Major Perf PoolScan physical layer

[forensicxlab]

This PR addresses major performance issues I am facing in Windows 10/11 memory images for poolscan-based plugins (for example windows.filescan).

Poolscan consumers currently scan the Win10/11 virtual kernel layer by default, which can traverse very large sparse address ranges and spend most time in translation/read overhead before yielding results.

We have added an optional scan_layer_name parameter to the following:

• PoolScanner.generate_pool_scan_extended

• PoolScanner.generate_pool_scan
  We updated poolscan-based Windows plugins to pass memory_layer when available (fallback to original layer if not):

• windows.filescan.FileScan

• windows.psscan.PsScan

• windows.thrdscan.ThrdScan

• windows.driverscan.DriverScan

• windows.modscan.ModScan

• windows.mutantscan.MutantScan

• windows.symlinkscan.SymlinkScan

• windows.netscan.NetScan

• windows.callbacks.Callbacks

• windows.windowstations.WindowStations

• windows.registry.hivescan.HiveScan (poolscan path).

• windows.filescan
  previous behavior: timed out at 3600s in control run
  patched: finished in ~68.8s, 5666 results

• windows.psscan
  previous behavior: timed out at 3600s, 0 results
  patched: finished in ~63.6s, 286 results

  I can privately share a sample image to do test. Let me know by contacting me at felix.guyard@forensicxlab.com.

  Kind regards.

[forensicxlab]

Hi,
Looking at the unit test result failed for the windows 10 image. This is linked to the new offsets that are now representing an offset in the physical memory layer. If you agree to this change I can also update the tests.