From ed16cf1d37969de2a54d5634864b65fe928961d1 Mon Sep 17 00:00:00 2001
From: "U-BASIS\\cray" <cray@win-cray-2910.basistech.net>
Date: Tue, 10 Mar 2020 22:28:46 -0400
Subject: [PATCH] Minor fix to malfind

Specifying -W does not currently get applied to unified output, just text output. Update includes refined results for unified output.
---
 volatility/plugins/malware/malfind.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/volatility/plugins/malware/malfind.py b/volatility/plugins/malware/malfind.py
index 6fa5113d0..55b121cec 100644
--- a/volatility/plugins/malware/malfind.py
+++ b/volatility/plugins/malware/malfind.py
@@ -426,6 +426,8 @@ def generator(self, data):
         if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
             debug.error(self._config.DUMP_DIR + " is not a directory")
 
+        refined_criteria = ["MZ", "\x55\x8B"]
+
         for task in data:
             for vad, address_space in task.get_vads(vad_filter = task._injection_filter):
 
@@ -434,6 +436,9 @@ def generator(self, data):
 
                 content = address_space.zread(vad.Start, 64) 
 
+                if self._config.REFINED and content[0:2] not in refined_criteria:
+                    continue
+
                 yield (0, [str(task.ImageFileName), 
                            int(task.UniqueProcessId),
                            Address(vad.Start),