From ba351f511d9e4427c3376bfa5d312e8253f85d9a Mon Sep 17 00:00:00 2001
From: eve
Date: Tue, 1 Oct 2024 06:36:56 +0100
Subject: [PATCH] Linux: Update malfind plugin to use symbols.symbol_table_is_64bit when determining if a 32bit OS is detected in the sample
---
volatility3/framework/plugins/linux/malfind.py | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/volatility3/framework/plugins/linux/malfind.py b/volatility3/framework/plugins/linux/malfind.py
index cf06ee0cc..18f3dcd56 100644
--- a/volatility3/framework/plugins/linux/malfind.py
+++ b/volatility3/framework/plugins/linux/malfind.py
@@ -5,7 +5,7 @@ from typing import List
import logging
from volatility3.framework import constants, interfaces
-from volatility3.framework import renderers
+from volatility3.framework import renderers, symbols
from volatility3.framework.configuration import requirements
from volatility3.framework.objects import utility
from volatility3.framework.renderers import format_hints
@@ -63,15 +63,9 @@ def _list_injections(self, task):
def _generator(self, tasks):
# determine if we're on a 32 or 64 bit kernel
vmlinux = self.context.modules[self.config["kernel"]]
- if (
- self.context.symbol_space.get_type(
- vmlinux.symbol_table_name + constants.BANG + "pointer"
- ).size
- == 4
- ):
- is_32bit_arch = True
- else:
- is_32bit_arch = False
+ is_32bit_arch = not symbols.symbol_table_is_64bit(
+ self.context, vmlinux.symbol_table_name
+ )
for task in tasks:
process_name = utility.array_to_string(task.comm)
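Review bot: The bitness is still decided once from the kernel's symbol table (`is_32bit_arch = not symbols.symbol_table_is_64bit(self.context, vmlinux.symbol_table_name)`) and then reused for every task in the `for task in tasks:` loop that follows, so on a 64-bit kernel a 32-bit compat process and its injected regions are classified as 64-bit; if `is_32bit_arch` later selects how injected code is disassembled (its use lies past the end of the hunk), a per-task check would be more accurate, and the commit swaps the helper without addressing this pre-existing limitation. The comment `# determine if we're on a 32 or 64 bit kernel` should at least make the scope explicit, e.g. `# kernel bitness, not per-task: 32-bit compat processes on a 64-bit kernel are treated as 64-bit`. Separately, `constants.BANG` was the removed lines' only visible use of `constants` in this method; if the rest of the file has no other use, the `from volatility3.framework import constants, interfaces` line in the first hunk is now an unused import and a lint pass would catch it. The body of `_generator` continues beyond the end of the hunk.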