Address feedback

volatilityfoundation · Feb 15, 2025 · 6babe15 · 6babe15
1 parent b78b7a5
commit 6babe15
Showing 1 changed file with 14 additions and 15 deletions.
diff --git a/volatility3/framework/plugins/windows/dumpfiles.py b/volatility3/framework/plugins/windows/dumpfiles.py
@@ -47,13 +47,13 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
             requirements.ListRequirement(
                 name="virtaddr",
                 element_type=int,
-                description="Dump a single _FILE_OBJECT at this virtual address",
+                description="Dump the _FILE_OBJECTs at the given virtual address(es)",
                 optional=True,
             ),
             requirements.ListRequirement(
                 name="physaddr",
                 element_type=int,
-                description="Dump a single _FILE_OBJECT at this physical address",
+                description="Dump a single _FILE_OBJECTs at the given physical address(es)",
                 optional=True,
             ),
             requirements.StringRequirement(
@@ -320,25 +320,24 @@ def _generator(self, procs: List, offsets: List):
                         )
 
         elif offsets:
+            virtual_layer_name = kernel.layer_name
 
-            # Now process any offsets explicitly requested by the user.
+            #FIXME - change this after standard access to physical layer
+            physical_layer_name = self.context.layers[virtual_layer_name].config[
+                "memory_layer"
+            ]
+
+           # Now process any offsets explicitly requested by the user.
             for offset, is_virtual in offsets:
                 try:
-                    layer_name = kernel.layer_name
-                    # switch to a memory layer if the user provided --physaddr instead of --virtaddr
-                    if not is_virtual:
-                        layer_name = self.context.layers[layer_name].config[
-                            "memory_layer"
-                        ]
-
                     file_obj = self.context.object(
                         kernel.symbol_table_name + constants.BANG + "_FILE_OBJECT",
-                        layer_name=layer_name,
-                        native_layer_name=kernel.layer_name,
+                        layer_name=virtual_layer_name if is_virtual else physical_layer_name,
+                        native_layer_name=virtual_layer_name,
                         offset=offset,
                     )
                     for result in self.process_file_object(
-                        self.context, kernel.layer_name, self.open, file_obj
+                        self.context, virtual_layer_name, self.open, file_obj
                     ):
                         yield (0, result)
                 except exceptions.InvalidAddressException:
@@ -362,11 +361,11 @@ def run(self):
             for virtaddr in self.config["virtaddr"]:
                 offsets.append((virtaddr, True))
 
-        elif self.config.get("physaddr"):
+        if self.config.get("physaddr"):
             for physaddr in self.config["physaddr"]:
                 offsets.append((physaddr, False))
 
-        else:
+        if not offsets:
             filter_func = pslist.PsList.create_pid_filter(
                 [self.config.get("pid", None)]
             )