Merge branch 'develop' into volshell_display_types_pointer_upgrade_2025

Author: eve-mem

.github/workflows/vol3-code-analysis.yml

@@ -0,0 +1,24 @@
+name: Volatility3 Code Analysis
+on: [push, pull_request]
+jobs:
+
+  build:
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        python-version: ["3.8"]
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ matrix.python-version }}
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install .[test]
+
+    - name: Testing...
+      run: |
+        python ./test/volatility3_code_analysis.py

API_CHANGES.md

@@ -4,6 +4,100 @@ API Changes
 When an addition to the existing API is made, the minor version is bumped.
 When an API feature or function is removed or changed, the major version is bumped.
 
+2.25.0
+======
+Pointer class now supports `get_raw_value()`.
+`KTIMER` no longer supports `get_raw_dpc()`.
+
+2.24.0
+======
+Support `encoding` parameter for `objects.utility.array_to_string`
+
+2.23.0
+======
+Add support for windows GUI classes and OS distinguishers.
+Add a symbol_table_name for `ExecutiveObject.get_object_header()`/
+
+2.22.0
+======
+Linux net constants added.
+Network objects moved to separate versionable module.
+
+2.21.0
+======
+`uuid` method added to `linux.extensions`.
+
+2.20.0
+======
+NM_TYPES_DESC constants added to linux.
+`latch_tree_root` and `kernel_symbol` added to linux extensions.
+Linux `module` class additions:
+* `get_module_address_boundaries`
+* `section_typetab`
+Linux `task_struct` class additions:
+* `get_address_space_layer`
+* `state`
+Linux `bpf_prog` class additions:
+* `bpf_jit_binary_hdr_address`
+
+2.19.0
+======
+Introduction of `Modules` versionable linux extension module.
+Deprecation of some `LinuxUtilities` functions relating to modules.
+
+2.18.0
+======
+Addition of `scatterlist` linux extension.
+
+2.17.0
+======
+The addition of a `types` member to `SymbolInterface`
+
+2.16.0
+======
+Addition of TAINT_FLAG constants, `TaintFlag` dataclass
+Addition of linux `tainting` versionable module
+
+2.15.0
+======
+Addition of `convert_fourcc_code` to `LinuxUtilities` class
+
+2.14.0
+======
+No significant changes (part of the 2.16.0 PR which took time in development)
+
+2.13.0
+======
+Linux `task` object extension addition of `getppid`
+
+2.12.0
+======
+Changes to the Intel layer to support `PROT_NONE` pages.
+
+2.11.0
+======
+Addition of `get_type` method to windows `CM_KEY_NODE` registry structure
+
+2.10.0
+======
+No significant API changes (CLI changes to the JSONL text renderer)
+
+2.9.0
+=====
+No significant API changes (change to call `linux.LinuxUtilities.get_module_from_volobj_type` to get the kernel)
+
+2.8.0
+=====
+Addition of the `BinOrAbsent`, `HexOrAbsent`, `HexBytesOrAbsent` and `MultiTypeDataOrAbsent` data type renderers
+
+2.7.0
+=====
+Addition of `is_valid`, `get_create_time` and `get_exit_time` to ETHREAD structure
+
+2.6.0
+=====
+No significant changes (again, the version got bump twice in the PR straight to 2.7.0)
+
 2.5.0
 =====
 Add in support for specifying a type override for object_from_symbol
@@ -50,5 +144,3 @@ an absolute offset.  This can be done with `Module.get_absolute_symbol_address`
 * Added context.modules
 * Added ModuleRequirement
 * Added get\_symbols\_by\_absolute\_location
-
-

