Convert remaining values to Python primitives

dgmcdona · dgmcdona · commit ebbbe913dc92 · 2025-04-03T17:55:42.000-05:00
diff --git a/volatility3/framework/plugins/windows/mftscan.py b/volatility3/framework/plugins/windows/mftscan.py
@@ -224,11 +224,17 @@ def _generator(self):
             self.config_path,
             self.config["primary"],
         ):
+            # Convert all `objects.PrimitiveObject` to their simpler Python
+            # types. This is normally not something we would do, since it's
+            # lossy and prevents users from getting back to the data source,
+            # but in this case memory usage is so extreme due to the number of
+            # records that it becomes necessary. The rich types are still
+            # exposed through classmethods.
             yield level, (
                 record.offset,
                 record.record_type,
-                record.record_number,
-                record.link_count,
+                int(record.record_number),
+                int(record.link_count),
                 record.mft_type,
                 record.permissions,
                 record.attribute_type,
@@ -341,12 +347,16 @@ def _generator(self):
             self.config["primary"],
         ):
             for record in self.parse_ads_data_records(mft_entry):
-                # Convert to basic strings here __only__ because they'll use so
-                # much memory in the tree otherwise.
+                # Convert all `objects.PrimitiveObject` to their simpler Python
+                # types. This is normally not something we would do, since it's
+                # lossy and prevents users from getting back to the data source,
+                # but in this case memory usage is so extreme due to the number of
+                # records that it becomes necessary. The rich types are still
+                # exposed through classmethods.
                 yield 0, (
                     record.offset,
-                    record.signature,
-                    record.record_number,
+                    str(record.signature),
+                    int(record.record_number),
                     record.attribute_type,
                     (
                         str(record.filename)
@@ -447,7 +457,20 @@ def _generator(self):
         ):
             resident_data_entry = self.parse_resident_data(mft_record)
             if resident_data_entry:
-                yield 0, resident_data_entry
+                # Convert all `objects.PrimitiveObject` to their simpler Python
+                # types. This is normally not something we would do, since it's
+                # lossy and prevents users from getting back to the data source,
+                # but in this case memory usage is so extreme due to the number of
+                # records that it becomes necessary. The rich types are still
+                # exposed through classmethods.
+                yield 0, (
+                    resident_data_entry.offset,
+                    resident_data_entry.signature,
+                    int(resident_data_entry.record_number),
+                    resident_data_entry.attribute_type,
+                    str(resident_data_entry.filename),
+                    resident_data_entry.content,
+                )
 
     def run(self):
         return renderers.TreeGrid(
