/monkeypatches the core argparse module to provide more helpful output around choices
 # We shouldn't really steal a private member from argparse, but otherwise we're just duplicating code
diff --git a/volatility3/framework/layers/crash.py b/volatility3/framework/layers/crash.py
index a5b25d178b..dd463fbfa5 100644
--- a/volatility3/framework/layers/crash.py
+++ b/volatility3/framework/layers/crash.py
@@ -236,7 +236,7 @@ def check_header(
 raise WindowsCrashDumpFormatException(
 base_layer.name, f"Crashdump header not found at offset {offset}"
 )
- (signature, validdump) = cls._magic_struct.unpack(header_data)
+ signature, validdump = cls._magic_struct.unpack(header_data)
 if signature != cls.SIGNATURE:
 raise WindowsCrashDumpFormatException(
diff --git a/volatility3/framework/layers/elf.py b/volatility3/framework/layers/elf.py
index 5777981cb5..a435cf3482 100644
--- a/volatility3/framework/layers/elf.py
+++ b/volatility3/framework/layers/elf.py
@@ -10,7 +10,6 @@ from volatility3.framework.layers import segmented from volatility3.framework.symbols import intermed
-
 vollog = logging.getLogger(__name__)
@@ -94,7 +93,7 @@ def _check_header(
 base_layer.name, f"Offset 0x{offset:0x} does not exist within the base layer",
 )
- (magic, elf_class, elf_data_encoding, elf_version) = cls._header_struct.unpack(
+ magic, elf_class, elf_data_encoding, elf_version = cls._header_struct.unpack(
 header_data
 )
 if magic != cls.MAGIC:
diff --git a/volatility3/framework/layers/lime.py b/volatility3/framework/layers/lime.py
index 8b93932ab2..371b598e84 100644
--- a/volatility3/framework/layers/lime.py
+++ b/volatility3/framework/layers/lime.py
@@ -76,7 +76,7 @@ def _check_header(
 base_layer.name, f"Offset 0x{offset:0x} does not exist within the base layer",
 )
- (magic, version, start, end, reserved) = cls._header_struct.unpack(header_data)
+ magic, version, start, end, reserved = cls._header_struct.unpack(header_data)
 if magic != cls.MAGIC:
 raise LimeFormatException(
 base_layer.name, f"Bad magic 0x{magic:x} at file offset 0x{offset:x}"
diff --git a/volatility3/framework/layers/xen.py b/volatility3/framework/layers/xen.py
index 7f42eb6628..c5380fcb42 100644
--- a/volatility3/framework/layers/xen.py
+++ b/volatility3/framework/layers/xen.py
@@ -141,7 +141,7 @@ def _check_header(
 base_layer.name, f"Offset 0x{offset:0x} does not exist within the base layer",
 )
- (magic, elf_class, elf_data_encoding, elf_version) = cls._header_struct.unpack(
+ magic, elf_class, elf_data_encoding, elf_version = cls._header_struct.unpack(
 header_data
 )
 if magic != cls.MAGIC:
diff --git a/volatility3/framework/plugins/linux/elfs.py b/volatility3/framework/plugins/linux/elfs.py
index 34a8d0e7e3..77f4ad6caa 100644
--- a/volatility3/framework/plugins/linux/elfs.py
+++ b/volatility3/framework/plugins/linux/elfs.py
@@ -17,7 +17,6 @@ from volatility3.framework.constants import linux as linux_constants from volatility3.plugins.linux import pslist
-
 vollog = logging.getLogger(__name__)
diff --git a/volatility3/framework/plugins/linux/kallsyms.py b/volatility3/framework/plugins/linux/kallsyms.py
index c8bca03f77..5beb62590f 100644
--- a/volatility3/framework/plugins/linux/kallsyms.py
+++ b/volatility3/framework/plugins/linux/kallsyms.py
@@ -11,7 +11,6 @@ from volatility3.framework.constants import architectures from volatility3.framework.symbols.linux import kallsyms
-
 vollog = logging.getLogger(__name__)
diff --git a/volatility3/framework/plugins/linux/library_list.py b/volatility3/framework/plugins/linux/library_list.py
index dedd77ade8..25dc342663 100644
--- a/volatility3/framework/plugins/linux/library_list.py
+++ b/volatility3/framework/plugins/linux/library_list.py
@@ -13,7 +13,6 @@ from volatility3.framework.symbols.linux.extensions import elf from volatility3.plugins.linux import pslist
-
 vollog = logging.getLogger(__name__)
diff --git a/volatility3/framework/plugins/linux/mountinfo.py b/volatility3/framework/plugins/linux/mountinfo.py
index f00733a548..35a2b7bb3f 100644
--- a/volatility3/framework/plugins/linux/mountinfo.py
+++ b/volatility3/framework/plugins/linux/mountinfo.py
@@ -12,7 +12,6 @@ from volatility3.framework.symbols import linux from volatility3.plugins.linux import pslist
-
 vollog = logging.getLogger(__name__)
 MountInfoData = namedtuple(
diff --git a/volatility3/framework/plugins/linux/sockstat.py b/volatility3/framework/plugins/linux/sockstat.py
index a74e84f92f..a77b7c869d 100644
--- a/volatility3/framework/plugins/linux/sockstat.py
+++ b/volatility3/framework/plugins/linux/sockstat.py
@@ -15,7 +15,6 @@ from volatility3.plugins.linux import pslist from volatility3.framework.symbols.linux import network
-
 vollog = logging.getLogger(__name__)
diff --git a/volatility3/framework/plugins/mac/netstat.py b/volatility3/framework/plugins/mac/netstat.py
index 2eb7132f2e..97e7227cd9 100644
--- a/volatility3/framework/plugins/mac/netstat.py
+++ b/volatility3/framework/plugins/mac/netstat.py
@@ -130,7 +130,7 @@ def _generator(self):
 vals = socket.get_converted_connection_info()
 if vals:
- (lip, lport, rip, rport) = vals
+ lip, lport, rip, rport = vals
 yield (
 0,
diff --git a/volatility3/framework/plugins/windows/callbacks.py b/volatility3/framework/plugins/windows/callbacks.py
index 2a65f76bbd..201b984bf8 100644
--- a/volatility3/framework/plugins/windows/callbacks.py
+++ b/volatility3/framework/plugins/windows/callbacks.py
@@ -230,6 +230,9 @@ def scan(
 A list of callback objects found by scanning the `layer_name` layer for callback pool signatures
 """
 kernel = context.modules[kernel_module_name]
+ scan_layer_name = context.layers[kernel.layer_name].config.get(
+ "memory_layer", kernel.layer_name
+ )
 is_vista_or_later = versions.is_vista_or_later(
 context=context, symbol_table=kernel.symbol_table_name
@@ -248,7 +251,10 @@ def scan(
 mem_object,
 _header,
 ) in poolscanner.PoolScanner.generate_pool_scan(
- context, kernel_module_name, constraints
+ context,
+ kernel_module_name,
+ constraints,
+ scan_layer_name=scan_layer_name,
 ):
 try:
 if isinstance(mem_object, callbacks._SHUTDOWN_PACKET):
diff --git a/volatility3/framework/plugins/windows/cmdscan.py b/volatility3/framework/plugins/windows/cmdscan.py
index 676050b652..ef439a9722 100644
--- a/volatility3/framework/plugins/windows/cmdscan.py
+++ b/volatility3/framework/plugins/windows/cmdscan.py
@@ -16,7 +16,6 @@ from volatility3.framework.renderers import format_hints from volatility3.plugins.windows import pslist, consoles
-
 vollog = logging.getLogger(__name__)
diff --git a/volatility3/framework/plugins/windows/consoles.py b/volatility3/framework/plugins/windows/consoles.py
index efc03ad1b5..bf648ae711 100644
--- a/volatility3/framework/plugins/windows/consoles.py
+++ b/volatility3/framework/plugins/windows/consoles.py
@@ -21,7 +21,6 @@ from volatility3.plugins.windows import pslist, info, verinfo from volatility3.plugins.windows.registry import hivelist
-
 vollog = logging.getLogger(__name__)
@@ -244,10 +243,8 @@ def determine_conhost_version(
 )
 try:
- (major, minor, product, build) = (
- verinfo.VerInfo.get_version_information(
- context, pe_table_name, conhost_layer_name, conhost_base
- )
+ major, minor, product, build = verinfo.VerInfo.get_version_information(
+ context, pe_table_name, conhost_layer_name, conhost_base
 )
 conhost_mod_version = build
 vollog.debug(
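Review bot: The lookup added at the top of `scan`, `scan_layer_name = context.layers[kernel.layer_name].config.get("memory_layer", kernel.layer_name)`, is repeated character for character in driverscan, filescan, modscan, mutantscan, netscan, psscan, hivescan, symlinkscan, thrdscan and windowstations in this same commit (hivescan alone computes it after `constraints`, the others before). The fallback rule — scan the kernel's own layer when its config has no `memory_layer` — is thereby encoded in eleven places and will drift the first time one plugin is edited; a single classmethod on poolscanner taking `context` and the kernel module name and returning that layer name would give each plugin a one-line call and keep the rule in one place. Wherever the inline form stays, a short comment would help the next reader, e.g. `# scan the backing memory layer when there is one, otherwise the kernel layer itself`. The enclosing `scan` begins outside this hunk.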
diff --git a/volatility3/framework/plugins/windows/driverscan.py b/volatility3/framework/plugins/windows/driverscan.py
index 57d365d007..9b6b95d878 100644
--- a/volatility3/framework/plugins/windows/driverscan.py
+++ b/volatility3/framework/plugins/windows/driverscan.py
@@ -4,10 +4,10 @@
 from typing import Iterable, Optional, Tuple
-from volatility3.framework import renderers, interfaces, exceptions
+from volatility3.framework import exceptions, interfaces, renderers
 from volatility3.framework.configuration import requirements
 from volatility3.framework.renderers import format_hints
-from volatility3.plugins.windows import poolscanner, modules
+from volatility3.plugins.windows import modules, poolscanner
 class DriverScan(interfaces.plugins.PluginInterface):
@@ -50,6 +50,9 @@ def scan_drivers(
 """
 kernel = context.modules[kernel_module_name]
+ scan_layer_name = context.layers[kernel.layer_name].config.get(
+ "memory_layer", kernel.layer_name
+ )
 constraints = poolscanner.PoolScanner.builtin_constraints(
 kernel.symbol_table_name, [b"Dri\xf6", b"Driv"]
@@ -64,7 +67,10 @@ def scan_drivers(
 )
 for result in poolscanner.PoolScanner.generate_pool_scan(
- context, kernel_module_name, constraints
+ context,
+ kernel_module_name,
+ constraints,
+ scan_layer_name=scan_layer_name,
 ):
 _constraint, mem_object, _header = result
diff --git a/volatility3/framework/plugins/windows/filescan.py b/volatility3/framework/plugins/windows/filescan.py
index f417e3e5e1..ede1eb5d43 100644
--- a/volatility3/framework/plugins/windows/filescan.py
+++ b/volatility3/framework/plugins/windows/filescan.py
@@ -4,7 +4,7 @@
 from typing import Iterable
-from volatility3.framework import renderers, interfaces, exceptions
+from volatility3.framework import exceptions, interfaces, renderers
 from volatility3.framework.configuration import requirements
 from volatility3.framework.renderers import format_hints
 from volatility3.plugins.windows import poolscanner
@@ -46,13 +46,19 @@ def scan_files(
 """
 kernel = context.modules[kernel_module_name]
+ scan_layer_name = context.layers[kernel.layer_name].config.get(
+ "memory_layer", kernel.layer_name
+ )
 constraints = poolscanner.PoolScanner.builtin_constraints(
 kernel.symbol_table_name, [b"Fil\xe5", b"File"]
 )
 for result in poolscanner.PoolScanner.generate_pool_scan(
- context, kernel_module_name, constraints
+ context,
+ kernel_module_name,
+ constraints,
+ scan_layer_name=scan_layer_name,
 ):
 _constraint, mem_object, _header = result
 yield mem_object
diff --git a/volatility3/framework/plugins/windows/joblinks.py b/volatility3/framework/plugins/windows/joblinks.py
index a7fa4e709f..568a131dc9 100644
--- a/volatility3/framework/plugins/windows/joblinks.py
+++ b/volatility3/framework/plugins/windows/joblinks.py
@@ -53,7 +53,7 @@ def _generator(self) -> Iterator[Tuple]:
 if not self.config["physical"]:
 offset = proc.vol.offset
 else:
- (_, _, offset, _, _) = list(
+ _, _, offset, _, _ = list(
 memory.mapping(offset=proc.vol.offset, length=0)
 )[0]
@@ -83,7 +83,7 @@ def _generator(self) -> Iterator[Tuple]:
 if not self.config["physical"]:
 offset = entry.vol.offset
 else:
- (_, _, offset, _, _) = list(
+ _, _, offset, _, _ = list(
 memory.mapping(offset=entry.vol.offset, length=0)
 )[0]
diff --git a/volatility3/framework/plugins/windows/modscan.py b/volatility3/framework/plugins/windows/modscan.py
index 667fadd11b..06730ba851 100644
--- a/volatility3/framework/plugins/windows/modscan.py
+++ b/volatility3/framework/plugins/windows/modscan.py
@@ -6,7 +6,7 @@ from volatility3.framework import interfaces from volatility3.framework.configuration import requirements
-from volatility3.plugins.windows import poolscanner, modules, pedump
+from volatility3.plugins.windows import modules, pedump, poolscanner
 vollog = logging.getLogger(__name__)
@@ -75,13 +75,19 @@ def scan_modules(
 """
 kernel = context.modules[kernel_module_name]
+ scan_layer_name = context.layers[kernel.layer_name].config.get(
+ "memory_layer", kernel.layer_name
+ )
 constraints = poolscanner.PoolScanner.builtin_constraints(
 kernel.symbol_table_name, [b"MmLd"]
 )
 for result in poolscanner.PoolScanner.generate_pool_scan(
- context, kernel_module_name, constraints
+ context,
+ kernel_module_name,
+ constraints,
+ scan_layer_name=scan_layer_name,
 ):
 _constraint, mem_object, _header = result
 yield mem_object
diff --git a/volatility3/framework/plugins/windows/mutantscan.py b/volatility3/framework/plugins/windows/mutantscan.py
index ba2824bfc1..fc7833a435 100644
--- a/volatility3/framework/plugins/windows/mutantscan.py
+++ b/volatility3/framework/plugins/windows/mutantscan.py
@@ -4,7 +4,7 @@
 from typing import Iterable
-from volatility3.framework import renderers, interfaces, exceptions
+from volatility3.framework import exceptions, interfaces, renderers
 from volatility3.framework.configuration import requirements
 from volatility3.framework.renderers import format_hints
 from volatility3.plugins.windows import poolscanner
@@ -46,13 +46,19 @@ def scan_mutants(
 """
 kernel = context.modules[kernel_module_name]
+ scan_layer_name = context.layers[kernel.layer_name].config.get(
+ "memory_layer", kernel.layer_name
+ )
 constraints = poolscanner.PoolScanner.builtin_constraints(
 kernel.symbol_table_name, [b"Mut\xe1", b"Muta"]
 )
 for result in poolscanner.PoolScanner.generate_pool_scan(
- context, kernel_module_name, constraints
+ context,
+ kernel_module_name,
+ constraints,
+ scan_layer_name=scan_layer_name,
 ):
 _constraint, mem_object, _header = result
 yield mem_object
diff --git a/volatility3/framework/plugins/windows/netscan.py b/volatility3/framework/plugins/windows/netscan.py
index fa422e103d..d27aefac38 100644
--- a/volatility3/framework/plugins/windows/netscan.py
+++ b/volatility3/framework/plugins/windows/netscan.py
@@ -375,11 +375,18 @@ def scan(
 Returns:
 A list of network objects found by scanning the `layer_name` layer for network pool signatures
 """
+ kernel = context.modules[kernel_module_name]
+ scan_layer_name = context.layers[kernel.layer_name].config.get(
+ "memory_layer", kernel.layer_name
+ )
 constraints = cls.create_netscan_constraints(context, netscan_symbol_table)
 for result in poolscanner.PoolScanner.generate_pool_scan(
- context, kernel_module_name, constraints
+ context,
+ kernel_module_name,
+ constraints,
+ scan_layer_name=scan_layer_name,
 ):
 _constraint, mem_object, _header = result
 yield mem_object
diff --git a/volatility3/framework/plugins/windows/poolscanner.py b/volatility3/framework/plugins/windows/poolscanner.py
index 43dcd0482b..936a5e399a 100644
--- a/volatility3/framework/plugins/windows/poolscanner.py
+++ b/volatility3/framework/plugins/windows/poolscanner.py
@@ -375,6 +375,7 @@ def generate_pool_scan_extended(
 kernel_module_name: str,
 object_symbol_table_name: str,
 constraints: List[PoolConstraint],
+ scan_layer_name: Optional[str] = None,
 ) -> Generator[
 Tuple[
 PoolConstraint,
@@ -393,6 +394,7 @@ def generate_pool_scan_extended(
 kernel_module_name: The name of the module for the kernel
 object_symbol_table_name: The name of the symbol table for the object being scanned for
 constraints: List of pool constraints used to limit the scan results
+ scan_layer_name: Optional layer name to explicitly scan for pool tags
 Returns:
 Iterable of tuples, containing the constraint that matched, the object from memory, the object header used to determine the object
 """
@@ -420,6 +422,10 @@ def generate_pool_scan_extended(
 if not is_windows_10:
 scan_layer = context.layers[scan_layer].config["memory_layer"]
+ # callers can opt into a specific scan layer to avoid pathological scan ranges
+ if scan_layer_name is not None:
+ scan_layer = scan_layer_name
+
 if symbols.symbol_table_is_64bit(
 context=context, symbol_table_name=kernel.symbol_table_name
 ):
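Review bot: The new override `if scan_layer_name is not None: scan_layer = scan_layer_name` runs after the `is_windows_10` branch directly above it, so a caller-supplied name replaces whatever that version check selected, and because every in-tree caller in this commit now passes the backing `memory_layer`, the Windows 10 path that previously kept the pool scan on the kernel's own layer is effectively bypassed for those plugins. That looks intentional (the comment speaks of pathological scan ranges), but the parameter text added in the @@ -394 hunk, and its twin in generate_pool_scan at @@ -499, say only `Optional layer name to explicitly scan for pool tags`; the precedence belongs in the docstring, e.g. `scan_layer_name: Layer to scan for pool tags; when given it replaces the Windows-version-based layer selection`. The name is also adopted without being resolved, so a misspelled layer only fails later inside the scan rather than at this line; `scan_layer = context.layers[scan_layer_name].name` would make a bad name fail here, where the cause is obvious. The signature hunk relies on `Optional` already being imported in this module, which the diff does not show; the enclosing generate_pool_scan_extended starts and ends outside the hunk.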
@@ -476,6 +482,7 @@ def generate_pool_scan(
 context: interfaces.context.ContextInterface,
 kernel_module_name: str,
 constraints: List[PoolConstraint],
+ scan_layer_name: Optional[str] = None,
 ) -> Generator[
 Tuple[
 PoolConstraint,
@@ -492,6 +499,7 @@ def generate_pool_scan(
 context: The context to retrieve required elements (layers, symbol tables) from
 kernel_module_name: The name of the module for the kernel
 constraints: List of pool constraints used to limit the scan results
+ scan_layer_name: Optional layer name to explicitly scan for pool tags
 Returns:
 Iterable of tuples, containing the constraint that matched, the object from memory, the object header used to determine the object
@@ -501,7 +509,11 @@ def generate_pool_scan(
 # repeat the symbol table to match the original `generate_pool_scan` behaviour
 yield from cls.generate_pool_scan_extended(
- context, kernel_module_name, kernel.symbol_table_name, constraints
+ context,
+ kernel_module_name,
+ kernel.symbol_table_name,
+ constraints,
+ scan_layer_name=scan_layer_name,
 )
 @classmethod
diff --git a/volatility3/framework/plugins/windows/pslist.py b/volatility3/framework/plugins/windows/pslist.py
index db3e5dc99a..cfcb6458db 100644
--- a/volatility3/framework/plugins/windows/pslist.py
+++ b/volatility3/framework/plugins/windows/pslist.py
@@ -295,7 +295,7 @@ def _generator(self):
 if not self.config.get("physical", self.PHYSICAL_DEFAULT):
 offset = proc.vol.offset
 else:
- (_, _, offset, _, _) = list(
+ _, _, offset, _, _ = list(
 memory.mapping(offset=proc.vol.offset, length=0)
 )[0]
diff --git a/volatility3/framework/plugins/windows/psscan.py b/volatility3/framework/plugins/windows/psscan.py
index de69c23be4..d756741334 100644
--- a/volatility3/framework/plugins/windows/psscan.py
+++ b/volatility3/framework/plugins/windows/psscan.py
@@ -4,17 +4,15 @@
 import datetime
 import logging
-from typing import Iterable, Callable, Optional, Tuple
+from typing import Callable, Iterable, Optional, Tuple
-from volatility3.framework import renderers, interfaces, layers, exceptions
+from volatility3.framework import exceptions, interfaces, layers, renderers
 from volatility3.framework.configuration import requirements
 from volatility3.framework.renderers import format_hints
 from volatility3.framework.symbols import intermed
 from volatility3.framework.symbols.windows.extensions import pe
 from volatility3.plugins import timeliner
-from volatility3.plugins.windows import info
-from volatility3.plugins.windows import poolscanner
-from volatility3.plugins.windows import pslist
+from volatility3.plugins.windows import info, poolscanner, pslist
 vollog = logging.getLogger(__name__)
@@ -86,9 +84,9 @@ def physical_offset_from_virtual(cls, context, layer_name, proc):
 if not isinstance(memory, layers.intel.Intel):
 raise TypeError("Primary layer is not an intel layer")
- (_, _, ph_offset, _, _) = list(
- memory.mapping(offset=proc.vol.offset, length=0)
- )[0]
+ _, _, ph_offset, _, _ = list(memory.mapping(offset=proc.vol.offset, length=0))[
+ 0
+ ]
 return ph_offset
@@ -165,13 +163,19 @@ def scan_processes(
 """
 kernel = context.modules[kernel_module_name]
+ scan_layer_name = context.layers[kernel.layer_name].config.get(
+ "memory_layer", kernel.layer_name
+ )
 constraints = poolscanner.PoolScanner.builtin_constraints(
 kernel.symbol_table_name, [b"Pro\xe3", b"Proc"]
 )
 for result in poolscanner.PoolScanner.generate_pool_scan(
- context, kernel_module_name, constraints
+ context,
+ kernel_module_name,
+ constraints,
+ scan_layer_name=scan_layer_name,
 ):
 _constraint, mem_object, _header = result
 if not filter_func(mem_object):
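Review bot: The reformatted assignment in physical_offset_from_virtual now wraps as `list(...)[`, `0`, `]` over three lines, which is the formatter fighting the line length and reads worse than the parenthesised form it replaces. Naming the intermediate avoids the wrap: `mappings = list(memory.mapping(offset=proc.vol.offset, length=0))` followed by `_, _, ph_offset, _, _ = mappings[0]`. The same `list(...)[0]` idiom in virtual_process_from_physical and `_generator` in the following hunks still fits on two lines, so only this site needs the change. The enclosing method continues outside the hunk.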
@@ -224,7 +228,7 @@ def virtual_process_from_physical(
 virtual_process = ethread.owning_process()
 # Sanity check the bounce.
 # This compares the original offset with the new one (translated from virtual layer)
- (_, _, ph_offset, _, _) = list(
+ _, _, ph_offset, _, _ = list(
 context.layers[ntkrnlmp.layer_name].mapping(
 offset=virtual_process.vol.offset, length=0
 )
@@ -299,7 +303,7 @@ def _generator(self):
 if not self.config["physical"]:
 offset = proc.vol.offset
 else:
- (_, _, offset, _, _) = list(
+ _, _, offset, _, _ = list(
 memory.mapping(offset=proc.vol.offset, length=0)
 )[0]
diff --git a/volatility3/framework/plugins/windows/pstree.py b/volatility3/framework/plugins/windows/pstree.py
index c8d9a3f660..f02782afeb 100644
--- a/volatility3/framework/plugins/windows/pstree.py
+++ b/volatility3/framework/plugins/windows/pstree.py
@@ -92,7 +92,7 @@ def _generator(
 else:
 layer_name = kernel.layer_name
 memory = self.context.layers[layer_name]
- (_, _, offset, _, _) = list(
+ _, _, offset, _, _ = list(
 memory.mapping(offset=proc.vol.offset, length=0)
 )[0]
diff --git a/volatility3/framework/plugins/windows/registry/cachedump.py b/volatility3/framework/plugins/windows/registry/cachedump.py
index 5e138ba990..5e9f7e5a68 100644
--- a/volatility3/framework/plugins/windows/registry/cachedump.py
+++ b/volatility3/framework/plugins/windows/registry/cachedump.py
@@ -75,7 +75,7 @@ def decrypt_hash(cls, edata: bytes, nlkm: bytes, ch, xp: bool):
 @classmethod
 def parse_cache_entry(cls, cache_data: bytes) -> Tuple[int, int, int, bytes, bytes]:
- (uname_len, domain_len) = unpack(" Optional[bytes]:
- (des_k1, des_k2) = cls.sid_to_key(rid)
+ des_k1, des_k2 = cls.sid_to_key(rid)
 des1 = DES.new(des_k1, DES.MODE_ECB)
 des2 = DES.new(des_k2, DES.MODE_ECB)
 cipher = AES.new(hbootkey[:16], AES.MODE_CBC, salt)
@@ -560,7 +560,7 @@ def sidbytes_to_key(cls, s: bytes) -> bytes:
 def decrypt_single_hash(
 cls, rid: int, hbootkey: bytes, enc_hash: bytes, lmntstr: bytes
 ):
- (des_k1, des_k2) = cls.sid_to_key(rid)
+ des_k1, des_k2 = cls.sid_to_key(rid)
 des1 = DES.new(des_k1, DES.MODE_ECB)
 des2 = DES.new(des_k2, DES.MODE_ECB)
 md5 = hashlib.md5()
diff --git a/volatility3/framework/plugins/windows/registry/hivescan.py b/volatility3/framework/plugins/windows/registry/hivescan.py
index 2ebc52f538..5257f21425 100644
--- a/volatility3/framework/plugins/windows/registry/hivescan.py
+++ b/volatility3/framework/plugins/windows/registry/hivescan.py
@@ -4,11 +4,11 @@
 from typing import Iterable
-from volatility3.framework import renderers, interfaces, symbols
+from volatility3.framework import interfaces, renderers, symbols
 from volatility3.framework.configuration import requirements
 from volatility3.framework.renderers import format_hints
 from volatility3.framework.symbols.windows import versions
-from volatility3.plugins.windows import poolscanner, bigpools
+from volatility3.plugins.windows import bigpools, poolscanner
 class HiveScan(interfaces.plugins.PluginInterface):
@@ -74,9 +74,15 @@ def scan_hives(
 constraints = poolscanner.PoolScanner.builtin_constraints(
 kernel.symbol_table_name, [b"CM10"]
 )
+ scan_layer_name = context.layers[kernel.layer_name].config.get(
+ "memory_layer", kernel.layer_name
+ )
 for result in poolscanner.PoolScanner.generate_pool_scan(
- context, kernel_name, constraints
+ context,
+ kernel_name,
+ constraints,
+ scan_layer_name=scan_layer_name,
 ):
 _constraint, mem_object, _header = result
 yield mem_object
diff --git a/volatility3/framework/plugins/windows/symlinkscan.py b/volatility3/framework/plugins/windows/symlinkscan.py
index cdcb5d3d34..e058643105 100644
--- a/volatility3/framework/plugins/windows/symlinkscan.py
+++ b/volatility3/framework/plugins/windows/symlinkscan.py
@@ -5,7 +5,7 @@ import datetime from typing import Iterable
-from volatility3.framework import renderers, exceptions, interfaces
+from volatility3.framework import exceptions, interfaces, renderers
 from volatility3.framework.configuration import requirements
 from volatility3.framework.renderers import format_hints
 from volatility3.plugins import timeliner
@@ -55,13 +55,19 @@ def scan_symlinks(
 """
 kernel = context.modules[kernel_module_name]
+ scan_layer_name = context.layers[kernel.layer_name].config.get(
+ "memory_layer", kernel.layer_name
+ )
 constraints = poolscanner.PoolScanner.builtin_constraints(
 kernel.symbol_table_name, [b"Sym\xe2", b"Symb"]
 )
 for result in poolscanner.PoolScanner.generate_pool_scan(
- context, kernel_module_name, constraints
+ context,
+ kernel_module_name,
+ constraints,
+ scan_layer_name=scan_layer_name,
 ):
 _constraint, mem_object, _header = result
 yield mem_object
diff --git a/volatility3/framework/plugins/windows/thrdscan.py b/volatility3/framework/plugins/windows/thrdscan.py
index 4b2bf47d27..ffef143a17 100644
--- a/volatility3/framework/plugins/windows/thrdscan.py
+++ b/volatility3/framework/plugins/windows/thrdscan.py
@@ -3,7 +3,7 @@
 ##
 import datetime
 import logging
-from typing import Callable, Dict, NamedTuple, Optional, Union, Tuple, Iterator
+from typing import Callable, Dict, Iterator, NamedTuple, Optional, Tuple, Union
 from volatility3.framework import exceptions, interfaces, objects, renderers
 from volatility3.framework.configuration import requirements
@@ -76,13 +76,19 @@ def scan_threads(
 """
 kernel = context.modules[module_name]
+ scan_layer_name = context.layers[kernel.layer_name].config.get(
+ "memory_layer", kernel.layer_name
+ )
 constraints = poolscanner.PoolScanner.builtin_constraints(
 kernel.symbol_table_name, [b"Thr\xe5", b"Thre"]
 )
 for result in poolscanner.PoolScanner.generate_pool_scan(
- context, module_name, constraints
+ context,
+ module_name,
+ constraints,
+ scan_layer_name=scan_layer_name,
 ):
 _constraint, mem_object, _header = result
 yield mem_object
diff --git a/volatility3/framework/plugins/windows/verinfo.py b/volatility3/framework/plugins/windows/verinfo.py
index d2722418b8..38fc25458e 100644
--- a/volatility3/framework/plugins/windows/verinfo.py
+++ b/volatility3/framework/plugins/windows/verinfo.py
@@ -178,7 +178,7 @@ def _generator(
 self.context, session_layers, mod.DllBase
 )
 try:
- (major, minor, product, build) = self.get_version_information(
+ major, minor, product, build = self.get_version_information(
 self._context, pe_table_name, session_layer_name, mod.DllBase
 )
 except (
@@ -187,7 +187,7 @@ def _generator(
 TypeError,
 AttributeError,
 ):
- (major, minor, product, build) = [renderers.UnreadableValue()] * 4
+ major, minor, product, build = [renderers.UnreadableValue()] * 4
 if (
 not isinstance(BaseDllName, renderers.UnreadableValue)
 and physical_layer_name is not None
@@ -197,7 +197,7 @@ def _generator(
 self._context, physical_layer_name, BaseDllName
 )
 if result is not None:
- (major, minor, product, build) = result
+ major, minor, product, build = result
 # the pid and process are not applicable for kernel modules
 yield (
@@ -238,11 +238,11 @@ def _generator(
 DllBase = renderers.UnreadableValue()
 try:
- (major, minor, product, build) = self.get_version_information(
+ major, minor, product, build = self.get_version_information(
 self._context, pe_table_name, proc_layer_name, entry.DllBase
 )
 except (exceptions.InvalidAddressException, ValueError, AttributeError):
- (major, minor, product, build) = [renderers.UnreadableValue()] * 4
+ major, minor, product, build = [renderers.UnreadableValue()] * 4
 yield (
 0,
diff --git a/volatility3/framework/plugins/windows/windowstations.py b/volatility3/framework/plugins/windows/windowstations.py
index 1f95b05314..dc23f809cd 100644
--- a/volatility3/framework/plugins/windows/windowstations.py
+++ b/volatility3/framework/plugins/windows/windowstations.py
@@ -3,15 +3,15 @@
 #
 import logging
 import os
-from typing import List, Tuple, Iterator, Generator, Dict
+from typing import Dict, Generator, Iterator, List, Tuple
-from volatility3.framework import interfaces, renderers, symbols, exceptions
+from volatility3.framework import exceptions, interfaces, renderers, symbols
 from volatility3.framework.configuration import requirements
 from volatility3.framework.renderers import format_hints
 from volatility3.framework.symbols import intermed
 from volatility3.framework.symbols.windows import versions
-from volatility3.plugins.windows import poolscanner, modules
 from volatility3.framework.symbols.windows.extensions import gui
+from volatility3.plugins.windows import modules, poolscanner
 vollog = logging.getLogger(__name__)
@@ -150,6 +150,9 @@ def scan_gui_object(
 """
 kernel = context.modules[kernel_module_name]
+ scan_layer_name = context.layers[kernel.layer_name].config.get(
+ "memory_layer", kernel.layer_name
+ )
 gui_table_name = cls.create_gui_table(
 context, kernel.symbol_table_name, config_path
@@ -166,6 +169,7 @@ def scan_gui_object(
 kernel_module_name=kernel_module_name,
 object_symbol_table_name=gui_table_name,
 constraints=constraints,
+ scan_layer_name=scan_layer_name,
 ):
 _constraint, mem_object, _header = result
diff --git a/volatility3/framework/symbols/linux/extensions/network.py b/volatility3/framework/symbols/linux/extensions/network.py
index 37fa5a41f3..4ddeb381f3 100644
--- a/volatility3/framework/symbols/linux/extensions/network.py
+++ b/volatility3/framework/symbols/linux/extensions/network.py
@@ -9,7 +9,6 @@ from volatility3.framework.renderers import conversion import socket as socket_module
-
 vollog = logging.getLogger(__name__)