From 9d67420d0ebe827e508884b02230f5a42103a021 Mon Sep 17 00:00:00 2001
From: Mike Auty
Date: Thu, 8 Jan 2026 21:59:03 +0000
Subject: [PATCH 1/3] Improve windows intel detection for Windows 11

---
 volatility3/framework/automagic/windows.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/volatility3/framework/automagic/windows.py b/volatility3/framework/automagic/windows.py
index 7d56b01b30..af5d4809d9 100644
--- a/volatility3/framework/automagic/windows.py
+++ b/volatility3/framework/automagic/windows.py
@@ -153,8 +153,7 @@ def __call__(
         # Mask off the page bits of top level page map
         page_table_mask = b"\x00\xf0\xff\xff\xff\xff\xff\xff" * 4
         page_table = data[
-            top_pae_page
-            - data_offset : top_pae_page
+            top_pae_page - data_offset : top_pae_page
             - data_offset
             + (4 * self.ptr_size)
         ]
@@ -200,7 +199,7 @@ class WindowsIntelStacker(interfaces.automagic.StackerLayerInterface):
             (
                 "Detecting Self-referential pointer for recent windows",
                 [DtbSelfRef64bit()],
-                [(0x150000, 0x150000), (0x650000, 0xA0000)],
+                [(0x150000, 0x150000), (0x550000, 0xA0000)],
             ),
             (
                 "Older windows fixed location self-referential pointers",
@@ -305,9 +304,20 @@ def get_max_pointer(page_table, test, ptr_size: int):
 
         hits = sorted(list(hits), key=sort_by_tests)
 
+        vollog.debug(f"WindowsIntelStacker hits: {hits}")
+
         for test, page_map_offset in hits:
             # Turn the page tables into integers and find the largest one
             page_table = base_layer.read(page_map_offset, 0x1000)
+
+            # Modern windows can have a dummy page table with only about 2 entries, so sanity check
+            null_count = sum([1 if page_table[x] else 0 for x in page_table])
+            if null_count > 0xFA0:
+                vollog.debug(
+                    f"DTB {page_map_offset:x} contains less than 12 valid pointers, ignoring"
+                )
+                continue
+
             ptr_size = struct.calcsize(test.ptr_struct)
             max_pointer = get_max_pointer(page_table, test, ptr_size)
 

From 1abd67746f456eea3db2edbf14d6a79398de35d8 Mon Sep 17 00:00:00 2001
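Review bot: The sanity check added at `null_count = sum([1 if page_table[x] else 0 for x in page_table])` iterates the byte values of the page rather than its offsets, so `page_table[x]` is indexed by each byte's value (0–255) and only ever looks at the first 256 bytes; it also counts non-zero bytes, while the variable name, the `0xFA0` threshold and the "less than 12 valid pointers" log message all treat it as a count of zero bytes (0x1000 - 0xFA0 = 96 bytes = 12 eight-byte entries). Assuming `base_layer.read` returns `bytes`, `null_count = page_table.count(0)` gives the intended value and makes the existing `if null_count > 0xFA0:` match its message. Because this check decides which candidate DTB the stacker accepts, a wrong count can silently discard the real kernel page table or keep a dummy one, so it is worth a unit test with a mostly-zero 4 KiB page and a populated one. The enclosing method starts and ends outside the hunk.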
From: Mike Auty
Date: Thu, 8 Jan 2026 22:04:18 +0000
Subject: [PATCH 2/3] Appease black

---
 volatility3/framework/automagic/windows.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/volatility3/framework/automagic/windows.py b/volatility3/framework/automagic/windows.py
index af5d4809d9..5ba531d1a7 100644
--- a/volatility3/framework/automagic/windows.py
+++ b/volatility3/framework/automagic/windows.py
@@ -153,7 +153,8 @@ def __call__(
         # Mask off the page bits of top level page map
         page_table_mask = b"\x00\xf0\xff\xff\xff\xff\xff\xff" * 4
         page_table = data[
-            top_pae_page - data_offset : top_pae_page
+            top_pae_page
+            - data_offset : top_pae_page
             - data_offset
             + (4 * self.ptr_size)
         ]

From d0ed42456cb24fbcf3f10ec3419618c168cdc575 Mon Sep 17 00:00:00 2001
From: Mike Auty
Date: Thu, 8 Jan 2026 22:34:32 +0000
Subject: [PATCH 3/3] Increment the size of the amount scanned, not just the start location

---
 volatility3/framework/automagic/windows.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/volatility3/framework/automagic/windows.py b/volatility3/framework/automagic/windows.py
index 5ba531d1a7..cd584b6a1b 100644
--- a/volatility3/framework/automagic/windows.py
+++ b/volatility3/framework/automagic/windows.py
@@ -200,7 +200,7 @@ class WindowsIntelStacker(interfaces.automagic.StackerLayerInterface):
             (
                 "Detecting Self-referential pointer for recent windows",
                 [DtbSelfRef64bit()],
-                [(0x150000, 0x150000), (0x550000, 0xA0000)],
+                [(0x150000, 0x150000), (0x550000, 0x1A0000)],
             ),
             (
                 "Older windows fixed location self-referential pointers",
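Review bot: The scan windows in `[(0x150000, 0x150000), (0x550000, 0x1A0000)]` are bare magic numbers, and this series has adjusted the second pair twice (start lowered to 0x550000 in PATCH 1, length raised to 0x1A0000 here) without a comment saying what range they are meant to cover. Taking the commit message's reading that the second element is a length, PATCH 1 on its own had moved the end of the window from 0x6F0000 down to 0x5F0000 before this commit restored it, which is exactly the kind of slip a comment on the line would prevent, e.g. `# (start, length) ranges scanned for the self-referential DTB pointer; start lowered to 0x550000 for Windows 11`. The list this entry belongs to and the enclosing class start and end outside the hunk.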