@@ -53,7 +53,9 @@ def scan_drivers(
5353
5454 layer = context .layers [layer_name ]
5555 module = context .module (symbol_table , layer_name , 0 )
56- driver_start_offset = module .get_type ("_DRIVER_OBJECT" ).relative_child_offset ("DriverStart" )
56+ driver_start_offset = module .get_type ("_DRIVER_OBJECT" ).relative_child_offset (
57+ "DriverStart"
58+ )
5759
5860 for result in poolscanner .PoolScanner .generate_pool_scan (
5961 context , layer_name , symbol_table , constraints
@@ -71,11 +73,15 @@ def scan_drivers(
7173
7274 # Many/most rootkits zero out their DriverStart member for anti-forensics
7375 # so we accept a driver start that is either 0 or is mapped in kernel memory (the current layer)
74- if mem_object .DriverStart == 0 or layer .is_valid (mem_object .DriverStart , 8 ):
76+ if mem_object .DriverStart == 0 or layer .is_valid (
77+ mem_object .DriverStart , 8
78+ ):
7579 yield mem_object
7680
7781 @classmethod
78- def get_names_for_driver (cls , driver ) -> Tuple [Optional [str ], Optional [str ], Optional [str ]]:
82+ def get_names_for_driver (
83+ cls , driver
84+ ) -> Tuple [Optional [str ], Optional [str ], Optional [str ]]:
7985 """
8086 Convenience method for getting the commonly used
8187 names associated with a driver
@@ -112,7 +118,12 @@ def _generator(self):
112118 driver_name , service_key , name = self .get_names_for_driver (driver )
113119
114120 # Prior to #1481, this plugin reported dozens to hundreds of junk drivers per sample
115- if driver .DriverStart == 0 and not driver_name and not service_key and not name :
121+ if (
122+ driver .DriverStart == 0
123+ and not driver_name
124+ and not service_key
125+ and not name
126+ ):
116127 continue
117128
118129 yield (