Merge pull request #1027 from daddycocoaman/fix/pdbutility-signature

fix guid and pdb_name for #1026

requirements-dev.txt

@@ -1,5 +1,5 @@
 # The following packages are required for core functionality.
-pefile>=2017.8.1
+pefile>=2023.2.7
 
 # The following packages are optional.
 # If certain packages are not necessary, place a comment (#) at the start of the line.

requirements-minimal.txt

@@ -1,2 +1,2 @@
 # These packages are required for core functionality.
-pefile>=2017.8.1 #foo
+pefile>=2023.2.7 #foo

requirements.txt

@@ -1,5 +1,5 @@
 # The following packages are required for core functionality.
-pefile>=2017.8.1
+pefile>=2023.2.7
 
 # The following packages are optional.
 # If certain packages are not necessary, place a comment (#) at the start of the line.

volatility3/framework/symbols/windows/pdbutil.py

@@ -9,6 +9,7 @@
 import os
 import re
 import struct
+from pathlib import PureWindowsPath
 from typing import Any, Dict, Generator, List, Optional, Tuple, Union
 from urllib import parse, request
 
@@ -226,13 +227,12 @@ def get_guid_from_mz(
             return None
 
         pdb_name = debug_entry.PdbFileName.decode("utf-8").strip("\x00")
+
+        # Let pathlib do the filename extraction. This will likely always be a Windows path though.
+        pdb_name = PureWindowsPath(pdb_name).name
+
         age = debug_entry.Age
-        guid = "{:08x}{:04x}{:04x}{}".format(
-            debug_entry.Signature_Data1,
-            debug_entry.Signature_Data2,
-            debug_entry.Signature_Data3,
-            binascii.hexlify(debug_entry.Signature_Data4).decode("utf-8"),
-        )
+        guid = debug_entry.Signature_String[:32]  # Removes the Age from the GUID
         return guid, age, pdb_name
 
     @classmethod