volatilityfoundation
diff --git a/‎volatility/framework/layers/vmware.py‎
Lines changed: 3 additions & 3 deletions b/‎volatility/framework/layers/vmware.py‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎volatility/framework/plugins/layerwriter.py‎
Lines changed: 5 additions & 5 deletions b/‎volatility/framework/plugins/layerwriter.py‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎volatility/framework/plugins/mac/socket_filters.py‎
Lines changed: 5 additions & 4 deletions b/‎volatility/framework/plugins/mac/socket_filters.py‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎volatility/framework/plugins/timeliner.py‎
Lines changed: 1 addition & 1 deletion b/‎volatility/framework/plugins/timeliner.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎volatility/framework/plugins/windows/cachedump.py‎
Lines changed: 1 addition & 1 deletion b/‎volatility/framework/plugins/windows/cachedump.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎volatility/framework/plugins/windows/dlllist.py‎
Lines changed: 2 additions & 2 deletions b/‎volatility/framework/plugins/windows/dlllist.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎volatility/framework/plugins/windows/dumpfiles.py‎
Lines changed: 43 additions & 46 deletions b/‎volatility/framework/plugins/windows/dumpfiles.py‎
Lines changed: 43 additions & 46 deletions
diff --git a/‎volatility/framework/plugins/windows/handles.py‎
Lines changed: 2 additions & 2 deletions b/‎volatility/framework/plugins/windows/handles.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎volatility/framework/plugins/windows/malfind.py‎
Lines changed: 2 additions & 2 deletions b/‎volatility/framework/plugins/windows/malfind.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎volatility/framework/plugins/windows/netscan.py‎
Lines changed: 5 additions & 3 deletions b/‎volatility/framework/plugins/windows/netscan.py‎
Lines changed: 5 additions & 3 deletions
@@ -91,9 +91,9 @@ def _read_header(self) -> None:
         if tags[("regionsCount", ())][1] == 0:
             raise VmwareFormatException(self.name, "VMware VMEM is not split into regions")
         for region in range(tags[("regionsCount", ())][1]):
-            offset = tags[("regionPPN", (region,))][1] * self._page_size
-            mapped_offset = tags[("regionPageNum", (region,))][1] * self._page_size
-            length = tags[("regionSize", (region,))][1] * self._page_size
+            offset = tags[("regionPPN", (region, ))][1] * self._page_size
+            mapped_offset = tags[("regionPageNum", (region, ))][1] * self._page_size
+            length = tags[("regionSize", (region, ))][1] * self._page_size
             self._segments.append((offset, mapped_offset, length, length))
 
     @property
 
@@ -80,7 +80,7 @@ def write_layer(
     def _generator(self):
         if self.config['list']:
             for name in self.context.layers:
-                yield 0, (name,)
+                yield 0, (name, )
         else:
             import pdb
             pdb.set_trace()
@@ -94,7 +94,7 @@ def _generator(self):
             for name in self.config['layers']:
                 # Check the layer exists and validate the output file
                 if name not in self.context.layers:
-                    yield 0, ('Layer Name {} does not exist'.format(name),)
+                    yield 0, ('Layer Name {} does not exist'.format(name), )
                 else:
                     output_name = self.config.get('output', ".".join([name, "raw"]))
                     try:
@@ -106,14 +106,14 @@ def _generator(self):
                                                        progress_callback = self._progress_callback)
                         file_handle.close()
                     except IOError as excp:
-                        yield 0, ('Layer cannot be written to {}: {}'.format(self.config['output_name'], excp),)
+                        yield 0, ('Layer cannot be written to {}: {}'.format(self.config['output_name'], excp), )
 
-                    yield 0, ('Layer has been written to {}'.format(output_name),)
+                    yield 0, ('Layer has been written to {}'.format(output_name), )
 
     def _generate_layers(self):
         """List layer names from this run"""
         for name in self.context.layers:
-            yield (0, (name,))
+            yield (0, (name, ))
 
     def run(self):
         if self.config['list']:
 
@@ -39,10 +39,11 @@ def _generator(self):
 
         handlers = mac.MacUtilities.generate_kernel_handler_info(self.context, self.config['primary'], kernel, mods)
 
-        members_to_check = ["sf_unregistered", "sf_attach", "sf_detach", "sf_notify", "sf_getpeername",
-                            "sf_getsockname",
-                            "sf_data_in", "sf_data_out", "sf_connect_in", "sf_connect_out", "sf_bind", "sf_setoption",
-                            "sf_getoption", "sf_listen", "sf_ioctl"]
+        members_to_check = [
+            "sf_unregistered", "sf_attach", "sf_detach", "sf_notify", "sf_getpeername", "sf_getsockname", "sf_data_in",
+            "sf_data_out", "sf_connect_in", "sf_connect_out", "sf_bind", "sf_setoption", "sf_getoption", "sf_listen",
+            "sf_ioctl"
+        ]
 
         filter_list = kernel.object_from_symbol(symbol_name = "sock_filter_head")
 
 
@@ -188,7 +188,7 @@ def run(self):
 
                 if isinstance(plugin, TimeLinerInterface):
                     if not len(filter_list) or any(
-                            [filter in plugin.__module__ + '.' + plugin.__class__.__name__ for filter in filter_list]):
+                        [filter in plugin.__module__ + '.' + plugin.__class__.__name__ for filter in filter_list]):
                         plugins_to_run.append(plugin)
             except exceptions.UnsatisfiedException as excp:
                 # Remove the failed plugin from the list and continue
 
@@ -55,7 +55,7 @@ def parse_cache_entry(self, cache_data):
         (uname_len, domain_len) = unpack("<HH", cache_data[:4])
         if len(cache_data[60:62]) == 0:
             return (uname_len, domain_len, 0, '', '')
-        (domain_name_len,) = unpack("<H", cache_data[60:62])
+        (domain_name_len, ) = unpack("<H", cache_data[60:62])
         ch = cache_data[64:80]
         enc_data = cache_data[96:]
         return (uname_len, domain_len, domain_name_len, enc_data, ch)
 
@@ -72,8 +72,8 @@ def dump_pe(cls,
             if layer_name is None:
                 layer_name = dll_entry.vol.layer_name
 
-            file_handle = open_method("{}{}.{:#x}.{:#x}.dmp".format(prefix, ntpath.basename(name),
-                                                                    dll_entry.vol.offset, dll_entry.DllBase))
+            file_handle = open_method("{}{}.{:#x}.{:#x}.dmp".format(prefix, ntpath.basename(name), dll_entry.vol.offset,
+                                                                    dll_entry.DllBase))
 
             dos_header = context.object(pe_table_name + constants.BANG + "_IMAGE_DOS_HEADER",
                                         offset = dll_entry.DllBase,
 
@@ -21,6 +21,7 @@
     "vacb": "SharedCacheMap",
 }
 
+
 class DumpFiles(interfaces.plugins.PluginInterface):
     """Dumps cached file contents from Windows memory samples."""
 
@@ -31,26 +32,25 @@ class DumpFiles(interfaces.plugins.PluginInterface):
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
         # Since we're calling the plugin, make sure we have the plugin's requirements
         return [
-            requirements.TranslationLayerRequirement(name='primary',
-                                                     description='Memory layer for the kernel',
-                                                     architectures=["Intel32", "Intel64"]),
-            requirements.SymbolTableRequirement(name="nt_symbols", description="Windows kernel symbols"),
-            requirements.IntRequirement(name='pid',
-                                        description="Process ID to include (all other processes are excluded)",
-                                        optional=True),
-            requirements.IntRequirement(name='virtaddr',
-                                        description="Dump a single _FILE_OBJECT at this virtual address",
-                                        optional=True),
-            requirements.IntRequirement(name='physaddr',
-                                        description="Dump a single _FILE_OBJECT at this physical address",
-                                        optional=True),
-            requirements.VersionRequirement(name='pslist', component=pslist.PsList, version=(2, 0, 0)),
-            requirements.VersionRequirement(name='handles', component=handles.Handles, version=(1, 0, 0))
+            requirements.TranslationLayerRequirement(name = 'primary',
+                                                     description = 'Memory layer for the kernel',
+                                                     architectures = ["Intel32", "Intel64"]),
+            requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"),
+            requirements.IntRequirement(name = 'pid',
+                                        description = "Process ID to include (all other processes are excluded)",
+                                        optional = True),
+            requirements.IntRequirement(name = 'virtaddr',
+                                        description = "Dump a single _FILE_OBJECT at this virtual address",
+                                        optional = True),
+            requirements.IntRequirement(name = 'physaddr',
+                                        description = "Dump a single _FILE_OBJECT at this physical address",
+                                        optional = True),
+            requirements.VersionRequirement(name = 'pslist', component = pslist.PsList, version = (2, 0, 0)),
+            requirements.VersionRequirement(name = 'handles', component = handles.Handles, version = (1, 0, 0))
         ]
 
     @classmethod
-    def dump_file_producer(cls,
-                           file_object: interfaces.objects.ObjectInterface,
+    def dump_file_producer(cls, file_object: interfaces.objects.ObjectInterface,
                            memory_object: interfaces.objects.ObjectInterface,
                            open_method: Type[interfaces.plugins.FileHandlerInterface],
                            layer: interfaces.layers.DataLayerInterface,
@@ -86,14 +86,11 @@ def dump_file_producer(cls,
                 vollog.debug("Stored {}".format(filedata.preferred_filename))
                 return filedata
         except exceptions.InvalidAddressException:
-            vollog.debug("Unable to dump file at {0:#x}".format(
-                file_object.vol.offset))
+            vollog.debug("Unable to dump file at {0:#x}".format(file_object.vol.offset))
             return None
 
     @classmethod
-    def process_file_object(cls, 
-                            context: interfaces.context.ContextInterface, 
-                            primary_layer_name: str,
+    def process_file_object(cls, context: interfaces.context.ContextInterface, primary_layer_name: str,
                             open_method: Type[interfaces.plugins.FileHandlerInterface],
                             file_obj: interfaces.objects.ObjectInterface) -> Tuple:
         """Given a FILE_OBJECT, dump data to separate files for each of the three file caches.
@@ -153,10 +150,8 @@ def process_file_object(cls,
         for memory_object, layer, extension in dump_parameters:
             cache_name = EXTENSION_CACHE_MAP[extension]
             desired_file_name = "file.{0:#x}.{1:#x}.{2}.{3}.{4}".format(file_obj.vol.offset,
-                                                                        memory_object.vol.offset,
-                                                                        cache_name,
-                                                                        ntpath.basename(obj_name),
-                                                                        extension)
+                                                                        memory_object.vol.offset, cache_name,
+                                                                        ntpath.basename(obj_name), extension)
 
             file_handle = DumpFiles.dump_file_producer(file_obj, memory_object, open_method, layer, desired_file_name)
 
@@ -165,8 +160,10 @@ def process_file_object(cls,
                 file_handle.close()
                 file_output = file_handle.preferred_filename
 
-            yield (cache_name, format_hints.Hex(file_obj.vol.offset),
-                ntpath.basename(obj_name), # temporary, so its easier to visualize output
+            yield (
+                cache_name,
+                format_hints.Hex(file_obj.vol.offset),
+                ntpath.basename(obj_name),  # temporary, so its easier to visualize output
                 file_output)
 
     def _generator(self, procs: List, offsets: List):
@@ -176,13 +173,13 @@ def _generator(self, procs: List, offsets: List):
             # private variables, so we need an instance (for now, anyway). We _could_ call Handles._generator()
             # to do some of the other work that is duplicated here, but then we'd need to parse the TreeGrid
             # results instead of just dealing with them as direct objects here.
-            handles_plugin = handles.Handles(context=self.context, config_path=self._config_path)
-            type_map = handles_plugin.get_type_map(context=self.context,
-                                                   layer_name=self.config["primary"],
-                                                   symbol_table=self.config["nt_symbols"])
-            cookie = handles_plugin.find_cookie(context=self.context,
-                                                layer_name=self.config["primary"],
-                                                symbol_table=self.config["nt_symbols"])
+            handles_plugin = handles.Handles(context = self.context, config_path = self._config_path)
+            type_map = handles_plugin.get_type_map(context = self.context,
+                                                   layer_name = self.config["primary"],
+                                                   symbol_table = self.config["nt_symbols"])
+            cookie = handles_plugin.find_cookie(context = self.context,
+                                                layer_name = self.config["primary"],
+                                                symbol_table = self.config["nt_symbols"])
 
             for proc in procs:
 
@@ -198,7 +195,8 @@ def _generator(self, procs: List, offsets: List):
                         obj_type = entry.get_object_type(type_map, cookie)
                         if obj_type == "File":
                             file_obj = entry.Body.cast("_FILE_OBJECT")
-                            for result in self.process_file_object(self.context, self.config["primary"], self.open, file_obj):
+                            for result in self.process_file_object(self.context, self.config["primary"], self.open,
+                                                                   file_obj):
                                 yield (0, result)
                     except exceptions.InvalidAddressException:
                         vollog.log(constants.LOGLEVEL_VVV,
@@ -221,7 +219,8 @@ def _generator(self, procs: List, offsets: List):
                         if not file_obj.is_valid():
                             continue
 
