volatility
Windows 10 Memory Compression
This PR adds the ability to read compressed pages within Windows 10 memory captures by introducing a new address space. Additional plugins are provided to help demonstrate the capability, register command-line options, and find necessary global offsets.
Any documentation or details regarding unit-testing would be much appreciated.
For additional details, please see our blog posts and white paper:
- https://www.fireeye.com/blog/threat-research/2019/07/finding-evil-in-windows-ten-compressed-memory-part-one.html
- https://www.fireeye.com/blog/threat-research/2019/08/finding-evil-in-windows-ten-compressed-memory-part-two.html
- https://www.fireeye.com/blog/threat-research/2019/08/finding-evil-in-windows-ten-compressed-memory-part-three.html
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/finding-evil-in-windows-10-compressed-memory-wp.pdf
hey, is there a reason why this is not merged to master yet? In my experiments it did not work with Win10x64_17134. With my Win10x64_18362 image it looks as if it would work
Thanks for working on this PR! For hiberfil.sys, I still get:
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at
...
DEBUG : volatility.debug : Failed instantiating (exception): Struct PO_MEMORY_IMAGE has no member FirstTablePage
This is Win10x64_18363, but I guess your patch only covers raw memory dumps, and not the hiberfil?