Address feedback
atcuno committed Oct 23, 2024
1 parent d489c2c commit 7ea01d1
Showing 1 changed file with 9 additions and 28 deletions.
37 changes: 9 additions & 28 deletions volatility3/framework/plugins/windows/mftscan.py
@@ -40,12 +40,12 @@ def get_requirements(cls):
@staticmethod
def enumerate_mft_records(
context: interfaces.context.ContextInterface,
config: interfaces.configuration.HierarchicalDict,
config_path: str,
primary_layer_name: str,
attr_callback,
) -> interfaces.objects.ObjectInterface:
try:
primary = context.layers[config["primary"]]
primary = context.layers[primary_layer_name]
except KeyError:
vollog.error(
"Unable to obtain primary layer for scanning. Please file a bug on GitHub about this issue."
@@ -105,10 +105,9 @@ def enumerate_mft_records(
# There is no field that has a count of Attributes
# Keep Attempting to read attributes until we get an invalid attr_header.AttrType
while attr.Attr_Header.AttrType.is_valid_choice:
for record in attr_callback(
yield from attr_callback(
record_map, mft_record, attr, symbol_table
):
yield record
)

# If there's no advancement the loop will never end, so break it now
if attr.Attr_Header.Length == 0:
@@ -225,12 +224,12 @@ def parse_data_record(
)

@classmethod
def _do_parse_data_records(
def parse_data_records(
cls,
record_map: Dict[int, Tuple[str, int, int]],
mft_record: interfaces.objects.ObjectInterface,
attr: interfaces.objects.ObjectInterface,
symbol_table,
record_map: Dict[int, Tuple[str, int, int]],
return_first_record: bool,
) -> Generator[Iterable, None, None]:
"""
@@ -262,7 +261,6 @@ def _do_parse_data_records(

# at the second DATA attribute of this record
elif record_map[mft_record.vol.offset][1] == 1 and not return_first_record:
print("at second record")
display_data = True

if display_data:
@@ -271,26 +269,9 @@ def _do_parse_data_records(
):
yield record

@classmethod
def parse_data_records(
cls,
record_map: Dict[int, Tuple[str, int, int]],
mft_record: interfaces.objects.ObjectInterface,
attr: interfaces.objects.ObjectInterface,
symbol_table,
return_first_record: bool,
):
"""
Callback for parsing data records through enumerate_mft_records
"""
for record in cls._do_parse_data_records(
mft_record, attr, symbol_table, record_map, return_first_record
):
yield record

def _generator(self):
for record in self.enumerate_mft_records(
self.context, self.config, self.config_path, self.parse_mft_records
self.context, self.config_path, self.config["primary"], self.parse_mft_records
):
yield record

@@ -371,7 +352,7 @@ def _generator(self):
ads_name,
content,
) in MFTScan.enumerate_mft_records(
self.context, self.config, self.config_path, self.parse_ads_data_records
self.context, self.config_path, self.config["primary"], self.parse_ads_data_records
):
yield (
0,
@@ -437,7 +418,7 @@ def _generator(self):
_,
content,
) in MFTScan.enumerate_mft_records(
self.context, self.config, self.config_path, self.parse_first_data_records
self.context, self.config_path, self.config["primary"], self.parse_first_data_records
):
yield (0, (offset, rec_type, rec_num, attr_type, file_name, content))
