
`windows.filescan` reports all files to be of size `216`

Open kevthehermit opened this issue 2 years ago • 6 comments

Describe the bug

windows.filescan reports all files to be of size 216

Context

- Volatility Version: 2.5.0
- Operating System: Ubuntu 22.04
- Python Version: 3.10.12
- Suspected Operating System: Windows 10
- Command: `vol -f /mnt/d/Projects/dump.raw windows.filescan`

To Reproduce

Run the plugin on any dump for Windows 10:

  1. Use command `vol -f /mnt/d/Projects/dump.raw windows.filescan`

Expected behavior

The correct Size is reported

Example output

```
Volatility 3 Framework 2.5.0

Offset	Name	Size

0x910b71893a20	\Windows\System32\svchost.exe	216
0x910b73217210	\$Secure:$SDS:$DATA	216
0x910b732174f0	\$Secure:$SII:$INDEX_ALLOCATION	216
0x910b732177d0	\Windows\System32\drivers\stornvme.sys	216
0x910b73217940	\$Mft::$BITMAP	216
0x910b73217ab0	\:$I30:$INDEX_ALLOCATION	216
0x910b732181e0	\$MftMirr	216
0x910b73218630	\$LogFile	216
0x910b73218a80	\$Mft	216
0x910b73218d60	\Windows\System32\DriverStore\FileRepository\basicdisplay.inf_amd64_fc93ae411c02f280\BasicDisplay.sys	216
0x910b73218ed0	\$BitMap	216
0x910b734020a0	\$Extend\$RmMetadata\$TxfLog:$I30:$INDEX_ALLOCATION	216
0x910b73402380	\Windows\System32\drivers\dumpfve.sys	216
0x910b73402660	\$Extend\$UsnJrnl:$J:$DATA	216
0x910b73402940	\Device\HarddiskVolume3\$Extend\$RmMetadata\$TxfLog\$TxfLog	216
0x910b73402ab0	\$Directory	216
```

Additional information

dumpfiles correctly saves and extracts the correct size of the file object

kevthehermit, Nov 15 '23 11:11

So dumpfiles walks the pages that make up the contents of the stored file, whereas filescan just reads the Size member of the file object. This is a short and therefore will not be able to talk about files larger than 65535 bytes anyway. Looks like to get the accurate size we'll need to do the same thing as dumpfiles to walk the pages...

That'll be the code in either CONTROL_AREA or in SHARED_CACHE_MAP

Blech, looks like you go through the FileObject's SectionObjectPointer... Not fun. 5:S

ikelos, Nov 15 '23 11:11
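An added cross-check, written for this thread and not part of volatility3 or either poster's code: it parses the tab-separated `windows.filescan` table shown in the report and compares its Size column with the byte counts that `dumpfiles` actually extracted, flagging both the constant-size symptom and files too large for a 16-bit field. The sample rows and the dumped sizes (`DUMPED_SIZES`) are constructed here; in practice the latter would come from `os.path.getsize` on the files dumpfiles wrote.

```python
SHORT_MAX = 0xFFFF  # a 16-bit Size member cannot represent more than 65535

# Constructed subset of the filescan table from the report (tab-separated).
FILESCAN_SAMPLE = (
    "Volatility 3 Framework 2.5.0\n\n"
    "Offset\tName\tSize\n\n"
    "0x910b71893a20\t\\Windows\\System32\\svchost.exe\t216\n"
    "0x910b732177d0\t\\Windows\\System32\\drivers\\stornvme.sys\t216\n"
    "0x910b73218a80\t\\$Mft\t216\n"
)

# Constructed (hypothetical) lengths of the .dat files dumpfiles extracted
# for the same file-object offsets; real values come from os.path.getsize().
DUMPED_SIZES = {
    0x910b71893a20: 57_344,   # fits in 16 bits
    0x910b732177d0: 150_528,  # does not fit in 16 bits
    0x910b73218a80: 262_144,  # does not fit in 16 bits
}


def parse_filescan(text):
    """Return one dict per data row of a windows.filescan table."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[0].startswith("0x"):
            continue  # skip banner, column header and blank lines
        rows.append({"offset": int(parts[0], 16),
                     "name": parts[1],
                     "size": int(parts[2])})
    return rows


def size_column_looks_broken(rows):
    """True when every file reports the same size, as in the bug report."""
    return len(rows) > 1 and len({r["size"] for r in rows}) == 1


def cross_check(rows, dumped_sizes):
    """Compare filescan's Size with the extracted length per file object."""
    result = {}
    for r in rows:
        actual = dumped_sizes.get(r["offset"])
        if actual is None:
            continue  # dumpfiles did not extract this file object
        result[r["name"]] = {
            "filescan": r["size"],
            "dumped": actual,
            "match": r["size"] == actual,
            "fits_16_bits": actual <= SHORT_MAX,
        }
    return result
```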