Merge pull request #1632 from volatilityfoundation/fix_poolscanners

ikelos · web-flow · commit 37bdb6cb9959 · 2025-02-23T22:38:32.000Z
Check Win10+ SlushSize member to support Windows 11 pool scanning. Re…
diff --git a/volatility3/framework/plugins/windows/poolscanner.py b/volatility3/framework/plugins/windows/poolscanner.py
@@ -205,6 +205,7 @@ def builtin_constraints(
                 b"AtmT",
                 type_name=symbol_table + constants.BANG + "_RTL_ATOM_TABLE",
                 size=(200, None),
+                # TODO - update this after the GUI code goes on
                 page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
             ),
             # processes on windows before windows 8
@@ -214,7 +215,7 @@ def builtin_constraints(
                 object_type="Process",
                 size=(600, None),
                 skip_type_test=True,
-                page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
+                page_type=PoolType.NONPAGED | PoolType.FREE,
             ),
             # processes on windows starting with windows 8
             PoolConstraint(
@@ -223,7 +224,7 @@ def builtin_constraints(
                 object_type="Process",
                 size=(600, None),
                 skip_type_test=True,
-                page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
+                page_type=PoolType.NONPAGED | PoolType.FREE,
             ),
             # threads on windows before windows8
             PoolConstraint(
@@ -232,55 +233,55 @@ def builtin_constraints(
                 object_type="Thread",
                 size=(600, None),  # -> 0x0258 - size of struct in win5.1
                 skip_type_test=True,
-                page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
+                page_type=PoolType.NONPAGED | PoolType.FREE,
             ),
             # threads on windows starting with windows8
             PoolConstraint(
                 b"Thre",
                 type_name=symbol_table + constants.BANG + "_ETHREAD",
                 object_type="Thread",
                 size=(600, None),  # -> 0x0258 - size of struct in win5.1
-                page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
+                page_type=PoolType.NONPAGED | PoolType.FREE,
             ),
             # files on windows before windows 8
             PoolConstraint(
                 b"Fil\xe5",
                 type_name=symbol_table + constants.BANG + "_FILE_OBJECT",
                 object_type="File",
                 size=(150, None),
-                page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
+                page_type=PoolType.NONPAGED | PoolType.FREE,
             ),
             # files on windows starting with windows 8
             PoolConstraint(
                 b"File",
                 type_name=symbol_table + constants.BANG + "_FILE_OBJECT",
                 object_type="File",
                 size=(150, None),
-                page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
+                page_type=PoolType.NONPAGED | PoolType.FREE,
             ),
             # mutants on windows before windows 8
             PoolConstraint(
                 b"Mut\xe1",
                 type_name=symbol_table + constants.BANG + "_KMUTANT",
                 object_type="Mutant",
                 size=(64, None),
-                page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
+                page_type=PoolType.NONPAGED | PoolType.FREE,
             ),
             # mutants on windows starting with windows 8
             PoolConstraint(
                 b"Muta",
                 type_name=symbol_table + constants.BANG + "_KMUTANT",
                 object_type="Mutant",
                 size=(64, None),
-                page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
+                page_type=PoolType.NONPAGED | PoolType.FREE,
             ),
             # drivers on windows before windows 8
             PoolConstraint(
                 b"Dri\xf6",
                 type_name=symbol_table + constants.BANG + "_DRIVER_OBJECT",
                 object_type="Driver",
                 size=(248, None),
-                page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
+                page_type=PoolType.NONPAGED | PoolType.FREE,
                 additional_structures=["_DRIVER_EXTENSION"],
             ),
             # drivers on windows starting with windows 8
@@ -289,37 +290,37 @@ def builtin_constraints(
                 type_name=symbol_table + constants.BANG + "_DRIVER_OBJECT",
                 object_type="Driver",
                 size=(248, None),
-                page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
+                page_type=PoolType.NONPAGED | PoolType.FREE,
             ),
             # kernel modules
             PoolConstraint(
                 b"MmLd",
                 type_name=symbol_table + constants.BANG + "_LDR_DATA_TABLE_ENTRY",
                 size=(76, None),
-                page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
+                page_type=PoolType.NONPAGED | PoolType.FREE,
             ),
             # symlinks on windows before windows 8
             PoolConstraint(
                 b"Sym\xe2",
                 type_name=symbol_table + constants.BANG + "_OBJECT_SYMBOLIC_LINK",
                 object_type="SymbolicLink",
                 size=(72, None),
-                page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
+                page_type=PoolType.NONPAGED | PoolType.FREE,
             ),
             # symlinks on windows starting with windows 8
             PoolConstraint(
                 b"Symb",
                 type_name=symbol_table + constants.BANG + "_OBJECT_SYMBOLIC_LINK",
                 object_type="SymbolicLink",
                 size=(72, None),
-                page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
+                page_type=PoolType.NONPAGED | PoolType.FREE,
             ),
             # registry hives
             PoolConstraint(
                 b"CM10",
                 type_name=symbol_table + constants.BANG + "_CMHIVE",
                 size=(800, None),
-                page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
+                page_type=PoolType.PAGED | PoolType.FREE,
                 skip_type_test=True,
             ),
         ]
diff --git a/volatility3/framework/symbols/windows/__init__.py b/volatility3/framework/symbols/windows/__init__.py
@@ -48,7 +48,9 @@ def __init__(self, *args, **kwargs) -> None:
 
         # This doesn't exist in very specific versions of windows
         with contextlib.suppress(ValueError):
-            if self.get_type("_POOL_TRACKER_BIG_PAGES").has_member("PoolType"):
+            if self.get_type("_POOL_TRACKER_BIG_PAGES").has_member(
+                "PoolType"
+            ) or self.get_type("_POOL_TRACKER_BIG_PAGES").has_member("SlushSize"):
                 self.set_type_class("_POOL_HEADER", pool.POOL_HEADER_VISTA)
             else:
                 self.set_type_class("_POOL_HEADER", pool.POOL_HEADER)
