volatility3.framework.constants.windows package

Volatility 3 Windows Constants.

Windows-specific values that aren't found in debug symbols.

KERNEL_MODULE_NAMES = ['ntkrnlmp', 'ntkrnlpa', 'ntkrpamp', 'ntoskrnl']

The list of names that kernel modules can have within the Windows OS.

PE_MAX_EXTRACTION_SIZE = 268435456
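The page gives no description for this constant beyond its name and value (268435456 bytes, i.e. 256 MiB). The example below is added here and is not Volatility's own code; it assumes the constant is used as an upper bound on the size of a PE image reconstructed from a memory sample, so that a corrupted or deliberately overwritten in-memory header with an absurd SizeOfImage cannot make a dumper read hundreds of gigabytes of address space. The PE header parser, the toy flat address space and the sample headers are all constructed for the example.

```python
import struct

# Value shown on the page: 256 MiB cap on an extracted PE image.
PE_MAX_EXTRACTION_SIZE = 268435456

# Fixed PE format signatures (from the PE/COFF specification).
IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SIZE_OF_IMAGE_OFFSET = 0x38       # same offset in PE32 and PE32+ optional headers


def image_size_from_headers(data: bytes) -> int:
    """Return SizeOfImage from the optional header of an in-memory PE.

    Every pointer read from the header is bounds-checked before it is
    dereferenced; anything malformed raises ValueError rather than being
    trusted, because pages in a memory image may be partially paged out
    or overwritten.
    """
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew out of range")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER is 20 bytes; SizeOfOptionalHeader sits at its offset 16.
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]
    opt = e_lfanew + 4 + 20
    if size_of_optional < SIZE_OF_IMAGE_OFFSET + 4 or opt + size_of_optional > len(data):
        raise ValueError("optional header truncated")
    if struct.unpack_from("<H", data, opt)[0] not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    return struct.unpack_from("<I", data, opt + SIZE_OF_IMAGE_OFFSET)[0]


def extract_pe(memory: bytes, base: int, max_size: int = PE_MAX_EXTRACTION_SIZE) -> bytes:
    """Copy the PE mapped at `base` out of a flat toy address space.

    The copy length comes from SizeOfImage, which is attacker-/corruption-
    controlled data, so it is capped by `max_size` before any bulk read.
    """
    size = image_size_from_headers(memory[base:base + 0x1000])
    if size == 0 or size > max_size:
        raise ValueError(f"SizeOfImage 0x{size:x} exceeds extraction cap 0x{max_size:x}")
    return memory[base:base + size]


def is_extractable(memory: bytes, base: int) -> bool:
    """True if the image at `base` passes header validation and the size cap."""
    try:
        extract_pe(memory, base)
        return True
    except ValueError:
        return False


def build_test_header(size_of_image: int) -> bytes:
    """Constructed minimal PE32+ header (DOS stub, NT signature, file and optional headers)."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    # Machine=AMD64, no sections, SizeOfOptionalHeader=0xF0, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, SIZE_OF_IMAGE_OFFSET, size_of_image)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)


def constructed_address_space():
    """Constructed toy memory: one zero page, then a two-page PE mapped at 0x1000."""
    header = build_test_header(0x2000)
    memory = bytes(0x1000) + header + bytes(0x2000 - len(header))
    return memory, 0x1000


if __name__ == "__main__":
    mem, base = constructed_address_space()
    print(f"extracted {len(extract_pe(mem, base)):#x} bytes")
    bogus = bytes(0x1000) + build_test_header(PE_MAX_EXTRACTION_SIZE + 1)
    print("oversized image extractable:", is_extractable(bogus, 0x1000))
```

The cap deliberately applies to SizeOfImage rather than to the bytes actually present in the sample: a dumper that trusts the header would otherwise allocate and page in the full declared size before discovering most of it is unmapped.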

The following constants represent the layout of the Low Stub, which exists only on x64 machines with no virtualization/emulation and is responsible for transitioning from Real Mode (16-bit) to Protected Mode (32-bit) and Long Mode (64-bit) on boot and on return from sleep. They contain offsets to fields and structures within the undocumented structure _PROCESSOR_START_BLOCK. Here's a reference: https://github.com/mic101/windows/blob/master/WRK-v1.2/base/ntos/inc/amd64.h#L3334