diff --git a/development/banner_server.py b/development/banner_server.py index b62477a269..dd1df96abc 100644 --- a/development/banner_server.py +++ b/development/banner_server.py @@ -14,7 +14,6 @@ class BannerCacheGenerator: - def __init__(self, path: str, url_prefix: str): self._path = path self._url_prefix = url_prefix @@ -79,7 +78,6 @@ def run(self): if __name__ == "__main__": - parser = argparse.ArgumentParser() parser.add_argument("--path", default=os.path.dirname(__file__)) parser.add_argument( diff --git a/development/compare-vol.py b/development/compare-vol.py index 717d81d3e4..ccfcd9f4ae 100644 --- a/development/compare-vol.py +++ b/development/compare-vol.py @@ -208,7 +208,6 @@ def plugin_cmd(self, plugin: VolatilityPlugin, image: VolatilityImage) -> List[s class VolatilityTester: - def __init__( self, images: List[VolatilityImage], diff --git a/development/pdbparse-to-json.py b/development/pdbparse-to-json.py index 49b4da009d..fe4b8ab60e 100644 --- a/development/pdbparse-to-json.py +++ b/development/pdbparse-to-json.py @@ -22,7 +22,6 @@ class PDBRetreiver: - def retreive_pdb(self, guid: str, file_name: str) -> Optional[str]: logger.info("Download PDB file...") file_name = ".".join(file_name.split(".")[:-1] + ["pdb"]) diff --git a/development/stock-linux-json.py b/development/stock-linux-json.py index 967cc7e183..713283e668 100644 --- a/development/stock-linux-json.py +++ b/development/stock-linux-json.py @@ -13,7 +13,6 @@ class Downloader: - def __init__(self, url_lists: List[List[str]]) -> None: self.url_lists = url_lists diff --git a/test/plugins/windows/test_scheduled_tasks.py b/test/plugins/windows/test_scheduled_tasks.py index 15d7f79a65..ce66ee23e0 100644 --- a/test/plugins/windows/test_scheduled_tasks.py +++ b/test/plugins/windows/test_scheduled_tasks.py 
@@ -101,233 +101,1815 @@ def test_decode_all_triggers(self): "1808B", # fmt: off *[ - 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0xda, 0xaf, 0x8d, 0x09, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0xda, 0xaf, 0x8d, 0x09, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0x38, 0x21, 0x41, 0x42, 0x48, 0x48, 0x48, 0x48, - 0xa0, 0x12, 0xa0, 0xa4, 0x48, 0x48, 0x48, 0x48, - 0x0e, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x41, 0x00, 0x75, 0x00, 0x74, 0x00, 0x68, 0x00, - 0x6f, 0x00, 0x72, 0x00, 0x00, 0x00, 0x48, 0x48, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x00, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, - 0x00, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, - 0x01, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x1c, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, - 0x15, 0x00, 0x00, 0x00, 0x69, 0xce, 0x28, 0x2a, - 0xce, 0xd8, 0x1f, 0x77, 0x37, 0x9c, 0xe2, 0x44, - 0xf4, 0x01, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x40, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x44, 0x00, 0x45, 0x00, 0x53, 0x00, 0x4b, 0x00, - 0x54, 0x00, 0x4f, 0x00, 0x50, 0x00, 0x2d, 0x00, - 0x45, 0x00, 0x33, 0x00, 0x38, 0x00, 0x38, 0x00, - 0x44, 0x00, 0x38, 0x00, 0x50, 0x00, 0x5c, 0x00, - 0x41, 0x00, 0x64, 0x00, 0x6d, 0x00, 0x69, 0x00, - 0x6e, 0x00, 0x69, 0x00, 0x73, 0x00, 0x74, 0x00, - 0x72, 0x00, 0x61, 0x00, 0x74, 0x00, 0x6f, 0x00, - 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x2c, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x80, 0xf4, 0x03, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0xdd, 0xdd, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x01, 0x07, 0x0a, 0x00, 0x00, 0x00, 0x09, 0x00, - 0x80, 0x48, 0x11, 0xf8, 0x36, 0x1a, 0xdb, 0x01, - 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x01, 0x2e, 0xe2, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0xc2, 0x31, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0xda, 0xaf, 0x8d, 0x09, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0xda, 0xaf, 0x8d, 0x09, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x01, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, - 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0xda, 0xaf, 0x8d, 0x09, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0xda, 0xaf, 0x8d, 0x09, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0xee, 0xee, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0xda, 0xaf, 0x8d, 0x09, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0xda, 0xaf, 0x8d, 0x09, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0xcc, 0xcc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x65, 0x00, 0x78, 0x00, 0x65, 0x00, - 0x22, 0x00, 0x20, 0x00, 0x53, 0x00, 0x74, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x3c, 0x00, 0x51, 0x00, 0x75, 0x00, 0x65, 0x00, - 0x72, 0x00, 0x79, 0x00, 0x4c, 0x00, 0x69, 0x00, - 0x73, 0x00, 0x74, 0x00, 0x3e, 0x00, 0x3c, 0x00, - 0x51, 0x00, 0x75, 0x00, 0x65, 0x00, 0x72, 0x00, - 0x79, 0x00, 0x20, 0x00, 0x49, 0x00, 0x64, 0x00, - 0x3d, 0x00, 0x22, 0x00, 0x30, 0x00, 0x22, 0x00, - 0x20, 0x00, 0x50, 0x00, 0x61, 0x00, 0x74, 0x00, - 0x68, 0x00, 0x3d, 0x00, 0x22, 0x00, 0x49, 0x00, - 0x6e, 0x00, 0x74, 0x00, 0x65, 0x00, 0x72, 0x00, - 0x6e, 0x00, 0x65, 0x00, 0x74, 0x00, 0x20, 0x00, - 0x45, 0x00, 0x78, 0x00, 0x70, 0x00, 0x6c, 0x00, - 0x6f, 0x00, 0x72, 0x00, 0x65, 0x00, 0x72, 0x00, - 0x22, 0x00, 0x3e, 0x00, 0x3c, 0x00, 0x53, 0x00, - 0x65, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x63, 0x00, - 0x74, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00, - 0x74, 0x00, 0x68, 0x00, 0x3d, 0x00, 0x22, 0x00, - 0x49, 0x00, 0x6e, 0x00, 0x74, 0x00, 0x65, 0x00, - 0x72, 0x00, 0x6e, 0x00, 0x65, 0x00, 0x74, 0x00, - 0x20, 0x00, 0x45, 0x00, 0x78, 0x00, 0x70, 0x00, - 0x6c, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x65, 0x00, - 0x72, 0x00, 0x22, 0x00, 0x3e, 0x00, 0x2a, 0x00, - 0x5b, 0x00, 0x53, 0x00, 0x79, 0x00, 0x73, 0x00, - 0x74, 0x00, 0x65, 0x00, 0x6d, 0x00, 0x5b, 0x00, - 0x45, 0x00, 0x76, 0x00, 0x65, 0x00, 0x6e, 0x00, - 0x74, 0x00, 
0x49, 0x00, 0x44, 0x00, 0x3d, 0x00, - 0x32, 0x00, 0x5d, 0x00, 0x5d, 0x00, 0x3c, 0x00, - 0x2f, 0x00, 0x53, 0x00, 0x65, 0x00, 0x6c, 0x00, - 0x65, 0x00, 0x63, 0x00, 0x74, 0x00, 0x3e, 0x00, - 0x3c, 0x00, 0x2f, 0x00, 0x51, 0x00, 0x75, 0x00, - 0x65, 0x00, 0x72, 0x00, 0x79, 0x00, 0x3e, 0x00, - 0x3c, 0x00, 0x2f, 0x00, 0x51, 0x00, 0x75, 0x00, - 0x65, 0x00, 0x72, 0x00, 0x79, 0x00, 0x4c, 0x00, - 0x69, 0x00, 0x73, 0x00, 0x74, 0x00, 0x3e, 0x00, - 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x88, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x77, 0x77, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, - 0x01, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x01, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, - 0x77, 0x77, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, - 0x00, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, - 0x01, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x1c, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, - 0x15, 0x00, 0x00, 0x00, 0x69, 0xce, 0x28, 0x2a, - 0xce, 0xd8, 0x1f, 0x77, 0x37, 0x9c, 0xe2, 0x44, - 0xf4, 0x01, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x40, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x44, 0x00, 0x45, 0x00, 0x53, 0x00, 0x4b, 0x00, - 0x54, 0x00, 0x4f, 0x00, 0x50, 0x00, 0x2d, 0x00, - 0x45, 0x00, 0x33, 0x00, 0x38, 0x00, 0x38, 0x00, - 0x44, 0x00, 0x38, 0x00, 0x50, 0x00, 0x5c, 0x00, - 0x41, 0x00, 0x64, 0x00, 0x6d, 0x00, 0x69, 0x00, - 0x6e, 0x00, 0x69, 0x00, 0x73, 0x00, 0x74, 0x00, - 0x72, 0x00, 0x61, 0x00, 0x74, 0x00, 0x6f, 0x00, - 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x77, 0x77, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, - 0x01, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x01, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, - 0x77, 0x77, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, - 0x01, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, - 0x00, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, - 0x01, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x1c, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, - 0x15, 0x00, 0x00, 0x00, 0x69, 0xce, 0x28, 0x2a, - 0xce, 0xd8, 0x1f, 0x77, 0x37, 0x9c, 0xe2, 0x44, - 0xf4, 0x01, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x40, 0x00, 0x00, 0x00, 0x48, 0x48, 0x48, 0x48, - 0x44, 0x00, 0x45, 0x00, 0x53, 0x00, 0x4b, 0x00, - 0x54, 0x00, 0x4f, 0x00, 0x50, 0x00, 0x2d, 0x00, - 0x45, 0x00, 0x33, 0x00, 0x38, 0x00, 0x38, 0x00, - 0x44, 0x00, 0x38, 0x00, 0x50, 0x00, 0x5c, 0x00, - 0x41, 0x00, 0x64, 0x00, 0x6d, 0x00, 0x69, 0x00, - 0x6e, 0x00, 0x69, 0x00, 0x73, 0x00, 0x74, 0x00, - 0x72, 0x00, 0x61, 0x00, 0x74, 0x00, 0x6f, 0x00, - 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - ] + 0x17, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0xDA, + 0xAF, + 0x8D, + 0x09, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0xDA, + 0xAF, + 0x8D, + 0x09, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x38, + 0x21, + 0x41, + 0x42, + 0x48, + 0x48, + 0x48, + 0x48, + 0xA0, + 0x12, + 0xA0, + 0xA4, + 0x48, + 0x48, + 0x48, + 0x48, + 0x0E, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x41, + 0x00, + 0x75, + 0x00, + 0x74, + 0x00, + 0x68, + 0x00, + 0x6F, + 0x00, + 0x72, + 0x00, + 
0x00, + 0x00, + 0x48, + 0x48, + 0x00, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x01, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x1C, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x01, + 0x05, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x05, + 0x15, + 0x00, + 0x00, + 0x00, + 0x69, + 0xCE, + 0x28, + 0x2A, + 0xCE, + 0xD8, + 0x1F, + 0x77, + 0x37, + 0x9C, + 0xE2, + 0x44, + 0xF4, + 0x01, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x40, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x44, + 0x00, + 0x45, + 0x00, + 0x53, + 0x00, + 0x4B, + 0x00, + 0x54, + 0x00, + 0x4F, + 0x00, + 0x50, + 0x00, + 0x2D, + 0x00, + 0x45, + 0x00, + 0x33, + 0x00, + 0x38, + 0x00, + 0x38, + 0x00, + 0x44, + 0x00, + 0x38, + 0x00, + 0x50, + 0x00, + 0x5C, + 0x00, + 0x41, + 0x00, + 0x64, + 0x00, + 0x6D, + 0x00, + 0x69, + 0x00, + 0x6E, + 0x00, + 0x69, + 0x00, + 0x73, + 0x00, + 0x74, + 0x00, + 0x72, + 0x00, + 0x61, + 0x00, + 0x74, + 0x00, + 0x6F, + 0x00, + 0x72, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x2C, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x80, + 0xF4, + 0x03, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x07, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0xDD, + 0xDD, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x01, + 0x07, + 0x0A, + 0x00, + 0x00, + 0x00, + 0x09, + 0x00, + 0x80, + 0x48, + 0x11, + 0xF8, + 0x36, + 0x1A, + 0xDB, + 0x01, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 
0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x01, + 0x2E, + 0xE2, + 0x01, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0xC2, + 0x31, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0xAA, + 0xAA, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0xDA, + 0xAF, + 0x8D, + 0x09, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0xDA, + 0xAF, + 0x8D, + 0x09, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x01, + 0x00, + 0x00, + 0x01, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x01, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0xDA, + 0xAF, + 0x8D, + 0x09, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0xDA, + 0xAF, + 0x8D, + 0x09, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x01, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0xEE, + 0xEE, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 
0x00, + 0xDA, + 0xAF, + 0x8D, + 0x09, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0xDA, + 0xAF, + 0x8D, + 0x09, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x01, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0xCC, + 0xCC, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x01, + 0x00, + 0x65, + 0x00, + 0x78, + 0x00, + 0x65, + 0x00, + 0x22, + 0x00, + 0x20, + 0x00, + 0x53, + 0x00, + 0x74, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x84, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x3C, + 0x00, + 0x51, + 0x00, + 0x75, + 0x00, + 0x65, + 0x00, + 0x72, + 0x00, + 0x79, + 0x00, + 0x4C, + 0x00, + 0x69, + 0x00, + 0x73, + 0x00, + 0x74, + 0x00, + 0x3E, + 0x00, + 0x3C, + 0x00, + 0x51, + 0x00, + 0x75, + 0x00, + 0x65, + 0x00, + 0x72, + 0x00, + 0x79, + 0x00, + 0x20, + 0x00, + 0x49, + 0x00, + 0x64, + 0x00, + 0x3D, + 0x00, + 0x22, + 0x00, + 0x30, + 0x00, + 0x22, + 0x00, + 0x20, + 0x00, + 0x50, + 0x00, + 0x61, + 0x00, + 0x74, + 0x00, + 0x68, + 0x00, + 0x3D, + 0x00, + 0x22, + 0x00, + 0x49, + 0x00, + 0x6E, + 0x00, + 0x74, + 0x00, + 0x65, + 0x00, + 0x72, + 0x00, + 0x6E, + 0x00, + 
0x65, + 0x00, + 0x74, + 0x00, + 0x20, + 0x00, + 0x45, + 0x00, + 0x78, + 0x00, + 0x70, + 0x00, + 0x6C, + 0x00, + 0x6F, + 0x00, + 0x72, + 0x00, + 0x65, + 0x00, + 0x72, + 0x00, + 0x22, + 0x00, + 0x3E, + 0x00, + 0x3C, + 0x00, + 0x53, + 0x00, + 0x65, + 0x00, + 0x6C, + 0x00, + 0x65, + 0x00, + 0x63, + 0x00, + 0x74, + 0x00, + 0x20, + 0x00, + 0x50, + 0x00, + 0x61, + 0x00, + 0x74, + 0x00, + 0x68, + 0x00, + 0x3D, + 0x00, + 0x22, + 0x00, + 0x49, + 0x00, + 0x6E, + 0x00, + 0x74, + 0x00, + 0x65, + 0x00, + 0x72, + 0x00, + 0x6E, + 0x00, + 0x65, + 0x00, + 0x74, + 0x00, + 0x20, + 0x00, + 0x45, + 0x00, + 0x78, + 0x00, + 0x70, + 0x00, + 0x6C, + 0x00, + 0x6F, + 0x00, + 0x72, + 0x00, + 0x65, + 0x00, + 0x72, + 0x00, + 0x22, + 0x00, + 0x3E, + 0x00, + 0x2A, + 0x00, + 0x5B, + 0x00, + 0x53, + 0x00, + 0x79, + 0x00, + 0x73, + 0x00, + 0x74, + 0x00, + 0x65, + 0x00, + 0x6D, + 0x00, + 0x5B, + 0x00, + 0x45, + 0x00, + 0x76, + 0x00, + 0x65, + 0x00, + 0x6E, + 0x00, + 0x74, + 0x00, + 0x49, + 0x00, + 0x44, + 0x00, + 0x3D, + 0x00, + 0x32, + 0x00, + 0x5D, + 0x00, + 0x5D, + 0x00, + 0x3C, + 0x00, + 0x2F, + 0x00, + 0x53, + 0x00, + 0x65, + 0x00, + 0x6C, + 0x00, + 0x65, + 0x00, + 0x63, + 0x00, + 0x74, + 0x00, + 0x3E, + 0x00, + 0x3C, + 0x00, + 0x2F, + 0x00, + 0x51, + 0x00, + 0x75, + 0x00, + 0x65, + 0x00, + 0x72, + 0x00, + 0x79, + 0x00, + 0x3E, + 0x00, + 0x3C, + 0x00, + 0x2F, + 0x00, + 0x51, + 0x00, + 0x75, + 0x00, + 0x65, + 0x00, + 0x72, + 0x00, + 0x79, + 0x00, + 0x4C, + 0x00, + 0x69, + 0x00, + 0x73, + 0x00, + 0x74, + 0x00, + 0x3E, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x88, + 0x88, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 
0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x01, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x77, + 0x77, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x01, + 0x00, + 0x00, + 0x01, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x03, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x01, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x77, + 0x77, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x01, + 0x00, + 0x00, + 0x01, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 
0x48, + 0x48, + 0x04, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x01, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x1C, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x01, + 0x05, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x05, + 0x15, + 0x00, + 0x00, + 0x00, + 0x69, + 0xCE, + 0x28, + 0x2A, + 0xCE, + 0xD8, + 0x1F, + 0x77, + 0x37, + 0x9C, + 0xE2, + 0x44, + 0xF4, + 0x01, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x40, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x44, + 0x00, + 0x45, + 0x00, + 0x53, + 0x00, + 0x4B, + 0x00, + 0x54, + 0x00, + 0x4F, + 0x00, + 0x50, + 0x00, + 0x2D, + 0x00, + 0x45, + 0x00, + 0x33, + 0x00, + 0x38, + 0x00, + 0x38, + 0x00, + 0x44, + 0x00, + 0x38, + 0x00, + 0x50, + 0x00, + 0x5C, + 0x00, + 0x41, + 0x00, + 0x64, + 0x00, + 0x6D, + 0x00, + 0x69, + 0x00, + 0x6E, + 0x00, + 0x69, + 0x00, + 0x73, + 0x00, + 0x74, + 0x00, + 0x72, + 0x00, + 0x61, + 0x00, + 0x74, + 0x00, + 0x6F, + 0x00, + 0x72, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x77, + 0x77, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x01, + 0x00, + 0x00, + 0x01, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x07, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x01, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 
0x77, + 0x77, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0xFF, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x01, + 0x00, + 0x00, + 0x01, + 0xFF, + 0xFF, + 0xFF, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x08, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x48, + 0x01, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x1C, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x01, + 0x05, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x05, + 0x15, + 0x00, + 0x00, + 0x00, + 0x69, + 0xCE, + 0x28, + 0x2A, + 0xCE, + 0xD8, + 0x1F, + 0x77, + 0x37, + 0x9C, + 0xE2, + 0x44, + 0xF4, + 0x01, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x40, + 0x00, + 0x00, + 0x00, + 0x48, + 0x48, + 0x48, + 0x48, + 0x44, + 0x00, + 0x45, + 0x00, + 0x53, + 0x00, + 0x4B, + 0x00, + 0x54, + 0x00, + 0x4F, + 0x00, + 0x50, + 0x00, + 0x2D, + 0x00, + 0x45, + 0x00, + 0x33, + 0x00, + 0x38, + 0x00, + 0x38, + 0x00, + 0x44, + 0x00, + 0x38, + 0x00, + 0x50, + 0x00, + 0x5C, + 0x00, + 0x41, + 0x00, + 0x64, + 0x00, + 0x6D, + 0x00, + 0x69, + 0x00, + 0x6E, + 0x00, + 0x69, + 0x00, + 0x73, + 0x00, + 0x74, + 0x00, + 0x72, + 0x00, + 0x61, + 0x00, + 0x74, + 0x00, + 0x6F, + 0x00, + 0x72, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + 0x00, + ], # fmt: on ) triggers = scheduled_tasks.TriggerSet.decode(buf) 
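Review bot: The `# fmt: off` / `# fmt: on` pair around the `*[ ... ]` byte table in `test_decode_all_triggers` no longer protects it: the new side has one literal per line, which takes this hunk from 233 to 1815 lines and loses the 8-bytes-per-row layout that let the trigger blob be read against a hex dump. Both markers sit inside the call's argument list, and formatters such as ruff honour them only at statement level, so that is presumably why they were ignored. Moving `# fmt: off` above the statement that opens the call (its first line is outside the hunk) and `# fmt: on` below its closing `)` would keep the rows. Binding the table to a name between statement-level markers would also work, after which this hunk can be reverted to the 8-per-row form.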
diff --git a/test/renderers/test_parquet_renderers.py b/test/renderers/test_parquet_renderers.py index aa5474636d..c9c07b2dbe 100644 --- a/test/renderers/test_parquet_renderers.py +++ b/test/renderers/test_parquet_renderers.py @@ -8,9 +8,10 @@ import pyarrow as pa import pyarrow.parquet as pq import pyarrow.compute as pc + HAS_PYARROW = True except ImportError: - # The user doesn't have pyarrow installed, but HAS_PYARROW will be false so just continue + # The user doesn't have pyarrow installed, but HAS_PYARROW will be false so just continue pass @@ -41,10 +42,33 @@ def test_windows_generic_pslist(self, volatility, python, image): table = self._get_table_from_output(out) assert table.num_rows > 10 - assert table.filter(pc.match_substring(pc.utf8_lower(table.column('ImageFileName')), "system")).num_rows > 0 - assert table.filter(pc.match_substring(pc.utf8_lower(table.column('ImageFileName')), "csrss.exe")).num_rows > 0 - assert table.filter(pc.match_substring(pc.utf8_lower(table.column('ImageFileName')), "svchost.exe")).num_rows > 0 - assert table.filter(pc.greater(table.column('PID'), 0)).num_rows == table.num_rows + assert ( + table.filter( + pc.match_substring( + pc.utf8_lower(table.column("ImageFileName")), "system" + ) + ).num_rows + > 0 + ) + assert ( + table.filter( + pc.match_substring( + pc.utf8_lower(table.column("ImageFileName")), "csrss.exe" + ) + ).num_rows + > 0 + ) + assert ( + table.filter( + pc.match_substring( + pc.utf8_lower(table.column("ImageFileName")), "svchost.exe" + ) + ).num_rows + > 0 + ) + assert ( + table.filter(pc.greater(table.column("PID"), 0)).num_rows == table.num_rows + ) def test_linux_generic_pslist(self, volatility, python, image): rc, out, _err = test_volatility.runvol_plugin( 
@@ -59,12 +83,23 @@ def test_linux_generic_pslist(self, volatility, python, image): table = self._get_table_from_output(out) assert table.num_rows > 10 - init_rows = table.filter(pc.match_substring(pc.utf8_lower(table.column('COMM')), "init")) - systemd_rows = table.filter(pc.match_substring(pc.utf8_lower(table.column('COMM')), "systemd")) + init_rows = table.filter( + pc.match_substring(pc.utf8_lower(table.column("COMM")), "init") + ) + systemd_rows = table.filter( + pc.match_substring(pc.utf8_lower(table.column("COMM")), "systemd") + ) assert (init_rows.num_rows > 0) or (systemd_rows.num_rows > 0) - assert table.filter(pc.match_substring(pc.utf8_lower(table.column('COMM')), "watchdog")).num_rows > 0 - assert table.filter(pc.greater(table.column('PID'), 0)).num_rows == table.num_rows + assert ( + table.filter( + pc.match_substring(pc.utf8_lower(table.column("COMM")), "watchdog") + ).num_rows + > 0 + ) + assert ( + table.filter(pc.greater(table.column("PID"), 0)).num_rows == table.num_rows + ) def test_windows_generic_handles(self, volatility, python, image): rc, out, _err = test_volatility.runvol_plugin( @@ -79,7 +114,14 @@ def test_windows_generic_handles(self, volatility, python, image): table = self._get_table_from_output(out) assert table.num_rows > 500 - assert table.filter(pc.match_substring(pc.utf8_lower(table.column('Name')), "machine\\system")).num_rows > 0 + assert ( + table.filter( + pc.match_substring( + pc.utf8_lower(table.column("Name")), "machine\\system" + ) + ).num_rows + > 0 + ) def test_linux_generic_lsof(self, volatility, python, image): rc, out, _err = test_volatility.runvol_plugin( @@ -94,6 +136,7 @@ def test_linux_generic_lsof(self, volatility, python, image): table = self._get_table_from_output(out) assert table.num_rows > 35 + class TestParquetRenderer(TestArrowRendererBase): renderer_format = "parquet" 
@@ -106,4 +149,3 @@ class TestArrowRenderer(TestArrowRendererBase): def _get_table_from_output(self, output_bytes): return pa.ipc.open_stream(io.BytesIO(output_bytes)).read_all() - diff --git a/test/volatility3_code_analysis.py b/test/volatility3_code_analysis.py index 100ad3074a..43fed459bb 100644 --- a/test/volatility3_code_analysis.py +++ b/test/volatility3_code_analysis.py @@ -82,7 +82,6 @@ def __str__(self): class UnrequiredVersionableUsage(CodeViolation): - def __init__( self, module: types.ModuleType, @@ -107,7 +106,6 @@ def __str__(self) -> str: class DirectVolatilityImportUsage(CodeViolation): - def __init__( self, module: types.ModuleType, @@ -174,8 +172,11 @@ def _check_vol3_import_from(self, node: ast.ImportFrom): """ if ( node.module - and node.module.startswith("volatility3.") # Give a pass to volatility3 module - and node.module != "volatility3.framework.constants._version" # make an exception for this + and node.module.startswith( + "volatility3." + ) # Give a pass to volatility3 module + and node.module + != "volatility3.framework.constants._version" # make an exception for this ): for name in node.names: try: @@ -204,7 +205,6 @@ def _check_vol3_import_from(self, node: ast.ImportFrom): def enter_ImportFrom(self, node: ast.ImportFrom): self._check_vol3_import_from(node) - def enter_ClassDef(self, node: ast.ClassDef) -> Any: logger.debug("Entering class %s", node.name) clazz = None diff --git a/volatility3/__init__.py b/volatility3/__init__.py index 94a6721e13..9867f5d94f 100644 --- a/volatility3/__init__.py +++ b/volatility3/__init__.py @@ -2,6 +2,7 @@ # which is available at https://www.volatilityfoundation.org/license/vsl-v1.0 # """Volatility 3 - An open-source memory forensics framework""" + import inspect import sys from importlib import abc diff --git a/volatility3/cli/__init__.py b/volatility3/cli/__init__.py index 4c379a15ea..15e6cc7b44 100644 --- a/volatility3/cli/__init__.py +++ b/volatility3/cli/__init__.py 
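Review bot: In `_check_vol3_import_from` (hunk `@@ -174,8 +172,11 @@`) the reformatted condition is harder to read than before: `node.module.startswith("volatility3.")` is split over three lines, and both explanatory comments now trail a closing bracket or a bare string operand. Putting each comment on its own line above its clause lets the formatter keep the clauses whole. That means `# Give a pass to volatility3 module` above `and node.module.startswith("volatility3.")`, and `# make an exception for this` above `and node.module != "volatility3.framework.constants._version"`. The function body continues outside the hunk.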
@@ -10,6 +10,7 @@ * run the plugin * display the results """ + import argparse import inspect import io @@ -458,8 +459,9 @@ def run(self): raise ValueError( "Invalid extension (extensions must be of the format \"conf.path.value='value'\")" ) - address, value = extension[: extension.find("=")], json.loads( - extension[extension.find("=") + 1 :] + address, value = ( + extension[: extension.find("=")], + json.loads(extension[extension.find("=") + 1 :]), ) ctx.config[address] = value @@ -574,7 +576,7 @@ def load_system_defaults( delayed_logs.append( ( logging.DEBUG, - f"Loaded configuration: {json.dumps(result, indent = 2, sort_keys = True)}", + f"Loaded configuration: {json.dumps(result, indent=2, sort_keys=True)}", ) ) return delayed_logs, result @@ -763,7 +765,7 @@ def order_extra_verbose_levels(self): constants.LOGLEVEL_VVVV, ] ): - logging.addLevelName(level_value, f"DETAIL {level+1}") + logging.addLevelName(level_value, f"DETAIL {level + 1}") def file_handler_class_factory(self, direct=True): output_dir = self.output_dir diff --git a/volatility3/cli/text_renderer.py b/volatility3/cli/text_renderer.py index 1e437a0be7..d552013718 100644 --- a/volatility3/cli/text_renderer.py +++ b/volatility3/cli/text_renderer.py @@ -278,7 +278,6 @@ def ignored_columns( class QuickTextRenderer(CLIRenderer): - name = "quick" def get_render_options(self): @@ -348,7 +347,6 @@ def render(self, grid: interfaces.renderers.TreeGrid) -> None: class CSVRenderer(CLIRenderer): - name = "csv" structured_output = True diff --git a/volatility3/cli/volshell/__init__.py b/volatility3/cli/volshell/__init__.py index 0affe5d597..5bc29f220f 100644 --- a/volatility3/cli/volshell/__init__.py +++ b/volatility3/cli/volshell/__init__.py 
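Review bot: The reformatted tuple in `run` (volatility3/cli/__init__.py, and the identical hunk in volatility3/cli/volshell/__init__.py) still calls `extension.find("=")` twice and slices by hand. `address, _, raw_value = extension.partition("=")` followed by `value = json.loads(raw_value)` states the split once. The slicing is only correct if the check ahead of the visible `raise ValueError` rejects input without an `=`, because `find` returns -1 in that case; that check is outside the hunk, so this should be confirmed. `run` starts and ends outside the hunk.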
@@ -344,8 +344,9 @@ def run(self): raise ValueError( "Invalid extension (extensions must be of the format \"conf.path.value='value'\")" ) - address, value = extension[: extension.find("=")], json.loads( - extension[extension.find("=") + 1 :] + address, value = ( + extension[: extension.find("=")], + json.loads(extension[extension.find("=") + 1 :]), ) ctx.config[address] = value diff --git a/volatility3/cli/volshell/generic.py b/volatility3/cli/volshell/generic.py index ace4b2119a..2a8039ff2d 100644 --- a/volatility3/cli/volshell/generic.py +++ b/volatility3/cli/volshell/generic.py @@ -469,7 +469,7 @@ def display_type( and dereference_count < MAX_DEREFERENCE_COUNT ): # before defreerencing the pointer, show it's information - print(f'{" " * dereference_count}{self._display_simple_type(volobject)}') + print(f"{' ' * dereference_count}{self._display_simple_type(volobject)}") # check that we can follow the pointer before dereferencing and do not # attempt to follow null pointers. @@ -486,7 +486,7 @@ def display_type( if hasattr(volobject.vol, "members"): # display the header for this object, if the original object was just a type string, display the type information - struct_header = f'{" " * dereference_count}{volobject.vol.type_name} ({volobject.vol.size} bytes)' + struct_header = f"{' ' * dereference_count}{volobject.vol.type_name} ({volobject.vol.size} bytes)" if isinstance(object, str) and offset is None: suffix = ":" else: @@ -523,7 +523,7 @@ def display_type( len_typename = len(member_type_name) if len(member_type_name) > MAX_TYPENAME_DISPLAY_LENGTH: len_typename = MAX_TYPENAME_DISPLAY_LENGTH - member_type_name = f"{member_type_name[:len_typename - 3]}..." + member_type_name = f"{member_type_name[: len_typename - 3]}..." if isinstance(volobject, interfaces.objects.ObjectInterface): # We're an instance, so also display the data diff --git a/volatility3/framework/__init__.py b/volatility3/framework/__init__.py index 1c899f4344..6943598cfb 100644 
--- a/volatility3/framework/__init__.py +++ b/volatility3/framework/__init__.py @@ -2,6 +2,7 @@ # which is available at https://www.volatilityfoundation.org/license/vsl-v1.0 # """Volatility 3 framework.""" + # Check the python version to ensure it's suitable import glob import sys diff --git a/volatility3/framework/automagic/pdbscan.py b/volatility3/framework/automagic/pdbscan.py index 55b9b81e10..8e2233840e 100644 --- a/volatility3/framework/automagic/pdbscan.py +++ b/volatility3/framework/automagic/pdbscan.py @@ -7,6 +7,7 @@ This module contains a standalone scanner, and also a :class:`~volatility3.framework.interfaces.layers.ScannerInterface` based scanner for use within the framework by calling :func:`~volatility3.framework.interfaces.layers.DataLayerInterface.scan`. """ + import contextlib import logging import math diff --git a/volatility3/framework/automagic/stacker.py b/volatility3/framework/automagic/stacker.py index 5968642646..2e9875086d 100644 --- a/volatility3/framework/automagic/stacker.py +++ b/volatility3/framework/automagic/stacker.py @@ -153,8 +153,9 @@ def stack( constructor(context, config_path, requirement) # Stash the changed config items - self._cached = context.config.get(path, None), context.config.branch( - path + self._cached = ( + context.config.get(path, None), + context.config.branch(path), ) vollog.debug( f"physical_layer maximum_address: {physical_layer.maximum_address}" diff --git a/volatility3/framework/automagic/windows.py b/volatility3/framework/automagic/windows.py index 52296f5ad5..7d56b01b30 100644 --- a/volatility3/framework/automagic/windows.py +++ b/volatility3/framework/automagic/windows.py @@ -26,6 +26,7 @@ | x64 | 0x1ED | +--------------+-------+ """ + import logging import struct from typing import Generator, Iterable, List, Optional, Tuple, Type diff --git a/volatility3/framework/configuration/requirements.py b/volatility3/framework/configuration/requirements.py index 6d978e2a9f..b1cc716e55 100644 
--- a/volatility3/framework/configuration/requirements.py +++ b/volatility3/framework/configuration/requirements.py @@ -8,6 +8,7 @@ types (such as strings, integers, etc) as well as indicating what they expect to be in the context (such as particular layers or symboltables). """ + import abc import logging import os diff --git a/volatility3/framework/constants/linux/__init__.py b/volatility3/framework/constants/linux/__init__.py index f45bed9261..3f8c52b43b 100644 --- a/volatility3/framework/constants/linux/__init__.py +++ b/volatility3/framework/constants/linux/__init__.py @@ -5,6 +5,7 @@ Linux-specific values that aren't found in debug symbols """ + import enum from dataclasses import dataclass diff --git a/volatility3/framework/contexts/__init__.py b/volatility3/framework/contexts/__init__.py index 32d33f657d..125f41f8ab 100644 --- a/volatility3/framework/contexts/__init__.py +++ b/volatility3/framework/contexts/__init__.py @@ -8,6 +8,7 @@ contexts, to allow a plugin to act on multiple different contexts without them interfering with each other. """ + import functools import hashlib import logging diff --git a/volatility3/framework/deprecation.py b/volatility3/framework/deprecation.py index 90fa9bce0d..5816479223 100644 --- a/volatility3/framework/deprecation.py +++ b/volatility3/framework/deprecation.py 
@@ -79,7 +79,7 @@ def wrapper(*args, **kwargs): "This is a bug, the deprecated call needs to be removed and the caller needs to update their code to use the new method.", ) - deprecation_msg = f"Method \"{deprecated_func.__module__ + '.' + deprecated_func.__qualname__}\" is deprecated and will be removed in the first release after {removal_date}, use \"{replacement.__module__ + '.' + replacement.__qualname__}\" instead. {additional_information}" + deprecation_msg = f'Method "{deprecated_func.__module__ + "." + deprecated_func.__qualname__}" is deprecated and will be removed in the first release after {removal_date}, use "{replacement.__module__ + "." + replacement.__qualname__}" instead. {additional_information}' warnings.warn(deprecation_msg, FutureWarning) # Return the wrapped function with its original arguments return deprecated_func(*args, **kwargs) diff --git a/volatility3/framework/exceptions.py b/volatility3/framework/exceptions.py index 34b41727aa..3b70c5c29a 100644 --- a/volatility3/framework/exceptions.py +++ b/volatility3/framework/exceptions.py @@ -8,6 +8,7 @@ :class:`PagedInvalidAddressException` contains information about the size of the invalid page. """ + from typing import Callable, Dict, Optional, Tuple from volatility3.framework import interfaces @@ -161,4 +162,4 @@ def __init__( self.failure_reason = failure_reason def __str__(self): - return f"{self.source_component.__module__+ '.' + self.source_component.__qualname__}: Version {self.target_version} dependency on {self.target_component.__module__+ '.' + self.target_component.__name__} {self.target_component.version} unmet." + return f"{self.source_component.__module__ + '.' + self.source_component.__qualname__}: Version {self.target_version} dependency on {self.target_component.__module__ + '.' + self.target_component.__name__} {self.target_component.version} unmet." 
diff --git a/volatility3/framework/interfaces/automagic.py b/volatility3/framework/interfaces/automagic.py index 4ac386fc0d..744a33babe 100644 --- a/volatility3/framework/interfaces/automagic.py +++ b/volatility3/framework/interfaces/automagic.py @@ -7,6 +7,7 @@ Automagic objects attempt to automatically fill configuration values that a user has not filled. """ + import logging from abc import ABCMeta from typing import Any, List, Optional, Tuple, Type, Union diff --git a/volatility3/framework/interfaces/context.py b/volatility3/framework/interfaces/context.py index 4f863898ef..0b71e4cb27 100644 --- a/volatility3/framework/interfaces/context.py +++ b/volatility3/framework/interfaces/context.py @@ -11,6 +11,7 @@ `object`, which will construct a symbol on a layer at a particular offset. """ + import collections import copy from abc import ABCMeta, abstractmethod diff --git a/volatility3/framework/interfaces/layers.py b/volatility3/framework/interfaces/layers.py index 6c4e4b419d..2e328124d1 100644 --- a/volatility3/framework/interfaces/layers.py +++ b/volatility3/framework/interfaces/layers.py @@ -6,6 +6,7 @@ One layer may combine other layers, map data based on the data itself, or map a procedure (such as decryption) across another layer of data. """ + import collections.abc import functools import logging diff --git a/volatility3/framework/interfaces/objects.py b/volatility3/framework/interfaces/objects.py index 2d8024465c..7f67cf5865 100644 --- a/volatility3/framework/interfaces/objects.py +++ b/volatility3/framework/interfaces/objects.py @@ -3,6 +3,7 @@ # """Objects are the core of volatility, and provide pythonic access to interpreted values of data from a layer.""" + import abc import collections import collections.abc diff --git a/volatility3/framework/interfaces/symbols.py b/volatility3/framework/interfaces/symbols.py index 925be72c93..1159fd290b 100644 --- a/volatility3/framework/interfaces/symbols.py +++ b/volatility3/framework/interfaces/symbols.py 
@@ -2,6 +2,7 @@ # which is available at https://www.volatilityfoundation.org/license/vsl-v1.0 # """Symbols provide structural information about a set of bytes.""" + import bisect import collections.abc from abc import ABC, abstractmethod diff --git a/volatility3/framework/layers/avml.py b/volatility3/framework/layers/avml.py index 2e55721923..7c052f70a7 100644 --- a/volatility3/framework/layers/avml.py +++ b/volatility3/framework/layers/avml.py @@ -6,6 +6,7 @@ The user of the file doesn't have to worry about the compression, but random access is not allowed.""" + import ctypes import logging import struct diff --git a/volatility3/framework/layers/codecs/__init__.py b/volatility3/framework/layers/codecs/__init__.py index e019bcbcd9..5b9f2602bc 100644 --- a/volatility3/framework/layers/codecs/__init__.py +++ b/volatility3/framework/layers/codecs/__init__.py @@ -2,7 +2,4 @@ # which is available at https://www.volatilityfoundation.org/license/vsl-v1.0 # -"""Codecs used for encoding or decoding data should live here - - -""" +"""Codecs used for encoding or decoding data should live here""" diff --git a/volatility3/framework/layers/intel.py b/volatility3/framework/layers/intel.py index 696c333530..8485800046 100644 --- a/volatility3/framework/layers/intel.py +++ b/volatility3/framework/layers/intel.py @@ -315,7 +315,13 @@ def mapping( ): # The block isn't contiguous if stashed_offset is not None: - yield stashed_offset, stashed_size, stashed_mapped_offset, stashed_mapped_size, stashed_map_layer + yield ( + stashed_offset, + stashed_size, + stashed_mapped_offset, + stashed_mapped_size, + stashed_map_layer, + ) # Update all the stashed values after output stashed_offset = offset stashed_mapped_offset = mapped_offset 
@@ -334,7 +340,13 @@ def mapping( and stashed_mapped_size is not None and stashed_map_layer is not None ): - yield stashed_offset, stashed_size, stashed_mapped_offset, stashed_mapped_size, stashed_map_layer + yield ( + stashed_offset, + stashed_size, + stashed_mapped_offset, + stashed_mapped_size, + stashed_map_layer, + ) def _mapping( self, offset: int, length: int, ignore_errors: bool = False diff --git a/volatility3/framework/layers/msf.py b/volatility3/framework/layers/msf.py index 2b4fae9639..a7bf6466e3 100644 --- a/volatility3/framework/layers/msf.py +++ b/volatility3/framework/layers/msf.py @@ -234,9 +234,13 @@ def mapping( layer_name=self.name, invalid_address=offset + returned ) else: - yield offset + returned, chunk_size, ( - self._pages[page] * page_size - ) + page_position, chunk_size, self._base_layer + yield ( + offset + returned, + chunk_size, + (self._pages[page] * page_size) + page_position, + chunk_size, + self._base_layer, + ) returned += chunk_size length -= chunk_size diff --git a/volatility3/framework/layers/resources.py b/volatility3/framework/layers/resources.py index 6121c2cffe..66fb617afe 100644 --- a/volatility3/framework/layers/resources.py +++ b/volatility3/framework/layers/resources.py @@ -305,8 +305,9 @@ def non_cached_schemes(cls) -> List[str]: def default_open(req: urllib.request.Request) -> Optional[Any]: """Handles the request if it's the jar scheme.""" if req.type == "jar": - subscheme, remainder = req.full_url.split(":")[1], ":".join( - req.full_url.split(":")[2:] + subscheme, remainder = ( + req.full_url.split(":")[1], + ":".join(req.full_url.split(":")[2:]), ) if subscheme != "file": vollog.log( diff --git a/volatility3/framework/layers/segmented.py b/volatility3/framework/layers/segmented.py index 9825ae15cd..96b9618dc6 100644 --- a/volatility3/framework/layers/segmented.py +++ b/volatility3/framework/layers/segmented.py 
@@ -129,7 +129,13 @@ def mapping( return None # Crop it to the amount we need left chunk_size = min(size, length + offset - logical_offset) - yield logical_offset, chunk_size, mapped_offset, mapped_size, self._base_layer + yield ( + logical_offset, + chunk_size, + mapped_offset, + mapped_size, + self._base_layer, + ) current_offset += chunk_size # Terminate if we've gone (or reached) our required limit if current_offset >= offset + length: diff --git a/volatility3/framework/layers/vmware.py b/volatility3/framework/layers/vmware.py index 39fb21b630..5dc00f3443 100644 --- a/volatility3/framework/layers/vmware.py +++ b/volatility3/framework/layers/vmware.py @@ -65,10 +65,10 @@ def _read_header(self) -> None: data = meta_layer.read(0, header_size) magic, unknown, groupCount = struct.unpack(self.header_structure, data) if magic not in [ - b"\xD0\xBE\xD2\xBE", - b"\xD1\xBA\xD1\xBA", - b"\xD2\xBE\xD2\xBE", - b"\xD3\xBE\xD3\xBE", + b"\xd0\xbe\xd2\xbe", + b"\xd1\xba\xd1\xba", + b"\xd2\xbe\xd2\xbe", + b"\xd3\xbe\xd3\xbe", ]: raise VmwareFormatException( self.name, f"Wrong magic bytes for Vmware layer: {repr(magic)}" diff --git a/volatility3/framework/plugins/banners.py b/volatility3/framework/plugins/banners.py index d4e6e2aa85..eea39206d7 100644 --- a/volatility3/framework/plugins/banners.py +++ b/volatility3/framework/plugins/banners.py @@ -60,8 +60,9 @@ def locate_banners( not in b" #()+,;/-.0123456789:@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~" ] if not failed: - yield format_hints.Hex(offset), str( - data, encoding="latin-1", errors="?" + yield ( + format_hints.Hex(offset), + str(data, encoding="latin-1", errors="?"), ) def run(self): diff --git a/volatility3/framework/plugins/isfinfo.py b/volatility3/framework/plugins/isfinfo.py index 1c2ac52e90..10f3913213 100644 --- a/volatility3/framework/plugins/isfinfo.py +++ b/volatility3/framework/plugins/isfinfo.py 
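Review bot: In `locate_banners` (volatility3/framework/plugins/banners.py), `errors="?"` is not the name of a codec error handler; the built-in names are `strict`, `replace`, `ignore` and similar. It goes unnoticed because latin-1 maps every byte value, so the handler is never looked up on this path, but an interpreter that validates the argument eagerly (Python's development mode does this for encode/decode) may reject it. I would write `str(data, encoding="latin-1")`, or `errors="replace"` if substitution was the intent. The function starts outside the hunk.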
@@ -72,9 +72,12 @@ def list_all_isf_files(cls) -> Generator[str, None, None]: for extension in constants.ISF_EXTENSIONS: # By ending with an extension (and therefore, not /), we should not return any directories if name.endswith(extension): - yield "jar:file:" + str( - pathlib.Path(base_name) - ) + "!" + name + yield ( + "jar:file:" + + str(pathlib.Path(base_name)) + + "!" + + name + ) else: for extension in constants.ISF_EXTENSIONS: diff --git a/volatility3/framework/plugins/linux/graphics/fbdev.py b/volatility3/framework/plugins/linux/graphics/fbdev.py index 1f9fd74b54..ebdbd17069 100644 --- a/volatility3/framework/plugins/linux/graphics/fbdev.py +++ b/volatility3/framework/plugins/linux/graphics/fbdev.py @@ -245,7 +245,6 @@ def parse_fb_info( return fb def _generator(self): - if not has_pil: vollog.error( "PIL (pillow) module is required to use this plugin. Please install it manually or through pyproject.toml." diff --git a/volatility3/framework/plugins/linux/ip.py b/volatility3/framework/plugins/linux/ip.py index 348f3c13f0..164fe62dd4 100644 --- a/volatility3/framework/plugins/linux/ip.py +++ b/volatility3/framework/plugins/linux/ip.py @@ -47,7 +47,17 @@ def _gather_net_dev_info(self, net_dev: net_extensions.net_device): prefix_len = in_ifaddr.get_prefix_len() scope_type = in_ifaddr.get_scope_type() ip_addr = in_ifaddr.get_address() - yield net_ns_id, iface_ifindex, iface_name, mac_addr, promisc, ip_addr, prefix_len, scope_type, operational_state + yield ( + net_ns_id, + iface_ifindex, + iface_name, + mac_addr, + promisc, + ip_addr, + prefix_len, + scope_type, + operational_state, + ) # Interface IPv6 Addresses inet6_dev = net_dev.ip6_ptr.dereference().cast("inet6_dev") 
@@ -55,7 +65,17 @@ def _gather_net_dev_info(self, net_dev: net_extensions.net_device): prefix_len = inet6_ifaddr.get_prefix_len() scope_type = inet6_ifaddr.get_scope_type() ip6_addr = inet6_ifaddr.get_address() - yield net_ns_id, iface_ifindex, iface_name, mac_addr, promisc, ip6_addr, prefix_len, scope_type, operational_state + yield ( + net_ns_id, + iface_ifindex, + iface_name, + mac_addr, + promisc, + ip6_addr, + prefix_len, + scope_type, + operational_state, + ) def _enumerate_net_namespace_list(self): vmlinux = self.context.modules[self.config["kernel"]] @@ -82,16 +102,19 @@ def _generator(self): scope_type, operational_state, ) in self._gather_net_dev_info(net_dev): - yield 0, ( - net_ns_id or renderers.NotAvailableValue(), - iface_ifindex, - iface_name, - mac_addr, - promisc, - ip6_addr, - prefix_len, - scope_type, - operational_state, + yield ( + 0, + ( + net_ns_id or renderers.NotAvailableValue(), + iface_ifindex, + iface_name, + mac_addr, + promisc, + ip6_addr, + prefix_len, + scope_type, + operational_state, + ), ) def run(self): @@ -150,7 +173,16 @@ def _gather_net_dev_link_info(self, net_device): ] flags_str = ",".join(flags_list) - yield net_ns_id or renderers.NotAvailableValue(), iface_name, mac_addr, operational_state, mtu, qdisc_name or renderers.NotAvailableValue(), qlen, flags_str + yield ( + net_ns_id or renderers.NotAvailableValue(), + iface_name, + mac_addr, + operational_state, + mtu, + qdisc_name or renderers.NotAvailableValue(), + qlen, + flags_str, + ) def _generator(self): vmlinux = self.context.modules[self.config["kernel"]] diff --git a/volatility3/framework/plugins/linux/kmsg.py b/volatility3/framework/plugins/linux/kmsg.py index 1069a312f5..ba02763d0d 100644 --- a/volatility3/framework/plugins/linux/kmsg.py +++ b/volatility3/framework/plugins/linux/kmsg.py 
@@ -551,12 +551,15 @@ def _generator( for facility, level, timestamp, caller, line in ABCKmsg.run_all( context=self.context, config=self.config ): - yield 0, ( - facility, - level, - timestamp, - caller or renderers.NotAvailableValue(), - line, + yield ( + 0, + ( + facility, + level, + timestamp, + caller or renderers.NotAvailableValue(), + line, + ), ) def run(self): diff --git a/volatility3/framework/plugins/linux/lsof.py b/volatility3/framework/plugins/linux/lsof.py index 283eabca0d..be521750a0 100644 --- a/volatility3/framework/plugins/linux/lsof.py +++ b/volatility3/framework/plugins/linux/lsof.py @@ -220,5 +220,9 @@ def generate_timeline(self): ) yield description, timeliner.TimeLinerType.CHANGED, fd_user.change_time - yield description, timeliner.TimeLinerType.MODIFIED, fd_user.modification_time + yield ( + description, + timeliner.TimeLinerType.MODIFIED, + fd_user.modification_time, + ) yield description, timeliner.TimeLinerType.ACCESSED, fd_user.access_time diff --git a/volatility3/framework/plugins/linux/malware/check_afinfo.py b/volatility3/framework/plugins/linux/malware/check_afinfo.py index 47da21615b..4ecf5f788a 100644 --- a/volatility3/framework/plugins/linux/malware/check_afinfo.py +++ b/volatility3/framework/plugins/linux/malware/check_afinfo.py @@ -3,6 +3,7 @@ # """A module containing a plugin that verifies the operation function pointers of network protocols.""" + import logging from typing import List, Tuple, Generator diff --git a/volatility3/framework/plugins/linux/malware/check_syscall.py b/volatility3/framework/plugins/linux/malware/check_syscall.py index 1188bf2503..6476d6621c 100644 --- a/volatility3/framework/plugins/linux/malware/check_syscall.py +++ b/volatility3/framework/plugins/linux/malware/check_syscall.py 
@@ -2,6 +2,7 @@ # which is available at https://www.volatilityfoundation.org/license/vsl-v1.0 # """A module containing a plugin that checks the system call table for hooks.""" + import contextlib import logging from typing import List diff --git a/volatility3/framework/plugins/linux/malware/netfilter.py b/volatility3/framework/plugins/linux/malware/netfilter.py index d724d4296f..6bc5cd1bf4 100644 --- a/volatility3/framework/plugins/linux/malware/netfilter.py +++ b/volatility3/framework/plugins/linux/malware/netfilter.py @@ -223,7 +223,16 @@ def _run(self) -> Iterator[Tuple[int, str, str, int, int, str, bool]]: ) hooked = module_info is None - yield netns, proto_name, hook_name, priority, hook_ops_hook, module_info, symbol_name, hooked + yield ( + netns, + proto_name, + hook_name, + priority, + hook_ops_hook, + module_info, + symbol_name, + hooked, + ) @classmethod @abstractmethod diff --git a/volatility3/framework/plugins/linux/malware/tty_check.py b/volatility3/framework/plugins/linux/malware/tty_check.py index 1547c5cc62..00e85f2515 100644 --- a/volatility3/framework/plugins/linux/malware/tty_check.py +++ b/volatility3/framework/plugins/linux/malware/tty_check.py @@ -100,11 +100,14 @@ def _generator(self): else: module_name = renderers.NotAvailableValue() - yield 0, ( - name, - format_hints.Hex(recv_buf), - module_name, - symbol_name or renderers.NotAvailableValue(), + yield ( + 0, + ( + name, + format_hints.Hex(recv_buf), + module_name, + symbol_name or renderers.NotAvailableValue(), + ), ) def run(self): diff --git a/volatility3/framework/plugins/linux/module_extract.py b/volatility3/framework/plugins/linux/module_extract.py index 97824aca0c..a8864281af 100644 --- a/volatility3/framework/plugins/linux/module_extract.py +++ b/volatility3/framework/plugins/linux/module_extract.py 
@@ -75,10 +75,13 @@ def _generator(self): with self.open(file_name) as file_handle: file_handle.write(elf_data) - yield 0, ( - format_hints.Hex(base_address), - len(elf_data), - file_handle.preferred_filename, + yield ( + 0, + ( + format_hints.Hex(base_address), + len(elf_data), + file_handle.preferred_filename, + ), ) def run(self): diff --git a/volatility3/framework/plugins/linux/pagecache.py b/volatility3/framework/plugins/linux/pagecache.py index 1fd96d5d2c..2d20a2fb1d 100644 --- a/volatility3/framework/plugins/linux/pagecache.py +++ b/volatility3/framework/plugins/linux/pagecache.py @@ -386,7 +386,11 @@ def generate_timeline(self): inode_out = inode_in.to_user(vmlinux_layer) description = f"Cached Inode for {inode_out.path}" yield description, timeliner.TimeLinerType.ACCESSED, inode_out.access_time - yield description, timeliner.TimeLinerType.MODIFIED, inode_out.modification_time + yield ( + description, + timeliner.TimeLinerType.MODIFIED, + inode_out.modification_time, + ) yield description, timeliner.TimeLinerType.CHANGED, inode_out.change_time @classmethod @@ -813,7 +817,6 @@ def _generator(self): visited_paths = seen_prefixes = set() for inode_in in inodes_iter: - # Code is slightly duplicated here with the if-block below. # However this prevents unneeded tar manipulation if fifo # or sock inodes come through for example. diff --git a/volatility3/framework/plugins/linux/pslist.py b/volatility3/framework/plugins/linux/pslist.py index 9b31976ece..71caa0853d 100644 --- a/volatility3/framework/plugins/linux/pslist.py +++ b/volatility3/framework/plugins/linux/pslist.py 
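Review bot: The context line `visited_paths = seen_prefixes = set()` in `_generator` (volatility3/framework/plugins/linux/pagecache.py, hunk at -813) binds both names to the same set object, so anything added through one name is also a member of the other. If the two are meant to be tracked independently, it should be `visited_paths = set()` and `seen_prefixes = set()` on separate lines. The rest of the loop is outside the hunk, so that intent is not certain. If sharing is intended, a one-line comment saying so would stop a later reader from "fixing" it.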
@@ -225,18 +225,21 @@ def _generator( task_euid = self._format_cred(task_fields.euid) task_egid = self._format_cred(task_fields.egid) - yield 0, ( - format_hints.Hex(task_fields.offset), - task_fields.user_pid, - task_fields.user_tid, - task_fields.user_ppid, - task_fields.name, - task_uid, - task_gid, - task_euid, - task_egid, - task_fields.creation_time or renderers.NotAvailableValue(), - file_output, + yield ( + 0, + ( + format_hints.Hex(task_fields.offset), + task_fields.user_pid, + task_fields.user_tid, + task_fields.user_ppid, + task_fields.name, + task_uid, + task_gid, + task_euid, + task_egid, + task_fields.creation_time or renderers.NotAvailableValue(), + file_output, + ), ) @classmethod diff --git a/volatility3/framework/plugins/linux/tracing/perf_events.py b/volatility3/framework/plugins/linux/tracing/perf_events.py index 23b2f2c72c..ff922784df 100644 --- a/volatility3/framework/plugins/linux/tracing/perf_events.py +++ b/volatility3/framework/plugins/linux/tracing/perf_events.py @@ -70,7 +70,6 @@ def list_perf_events(cls, context, vmlinux_module_name: str) -> Generator[ for task in pslist.PsList.list_tasks( context, vmlinux_module_name, include_threads=True ): - # walk the list of perf_event entries for this process for event in task.perf_event_list.to_list( vmlinux.symbol_table_name + constants.BANG + "perf_event", "owner_entry" diff --git a/volatility3/framework/plugins/linux/vmaregexscan.py b/volatility3/framework/plugins/linux/vmaregexscan.py index fb757beb58..2fde3aadc9 100644 --- a/volatility3/framework/plugins/linux/vmaregexscan.py +++ b/volatility3/framework/plugins/linux/vmaregexscan.py @@ -64,7 +64,6 @@ def _generator(self, regex_pattern, tasks): vollog.debug(f"RegEx Pattern: {regex_pattern}") for task in tasks: - if not task.mm: continue name = utility.array_to_string(task.comm) 
@@ -106,12 +105,15 @@ def _generator(self, regex_pattern, tasks): bytes_result = result_data user_pid = task.tgid - yield 0, ( - user_pid, - name, - format_hints.Hex(offset), - text_result, - bytes_result, + yield ( + 0, + ( + user_pid, + name, + format_hints.Hex(offset), + text_result, + bytes_result, + ), ) def run(self): diff --git a/volatility3/framework/plugins/linux/vmayarascan.py b/volatility3/framework/plugins/linux/vmayarascan.py index 64f5827c1d..d9466f5128 100644 --- a/volatility3/framework/plugins/linux/vmayarascan.py +++ b/volatility3/framework/plugins/linux/vmayarascan.py @@ -103,12 +103,15 @@ def _generator(self): layer_name=proc_layer.name, length=len(value), ) - yield 0, ( - format_hints.Hex(offset), - task.tgid, - rule_name, - name, - layer_data, + yield ( + 0, + ( + format_hints.Hex(offset), + task.tgid, + rule_name, + name, + layer_data, + ), ) @classmethod diff --git a/volatility3/framework/plugins/mac/lsmod.py b/volatility3/framework/plugins/mac/lsmod.py index c6f57f8892..05a0ee72f1 100644 --- a/volatility3/framework/plugins/mac/lsmod.py +++ b/volatility3/framework/plugins/mac/lsmod.py @@ -3,6 +3,7 @@ # """A module containing a collection of plugins that produce data typically found in Mac's lsmod command.""" + from typing import Set from volatility3.framework import renderers, interfaces, exceptions diff --git a/volatility3/framework/plugins/mac/mount.py b/volatility3/framework/plugins/mac/mount.py index 0f3aa745c1..3d9dcd916b 100644 --- a/volatility3/framework/plugins/mac/mount.py +++ b/volatility3/framework/plugins/mac/mount.py @@ -3,6 +3,7 @@ # """A module containing a collection of plugins that produce data typically found in Mac's mount command.""" + from volatility3.framework import renderers, interfaces from volatility3.framework.configuration import requirements from volatility3.framework.interfaces import plugins 
diff --git a/volatility3/framework/plugins/mac/psaux.py b/volatility3/framework/plugins/mac/psaux.py index ba9b7b5f63..bdcfb1466e 100644 --- a/volatility3/framework/plugins/mac/psaux.py +++ b/volatility3/framework/plugins/mac/psaux.py @@ -2,6 +2,7 @@ # which is available at https://www.volatilityfoundation.org/license/vsl-v1.0 # """In-memory artifacts from OSX systems.""" + from typing import Iterator, Tuple, Any, Generator, List from volatility3.framework import exceptions, renderers, interfaces diff --git a/volatility3/framework/plugins/windows/callbacks.py b/volatility3/framework/plugins/windows/callbacks.py index b8c9fe7511..2a65f76bbd 100644 --- a/volatility3/framework/plugins/windows/callbacks.py +++ b/volatility3/framework/plugins/windows/callbacks.py @@ -78,7 +78,6 @@ def create_callback_scan_constraints( def _create_default_scan_constraints( context: interfaces.context.ContextInterface, symbol_table: str ) -> List[poolscanner.PoolConstraint]: - shutdown_packet_size = context.symbol_space.get_type( symbol_table + constants.BANG + "_SHUTDOWN_PACKET" ).size @@ -590,7 +589,11 @@ def list_bugcheck_reason_callbacks( except exceptions.InvalidAddressException: component = renderers.UnreadableValue() - yield "KeBugCheckReasonCallbackListHead", callback.CallbackRoutine, component + yield ( + "KeBugCheckReasonCallbackListHead", + callback.CallbackRoutine, + component, + ) @classmethod def list_bugcheck_callbacks( diff --git a/volatility3/framework/plugins/windows/deskscan.py b/volatility3/framework/plugins/windows/deskscan.py index 35430be5d2..202eaf3303 100644 --- a/volatility3/framework/plugins/windows/deskscan.py +++ b/volatility3/framework/plugins/windows/deskscan.py 
@@ -77,6 +77,11 @@ def scan_desktops( continue for _thread, process_name, process_pid in desktop.get_threads(): - yield format_hints.Hex( - desktop.vol.offset - ), winsta_name, session_id, desktop_name, process_name, process_pid + yield ( + format_hints.Hex(desktop.vol.offset), + winsta_name, + session_id, + desktop_name, + process_name, + process_pid, + ) diff --git a/volatility3/framework/plugins/windows/desktops.py b/volatility3/framework/plugins/windows/desktops.py index c6557085e5..f2a985c6b1 100644 --- a/volatility3/framework/plugins/windows/desktops.py +++ b/volatility3/framework/plugins/windows/desktops.py @@ -63,9 +63,14 @@ def list_desktops( for desktop, desktop_name in winsta.desktops(kernel.symbol_table_name): # for each desktop, walk its threads for _thread, process_name, process_pid in desktop.get_threads(): - yield format_hints.Hex( - desktop.vol.offset - ), station_name, session_id, desktop_name, process_name, process_pid + yield ( + format_hints.Hex(desktop.vol.offset), + station_name, + session_id, + desktop_name, + process_name, + process_pid, + ) def _generator(self): kernel_name = self.config["kernel"] diff --git a/volatility3/framework/plugins/windows/kpcrs.py b/volatility3/framework/plugins/windows/kpcrs.py index 213e3833c1..d544fd4980 100644 --- a/volatility3/framework/plugins/windows/kpcrs.py +++ b/volatility3/framework/plugins/windows/kpcrs.py @@ -96,7 +96,6 @@ def list_kpcrs( yield kpcr, kpcr.member(kpcr_member) def _generator(self) -> Iterator[Tuple]: - for kpcr, current_prcb in self.list_kpcrs(self.context, self.config["kernel"]): yield ( 0, diff --git a/volatility3/framework/plugins/windows/malware/direct_system_calls.py b/volatility3/framework/plugins/windows/malware/direct_system_calls.py index dce09605be..f6b9e53bb0 100644 --- a/volatility3/framework/plugins/windows/malware/direct_system_calls.py +++ b/volatility3/framework/plugins/windows/malware/direct_system_calls.py 
@@ -451,12 +451,15 @@ def _generator( address, disasm_bytes = syscall_info - yield 0, ( - proc_name, - proc.UniqueProcessId, - vad_path, - format_hints.Hex(address), - disasm_bytes, + yield ( + 0, + ( + proc_name, + proc.UniqueProcessId, + vad_path, + format_hints.Hex(address), + disasm_bytes, + ), ) def run(self) -> renderers.TreeGrid: diff --git a/volatility3/framework/plugins/windows/malware/hollowprocesses.py b/volatility3/framework/plugins/windows/malware/hollowprocesses.py index f981ae340c..1ea46b540a 100644 --- a/volatility3/framework/plugins/windows/malware/hollowprocesses.py +++ b/volatility3/framework/plugins/windows/malware/hollowprocesses.py @@ -198,10 +198,13 @@ def _generator(self, procs): for check in checks: for note in check(proc, vads, dlls): - yield 0, ( - pid, - proc_name, - note, + yield ( + 0, + ( + pid, + proc_name, + note, + ), ) def run(self): diff --git a/volatility3/framework/plugins/windows/malware/malfind.py b/volatility3/framework/plugins/windows/malware/malfind.py index 01da93e1f4..2f6d9eb56e 100644 --- a/volatility3/framework/plugins/windows/malware/malfind.py +++ b/volatility3/framework/plugins/windows/malware/malfind.py @@ -92,8 +92,11 @@ def list_injections( for vad, data_object in cls.list_injection_sites( context, kernel_layer_name, symbol_table, proc ): - yield vad, data_object.context.layers[data_object.layer_name].read( - data_object.offset, data_object.length + yield ( + vad, + data_object.context.layers[data_object.layer_name].read( + data_object.offset, data_object.length + ), ) @classmethod diff --git a/volatility3/framework/plugins/windows/malware/pebmasquerade.py b/volatility3/framework/plugins/windows/malware/pebmasquerade.py index dd85fb5701..cd898239fc 100644 --- a/volatility3/framework/plugins/windows/malware/pebmasquerade.py +++ b/volatility3/framework/plugins/windows/malware/pebmasquerade.py 
@@ -167,7 +167,6 @@ def _generator(self, pids, context, kernel_module_name): if isinstance(peb_imagefilepath, str) and peb: try: - # Length values are of type USHORT peb_imagefilepath_length = ( peb.ProcessParameters.ImagePathName.Length // 2 diff --git a/volatility3/framework/plugins/windows/malware/processghosting.py b/volatility3/framework/plugins/windows/malware/processghosting.py index f234bc2e70..fb8ec527d6 100644 --- a/volatility3/framework/plugins/windows/malware/processghosting.py +++ b/volatility3/framework/plugins/windows/malware/processghosting.py @@ -149,9 +149,12 @@ def check_for_ghosting( for file_object_address, delete_pending, delete_on_close in cls._vad_checks( control_area, path ): - yield format_hints.Hex( - file_object_address - ), delete_pending, delete_on_close, vad_base + yield ( + format_hints.Hex(file_object_address), + delete_pending, + delete_on_close, + vad_base, + ) def _generator(self, procs): kernel = self.context.modules[self.config["kernel"]] @@ -187,14 +190,17 @@ def _generator(self, procs): else: path = renderers.NotAvailableValue() - yield 0, ( - pid, - process_name, - format_hints.Hex(base_address), - format_hints.Hex(file_object_address), - delete_pending or renderers.NotApplicableValue(), - delete_on_close or renderers.NotApplicableValue(), - path, + yield ( + 0, + ( + pid, + process_name, + format_hints.Hex(base_address), + format_hints.Hex(file_object_address), + delete_pending or renderers.NotApplicableValue(), + delete_on_close or renderers.NotApplicableValue(), + path, + ), ) def run(self): diff --git a/volatility3/framework/plugins/windows/malware/skeleton_key_check.py b/volatility3/framework/plugins/windows/malware/skeleton_key_check.py index d9cba07045..10c6222bc2 100644 --- a/volatility3/framework/plugins/windows/malware/skeleton_key_check.py +++ b/volatility3/framework/plugins/windows/malware/skeleton_key_check.py 
@@ -648,12 +648,15 @@ def _generator(self, procs): csystem, cryptdll_base, cryptdll_size ) - yield 0, ( - lsass_proc.UniqueProcessId, - "lsass.exe", - skeleton_key_present, - format_hints.Hex(csystem.Initialize), - format_hints.Hex(csystem.Decrypt), + yield ( + 0, + ( + lsass_proc.UniqueProcessId, + "lsass.exe", + skeleton_key_present, + format_hints.Hex(csystem.Initialize), + format_hints.Hex(csystem.Decrypt), + ), ) def _lsass_proc_filter(self, proc): diff --git a/volatility3/framework/plugins/windows/malware/suspicious_threads.py b/volatility3/framework/plugins/windows/malware/suspicious_threads.py index 3da8cb21ae..803a0b04b5 100644 --- a/volatility3/framework/plugins/windows/malware/suspicious_threads.py +++ b/volatility3/framework/plugins/windows/malware/suspicious_threads.py @@ -196,14 +196,17 @@ def _generator(self): for vad_path, note in self._check_thread_address( exe_path, ranges, address ): - yield 0, ( - proc_name, - pid, - tid, - context, - format_hints.Hex(address), - vad_path, - note, + yield ( + 0, + ( + proc_name, + pid, + tid, + context, + format_hints.Hex(address), + vad_path, + note, + ), ) def run(self): diff --git a/volatility3/framework/plugins/windows/mftscan.py b/volatility3/framework/plugins/windows/mftscan.py index f0be3cf7f7..2dfecb93b1 100644 --- a/volatility3/framework/plugins/windows/mftscan.py +++ b/volatility3/framework/plugins/windows/mftscan.py 
@@ -132,19 +132,22 @@ def parse_standard_information_records( # There should only be one STANDARD_INFORMATION attribute, but we # do this just in case. for std_information in mft_record.standard_information_entries(): - yield 0, cls.MFTScanResult( - format_hints.Hex(std_information.vol.offset), - str(mft_record.get_signature()), - mft_record.RecordNumber, - mft_record.LinkCount, - mft_flag, - renderers.NotApplicableValue(), - "STANDARD_INFORMATION", - conversion.wintime_to_datetime(std_information.CreationTime), - conversion.wintime_to_datetime(std_information.ModifiedTime), - conversion.wintime_to_datetime(std_information.UpdatedTime), - conversion.wintime_to_datetime(std_information.AccessedTime), - renderers.NotApplicableValue(), + yield ( + 0, + cls.MFTScanResult( + format_hints.Hex(std_information.vol.offset), + str(mft_record.get_signature()), + mft_record.RecordNumber, + mft_record.LinkCount, + mft_flag, + renderers.NotApplicableValue(), + "STANDARD_INFORMATION", + conversion.wintime_to_datetime(std_information.CreationTime), + conversion.wintime_to_datetime(std_information.ModifiedTime), + conversion.wintime_to_datetime(std_information.UpdatedTime), + conversion.wintime_to_datetime(std_information.AccessedTime), + renderers.NotApplicableValue(), + ), ) except exceptions.InvalidAddressException: pass 
@@ -163,26 +166,28 @@ def parse_filename_records( # File Name Attribute try: for filename_info in mft_record.filename_entries(): - # If we don't have a valid enum, coerce to hex so we can keep the record try: permissions = filename_info.Flags.lookup() except ValueError: permissions = hex(filename_info.Flags) - yield 1, cls.MFTScanResult( - format_hints.Hex(filename_info.vol.offset), - str(mft_record.get_signature()), - mft_record.RecordNumber, - mft_record.LinkCount, - mft_flag, - permissions, - "FILE_NAME", - conversion.wintime_to_datetime(filename_info.CreationTime), - conversion.wintime_to_datetime(filename_info.ModifiedTime), - conversion.wintime_to_datetime(filename_info.UpdatedTime), - conversion.wintime_to_datetime(filename_info.AccessedTime), - filename_info.get_full_name(), + yield ( + 1, + cls.MFTScanResult( + format_hints.Hex(filename_info.vol.offset), + str(mft_record.get_signature()), + mft_record.RecordNumber, + mft_record.LinkCount, + mft_flag, + permissions, + "FILE_NAME", + conversion.wintime_to_datetime(filename_info.CreationTime), + conversion.wintime_to_datetime(filename_info.ModifiedTime), + conversion.wintime_to_datetime(filename_info.UpdatedTime), + conversion.wintime_to_datetime(filename_info.AccessedTime), + filename_info.get_full_name(), + ), ) except exceptions.InvalidAddressException: return 
@@ -214,22 +219,25 @@ def _generator(self): # but in this case memory usage is so extreme due to the number of # records that it becomes necessary. The rich types are still # exposed through classmethods. - yield level, ( - record.offset, - record.record_type, - int(record.record_number), - int(record.link_count), - record.mft_type, - record.permissions, - record.attribute_type, - record.created, - record.modified, - record.updated, - record.accessed, + yield ( + level, ( - str(record.filename) - if isinstance(record.filename, objects.String) - else record.filename + record.offset, + record.record_type, + int(record.record_number), + int(record.link_count), + record.mft_type, + record.permissions, + record.attribute_type, + record.created, + record.modified, + record.updated, + record.accessed, + ( + str(record.filename) + if isinstance(record.filename, objects.String) + else record.filename + ), ), ) @@ -344,22 +352,25 @@ def _generator(self): # but in this case memory usage is so extreme due to the number of # records that it becomes necessary. The rich types are still # exposed through classmethods. - yield 0, ( - record.offset, - str(record.signature), - int(record.record_number), - record.attribute_type, - ( - str(record.filename) - if isinstance(record.filename, objects.String) - else record.filename - ), + yield ( + 0, ( - str(record.stream_name) - if isinstance(record.stream_name, objects.String) - else record.stream_name + record.offset, + str(record.signature), + int(record.record_number), + record.attribute_type, + ( + str(record.filename) + if isinstance(record.filename, objects.String) + else record.filename + ), + ( + str(record.stream_name) + if isinstance(record.stream_name, objects.String) + else record.stream_name + ), + record.content, ), - record.content, ) def run(self): 
@@ -454,13 +465,16 @@ def _generator(self): # but in this case memory usage is so extreme due to the number of # records that it becomes necessary. The rich types are still # exposed through classmethods. - yield 0, ( - resident_data_entry.offset, - str(resident_data_entry.signature), - int(resident_data_entry.record_number), - resident_data_entry.attribute_type, - str(resident_data_entry.filename), - resident_data_entry.content, + yield ( + 0, + ( + resident_data_entry.offset, + str(resident_data_entry.signature), + int(resident_data_entry.record_number), + resident_data_entry.attribute_type, + str(resident_data_entry.filename), + resident_data_entry.content, + ), ) def run(self): diff --git a/volatility3/framework/plugins/windows/modules.py b/volatility3/framework/plugins/windows/modules.py index 1ec965737c..18a7b59193 100644 --- a/volatility3/framework/plugins/windows/modules.py +++ b/volatility3/framework/plugins/windows/modules.py @@ -119,13 +119,16 @@ def _generator(self): if self.config["dump"]: file_output = self.dump_module(session_layers, pe_table_name, mod) - yield 0, ( - format_hints.Hex(mod.vol.offset), - format_hints.Hex(mod.DllBase), - format_hints.Hex(mod.SizeOfImage), - BaseDllName, - FullDllName, - file_output, + yield ( + 0, + ( + format_hints.Hex(mod.vol.offset), + format_hints.Hex(mod.DllBase), + format_hints.Hex(mod.SizeOfImage), + BaseDllName, + FullDllName, + file_output, + ), ) @classmethod diff --git a/volatility3/framework/plugins/windows/poolscanner.py b/volatility3/framework/plugins/windows/poolscanner.py index 157282ce14..43dcd0482b 100644 --- a/volatility3/framework/plugins/windows/poolscanner.py +++ b/volatility3/framework/plugins/windows/poolscanner.py @@ -436,7 +436,6 @@ def generate_pool_scan_extended( constraints, alignment=alignment, ): - mem_objects = header.get_object( constraint=constraint, use_top_down=is_windows_8_or_later, 
diff --git a/volatility3/framework/plugins/windows/registry/amcache.py b/volatility3/framework/plugins/windows/registry/amcache.py index a6ad1848e2..ed078993cb 100644 --- a/volatility3/framework/plugins/windows/registry/amcache.py +++ b/volatility3/framework/plugins/windows/registry/amcache.py @@ -246,13 +246,29 @@ def generate_timeline( ) -> Iterator[Tuple[str, timeliner.TimeLinerType, datetime.datetime]]: for _, entry in self._generator(): if isinstance(entry.last_modify_time, datetime.datetime): - yield f"Amcache: {entry.entry_type} {entry.path} registry key modified", timeliner.TimeLinerType.MODIFIED, entry.last_modify_time + yield ( + f"Amcache: {entry.entry_type} {entry.path} registry key modified", + timeliner.TimeLinerType.MODIFIED, + entry.last_modify_time, + ) if isinstance(entry.last_modify_time_2, datetime.datetime): - yield f"Amcache: {entry.entry_type} {entry.path} STANDARD_INFORMATION create time", timeliner.TimeLinerType.CREATED, entry.last_modify_time_2 + yield ( + f"Amcache: {entry.entry_type} {entry.path} STANDARD_INFORMATION create time", + timeliner.TimeLinerType.CREATED, + entry.last_modify_time_2, + ) if isinstance(entry.install_time, datetime.datetime): - yield f"Amcache: {entry.entry_type} {entry.path} installed", timeliner.TimeLinerType.CREATED, entry.install_time + yield ( + f"Amcache: {entry.entry_type} {entry.path} installed", + timeliner.TimeLinerType.CREATED, + entry.install_time, + ) if isinstance(entry.compile_time, datetime.datetime): - yield f"Amcache: {entry.entry_type} {entry.path} compiled (PE metadata)", timeliner.TimeLinerType.MODIFIED, entry.compile_time + yield ( + f"Amcache: {entry.entry_type} {entry.path} compiled (PE metadata)", + timeliner.TimeLinerType.MODIFIED, + entry.compile_time, + ) @classmethod def get_amcache_hive( 
@@ -319,20 +335,23 @@ def parse_file_key( vollog.debug(f"Found sha1hash {sha1_hash}") product_name = _get_string_value(values, val_enum.Product.value) - yield program_id, _AmcacheEntry( - AmcacheEntryType.File.name, - path=path, - company=company, - last_modify_time=last_mod_time, - last_modify_time_2=last_mod_time_2, - install_time=install_time, - compile_time=compile_time, - sha1_hash=( - sha1_hash.lstrip("0000") - if isinstance(sha1_hash, str) - else sha1_hash + yield ( + program_id, + _AmcacheEntry( + AmcacheEntryType.File.name, + path=path, + company=company, + last_modify_time=last_mod_time, + last_modify_time_2=last_mod_time_2, + install_time=install_time, + compile_time=compile_time, + sha1_hash=( + sha1_hash.lstrip("0000") + if isinstance(sha1_hash, str) + else sha1_hash + ), + product_name=product_name, ), - product_name=product_name, ) @classmethod @@ -365,15 +384,18 @@ def parse_programs_key( ) version = _get_string_value(values, val_enum.Version.value) - yield program_id, _AmcacheEntry( - AmcacheEntryType.Program.name, - company=company, - last_modify_time=conversion.wintime_to_datetime( - program_key.LastWriteTime.QuadPart + yield ( + program_id, + _AmcacheEntry( + AmcacheEntryType.Program.name, + company=company, + last_modify_time=conversion.wintime_to_datetime( + program_key.LastWriteTime.QuadPart + ), + install_time=install_time, + product_name=product, + product_version=version, ), - install_time=install_time, - product_name=product, - product_version=version, ) @classmethod 
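Review bot: `sha1_hash.lstrip("0000")` in the `_AmcacheEntry(...)` call of `parse_file_key` strips every leading `0` character rather than the four-character prefix, because `str.lstrip` treats its argument as a set of characters. A digest that itself begins with one or more zeros is therefore shortened, and the reported SHA-1 will no longer match the file when it is compared against known-hash lists. Removing only the prefix keeps the digest intact: `sha1_hash[4:] if isinstance(sha1_hash, str) and sha1_hash.startswith("0000") else sha1_hash`. The same expression appears in the `parse_inventory_app_file_key` hunk further down. Both functions start and end outside their hunks.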
@@ -411,14 +433,17 @@ def parse_inventory_app_key( product: str = name if isinstance(name, str) else "UNKNOWN" # type: ignore - yield program_id.strip().strip("\u0000"), _AmcacheEntry( - AmcacheEntryType.Program.name, - path=path, - last_modify_time=last_mod, - install_time=install_date, - product_name=product, - company=publisher, - product_version=version, + yield ( + program_id.strip().strip("\u0000"), + _AmcacheEntry( + AmcacheEntryType.Program.name, + path=path, + last_modify_time=last_mod, + install_time=install_date, + product_name=product, + company=publisher, + product_version=version, + ), ) @classmethod @@ -456,19 +481,22 @@ def parse_inventory_app_file_key( prod_ver = _get_string_value(values, val_enum.ProductVersion.value) program_id = _get_string_value(values, val_enum.ProgramID.value) - yield program_id, _AmcacheEntry( - AmcacheEntryType.File.name, - path=path, - company=publisher, - last_modify_time=last_mod, - compile_time=linkdate, - sha1_hash=( - sha1_hash.lstrip("0000") - if isinstance(sha1_hash, str) - else sha1_hash + yield ( + program_id, + _AmcacheEntry( + AmcacheEntryType.File.name, + path=path, + company=publisher, + last_modify_time=last_mod, + compile_time=linkdate, + sha1_hash=( + sha1_hash.lstrip("0000") + if isinstance(sha1_hash, str) + else sha1_hash + ), + product_name=prod_name, + product_version=prod_ver, ), - product_name=prod_name, - product_version=prod_ver, ) @classmethod @@ -485,7 +513,6 @@ def parse_driver_binary_key( wanted_values = [key.value for key in val_enum] for binary_key in driver_binary_key.get_subkeys(): - values = { str(value.get_name()): value for value in binary_key.get_values() @@ -636,7 +663,6 @@ def indented( yield 0, empty_program def run(self): - return renderers.TreeGrid( [ ("EntryType", str), diff --git a/volatility3/framework/plugins/windows/registry/scheduled_tasks.py b/volatility3/framework/plugins/windows/registry/scheduled_tasks.py index 2c660229b5..a3e5fabe2a 100644 
--- a/volatility3/framework/plugins/windows/registry/scheduled_tasks.py +++ b/volatility3/framework/plugins/windows/registry/scheduled_tasks.py @@ -185,7 +185,6 @@ class TaskSchedulerTimePeriod: class _ScheduledTasksReader(io.BytesIO): - def read_task_scheduler_time(self) -> Optional[datetime.datetime]: _ = bool(self.read_aligned_u1()) # is_localized filetime = self.decode_filetime() @@ -393,7 +392,6 @@ def _decode_email_action( num_attachment_filenames = reader.read_u4() if num_attachment_filenames is not None: - attachment_filenames = [ reader.read_bstring() for _ in range(num_attachment_filenames) ] 
@@ -1138,11 +1136,23 @@ def generate_timeline( ) -> Iterator[Tuple[str, timeliner.TimeLinerType, datetime.datetime]]: for _, task in self._generator(): if isinstance(task.last_run_time, datetime.datetime): - yield f"ScheduledTasks: task action {task.action_description} with trigger {task.trigger_description} ran", timeliner.TimeLinerType.ACCESSED, task.last_run_time + yield ( + f"ScheduledTasks: task action {task.action_description} with trigger {task.trigger_description} ran", + timeliner.TimeLinerType.ACCESSED, + task.last_run_time, + ) if isinstance(task.last_successful_run_time, datetime.datetime): - yield f"ScheduledTasks: task action {task.action_description} with trigger {task.trigger_description} ran successfully", timeliner.TimeLinerType.ACCESSED, task.last_successful_run_time + yield ( + f"ScheduledTasks: task action {task.action_description} with trigger {task.trigger_description} ran successfully", + timeliner.TimeLinerType.ACCESSED, + task.last_successful_run_time, + ) if isinstance(task.creation_time, datetime.datetime): - yield f"ScheduledTasks: Creation Time for task {task.guid} with trigger {task.trigger_description or ''}", timeliner.TimeLinerType.CREATED, task.creation_time + yield ( + f"ScheduledTasks: Creation Time for task {task.guid} with trigger {task.trigger_description or ''}", + timeliner.TimeLinerType.CREATED, + task.creation_time, + ) @classmethod def get_software_hive( @@ -1203,7 +1213,6 @@ def parse_triggers_value( def parse_dynamic_info_value( cls, dyn_info_value: reg_extensions.CM_KEY_VALUE ) -> Optional[DynamicInfo]: - try: data = dyn_info_value.decode_data() except exceptions.InvalidAddressException: @@ -1318,7 +1327,6 @@ def _parse_task_key( all_actions = action_set.actions or [None] if action_set is not None else [None] for action, trigger in itertools.product(all_actions, all_triggers): - if action is not None: if action.action_type in ( ActionType.Exe, 
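Review bot: The three timeline descriptions in `generate_timeline` treat missing values differently: the creation-time message uses `task.trigger_description or ''`, while the two run-time messages interpolate `task.action_description` and `task.trigger_description` directly. If either field can be `None` (the existing `or ''` suggests the trigger can), those entries would read "task action None with trigger None" in the timeline. Using the same fallback in all three f-strings, e.g. `{task.trigger_description or ''}`, would keep the output consistent. The function starts outside the hunk.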
diff --git a/volatility3/framework/plugins/windows/sessions.py b/volatility3/framework/plugins/windows/sessions.py index 29d0b21047..1588205293 100644 --- a/volatility3/framework/plugins/windows/sessions.py +++ b/volatility3/framework/plugins/windows/sessions.py @@ -95,13 +95,16 @@ def _generator(self): # Group and yield each row for rows in sessions.values(): for row in rows: - yield 0, ( - row.get("session_id"), - row.get("session_type"), - row.get("process_id"), - row.get("process_name"), - row.get("user_name"), - row.get("process_start"), + yield ( + 0, + ( + row.get("session_id"), + row.get("session_type"), + row.get("process_id"), + row.get("process_name"), + row.get("user_name"), + row.get("process_start"), + ), ) def generate_timeline(self): diff --git a/volatility3/framework/plugins/windows/shimcachemem.py b/volatility3/framework/plugins/windows/shimcachemem.py index 7a03ebbb63..8935757d49 100644 --- a/volatility3/framework/plugins/windows/shimcachemem.py +++ b/volatility3/framework/plugins/windows/shimcachemem.py @@ -51,9 +51,17 @@ def generate_timeline( ) -> Iterator[Tuple[str, timeliner.TimeLinerType, datetime]]: for _, (_, last_modified, last_update, _, _, file_path) in self._generator(): if isinstance(last_update, datetime): - yield f"Shimcache: File {file_path} executed", timeliner.TimeLinerType.ACCESSED, last_update + yield ( + f"Shimcache: File {file_path} executed", + timeliner.TimeLinerType.ACCESSED, + last_update, + ) if isinstance(last_modified, datetime): - yield f"Shimcache: File {file_path} modified", timeliner.TimeLinerType.MODIFIED, last_modified + yield ( + f"Shimcache: File {file_path} modified", + timeliner.TimeLinerType.MODIFIED, + last_modified, + ) @classmethod def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: 
@@ -161,7 +169,7 @@ def find_shimcache_win_xp( continue try: - if proc_layer.read(vad.get_start(), 4) != b"\xEF\xBE\xAD\xDE": + if proc_layer.read(vad.get_start(), 4) != b"\xef\xbe\xad\xde": if pid == 624: vollog.debug("VAD magic bytes don't match DEADBEEF") continue diff --git a/volatility3/framework/plugins/windows/svcscan.py b/volatility3/framework/plugins/windows/svcscan.py index 5f0e4761eb..1bfb98fda2 100644 --- a/volatility3/framework/plugins/windows/svcscan.py +++ b/volatility3/framework/plugins/windows/svcscan.py @@ -150,7 +150,6 @@ def _create_service_table( def _get_service_key( context, config_path: str, kernel_module_name: str ) -> Optional[objects.StructType]: - for hive in hivelist.HiveList.list_hives( context=context, base_config_path=interfaces.configuration.path_join( diff --git a/volatility3/framework/plugins/windows/thrdscan.py b/volatility3/framework/plugins/windows/thrdscan.py index 082b822843..1588f292e5 100644 --- a/volatility3/framework/plugins/windows/thrdscan.py +++ b/volatility3/framework/plugins/windows/thrdscan.py @@ -167,16 +167,19 @@ def _generator(self, filter_func: Callable) -> Iterator[Tuple[int, Tuple]]: info = self.gather_thread_info(ethread, vads_cache) if info: - yield 0, ( - format_hints.Hex(info.offset), - info.pid, - info.tid, - format_hints.Hex(info.start_addr), - info.start_path or renderers.NotAvailableValue(), - format_hints.Hex(info.win32_start_addr), - info.win32_start_path or renderers.NotAvailableValue(), - info.create_time, - info.exit_time, + yield ( + 0, + ( + format_hints.Hex(info.offset), + info.pid, + info.tid, + format_hints.Hex(info.start_addr), + info.start_path or renderers.NotAvailableValue(), + format_hints.Hex(info.win32_start_addr), + info.win32_start_path or renderers.NotAvailableValue(), + info.create_time, + info.exit_time, + ), ) def generate_timeline(self): 
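Review bot: The debug message in `find_shimcache_win_xp` is logged only when `pid == 624`, a hard-coded process id that looks like a leftover from debugging one particular memory image. On any other image a magic-byte mismatch is skipped without a trace, which makes it harder to see why a VAD was rejected. If the per-VAD log volume is acceptable, drop the condition and include the pid in the message, e.g. `vollog.debug(f"PID {pid}: VAD magic bytes don't match DEADBEEF")`. The function body starts and ends outside the hunk.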
diff --git a/volatility3/framework/plugins/windows/vadregexscan.py b/volatility3/framework/plugins/windows/vadregexscan.py index 068838e356..6a3cc394f2 100644 --- a/volatility3/framework/plugins/windows/vadregexscan.py +++ b/volatility3/framework/plugins/windows/vadregexscan.py @@ -62,7 +62,6 @@ def _generator(self, regex_pattern, procs): vollog.debug(f"RegEx Pattern: {regex_pattern}") for proc in procs: - # attempt to create a process layer for each proc proc_layer_name = proc.add_process_layer() if not proc_layer_name: @@ -106,12 +105,15 @@ def _generator(self, regex_pattern, procs): max_length=proc.ImageFileName.vol.count, errors="replace", ) - yield 0, ( - proc_id, - process_name, - format_hints.Hex(offset), - text_result, - bytes_result, + yield ( + 0, + ( + proc_id, + process_name, + format_hints.Hex(offset), + text_result, + bytes_result, + ), ) def run(self): diff --git a/volatility3/framework/plugins/windows/vadyarascan.py b/volatility3/framework/plugins/windows/vadyarascan.py index bbbe49f2df..9a38213fa8 100644 --- a/volatility3/framework/plugins/windows/vadyarascan.py +++ b/volatility3/framework/plugins/windows/vadyarascan.py @@ -100,21 +100,24 @@ def _generator(self): layer_name=layer.name, length=len(value), ) - yield 0, ( - format_hints.Hex(offset), - task.UniqueProcessId, - task.get_create_time(), - task.InheritedFromUniqueProcessId, - task.ImageFileName.cast( - "string", - max_length=task.ImageFileName.vol.count, - errors="replace", + yield ( + 0, + ( + format_hints.Hex(offset), + task.UniqueProcessId, + task.get_create_time(), + task.InheritedFromUniqueProcessId, + task.ImageFileName.cast( + "string", + max_length=task.ImageFileName.vol.count, + errors="replace", + ), + task.get_session_id(), + task.ActiveThreads, + rule_name, + name, + layer_data, ), - task.get_session_id(), - task.ActiveThreads, - rule_name, - name, - layer_data, ) @classmethod 
diff --git a/volatility3/framework/plugins/windows/windows.py b/volatility3/framework/plugins/windows/windows.py index 9d4317df97..c988696651 100644 --- a/volatility3/framework/plugins/windows/windows.py +++ b/volatility3/framework/plugins/windows/windows.py @@ -112,15 +112,18 @@ def _generator(self): ) continue - yield 0, ( - format_hints.Hex(window.vol.offset), - station_name, - sess_id, - desktop_name, - window_name or renderers.NotAvailableValue(), - window_proc, - process_name, - process_pid, + yield ( + 0, + ( + format_hints.Hex(window.vol.offset), + station_name, + sess_id, + desktop_name, + window_name or renderers.NotAvailableValue(), + window_proc, + process_name, + process_pid, + ), ) def run(self): diff --git a/volatility3/framework/renderers/__init__.py b/volatility3/framework/renderers/__init__.py index 8732e6e887..899c191964 100644 --- a/volatility3/framework/renderers/__init__.py +++ b/volatility3/framework/renderers/__init__.py @@ -6,6 +6,7 @@ Renderers display the unified output format in some manner (be it text or file or graphical output """ + import collections import collections.abc import dataclasses diff --git a/volatility3/framework/renderers/format_hints.py b/volatility3/framework/renderers/format_hints.py index d57c7e9f19..83f36a1a0e 100644 --- a/volatility3/framework/renderers/format_hints.py +++ b/volatility3/framework/renderers/format_hints.py @@ -8,6 +8,7 @@ Text renderers should attempt to honour all hints provided in this module where possible """ + from typing import Type, Union from volatility3.framework import interfaces diff --git a/volatility3/framework/symbols/__init__.py b/volatility3/framework/symbols/__init__.py index 87f2288d79..a050298bab 100644 --- a/volatility3/framework/symbols/__init__.py +++ b/volatility3/framework/symbols/__init__.py 
@@ -210,9 +210,10 @@ def _iterative_resolve(self, traverse_list): replacements = set() # Whole Symbols that still need traversing while traverse_list: - template_traverse_list, traverse_list = [ - self._resolved[traverse_list[0]] - ], traverse_list[1:] + template_traverse_list, traverse_list = ( + [self._resolved[traverse_list[0]]], + traverse_list[1:], + ) # Traverse a single symbol looking for any ReferenceTemplate objects while template_traverse_list: traverser, template_traverse_list = ( diff --git a/volatility3/framework/symbols/intermed.py b/volatility3/framework/symbols/intermed.py index 33035bc70a..001f817bdc 100644 --- a/volatility3/framework/symbols/intermed.py +++ b/volatility3/framework/symbols/intermed.py @@ -246,9 +246,12 @@ def file_symbol_url( if name.endswith(zip_match + extension) or ( zip_match == "*" and name.endswith(extension) ): - yield "jar:file:" + str( - pathlib.Path(zip_path) - ) + "!" + name + yield ( + "jar:file:" + + str(pathlib.Path(zip_path)) + + "!" + + name + ) @classmethod def create( diff --git a/volatility3/framework/symbols/linux/extensions/__init__.py b/volatility3/framework/symbols/linux/extensions/__init__.py index 3b9a73e7cd..a40c58bf48 100644 --- a/volatility3/framework/symbols/linux/extensions/__init__.py +++ b/volatility3/framework/symbols/linux/extensions/__init__.py @@ -36,7 +36,6 @@ class module(generic.GenericIntelProcess): - def is_valid(self): """Determine whether it is a valid module object by verifying the self-referential in module_kobject. This also confirms that the module is actively allocated and @@ -991,7 +990,6 @@ def _parse_maple_tree_node( class mm_struct(objects.StructType): - # TODO: As of version 3.0.0 this method should be removed def get_mmap_iter(self) -> Iterable[interfaces.objects.ObjectInterface]: """ 
@@ -3048,7 +3046,6 @@ def find( class kernel_symbol(objects.StructType): - def _offset_to_ptr(self, off) -> int: layer = self._context.layers[self.vol.layer_name] long_mask = (1 << layer.bits_per_register) - 1 diff --git a/volatility3/framework/symbols/linux/utilities/modules.py b/volatility3/framework/symbols/linux/utilities/modules.py index 0ae7488144..804abd4045 100644 --- a/volatility3/framework/symbols/linux/utilities/modules.py +++ b/volatility3/framework/symbols/linux/utilities/modules.py @@ -297,7 +297,6 @@ def run_modules_scanners( # process each module coming from back the current source for module in gatherer.gather_modules(context, kernel_module_name): - # the kernel sends back a ModuleInfo directly if isinstance(module, ModuleInfo): modinfo = module @@ -998,13 +997,16 @@ def generator(self): with self.open(file_name) as file_handle: file_handle.write(elf_data) - yield 0, ( - format_hints.Hex(module.vol.offset), - name, - format_hints.Hex(code_size), - taints, - parameters, - file_name, + yield ( + 0, + ( + format_hints.Hex(module.vol.offset), + name, + format_hints.Hex(code_size), + taints, + parameters, + file_name, + ), ) def run(self): diff --git a/volatility3/framework/symbols/windows/extensions/callbacks.py b/volatility3/framework/symbols/windows/extensions/callbacks.py index f54db39f20..855933f593 100644 --- a/volatility3/framework/symbols/windows/extensions/callbacks.py +++ b/volatility3/framework/symbols/windows/extensions/callbacks.py @@ -48,7 +48,6 @@ def is_parseable(self, type_map: Dict[int, str]) -> bool: return False try: - device = self.DeviceObject if not device or not (device.DriverObject.DriverStart % 0x1000 == 0): vollog.debug( diff --git a/volatility3/framework/symbols/windows/extensions/gui.py b/volatility3/framework/symbols/windows/extensions/gui.py index 0d39f8173a..000c50319f 100644 --- a/volatility3/framework/symbols/windows/extensions/gui.py +++ b/volatility3/framework/symbols/windows/extensions/gui.py 
@@ -220,7 +220,6 @@ def windows( break class tagWND(objects.StructType, pool.ExecutiveObject): - def is_valid(self) -> bool: """ Enforce a valid sid diff --git a/volatility3/framework/symbols/windows/extensions/mft.py b/volatility3/framework/symbols/windows/extensions/mft.py index bf20c1ffcb..ddc21798f4 100644 --- a/volatility3/framework/symbols/windows/extensions/mft.py +++ b/volatility3/framework/symbols/windows/extensions/mft.py @@ -54,7 +54,6 @@ def longest_filename(self) -> Optional[objects.String]: return max(names, key=lambda x: len(str(x))) def _attributes(self) -> Iterator["MFTAttribute"]: - # We will update this on each pass in the next loop and use it as the new offset. attr_base_offset = self.FirstAttrOffset attribute_object_type_name = ( diff --git a/volatility3/framework/symbols/windows/extensions/shimcache.py b/volatility3/framework/symbols/windows/extensions/shimcache.py index 3b32d30c7d..e7d92a48d8 100644 --- a/volatility3/framework/symbols/windows/extensions/shimcache.py +++ b/volatility3/framework/symbols/windows/extensions/shimcache.py @@ -183,7 +183,6 @@ def is_valid(self) -> bool: == self.ListEntry.Flink.Blink.dereference().vol.offset ) ): - return True else: return False diff --git a/volatility3/framework/symbols/windows/pdbconv.py b/volatility3/framework/symbols/windows/pdbconv.py index c23ffb3503..5baf23fb27 100644 --- a/volatility3/framework/symbols/windows/pdbconv.py +++ b/volatility3/framework/symbols/windows/pdbconv.py @@ -489,7 +489,7 @@ def name_strip(self, name): """Strips unnecessary components from the start of a symbol name.""" new_name = name - if new_name[:1] in ["_", "@", "\u007F"]: + if new_name[:1] in ["_", "@", "\u007f"]: new_name = new_name[1:] name_array = new_name.split("@") diff --git a/volatility3/plugins/__init__.py b/volatility3/plugins/__init__.py index 6afa8baf45..27fc0938c9 100644 --- a/volatility3/plugins/__init__.py +++ b/volatility3/plugins/__init__.py 
@@ -12,6 +12,7 @@ The framework is configured this way to allow plugin developers/users to override any plugin functionality whether existing or new. """ + from volatility3.framework import constants __path__ = constants.PLUGINS_PATH diff --git a/volatility3/plugins/linux/__init__.py b/volatility3/plugins/linux/__init__.py index 2d3e2386e4..2ea8fb2507 100644 --- a/volatility3/plugins/linux/__init__.py +++ b/volatility3/plugins/linux/__init__.py @@ -11,6 +11,7 @@ When overriding the plugins directory, you must include a file like this in any subdirectories that may be necessary. """ + import os import sys diff --git a/volatility3/plugins/mac/__init__.py b/volatility3/plugins/mac/__init__.py index 3ac3f15532..3f8e81ce1b 100644 --- a/volatility3/plugins/mac/__init__.py +++ b/volatility3/plugins/mac/__init__.py @@ -11,6 +11,7 @@ When overriding the plugins directory, you must include a file like this in any subdirectories that may be necessary. """ + import os import sys diff --git a/volatility3/plugins/windows/__init__.py b/volatility3/plugins/windows/__init__.py index d74f4fcd51..4684935085 100644 --- a/volatility3/plugins/windows/__init__.py +++ b/volatility3/plugins/windows/__init__.py @@ -11,6 +11,7 @@ When overriding the plugins directory, you must include a file like this in any subdirectories that may be necessary. """ + import os import sys diff --git a/volatility3/plugins/windows/registry/__init__.py b/volatility3/plugins/windows/registry/__init__.py index aeeaa87f25..f012a52a06 100644 --- a/volatility3/plugins/windows/registry/__init__.py +++ b/volatility3/plugins/windows/registry/__init__.py @@ -11,6 +11,7 @@ When overriding the plugins directory, you must include a file like this in any subdirectories that may be necessary. """ + import os import sys diff --git a/volatility3/symbols/__init__.py b/volatility3/symbols/__init__.py index c35f07cbe2..162ea013e4 100644 --- a/volatility3/symbols/__init__.py +++ b/volatility3/symbols/__init__.py 
@@ -6,6 +6,7 @@ This is the namespace for all volatility symbols, and determines the path for loading symbol ISF files """ + from volatility3.framework import constants __path__ = constants.SYMBOL_BASEPATHS