It looks like that the windows poolscanner will in some cases (I think modern windows version) scan a 'virtual' layer rather than a 'physical' one. That means when that the objects that get made are created on this virtual layer. However when the scanning happens on a 'physical' the object is built on that physical layer, with it's native layer being correctly set to the virtual one.
It means if we read out pointers etc from the object the native layer being set correct means we get the right answer.
However it means that object.vol.offset is a reference to the physical layer - and that's why @garanews was having this issue.
Hello 👋
This PR aims to resolve issue where @garanews found an issue with windows psscan when using the --physical flag.
The main issue is covered in my comment here: https://github.com/volatilityfoundation/volatility3/issues/591#issuecomment-1864171385
I would recommend reading the comments on the issue (https://github.com/volatilityfoundation/volatility3/issues/591) as @ikelos raised some other good points on other ways to resolve this problem. It may be that this approach is not the best.
Thanks! 🦊