volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Fix hexdump text render. Set default to 16 bytes width #1191

Closed gcmoreira closed 4 months ago

gcmoreira commented 4 months ago

Missing bytes

On the one hand, this PR fixes an issue with the hexdump text render function hex_bytes_as_text. The previous implementation failed to handle buffer lengths that are not multiples of 8 bytes, resulting in missing bytes in its output.

For instance, using the text abcd, the previous implementation didn't dump anything.

[*] Text is: abcd
old_hex_bytes_as_text
---------------------

On the contrary, the new implementation correctly handles this case.

[*] Text is: abcd
new_hex_bytes_as_text
---------------------

61 62 63 64                                     abcd

Using a 22-byte buffer abcdefghijklmnopqrstuv, the old implementation misses the last qrstuv bytes:

[*] Text is: abcdefghijklmnopqrstuv

old_hex_bytes_as_text
---------------------

61 62 63 64 65 66 67 68 abcdefgh
69 6a 6b 6c 6d 6e 6f 70 ijklmnop

While the new implementation handles this case too.

[*] Text is: abcdefghijklmnopqrstuv

new_hex_bytes_as_text
---------------------

61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
71 72 73 74 75 76                               qrstuv

16 bytes width

On the other hand, this PR increases the hexdump width from 8 bytes to 16 bytes per row for better visualization and to match other hex dump tools/utilities.

Before:

$ python3 ./vol.py -f sample.lime windows.malfind.Malfind 
Volatility 3 Framework 2.7.1
Progress:  100.00               PDB scanning finished                        
PID     Process Start VPN       End VPN Tag     Protection      CommitCharge    PrivateMemory   File output     Notes   Hexdump Disasm

1436    WaAppAgent.exe  0xaf0000        0xb6ffff        VadS    PAGE_EXECUTE_READWRITE  2       1       Disabled        N/A
00 00 00 00 00 00 00 00 ........
72 7c b4 85 c6 8f 00 01 r|......
ee ff ee ff 00 00 00 00 ........
28 01 af 00 00 00 00 00 (.......
28 01 af 00 00 00 00 00 (.......
00 00 af 00 00 00 00 00 ........
00 00 af 00 00 00 00 00 ........
80 00 00 00 00 00 00 00 ........        00 00 00 00 00 00 00 00 72 7c b4 85 c6 8f 00 01 ee ff ee ff 00 00 00 00 28 01 af 00 00 00 00 00 28 01 af 00 00 00 00 00 00 00 af 00 00 00 00 00 00 00 af 00 00 00 00 00 80 00 00 00 00 00 00 00
...

After:

$ python3 ./vol.py -f sample.lime windows.malfind.Malfind
Volatility 3 Framework 2.7.1
Progress:  100.00               PDB scanning finished                                                                                             
PID     Process Start VPN       End VPN Tag     Protection      CommitCharge    PrivateMemory   File output     Notes   Hexdump Disasm

1436    WaAppAgent.exe  0xaf0000        0xb6ffff        VadS    PAGE_EXECUTE_READWRITE  2       1       Disabled        N/A
00 00 00 00 00 00 00 00 72 7c b4 85 c6 8f 00 01 ........r|......
ee ff ee ff 00 00 00 00 28 01 af 00 00 00 00 00 ........(.......
28 01 af 00 00 00 00 00 00 00 af 00 00 00 00 00 (...............
00 00 af 00 00 00 00 00 80 00 00 00 00 00 00 00 ................        00 00 00 00 00 00 00 00 72 7c b4 85 c6 8f 00 01 ee ff ee ff 00 00 00 00 28 01 af 00 00 00 00 00 28 01 af 00 00 00 00 00 00 00 af 00 00 00 00 00 00 00 af 00 00 00 00 00 80 00 00 00 00 00 00 00
...

Lost in Space

Lastly, the new implementation includes the space character (0x20) in the list of printable characters which, for some reason, was omitted in the original version.

gcmoreira commented 4 months ago

@atcuno

atcuno commented 4 months ago

Thank you @gcmoreira! @ikelos the bug was obviously bad, but then only showing 8 per row was very unusual compared to all other common hex dump utilities and all GUI hex editors, which all show 16 across. Also, only showing 8 produces many extraneous lines in the terminal compared to 8 per row.