volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Windows: fixes scanner bug for versions < win10 #1178

Closed dgmcdona closed 5 months ago

dgmcdona commented 5 months ago

This commit fixes a bug where the layer_name gets discarded when constructing objects. Previously, it was assumed that we would not want to construct an object for a module with a layer_name different from that of the module. However, because we switch to scanning the memory layer on samples where the version is < 10, but still construct kernel executive objects based on the result of the memory layer scan, we actually do sometimes need to specify a different layer.

The effects of this were most noticeable when scanning for symlinks in a Windows 7 sample. It was returning no results due to an InvalidAddressException on all attempts to access the _OBJECT_HEADER.NameInfo.Name - the original _OBJECT_HEADER has a layer_name of memory_layer and a native_layer_name of kernel.layer_name, but the Name member, which is a _UNICODE_STRING, ends up with both the layer_name and native_layer_name values being set to kernel.layer_name. Therefore, when attempting to read the Buffer and Length members of the string, we get the InvalidAddressException.

This fix corrects the output of windows.symlinkscan.SymlinkScan, which is now equivalent to the output produced by the original vol2 plugin, and the output of Win10+ samples remains the same. It will likely also impact https://github.com/volatilityfoundation/volatility3/pull/1110, as well as any other existing plugins that access OBJECT_SYMBOLIC_LINK, KMUTANT, DRIVER_OBJECT or DEVICE_OBJECT names.
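The layer mix-up the PR describes can be reproduced in a small model, added here as an illustration and not taken from volatility3 itself: every class, method and value below (`MemoryLayer`, `VirtualLayer`, `UnicodeString`, `ObjectHeader`, the constructed page mapping, offsets and object name) is an assumption chosen to show the failure mode, not the project's API. An object header found by scanning the memory layer lives at a physical offset, while the `Buffer` pointer inside its `_UNICODE_STRING` is a kernel virtual address. If the member is constructed with `native_layer_name` substituted for `layer_name`, its own `Length` and `Buffer` fields are read through the kernel virtual layer at a physical offset that is not mapped there, which is exactly the `InvalidAddressException` reported above; carrying the header's `layer_name` through to the member makes the read succeed.

```python
"""Toy model of the layer_name / native_layer_name propagation bug.

Constructed illustration only; none of these names are volatility3's.
"""
import struct

PAGE_SIZE = 0x1000


class InvalidAddressException(Exception):
    """Raised when an offset is not readable in the layer being used."""


class MemoryLayer:
    """Flat byte buffer standing in for the physical memory layer."""

    def __init__(self, name, data):
        self.name = name
        self._data = data

    def read(self, offset, length):
        if offset < 0 or offset + length > len(self._data):
            raise InvalidAddressException(f"{self.name}: {offset:#x} not in layer")
        return self._data[offset:offset + length]


class VirtualLayer:
    """Kernel virtual layer: a page map onto the memory layer below it."""

    def __init__(self, name, lower, page_map):
        self.name = name
        self._lower = lower
        self._page_map = page_map  # virtual page -> physical page (constructed)

    def read(self, offset, length):
        page, in_page = offset & ~(PAGE_SIZE - 1), offset & (PAGE_SIZE - 1)
        if page not in self._page_map or in_page + length > PAGE_SIZE:
            raise InvalidAddressException(f"{self.name}: {offset:#x} not mapped")
        return self._lower.read(self._page_map[page] + in_page, length)


class UnicodeString:
    """Model of _UNICODE_STRING: Length(u16), MaximumLength(u16), pad(4), Buffer(u64)."""

    def __init__(self, layers, layer_name, native_layer_name, offset):
        self.layers = layers
        self.layer_name = layer_name              # where the struct's own bytes live
        self.native_layer_name = native_layer_name  # address space Buffer points into
        self.offset = offset

    def get_string(self):
        # The struct's fields are read from the layer the struct bytes live in...
        raw = self.layers[self.layer_name].read(self.offset, 16)
        length, _max_len, buffer = struct.unpack("<HH4xQ", raw)
        # ...but Buffer is a pointer in the native (kernel) address space.
        data = self.layers[self.native_layer_name].read(buffer, length)
        return data.decode("utf-16-le")


class ObjectHeader:
    """Model of an object header with an inline Name _UNICODE_STRING member."""

    NAME_OFFSET = 0x10  # constructed offset of the Name member

    def __init__(self, layers, layer_name, native_layer_name, offset):
        self.layers = layers
        self.layer_name = layer_name
        self.native_layer_name = native_layer_name
        self.offset = offset

    def name_buggy(self):
        # Bug: the member is built with native_layer_name as its layer_name,
        # discarding the layer the header was actually found in.
        member = UnicodeString(self.layers, self.native_layer_name,
                               self.native_layer_name, self.offset + self.NAME_OFFSET)
        return member.get_string()

    def name_fixed(self):
        # Fix: the member keeps the header's layer_name for its own bytes and
        # uses native_layer_name only to dereference Buffer.
        member = UnicodeString(self.layers, self.layer_name,
                               self.native_layer_name, self.offset + self.NAME_OFFSET)
        return member.get_string()


def build_sample():
    """Construct a memory image: header at physical 0x800, name at kernel VA."""
    name = "\\KnownDlls\\ntdll.dll".encode("utf-16-le")  # constructed object name
    data = bytearray(0x4000)
    name_va = 0xFFFFF80000001100             # constructed kernel virtual address
    data[0x2100:0x2100 + len(name)] = name   # VA page 0x...1000 maps to PA 0x2000
    header_pa = 0x800                        # where a memory-layer scan "finds" the header
    data[header_pa + 0x10:header_pa + 0x20] = struct.pack("<HH4xQ", len(name), len(name), name_va)
    memory = MemoryLayer("memory_layer", bytes(data))
    kernel = VirtualLayer("kernel", memory, {0xFFFFF80000001000: 0x2000})
    return {memory.name: memory, kernel.name: kernel}, header_pa


def demo():
    """Return (buggy_result, fixed_result) for the scanned header."""
    layers, header_pa = build_sample()
    hdr = ObjectHeader(layers, "memory_layer", "kernel", header_pa)
    try:
        buggy = hdr.name_buggy()
    except InvalidAddressException as exc:
        buggy = f"InvalidAddressException: {exc}"
    return buggy, hdr.name_fixed()


if __name__ == "__main__":
    for label, result in zip(("buggy", "fixed"), demo()):
        print(f"{label}: {result}")
```

The physical offset 0x800 is not a mapped kernel page in the model, so the buggy path fails on the very first `read` of the struct header, before `Buffer` is even decoded; that matches the PR's observation that both `Buffer` and `Length` were unreadable once the member inherited `kernel.layer_name` for both roles.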