Merge pull request #1596 from volatilityfoundation/vma_get_name_fixes

ikelos · web-flow · commit 44ae4f137e00 · 2025-02-07T19:35:18.000Z
Fix get_name API, fix malfind
diff --git a/volatility3/framework/plugins/linux/elfs.py b/volatility3/framework/plugins/linux/elfs.py
@@ -177,7 +177,7 @@ def _generator(self, tasks):
                         name,
                         format_hints.Hex(vma.vm_start),
                         format_hints.Hex(vma.vm_end),
-                        path,
+                        path or renderers.NotAvailableValue(),
                         file_output,
                     ),
                 )
diff --git a/volatility3/framework/plugins/linux/malfind.py b/volatility3/framework/plugins/linux/malfind.py
@@ -2,7 +2,7 @@
 # which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
 #
 
-from typing import List
+from typing import List, Tuple, Optional
 import logging
 from volatility3.framework import interfaces
 from volatility3.framework import renderers, symbols
@@ -39,7 +39,9 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
             ),
         ]
 
-    def _list_injections(self, task):
+    def _list_injections(
+        self, task
+    ) -> Tuple[interfaces.objects.ObjectInterface, Optional[str], bytes]:
         """Generate memory regions for a process that may contain injected
         code."""
 
@@ -54,12 +56,9 @@ def _list_injections(self, task):
             vollog.debug(
                 f"Injections : processing PID {task.pid} : VMA {vma_name} : {hex(vma.vm_start)}-{hex(vma.vm_end)}"
             )
-            if (
-                vma.is_suspicious(proc_layer)
-                and vma.get_name(self.context, task) != "[vdso]"
-            ):
+            if vma.is_suspicious(proc_layer) and vma_name != "[vdso]":
                 data = proc_layer.read(vma.vm_start, 64, pad=True)
-                yield vma, data
+                yield vma, vma_name, data
 
     def _generator(self, tasks):
         # determine if we're on a 32 or 64 bit kernel
@@ -71,7 +70,7 @@ def _generator(self, tasks):
         for task in tasks:
             process_name = utility.array_to_string(task.comm)
 
-            for vma, data in self._list_injections(task):
+            for vma, vma_name, data in self._list_injections(task):
                 if is_32bit_arch:
                     architecture = "intel"
                 else:
@@ -88,6 +87,7 @@ def _generator(self, tasks):
                         process_name,
                         format_hints.Hex(vma.vm_start),
                         format_hints.Hex(vma.vm_end),
+                        vma_name or renderers.NotAvailableValue(),
                         vma.get_protection(),
                         format_hints.HexBytes(data),
                         disasm,
@@ -103,6 +103,7 @@ def run(self):
                 ("Process", str),
                 ("Start", format_hints.Hex),
                 ("End", format_hints.Hex),
+                ("Path", str),
                 ("Protection", str),
                 ("Hexdump", format_hints.HexBytes),
                 ("Disasm", interfaces.renderers.Disassembly),
diff --git a/volatility3/framework/plugins/linux/proc.py b/volatility3/framework/plugins/linux/proc.py
@@ -246,7 +246,7 @@ def vma_filter_function(x: interfaces.objects.ObjectInterface) -> bool:
                         major,
                         minor,
                         inode_num,
-                        path,
+                        path or renderers.NotAvailableValue(),
                         file_output,
                     ),
                 )
diff --git a/volatility3/framework/symbols/linux/extensions/__init__.py b/volatility3/framework/symbols/linux/extensions/__init__.py
@@ -1163,7 +1163,7 @@ def get_page_offset(self) -> int:
         parent_layer = self._context.layers[self.vol.layer_name]
         return self.vm_pgoff << parent_layer.page_shift
 
-    def get_name(self, context, task):
+    def _do_get_name(self, context, task) -> str:
         if self.vm_file != 0:
             fname = linux.LinuxUtilities.path_for_file(context, task, self.vm_file)
         elif self.vm_start <= task.mm.start_brk and self.vm_end >= task.mm.brk:
@@ -1179,6 +1179,12 @@ def get_name(self, context, task):
             fname = "Anonymous Mapping"
         return fname
 
+    def get_name(self, context, task) -> Optional[str]:
+        try:
+            return self._do_get_name(context, task)
+        except exceptions.InvalidAddressException:
+            return None
+
     # used by malfind
     def is_suspicious(self, proclayer=None):
         ret = False

Original file line number	Diff line number	Diff line change
`@@ -177,7 +177,7 @@ def _generator(self, tasks):`
`177`	`177`	`name,`
`178`	`178`	`format_hints.Hex(vma.vm_start),`
`179`	`179`	`format_hints.Hex(vma.vm_end),`
`180`		`- path,`
	`180`	`+ path or renderers.NotAvailableValue(),`
`181`	`181`	`file_output,`
`182`	`182`	`),`
`183`	`183`	`)`
Original file line number	Diff line number	Diff line change
`@@ -246,7 +246,7 @@ def vma_filter_function(x: interfaces.objects.ObjectInterface) -> bool:`
`246`	`246`	`major,`
`247`	`247`	`minor,`
`248`	`248`	`inode_num,`
`249`		`- path,`
	`249`	`+ path or renderers.NotAvailableValue(),`
`250`	`250`	`file_output,`
`251`	`251`	`),`
`252`	`252`	`)`