Windows: Fix VAD offset canonicalization #969

Author: ikelos

volatility3/framework/plugins/windows/vadinfo.py

@@ -198,6 +198,7 @@ def vad_dump(
 
     def _generator(self, procs):
         kernel = self.context.modules[self.config["kernel"]]
+        kernel_layer = self.context.layers[kernel.layer_name]
 
         def passthrough(_: interfaces.objects.ObjectInterface) -> bool:
             return False
@@ -229,7 +230,7 @@ def filter_function(x: interfaces.objects.ObjectInterface) -> bool:
                     (
                         proc.UniqueProcessId,
                         process_name,
-                        format_hints.Hex(vad.vol.offset),
+                        format_hints.Hex(kernel_layer.canonicalize(vad.vol.offset)),
                         format_hints.Hex(vad.get_start()),
                         format_hints.Hex(vad.get_end()),
                         vad.get_tag(),