test/plugins/windows/test_data/windows.registry.userassist.UserAssist.json

@@ -9,7 +9,7 @@
         "Last Write Time": "2025-03-06T17:57:09+00:00",
         "Name": null,
         "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-        "Raw Data": "",
+        "Raw Data": "N/A",
         "Time Focused": null,
         "Type": "Key",
         "__children": [
@@ -23,7 +23,7 @@
                 "Last Write Time": "2025-03-06T17:57:09+00:00",
                 "Name": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Paint.lnk",
                 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-                "Raw Data": "\"\n00 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf ff ff ff ff 90 86 6b 31 ..............k1\nfd 8d db 01 00 00 00 00                         ........        \"",
+                "Raw Data": "00 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ff ff ff ff 90 86 6b 31 fd 8d db 01 00 00 00 00",
                 "Time Focused": "0:00:00.507000",
                 "Type": "Value",
                 "__children": []
@@ -38,7 +38,7 @@
                 "Last Write Time": "2025-03-06T17:57:09+00:00",
                 "Name": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Registry Editor.lnk",
                 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-                "Raw Data": "\"\n00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf ff ff ff ff f0 82 cf ca ................\n95 8e db 01 00 00 00 00                         ........        \"",
+                "Raw Data": "00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ff ff ff ff f0 82 cf ca 95 8e db 01 00 00 00 00",
                 "Time Focused": "0:00:00.501000",
                 "Type": "Value",
                 "__children": []
@@ -53,7 +53,7 @@
                 "Last Write Time": "2025-03-06T17:57:09+00:00",
                 "Name": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk",
                 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-                "Raw Data": "\"\n00 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf ff ff ff ff 10 67 cf 4d .............g.M\nbe 8e db 01 00 00 00 00                         ........        \"",
+                "Raw Data": "00 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ff ff ff ff 10 67 cf 4d be 8e db 01 00 00 00 00",
                 "Time Focused": "0:00:00.504000",
                 "Type": "Value",
                 "__children": []
@@ -68,7 +68,7 @@
                 "Last Write Time": "2025-03-06T17:57:09+00:00",
                 "Name": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk",
                 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-                "Raw Data": "\"\n00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf ff ff ff ff d0 99 66 6c ..............fl\nc0 8e db 01 00 00 00 00                         ........        \"",
+                "Raw Data": "00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ff ff ff ff d0 99 66 6c c0 8e db 01 00 00 00 00",
                 "Time Focused": "0:00:00.501000",
                 "Type": "Value",
                 "__children": []
@@ -83,7 +83,7 @@
                 "Last Write Time": "2025-03-06T17:57:09+00:00",
                 "Name": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Notepad.lnk",
                 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-                "Raw Data": "\"\n00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf ff ff ff ff 00 62 ba 89 .............b..\nc0 8e db 01 00 00 00 00                         ........        \"",
+                "Raw Data": "00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ff ff ff ff 00 62 ba 89 c0 8e db 01 00 00 00 00",
                 "Time Focused": "0:00:00.501000",
                 "Type": "Value",
                 "__children": []
@@ -98,7 +98,7 @@
                 "Last Write Time": "2025-03-06T17:57:09+00:00",
                 "Name": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Task Scheduler.lnk",
                 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-                "Raw Data": "\"\n00 00 00 00 02 00 00 00 00 00 00 00 02 00 00 00 ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf ff ff ff ff b0 24 49 23 .............$I#\nc1 8e db 01 00 00 00 00                         ........        \"",
+                "Raw Data": "00 00 00 00 02 00 00 00 00 00 00 00 02 00 00 00 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ff ff ff ff b0 24 49 23 c1 8e db 01 00 00 00 00",
                 "Time Focused": "0:00:00.502000",
                 "Type": "Value",
                 "__children": []
@@ -113,11 +113,11 @@
                 "Last Write Time": "2025-03-06T17:57:09+00:00",
                 "Name": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk",
                 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-                "Raw Data": "\"\n00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf ff ff ff ff 60 3d 89 2e ............`=..\nc1 8e db 01 00 00 00 00                         ........        \"",
+                "Raw Data": "00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ff ff ff ff 60 3d 89 2e c1 8e db 01 00 00 00 00",
                 "Time Focused": "0:00:00.501000",
                 "Type": "Value",
                 "__children": []
             }
         ]
     }
-}
+}

test/plugins/windows/windows.py

@@ -1,10 +1,10 @@
-import json
+import contextlib
 import hashlib
+import json
+import os
 import shutil
-import contextlib
 import tempfile
-import os
-from test import test_volatility, WindowsSamples
+from test import WindowsSamples, test_volatility
 
