dumpfiles.py is now consistent with master and runs correctly

mtressler · ikelos · commit 49acf443027c · 2020-12-10T15:37:40.000Z
diff --git a/volatility/framework/plugins/windows/dumpfiles.py b/volatility/framework/plugins/windows/dumpfiles.py
@@ -10,7 +10,7 @@
 from volatility.framework.configuration import requirements
 from volatility.framework.renderers import format_hints
 from volatility.framework.objects import utility
-from typing import List, Tuple
+from typing import List, Tuple, Type
 vollog = logging.getLogger(__name__)
 
 FILE_DEVICE_DISK = 0x7
@@ -24,6 +24,7 @@
 class DumpFiles(interfaces.plugins.PluginInterface):
     """Dumps cached file contents from Windows memory samples."""
 
+    _required_framework_version = (2, 0, 0)
     _version = (1, 0, 0)
 
     @classmethod
@@ -49,6 +50,7 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
 
     def dump_file_producer(self, file_object: interfaces.objects.ObjectInterface,
                            memory_object: interfaces.objects.ObjectInterface,
+                           open_method: Type[interfaces.plugins.FileHandlerInterface],
                            layer: interfaces.layers.DataLayerInterface,
                            desired_file_name: str) -> str:
         """Produce a file from the memory object's get_available_pages() interface.
@@ -59,23 +61,24 @@ def dump_file_producer(self, file_object: interfaces.objects.ObjectInterface,
         :param desired_file_name: name of the output file
         :return: result status
         """
-        filedata = interfaces.plugins.FileInterface(desired_file_name)
+        filedata = open_method(desired_file_name)
         try:
             # Description of these variables:
             #   memoffset: offset in the specified layer where the page begins
             #   fileoffset: write to this offset in the destination file
             #   datasize: size of the page
+
+            # track number of bytes written so we don't write empty files to disk
+            bytes_written = 0
             for memoffset, fileoffset, datasize in memory_object.get_available_pages():
                 data = layer.read(memoffset, datasize, pad = True)
-                filedata.data.seek(fileoffset)
-                filedata.data.write(data)
+                bytes_written += len(data)
+                filedata.seek(fileoffset)
+                filedata.write(data)
 
-            # Avoid writing files to disk if they are going to be empty or all zeros.
-            cached_length = len(filedata.data.getvalue())
-            if cached_length == 0 or filedata.data.getvalue().count(0) == cached_length:
+            if not bytes_written:
                 result_text = "No data is cached for the file at {0:#x}".format(file_object.vol.offset)
             else:
-                self.produce_file(filedata)
                 result_text = "Stored {}".format(filedata.preferred_filename)
         except exceptions.InvalidAddressException:
             result_text = "Unable to dump file at {0:#x}".format(file_object.vol.offset)
@@ -141,7 +144,7 @@ def process_file_object(self, file_obj: interfaces.objects.ObjectInterface) -> T
                                                                         ntpath.basename(obj_name),
                                                                         extension)
 
-            result_text = self.dump_file_producer(file_obj, memory_object, layer, desired_file_name)
+            result_text = self.dump_file_producer(file_obj, memory_object, self.open, layer, desired_file_name)
 
             yield (cache_name, format_hints.Hex(file_obj.vol.offset),
                 ntpath.basename(obj_name), # temporary, so its easier to visualize output