-                        for result in self.process_file_object(self.context, self.config["primary"], self.open, file_obj):
+                        for result in self.process_file_object(self.context, self.config["primary"], self.open,
+                                                               file_obj):
                             yield (0, result)
                     except exceptions.InvalidAddressException:
                         vollog.log(constants.LOGLEVEL_VVV,
@@ -237,14 +236,13 @@ def _generator(self, procs: List, offsets: List):
                         layer_name = self.context.layers[layer_name].config["memory_layer"]
 
                     file_obj = self.context.object(self.config["nt_symbols"] + constants.BANG + "_FILE_OBJECT",
-                                                   layer_name=layer_name,
-                                                   native_layer_name=self.config["primary"],
-                                                   offset=offset)
+                                                   layer_name = layer_name,
+                                                   native_layer_name = self.config["primary"],
+                                                   offset = offset)
                     for result in self.process_file_object(self.context, self.config["primary"], self.open, file_obj):
                         yield (0, result)
                 except exceptions.InvalidAddressException:
-                    vollog.log(constants.LOGLEVEL_VVV,
-                               "Cannot extract file at {0:#x}".format(offset))
+                    vollog.log(constants.LOGLEVEL_VVV, "Cannot extract file at {0:#x}".format(offset))
 
     def run(self):
         # a list of tuples (<int>, <bool>) where <int> is the address and <bool> is True for virtual.
@@ -261,8 +259,7 @@ def run(self):
             procs = pslist.PsList.list_processes(self.context,
                                                  self.config["primary"],
                                                  self.config["nt_symbols"],
-                                                 filter_func=filter_func)
+                                                 filter_func = filter_func)
 
-        return renderers.TreeGrid(
-            [("Cache", str), ("FileObject", format_hints.Hex), ("FileName", str), ("Result", str)],
-            self._generator(procs, offsets))
+        return renderers.TreeGrid([("Cache", str), ("FileObject", format_hints.Hex), ("FileName", str),
+                                   ("Result", str)], self._generator(procs, offsets))
@@ -90,8 +90,8 @@ def _get_item(self, handle_table_entry, handle_value):
                 if not has_capstone:
                     raise AttributeError("Unable to find the SAR value for decoding handle table pointers")
                 else:
-                    raise exceptions.MissingModuleException("capstone",
-                                                            "Unable to find the SAR value for decoding handle table pointers")
+                    raise exceptions.MissingModuleException(
+                        "capstone", "Unable to find the SAR value for decoding handle table pointers")
 
             offset = self._decode_pointer(handle_table_entry.LowValue, magic)
             # print("LowValue: {0:#x} Magic: {1:#x} Offset: {2:#x}".format(handle_table_entry.InfoTable, magic, offset))
 
@@ -105,8 +105,8 @@ def list_injections(
                 continue
 
             if (vad.get_private_memory() == 1
-                and vad.get_tag() == "VadS") or (vad.get_private_memory() == 0
-                                                 and protection_string != "PAGE_EXECUTE_WRITECOPY"):
+                    and vad.get_tag() == "VadS") or (vad.get_private_memory() == 0
+                                                     and protection_string != "PAGE_EXECUTE_WRITECOPY"):
                 if cls.is_vad_empty(proc_layer, vad):
                     continue
 
 
@@ -185,7 +185,7 @@ def determine_tcpip_version(cls, context: interfaces.context.ContextInterface, l
             }
 
         # special use case: Win10_18363 is not recognized by windows.info as 18363
-        # because all kernel file headers and debug structures report 18363 as 
+        # because all kernel file headers and debug structures report 18363 as
         # "10.0.18362.1198" with the last part being incremented. However, we can use
         # os_distinguisher to differentiate between 18362 and 18363
         if vers_minor_version == 18362 and is_18363_or_later:
@@ -202,9 +202,11 @@ def determine_tcpip_version(cls, context: interfaces.context.ContextInterface, l
             # no match on filename means that we possibly have a version newer than those listed here.
             # try to grab the latest supported version of the current image NT version. If that symbol
             # version does not work, support has to be added manually.
-            current_versions = [key for key in list(version_dict.keys()) if key[0] == nt_major_version and key[1] == nt_minor_version]
+            current_versions = [
+                key for key in list(version_dict.keys()) if key[0] == nt_major_version and key[1] == nt_minor_version
+            ]
             current_versions.sort()
-    
+
             if current_versions:
                 latest_version = current_versions[-1]