Major Perf PoolScan physical layer

volatility3/cli/volargparse.py

@@ -7,7 +7,6 @@
 import re
 from typing import Optional, Sequence, Any, Union
 
-
 # This effectively overrides/monkeypatches the core argparse module to provide more helpful output around choices
 # We shouldn't really steal a private member from argparse, but otherwise we're just duplicating code
 

volatility3/framework/layers/crash.py

@@ -236,7 +236,7 @@ def check_header(
             raise WindowsCrashDumpFormatException(
                 base_layer.name, f"Crashdump header not found at offset {offset}"
             )
-        (signature, validdump) = cls._magic_struct.unpack(header_data)
+        signature, validdump = cls._magic_struct.unpack(header_data)
 
         if signature != cls.SIGNATURE:
             raise WindowsCrashDumpFormatException(

volatility3/framework/layers/elf.py

@@ -10,7 +10,6 @@
 from volatility3.framework.layers import segmented
 from volatility3.framework.symbols import intermed
 
-
 vollog = logging.getLogger(__name__)
 
 
@@ -94,7 +93,7 @@ def _check_header(
                 base_layer.name,
                 f"Offset 0x{offset:0x} does not exist within the base layer",
             )
-        (magic, elf_class, elf_data_encoding, elf_version) = cls._header_struct.unpack(
+        magic, elf_class, elf_data_encoding, elf_version = cls._header_struct.unpack(
             header_data
         )
         if magic != cls.MAGIC:

volatility3/framework/layers/lime.py

@@ -76,7 +76,7 @@ def _check_header(
                 base_layer.name,
                 f"Offset 0x{offset:0x} does not exist within the base layer",
             )
-        (magic, version, start, end, reserved) = cls._header_struct.unpack(header_data)
+        magic, version, start, end, reserved = cls._header_struct.unpack(header_data)
         if magic != cls.MAGIC:
             raise LimeFormatException(
                 base_layer.name, f"Bad magic 0x{magic:x} at file offset 0x{offset:x}"

volatility3/framework/layers/xen.py

@@ -141,7 +141,7 @@ def _check_header(
                 base_layer.name,
                 f"Offset 0x{offset:0x} does not exist within the base layer",
             )
-        (magic, elf_class, elf_data_encoding, elf_version) = cls._header_struct.unpack(
+        magic, elf_class, elf_data_encoding, elf_version = cls._header_struct.unpack(
             header_data
         )
         if magic != cls.MAGIC:

volatility3/framework/plugins/linux/elfs.py

@@ -17,7 +17,6 @@
 from volatility3.framework.constants import linux as linux_constants
 from volatility3.plugins.linux import pslist
 
-
 vollog = logging.getLogger(__name__)
 
 

volatility3/framework/plugins/linux/kallsyms.py

@@ -11,7 +11,6 @@
 from volatility3.framework.constants import architectures
 from volatility3.framework.symbols.linux import kallsyms
 
-
 vollog = logging.getLogger(__name__)
 
 

volatility3/framework/plugins/linux/library_list.py

@@ -13,7 +13,6 @@
 from volatility3.framework.symbols.linux.extensions import elf
 from volatility3.plugins.linux import pslist
 
-
 vollog = logging.getLogger(__name__)
 
 

volatility3/framework/plugins/linux/mountinfo.py

@@ -12,7 +12,6 @@
 from volatility3.framework.symbols import linux
 from volatility3.plugins.linux import pslist
 
-
 vollog = logging.getLogger(__name__)
 
 MountInfoData = namedtuple(

volatility3/framework/plugins/linux/sockstat.py

@@ -15,7 +15,6 @@
 from volatility3.plugins.linux import pslist
 from volatility3.framework.symbols.linux import network
 
-
 vollog = logging.getLogger(__name__)
 
 

volatility3/framework/plugins/mac/netstat.py

@@ -130,7 +130,7 @@ def _generator(self):
                 vals = socket.get_converted_connection_info()
 
                 if vals:
-                    (lip, lport, rip, rport) = vals
+                    lip, lport, rip, rport = vals
 
                     yield (
                         0,

volatility3/framework/plugins/windows/callbacks.py

@@ -230,6 +230,9 @@ def scan(
             A list of callback objects found by scanning the `layer_name` layer for callback pool signatures
         """
         kernel = context.modules[kernel_module_name]
+        scan_layer_name = context.layers[kernel.layer_name].config.get(
+            "memory_layer", kernel.layer_name
+        )
 
         is_vista_or_later = versions.is_vista_or_later(
             context=context, symbol_table=kernel.symbol_table_name
@@ -248,7 +251,10 @@ def scan(
             mem_object,
             _header,
         ) in poolscanner.PoolScanner.generate_pool_scan(
-            context, kernel_module_name, constraints
+            context,
+            kernel_module_name,
+            constraints,
+            scan_layer_name=scan_layer_name,
         ):
             try:
                 if isinstance(mem_object, callbacks._SHUTDOWN_PACKET):

volatility3/framework/plugins/windows/cmdscan.py

@@ -16,7 +16,6 @@
 from volatility3.framework.renderers import format_hints
 from volatility3.plugins.windows import pslist, consoles
 
-
 vollog = logging.getLogger(__name__)
 
 

volatility3/framework/plugins/windows/consoles.py

@@ -21,7 +21,6 @@
 from volatility3.plugins.windows import pslist, info, verinfo
 from volatility3.plugins.windows.registry import hivelist
 
-
 vollog = logging.getLogger(__name__)
 
 
@@ -244,10 +243,8 @@ def determine_conhost_version(
             )
 
             try:
-                (major, minor, product, build) = (
-                    verinfo.VerInfo.get_version_information(
-                        context, pe_table_name, conhost_layer_name, conhost_base
-                    )
+                major, minor, product, build = verinfo.VerInfo.get_version_information(
+                    context, pe_table_name, conhost_layer_name, conhost_base
                 )
                 conhost_mod_version = build
                 vollog.debug(

volatility3/framework/plugins/windows/driverscan.py

@@ -4,10 +4,10 @@
 
 from typing import Iterable, Optional, Tuple
 
-from volatility3.framework import renderers, interfaces, exceptions
+from volatility3.framework import exceptions, interfaces, renderers
 from volatility3.framework.configuration import requirements
 from volatility3.framework.renderers import format_hints
-from volatility3.plugins.windows import poolscanner, modules
+from volatility3.plugins.windows import modules, poolscanner
 
 
 class DriverScan(interfaces.plugins.PluginInterface):
@@ -50,6 +50,9 @@ def scan_drivers(
         """
 
         kernel = context.modules[kernel_module_name]
+        scan_layer_name = context.layers[kernel.layer_name].config.get(
+            "memory_layer", kernel.layer_name
+        )
 
         constraints = poolscanner.PoolScanner.builtin_constraints(
             kernel.symbol_table_name, [b"Dri\xf6", b"Driv"]
@@ -64,7 +67,10 @@ def scan_drivers(
         )
 
         for result in poolscanner.PoolScanner.generate_pool_scan(
-            context, kernel_module_name, constraints
+            context,
+            kernel_module_name,
+            constraints,
+            scan_layer_name=scan_layer_name,
         ):
             _constraint, mem_object, _header = result
 

volatility3/framework/plugins/windows/filescan.py

@@ -4,7 +4,7 @@
 
 from typing import Iterable
 
-from volatility3.framework import renderers, interfaces, exceptions
+from volatility3.framework import exceptions, interfaces, renderers
 from volatility3.framework.configuration import requirements
 from volatility3.framework.renderers import format_hints
 from volatility3.plugins.windows import poolscanner
@@ -46,13 +46,19 @@ def scan_files(
         """
 
         kernel = context.modules[kernel_module_name]
+        scan_layer_name = context.layers[kernel.layer_name].config.get(
+            "memory_layer", kernel.layer_name
+        )
 
         constraints = poolscanner.PoolScanner.builtin_constraints(
             kernel.symbol_table_name, [b"Fil\xe5", b"File"]
         )
 
         for result in poolscanner.PoolScanner.generate_pool_scan(
-            context, kernel_module_name, constraints
+            context,
+            kernel_module_name,
+            constraints,
+            scan_layer_name=scan_layer_name,
         ):
             _constraint, mem_object, _header = result
             yield mem_object

volatility3/framework/plugins/windows/joblinks.py

@@ -53,7 +53,7 @@ def _generator(self) -> Iterator[Tuple]:
                 if not self.config["physical"]:
                     offset = proc.vol.offset
                 else:
-                    (_, _, offset, _, _) = list(
+                    _, _, offset, _, _ = list(
                         memory.mapping(offset=proc.vol.offset, length=0)
                     )[0]
 
@@ -83,7 +83,7 @@ def _generator(self) -> Iterator[Tuple]:
                     if not self.config["physical"]:
                         offset = entry.vol.offset
                     else:
-                        (_, _, offset, _, _) = list(
+                        _, _, offset, _, _ = list(
                             memory.mapping(offset=entry.vol.offset, length=0)
                         )[0]
 

volatility3/framework/plugins/windows/modscan.py

@@ -6,7 +6,7 @@
 
 from volatility3.framework import interfaces
 from volatility3.framework.configuration import requirements
-from volatility3.plugins.windows import poolscanner, modules, pedump
+from volatility3.plugins.windows import modules, pedump, poolscanner
 
 vollog = logging.getLogger(__name__)
 
@@ -75,13 +75,19 @@ def scan_modules(
         """
 
         kernel = context.modules[kernel_module_name]
+        scan_layer_name = context.layers[kernel.layer_name].config.get(
+            "memory_layer", kernel.layer_name
+        )
 
         constraints = poolscanner.PoolScanner.builtin_constraints(
             kernel.symbol_table_name, [b"MmLd"]
         )
 
         for result in poolscanner.PoolScanner.generate_pool_scan(
-            context, kernel_module_name, constraints
+            context,
+            kernel_module_name,
+            constraints,
+            scan_layer_name=scan_layer_name,
         ):
             _constraint, mem_object, _header = result
             yield mem_object

volatility3/framework/plugins/windows/mutantscan.py

@@ -4,7 +4,7 @@
 
 from typing import Iterable
 
-from volatility3.framework import renderers, interfaces, exceptions
+from volatility3.framework import exceptions, interfaces, renderers
 from volatility3.framework.configuration import requirements
 from volatility3.framework.renderers import format_hints
 from volatility3.plugins.windows import poolscanner
@@ -46,13 +46,19 @@ def scan_mutants(
         """
 
         kernel = context.modules[kernel_module_name]
+        scan_layer_name = context.layers[kernel.layer_name].config.get(
+            "memory_layer", kernel.layer_name
+        )
 
         constraints = poolscanner.PoolScanner.builtin_constraints(
             kernel.symbol_table_name, [b"Mut\xe1", b"Muta"]
         )
 
         for result in poolscanner.PoolScanner.generate_pool_scan(
-            context, kernel_module_name, constraints
+            context,
+            kernel_module_name,
+            constraints,
+            scan_layer_name=scan_layer_name,
         ):
             _constraint, mem_object, _header = result
             yield mem_object

volatility3/framework/plugins/windows/netscan.py

@@ -375,11 +375,18 @@ def scan(
         Returns:
             A list of network objects found by scanning the `layer_name` layer for network pool signatures
         """
+        kernel = context.modules[kernel_module_name]
+        scan_layer_name = context.layers[kernel.layer_name].config.get(
+            "memory_layer", kernel.layer_name
+        )
 
         constraints = cls.create_netscan_constraints(context, netscan_symbol_table)
 
         for result in poolscanner.PoolScanner.generate_pool_scan(
-            context, kernel_module_name, constraints
+            context,
+            kernel_module_name,
+            constraints,
+            scan_layer_name=scan_layer_name,
         ):
             _constraint, mem_object, _header = result
             yield mem_object

volatility3/framework/plugins/windows/poolscanner.py

@@ -375,6 +375,7 @@ def generate_pool_scan_extended(
         kernel_module_name: str,
         object_symbol_table_name: str,
         constraints: List[PoolConstraint],
+        scan_layer_name: Optional[str] = None,
     ) -> Generator[
         Tuple[
             PoolConstraint,
@@ -393,6 +394,7 @@ def generate_pool_scan_extended(
             kernel_module_name: The name of the module for the kernel
             object_symbol_table_name: The name of the symbol table for the object being scanned for
             constraints: List of pool constraints used to limit the scan results
+            scan_layer_name: Optional layer name to explicitly scan for pool tags
         Returns:
             Iterable of tuples, containing the constraint that matched, the object from memory, the object header used to determine the object
         """
@@ -420,6 +422,10 @@ def generate_pool_scan_extended(
         if not is_windows_10:
             scan_layer = context.layers[scan_layer].config["memory_layer"]
 
+        # callers can opt into a specific scan layer to avoid pathological scan ranges
+        if scan_layer_name is not None:
+            scan_layer = scan_layer_name
+
         if symbols.symbol_table_is_64bit(
             context=context, symbol_table_name=kernel.symbol_table_name
         ):
@@ -476,6 +482,7 @@ def generate_pool_scan(
         context: interfaces.context.ContextInterface,
         kernel_module_name: str,
         constraints: List[PoolConstraint],
+        scan_layer_name: Optional[str] = None,
     ) -> Generator[
         Tuple[
             PoolConstraint,
@@ -492,6 +499,7 @@ def generate_pool_scan(
             context: The context to retrieve required elements (layers, symbol tables) from
             kernel_module_name: The name of the module for the kernel
             constraints: List of pool constraints used to limit the scan results
+            scan_layer_name: Optional layer name to explicitly scan for pool tags
 
         Returns:
             Iterable of tuples, containing the constraint that matched, the object from memory, the object header used to determine the object
@@ -501,7 +509,11 @@ def generate_pool_scan(
 
         # repeat the symbol table to match the original `generate_pool_scan` behaviour
         yield from cls.generate_pool_scan_extended(
-            context, kernel_module_name, kernel.symbol_table_name, constraints
+            context,
+            kernel_module_name,
+            kernel.symbol_table_name,
+            constraints,
+            scan_layer_name=scan_layer_name,
         )
 
     @classmethod

volatility3/framework/plugins/windows/pslist.py

@@ -295,7 +295,7 @@ def _generator(self):
             if not self.config.get("physical", self.PHYSICAL_DEFAULT):
                 offset = proc.vol.offset
             else:
-                (_, _, offset, _, _) = list(
+                _, _, offset, _, _ = list(
                     memory.mapping(offset=proc.vol.offset, length=0)
                 )[0]