Merge pull request #970 from volatilityfoundation/issues/issue969

ikelos · web-flow · commit e17cb1532bf4 · 2023-06-16T19:01:21.000+01:00
Windows: Fix VAD offset canonicalization
diff --git a/volatility3/framework/plugins/windows/vadinfo.py b/volatility3/framework/plugins/windows/vadinfo.py
@@ -198,6 +198,7 @@ def vad_dump(
 
     def _generator(self, procs):
         kernel = self.context.modules[self.config["kernel"]]
+        kernel_layer = self.context.layers[kernel.layer_name]
 
         def passthrough(_: interfaces.objects.ObjectInterface) -> bool:
             return False
@@ -229,7 +230,7 @@ def filter_function(x: interfaces.objects.ObjectInterface) -> bool:
                     (
                         proc.UniqueProcessId,
                         process_name,
-                        format_hints.Hex(vad.vol.offset),
+                        format_hints.Hex(kernel_layer.canonicalize(vad.vol.offset)),
                         format_hints.Hex(vad.get_start()),
                         format_hints.Hex(vad.get_end()),
                         vad.get_tag(),
