#1780 - add LoadCount to dlllist output

Dave Lassalle · Dave Lassalle · commit 4d19181848d4 · 2025-04-17T16:42:17.000-05:00
diff --git a/volatility3/framework/plugins/windows/dlllist.py b/volatility3/framework/plugins/windows/dlllist.py
@@ -173,6 +173,10 @@ def _generator(self, procs):
                 except exceptions.InvalidAddressException:
                     size_of_image = renderers.NotAvailableValue()
 
+                LoadCount = entry.get_load_count()
+                if LoadCount is None:
+                    LoadCount = renderers.NotAvailableValue()
+
                 yield (
                     0,
                     (
@@ -186,6 +190,7 @@ def _generator(self, procs):
                         size_of_image,
                         BaseDllName,
                         FullDllName,
+                        LoadCount,
                         DllLoadTime,
                         file_output,
                     ),
@@ -232,6 +237,7 @@ def run(self):
                 ("Size", format_hints.Hex),
                 ("Name", str),
                 ("Path", str),
+                ("LoadCount", int),
                 ("LoadTime", datetime.datetime),
                 ("File output", str),
             ],
diff --git a/volatility3/framework/symbols/windows/__init__.py b/volatility3/framework/symbols/windows/__init__.py
@@ -41,6 +41,7 @@ def __init__(self, *args, **kwargs) -> None:
         self.set_type_class("_POOL_TRACKER_BIG_PAGES", pool.POOL_TRACKER_BIG_PAGES)
         self.set_type_class("_IMAGE_DOS_HEADER", pe.IMAGE_DOS_HEADER)
         self.set_type_class("_KTIMER", extensions.KTIMER)
+        self.set_type_class("_LDR_DATA_TABLE_ENTRY", extensions.LDR_DATA_TABLE_ENTRY)
 
         # Might not necessarily defined in every version of windows
         self.optional_set_type_class("_IMAGE_NT_HEADERS", pe.IMAGE_NT_HEADERS)
diff --git a/volatility3/framework/symbols/windows/extensions/__init__.py b/volatility3/framework/symbols/windows/extensions/__init__.py
@@ -1710,3 +1710,17 @@ def get_available_pages(self) -> List:
                     )
 
         return vacb_list
+
+class LDR_DATA_TABLE_ENTRY(objects.StructType):
+    def get_load_count(self) -> Optional[int]:
+        try:
+            LoadCount = self.LoadCount
+        except:
+            try:
+                LoadCount = self.ObsoleteLoadCount
+            except:
+                LoadCount = None
+        if LoadCount == 65535:
+            LoadCount = -1
+
+        return LoadCount