 
 class TestWindowsVolshell:
@@ -843,20 +843,22 @@ def test_windows_specific_mftscan_ads_xp(self, volatility, python):
             {
                 "ADS Filename": "Zone.Identifier",
                 "Filename": "libby_hoeler_part1.wmv",
-                "Hexdump": '"\n5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a [ZoneTransfer]..\n5a 6f 6e 65 49 64 3d 33 0d 0a                   ZoneId=3..      "',
+                "Hexdump": "5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 5a 6f 6e 65 49 64 3d 33 0d 0a",
                 "MFT Type": "DATA",
                 "Offset": 55926304,
                 "Record Number": 323,
                 "Record Type": "FILE",
+                "__children": [],
             },
             {
                 "ADS Filename": "Zone.Identifier",
                 "Filename": "NetZeroQuickHelpLite.exe",
-                "Hexdump": '"\n5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a [ZoneTransfer]..\n5a 6f 6e 65 49 64 3d 33 0d 0a                   ZoneId=3..      "',
+                "Hexdump": "5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 5a 6f 6e 65 49 64 3d 33 0d 0a",
                 "MFT Type": "DATA",
                 "Offset": 56102400,
                 "Record Number": 347,
                 "Record Type": "FILE",
+                "__children": [],
             },
         ]
         for expected_row in expected_rows:
@@ -877,20 +879,22 @@ def test_windows_specific_mftscan_ads_win10(self, volatility, python):
             {
                 "ADS Filename": "$Max",
                 "Filename": "$UsnJrnl",
-                "Hexdump": '"\n00 00 00 02 00 00 00 00 00 00 80 00 00 00 00 00 ................\nb9 dd f0 cc df 73 db 01 00 00 00 00 00 00 00 00 .....s.........."',
+                "Hexdump": "00 00 00 02 00 00 00 00 00 00 80 00 00 00 00 00 b9 dd f0 cc df 73 db 01 00 00 00 00 00 00 00 00",
                 "MFT Type": "DATA",
-                "Offset": 1058018088,
+                "Offset": 26235616,
                 "Record Number": 107240,
                 "Record Type": "FILE",
+                "__children": [],
             },
             {
-                "ADS Filename": "$Config",
-                "Filename": "$Repair",
-                "Hexdump": '"\n01 00 00 00 03 00 00 00                         ........        "',
+                "ADS Filename": "$SRAT",
+                "Filename": "$Bitmap",
+                "Hexdump": "a4 5f fd 60 38 00 01 03 10 00 0c 00 04 00 00 00 01 00 00 00 01 00 00 00 8d 4e 16 00 02 00 00 00 a0 00 00 00 00 00 06 00 03 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4a 7b 01 00 00 00 00 00",
                 "MFT Type": "DATA",
-                "Offset": 5009678688,
-                "Record Number": 28,
+                "Offset": 1052277088,
+                "Record Number": 6,
                 "Record Type": "FILE",
+                "__children": [],
             },
         ]
         for expected_row in expected_rows:
@@ -924,15 +928,15 @@ def test_windows_specific_mftscan_residentdata_win10(self, volatility, python):
         expected_rows = [
             {
                 "Filename": "index",
-                "Hexdump": '"\n30 5c 72 a7 1b 6d fb fc 09 00 00 00 00 00 00 00 0\\r..m..........\n00 00 00 00 00 00 00 00                         ........        "',
+                "Hexdump": "30 5c 72 a7 1b 6d fb fc 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
                 "MFT Type": "DATA",
                 "Offset": 4961536280,
                 "Record Number": 116474,
                 "Record Type": "FILE",
             },
             {
                 "Filename": "0.2.filtertrie.intermediate.txt",
-                "Hexdump": '"\n30 09 32 0d 0a                                  0.2..           "',
+                "Hexdump": "30 09 32 0d 0a",
                 "MFT Type": "DATA",
                 "Offset": 619242944,
                 "Record Number": 113013,
@@ -1411,4 +1415,3 @@ def test_windows_specific_virtmap(self, volatility, python):
         )
         for expected_row in expected_rows:
             assert test_volatility.match_output_row(expected_row, json_out)
-