Merge pull request #1781 from volatilityfoundation/1780-dlllist-loadcount-missing

1780 dlllist loadcount missing

Author: ikelos

volatility3/framework/constants/_version.py

@@ -1,7 +1,7 @@
 # We use the SemVer 2.0.0 versioning scheme
 VERSION_MAJOR = 2  # Number of releases of the library with a breaking change
-VERSION_MINOR = 26  # Number of changes that only add to the interface
-VERSION_PATCH = 2  # Number of changes that do not change the interface
+VERSION_MINOR = 27  # Number of changes that only add to the interface
+VERSION_PATCH = 0  # Number of changes that do not change the interface
 VERSION_SUFFIX = ""
 
 PACKAGE_VERSION = (

volatility3/framework/plugins/windows/dlllist.py

@@ -22,7 +22,7 @@ class DllList(interfaces.plugins.PluginInterface, timeliner.TimeLinerInterface):
     """Lists the loaded DLLs in a particular windows memory image."""
 
     _required_framework_version = (2, 0, 0)
-    _version = (3, 0, 0)
+    _version = (3, 0, 1)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -173,6 +173,10 @@ def _generator(self, procs):
                 except exceptions.InvalidAddressException:
                     size_of_image = renderers.NotAvailableValue()
 
+                LoadCount = entry.get_load_count()
+                if LoadCount is None:
+                    LoadCount = renderers.NotAvailableValue()
+
                 yield (
                     0,
                     (
@@ -186,6 +190,7 @@ def _generator(self, procs):
                         size_of_image,
                         BaseDllName,
                         FullDllName,
+                        LoadCount,
                         DllLoadTime,
                         file_output,
                     ),
@@ -232,6 +237,7 @@ def run(self):
                 ("Size", format_hints.Hex),
                 ("Name", str),
                 ("Path", str),
+                ("LoadCount", int),
                 ("LoadTime", datetime.datetime),
                 ("File output", str),
             ],

volatility3/framework/symbols/windows/__init__.py

@@ -41,6 +41,7 @@ def __init__(self, *args, **kwargs) -> None:
         self.set_type_class("_POOL_TRACKER_BIG_PAGES", pool.POOL_TRACKER_BIG_PAGES)
         self.set_type_class("_IMAGE_DOS_HEADER", pe.IMAGE_DOS_HEADER)
         self.set_type_class("_KTIMER", extensions.KTIMER)
+        self.set_type_class("_LDR_DATA_TABLE_ENTRY", extensions.LDR_DATA_TABLE_ENTRY)
 
         # Might not necessarily defined in every version of windows
         self.optional_set_type_class("_IMAGE_NT_HEADERS", pe.IMAGE_NT_HEADERS)

volatility3/framework/symbols/windows/extensions/__init__.py

@@ -1710,3 +1710,16 @@ def get_available_pages(self) -> List:
                     )
 
         return vacb_list
+
+
+class LDR_DATA_TABLE_ENTRY(objects.StructType):
+    def get_load_count(self) -> Optional[int]:
+        try:
+            LoadCount = self.LoadCount.cast("short")
+        except Exception:
+            try:
+                LoadCount = self.ObsoleteLoadCount.cast("short")
+            except Exception:
+                LoadCount = None
+
+        return LoadCount