From 15a51cf1ec1e139193097976c115c820861bc034 Mon Sep 17 00:00:00 2001
From: Gustavo Moreira
Date: Mon, 14 Oct 2024 16:13:56 +1100
Subject: [PATCH 1/3] Linux - Add hlist_head object extension. Fix #1313
---
 .../framework/symbols/linux/__init__.py | 1 +
 .../symbols/linux/extensions/__init__.py | 39 ++++++++++++++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/volatility3/framework/symbols/linux/__init__.py b/volatility3/framework/symbols/linux/__init__.py
index 219f120ee..1b7a331f8 100644
--- a/volatility3/framework/symbols/linux/__init__.py
+++ b/volatility3/framework/symbols/linux/__init__.py
@@ -22,6 +22,7 @@ def __init__(self, *args, **kwargs) -> None:
 # Set-up Linux specific types
 self.set_type_class("file", extensions.struct_file)
 self.set_type_class("list_head", extensions.list_head)
+ self.set_type_class("hlist_head", extensions.hlist_head)
 self.set_type_class("mm_struct", extensions.mm_struct)
 self.set_type_class("super_block", extensions.super_block)
 self.set_type_class("task_struct", extensions.task_struct)
diff --git a/volatility3/framework/symbols/linux/extensions/__init__.py b/volatility3/framework/symbols/linux/extensions/__init__.py
index aa18b8262..4b1df2a0b 100644
--- a/volatility3/framework/symbols/linux/extensions/__init__.py
+++ b/volatility3/framework/symbols/linux/extensions/__init__.py
@@ -844,7 +844,7 @@ def get_subdirs(self) -> interfaces.objects.ObjectInterface:
 if self.has_member("d_sib") and self.has_member("d_children"):
 # kernels >= 6.8
 walk_member = "d_sib"
- list_head_member = self.d_children.first
+ list_head_member = self.d_children
 elif self.has_member("d_child") and self.has_member("d_subdirs"):
 # 2.5.0 <= kernels < 6.8
 walk_member = "d_child"
@@ -961,6 +961,43 @@ def __iter__(self) -> Iterator[interfaces.objects.ObjectInterface]:
 return self.to_list(self.vol.parent.vol.type_name, self.vol.member_name)
+class hlist_head(objects.StructType, collections.abc.Iterable):
+ def to_list(
+ self,
+ symbol_type: str,
+ member: str,
+ ) -> Iterator[interfaces.objects.ObjectInterface]:
+ """Returns an iterator of the entries in the list.
+
+ This is a doubly linked list; however, it is not circular, so the 'forward' field
+ doesn't make sense. Also, the sentinel concept doesn't make sense here either;
+ unlike list_head, the head and nodes each have their own distinct types. A list_head
+ cannot be a node by itself.
+ - The 'pprev' of the first 'hlist_node' points to the 'hlist_head', not to the last node.
+ - The last element 'next' member is NULL
+
+ Args:
+ symbol_type: Type of the list elements
+ member: Name of the list_head member in the list elements
+
+ Yields:
+ Objects of the type specified via the "symbol_type" argument.
+
+ """
+ vmlinux = linux.LinuxUtilities.get_module_from_volobj_type(self._context, self)
+
+ current = self.first
+ while current and current.is_readable():
+ yield linux.LinuxUtilities.container_of(
+ current, symbol_type, member, vmlinux
+ )
+
+ current = current.next
+
+ def __iter__(self) -> Iterator[interfaces.objects.ObjectInterface]:
+ return self.to_list(self.vol.parent.vol.type_name, self.vol.member_name)
+
+
 class files_struct(objects.StructType):
 def get_fds(self) -> interfaces.objects.ObjectInterface:
 if self.has_member("fdt"):
From f00c4c3c392a26bea29ba87d961c3a8f51092829 Mon Sep 17 00:00:00 2001
From: Gustavo Moreira
Date: Mon, 14 Oct 2024 16:35:43 +1100
Subject: [PATCH 2/3] Allows to create objects when using the same symbol table
---
 volatility3/framework/contexts/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/volatility3/framework/contexts/__init__.py b/volatility3/framework/contexts/__init__.py
index 4c169728c..6961d9328 100644
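Review bot: The walk in `hlist_head.to_list` has no cycle guard: `while current and current.is_readable()` keeps following `current.next` read from the memory image until it reaches NULL or an unreadable address, so a smeared or tampered `hlist_node` chain that points back into itself makes the generator yield forever. Acquired memory is untrusted input for this code, so the loop should remember visited node offsets and stop on a repeat, for example `seen = set()` before the loop and `if current.vol.offset in seen: break` followed by `seen.add(current.vol.offset)` at the top of the body. Patch 3/3 of this series deletes `__iter__` while the class line here keeps `collections.abc.Iterable` as a base; if the object metaclass enforces abstract methods, that base needs to be dropped as well. The docstring also says "A list_head cannot be a node by itself" and documents `member` as the "list_head member", where `hlist_head` and the `hlist_node` member appear to be meant.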
--- a/volatility3/framework/contexts/__init__.py
+++ b/volatility3/framework/contexts/__init__.py
@@ -245,7 +245,7 @@ def object(
 """
 if constants.BANG not in object_type:
 object_type = self.symbol_table_name + constants.BANG + object_type
- else:
+ elif not object_type.startswith(self.symbol_table_name + constants.BANG):
 raise ValueError(
 "Cannot reference another module when constructing an object"
 )
From db8667f88abec074f3165ecfd04219e7ef72fbd1 Mon Sep 17 00:00:00 2001
From: Gustavo Moreira
Date: Wed, 23 Oct 2024 08:55:44 +1100
Subject: [PATCH 3/3] Linux - Fix hlist_head object extension by dropping the iterator since it can't determine the correct member_name
---
 volatility3/framework/symbols/linux/extensions/__init__.py | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/volatility3/framework/symbols/linux/extensions/__init__.py b/volatility3/framework/symbols/linux/extensions/__init__.py
index 4b1df2a0b..acf78278b 100644
--- a/volatility3/framework/symbols/linux/extensions/__init__.py
+++ b/volatility3/framework/symbols/linux/extensions/__init__.py
@@ -994,9 +994,6 @@ def to_list(
 current = current.next
- def __iter__(self) -> Iterator[interfaces.objects.ObjectInterface]:
- return self.to_list(self.vol.parent.vol.type_name, self.vol.member_name)
-
 class files_struct(objects.StructType):
 def get_fds(self) -> interfaces.objects.ObjectInterface: