From 9f145ddcf0ddb84cf7ae45585ce7e9da0d204a17 Mon Sep 17 00:00:00 2001 From: Abyss Watcher Date: Fri, 15 Nov 2024 17:04:33 +0100 Subject: [PATCH 01/11] pillow dependency --- requirements.txt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/requirements.txt b/requirements.txt index e0d366391..21c8f9a76 100644 --- a/requirements.txt +++ b/requirements.txt @@ -21,3 +21,9 @@ leechcorepyc>=2.4.0; sys_platform != 'darwin' # This is required for memory analysis on a Amazon/MinIO S3 and Google Cloud object storage gcsfs>=2023.1.0 s3fs>=2023.1.0 + +# This is required by plugins that manipulate pixels and images. +# https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst +# 10.0.0 dropped support for Python3.7 +# 11.0.0 dropped support for Python3.8, which is still supported by Volatility3 +pillow>=10.0.0,<11.0.0 \ No newline at end of file From 36a18f405b8ba7605ca957ca47d540a5b7c520d7 Mon Sep 17 00:00:00 2001 From: Abyss Watcher Date: Fri, 15 Nov 2024 17:05:23 +0100 Subject: [PATCH 02/11] fourcc code converter helper --- volatility3/framework/symbols/linux/__init__.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/volatility3/framework/symbols/linux/__init__.py b/volatility3/framework/symbols/linux/__init__.py index 3289775b6..573bc66d8 100644 --- a/volatility3/framework/symbols/linux/__init__.py +++ b/volatility3/framework/symbols/linux/__init__.py @@ -483,6 +483,22 @@ def get_module_from_volobj_type( return kernel + @classmethod + def convert_fourcc_code(cls, code: int) -> str: + """Convert a fourcc integer back to its fourcc string representation. + + Args: + code: the numerical representation of the fourcc + + Returns: + The fourcc code string. + """ + + code_bytes_length = (code.bit_length() + 7) // 8 + return "".join( + [chr((code >> (i * 8)) & 0xFF) for i in range(code_bytes_length)] + ) + class IDStorage(ABC): """Abstraction to support both XArray and RadixTree""" From a7620cd6f659dfa685a445536a240182225a778c Mon Sep 17 00:00:00 2001 From: Abyss Watcher Date: Fri, 15 Nov 2024 17:09:21 +0100 Subject: [PATCH 03/11] linux fbdev subsystem api plugin --- .../framework/plugins/linux/graphics/fbdev.py | 314 ++++++++++++++++++ 1 file changed, 314 insertions(+) create mode 100644 volatility3/framework/plugins/linux/graphics/fbdev.py diff --git a/volatility3/framework/plugins/linux/graphics/fbdev.py b/volatility3/framework/plugins/linux/graphics/fbdev.py new file mode 100644 index 000000000..4bde6f62f --- /dev/null +++ b/volatility3/framework/plugins/linux/graphics/fbdev.py @@ -0,0 +1,314 @@ +# This file is Copyright 2024 Volatility Foundation and licensed under the Volatility Software License 1.0 +# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0 +# +import logging +import io + +# Image manipulation functions are kept in the plugin, +# to prevent a general exit on missing PIL (pillow) dependency. +from PIL import Image +from dataclasses import dataclass +from typing import Type, List, Dict, Tuple +from volatility3.framework import constants, exceptions, interfaces +from volatility3.framework.configuration import requirements +from volatility3.framework.renderers import format_hints, TreeGrid, NotAvailableValue +from volatility3.framework.objects import utility +from volatility3.framework.constants import architectures +from volatility3.framework.symbols import linux + +vollog = logging.getLogger(__name__) + + +@dataclass +class Framebuffer: + """Framebuffer object internal representation. This is useful to unify an framebuffer with precalculated + properties and pass it through functions conveniently.""" + + id: str + xres_virtual: int + yres_virtual: int + line_length: int + bpp: int + """Bits Per Pixel""" + size: int + color_fields: Dict[str, Tuple[int, int, int]] + fb_info: interfaces.objects.ObjectInterface + + +class Fbdev(interfaces.plugins.PluginInterface): + """Extract framebuffers from the fbdev graphics subsystem""" + + _version = (1, 0, 0) + _required_framework_version = (2, 11, 0) + + @classmethod + def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: + return [ + requirements.ModuleRequirement( + name="kernel", + description="Linux kernel", + architectures=architectures.LINUX_ARCHS, + ), + requirements.BooleanRequirement( + name="dump", + description="Dump framebuffers", + default=False, + optional=True, + ), + ] + + @classmethod + def parse_fb_pixel_bitfields( + cls, fb_var_screeninfo: interfaces.objects.ObjectInterface + ) -> Dict[str, Tuple[int, int, int]]: + """Organize a framebuffer pixel format into a dictionary. + This is needed to know the position and bitlength of a color inside + a pixel. + + Args: + fb_var_screeninfo: a fb_var_screeninfo kernel object instance + + Returns: + The color fields mappings + + Documentation: + include/uapi/linux/fb.h: + struct fb_bitfield { + __u32 offset; /* beginning of bitfield */ + __u32 length; /* length of bitfield */ + __u32 msb_right; /* != 0 : Most significant bit is right */ + }; + """ + # Naturally order by RGBA + color_mappings = [ + ("R", fb_var_screeninfo.red), + ("G", fb_var_screeninfo.green), + ("B", fb_var_screeninfo.blue), + ("A", fb_var_screeninfo.transp), + ] + color_fields = {} + for color_code, fb_bitfield in color_mappings: + color_fields[color_code] = ( + int(fb_bitfield.offset), + int(fb_bitfield.length), + int(fb_bitfield.msb_right), + ) + return color_fields + + @classmethod + def convert_fb_raw_buffer_to_image( + cls, + context: interfaces.context.ContextInterface, + kernel_name: str, + fb: Framebuffer, + ) -> Image.Image: + """Convert raw framebuffer pixels to an image. + + Args: + fb: the relevant Framebuffer object + + Returns: + A PIL Image object + + Documentation: + include/uapi/linux/fb.h: + /* Interpretation of offset for color fields: All offsets are from the right, + * inside a "pixel" value, which is exactly 'bits_per_pixel' wide (means: you + * can use the offset as right argument to <<). A pixel afterwards is a bit + * stream and is written to video memory as that unmodified. + """ + kernel = context.modules[kernel_name] + kernel_layer = context.layers[kernel.layer_name] + + raw_pixels = io.BytesIO(kernel_layer.read(fb.fb_info.screen_base, fb.size)) + bytes_per_pixel = fb.bpp // 8 + image = Image.new("RGBA", (fb.xres_virtual, fb.yres_virtual)) + + # This is not designed to be extremely fast (numpy isn't available), + # but convenient and dynamic for any color field layout. + for y in range(fb.yres_virtual): + for x in range(fb.xres_virtual): + raw_pixel = int.from_bytes(raw_pixels.read(bytes_per_pixel), "little") + pixel = [0, 0, 0, 255] + # The framebuffer is expected to have been correctly constructed, + # especially by parse_fb_pixel_bitfields, to get the needed RGBA mappings. + for i, color_code in enumerate(["R", "G", "B", "A"]): + offset, length, msb_right = fb.color_fields[color_code] + if length == 0: + continue + color_value = (raw_pixel >> offset) & (2**length - 1) + if msb_right: + # Reverse bit order + color_value = int( + "{:0{length}b}".format(color_value, length=length)[::-1], 2 + ) + pixel[i] = color_value + image.putpixel((x, y), tuple(pixel)) + + return image + + @classmethod + def dump_fb( + cls, + context: interfaces.context.ContextInterface, + kernel_name: str, + open_method: Type[interfaces.plugins.FileHandlerInterface], + fb: Framebuffer, + convert_to_image: bool, + image_format: str = "PNG", + ) -> str: + """Dump a Framebuffer raw buffer to disk. + + Args: + fb: the relevant Framebuffer object + convert_to_image: a boolean specifying if the buffer should be converted to an image + image_format: the target PIL image format (defaults to PNG) + + Returns: + The filename of the dumped buffer. + """ + kernel = context.modules[kernel_name] + kernel_layer = context.layers[kernel.layer_name] + base_filename = f"{fb.id}_{fb.xres_virtual}x{fb.yres_virtual}_{fb.bpp}bpp" + if convert_to_image: + image = cls.convert_fb_raw_buffer_to_image(context, kernel_name, fb) + output = io.BytesIO() + image.save(output, image_format) + file_handle = open_method(f"{base_filename}.{image_format.lower()}") + file_handle.write(output.getvalue()) + else: + raw_pixels = kernel_layer.read(fb.fb_info.screen_base, fb.size) + file_handle = open_method(f"{base_filename}.raw") + file_handle.write(raw_pixels) + + file_handle.close() + return file_handle.preferred_filename + + @classmethod + def parse_fb_info( + cls, + fb_info: interfaces.objects.ObjectInterface, + ) -> Framebuffer: + """Parse an fb_info struct + Args: + fb_info: an fb_info kernel object live instance + + Returns: + A Framebuffer object + + Documentation: + https://docs.kernel.org/fb/api.html: + - struct fb_fix_screeninfo stores device independent unchangeable information about the frame buffer device and the current format. + Those information can't be directly modified by applications, but can be changed by the driver when an application modifies the format. + - struct fb_var_screeninfo stores device independent changeable information about a frame buffer device, its current format and video mode, + as well as other miscellaneous parameters. + """ + # NotAvailableValue() messes with the filename output on disk + id = utility.array_to_string(fb_info.fix.id) or "N-A" + color_fields = None + + # 0 = color, 1 = grayscale, >1 = FOURCC + if fb_info.var.grayscale in [0, 1]: + color_fields = cls.parse_fb_pixel_bitfields(fb_info.var) + + # There a lot of tricky pixel formats used by drivers and vendors in include/uapi/linux/videodev2.h. + # As Volatility3 is not a video format converter, it is best to play it safe and let the user parse + # the raw data manually (with ffmpeg for example). + elif fb_info.var.grayscale > 1: + fourcc = linux.LinuxUtilities.convert_fourcc_code(fb_info.var.grayscale) + warn_msg = f"""Framebuffer "{id}" uses a FOURCC pixel format "{fourcc}" that isn't natively supported. +You can try using ffmpeg to decode the raw buffer. Example usage: +"ffmpeg -pix_fmts" to list supported formats, then +"ffmpeg -f rawvideo -video_size {fb_info.var.xres_virtual}x{fb_info.var.yres_virtual} -i .raw -pix_fmt output.png".""" + vollog.warning(warn_msg) + + # Prefer using the virtual resolution, instead of the visible one. + # This prevents missing non-visible data stored in the framebuffer. + fb = Framebuffer( + id, + xres_virtual=fb_info.var.xres_virtual, + yres_virtual=fb_info.var.yres_virtual, + line_length=fb_info.fix.line_length, + bpp=fb_info.var.bits_per_pixel, + size=fb_info.var.yres_virtual * fb_info.fix.line_length, + color_fields=color_fields, + fb_info=fb_info, + ) + + return fb + + def _generator(self): + kernel_name = self.config["kernel"] + kernel = self.context.modules[kernel_name] + + if not kernel.has_symbol("num_registered_fb"): + raise exceptions.SymbolError( + "num_registered_fb", + kernel.symbol_table_name, + "The provided symbol does not exist in the symbol table. This means you are either analyzing an unsupported kernel version or that your symbol table is corrupt.", + ) + + num_registered_fb = kernel.object_from_symbol("num_registered_fb") + if num_registered_fb < 1: + vollog.info("No registered framebuffer in the fbdev API.") + return None + + registered_fb = kernel.object_from_symbol("registered_fb") + fb_info_list = utility.array_of_pointers( + registered_fb, + num_registered_fb, + kernel.symbol_table_name + constants.BANG + "fb_info", + self.context, + ) + + for fb_info in fb_info_list: + fb = self.parse_fb_info(fb_info) + file_output = "Disabled" + if self.config["dump"]: + try: + file_output = self.dump_fb( + self.context, kernel_name, self.open, fb, bool(fb.color_fields) + ) + except exceptions.InvalidAddressException as excp: + vollog.error( + f'Layer {excp.layer_name} failed to read address {hex(excp.invalid_address)} when dumping framebuffer "{fb.id}".' + ) + file_output = "Error" + + try: + fb_device_name = utility.pointer_to_string( + fb.fb_info.dev.kobj.name, 256 + ) + except exceptions.InvalidAddressException: + fb_device_name = NotAvailableValue() + + yield ( + 0, + ( + format_hints.Hex(fb.fb_info.screen_base), + fb_device_name, + fb.id, + fb.size, + f"{fb.xres_virtual}x{fb.yres_virtual}", + fb.bpp, + "RUNNING" if fb.fb_info.state == 0 else "SUSPENDED", + str(file_output), + ), + ) + + def run(self): + columns = [ + ("Address", format_hints.Hex), + ("Device", str), + ("ID", str), + ("Size", int), + ("Virtual resolution", str), + ("BPP", int), + ("State", str), + ("Filename", str), + ] + + return TreeGrid( + columns, + self._generator(), + ) From f192437a944f56ec3b8eae186d61f3049e691e80 Mon Sep 17 00:00:00 2001 From: Abyss Watcher Date: Fri, 15 Nov 2024 17:11:11 +0100 Subject: [PATCH 04/11] typo --- volatility3/framework/plugins/linux/graphics/fbdev.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/volatility3/framework/plugins/linux/graphics/fbdev.py b/volatility3/framework/plugins/linux/graphics/fbdev.py index 4bde6f62f..60e00d033 100644 --- a/volatility3/framework/plugins/linux/graphics/fbdev.py +++ b/volatility3/framework/plugins/linux/graphics/fbdev.py @@ -21,7 +21,7 @@ @dataclass class Framebuffer: - """Framebuffer object internal representation. This is useful to unify an framebuffer with precalculated + """Framebuffer object internal representation. This is useful to unify a framebuffer with precalculated properties and pass it through functions conveniently.""" id: str From 88eb2aa88648180439e4d5311c9bf49ef2ae9363 Mon Sep 17 00:00:00 2001 From: Abyss Watcher Date: Sat, 21 Dec 2024 13:22:04 +0100 Subject: [PATCH 05/11] switch pillow to pyproject.toml --- pyproject.toml | 78 ++++++++++++++++++++++++++++++++++++++++++++---- requirements.txt | 29 ------------------ 2 files changed, 72 insertions(+), 35 deletions(-) delete mode 100644 requirements.txt diff --git a/pyproject.toml b/pyproject.toml index 2e1636a43..c8b2971e1 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -8,13 +8,55 @@ authors = [ ] requires-python = ">=3.8.0" license = { text = "VSL" } -dynamic = ["dependencies", "optional-dependencies", "version"] +dynamic = ["version"] + +dependencies = [ + "pefile>=2024.8.26", +] + +[project.optional-dependencies] +full = [ + "yara-python>=4.5.1,<5", + "capstone>=5.0.3,<6", + "pycryptodome>=3.21.0,<4", + "leechcorepyc>=2.19.2,<3; sys_platform != 'darwin'", + # https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst + # 10.0.0 dropped support for Python3.7 + # 11.0.0 dropped support for Python3.8, which is still supported by Volatility3 + "pillow>=10.0.0,<11.0.0", +] + +cloud = [ + "gcsfs>=2024.10.0", + "s3fs>=2024.10.0", +] + +dev = [ + "volatility3[full,cloud]", + "jsonschema>=4.23.0,<5", + "pyinstaller>=6.11.0,<7", + "pyinstaller-hooks-contrib>=2024.9", +] + +test = [ + "volatility3[dev]", + "pytest>=8.3.3,<9", + "capstone>=5.0.3,<6", + "yara-x>=0.10.0,<1", +] + +docs = [ + "volatility3[dev]", + "sphinx>=8.0.0,<7", + "sphinx-autodoc-typehints>=2.5.0,<3", + "sphinx-rtd-theme>=3.0.1,<4", +] [project.urls] -Homepage = "https://github.com/volatilityfoundation/volatility3/" -"Bug Tracker" = "https://github.com/volatilityfoundation/volatility3/issues" -Documentation = "https://volatility3.readthedocs.io/" -"Source Code" = "https://github.com/volatilityfoundation/volatility3" +homepage = "https://github.com/volatilityfoundation/volatility3/" +documentation = "https://volatility3.readthedocs.io/" +repository = "https://github.com/volatilityfoundation/volatility3" +issues = "https://github.com/volatilityfoundation/volatility3/issues" [project.scripts] vol = "volatility3.cli:main" @@ -22,11 +64,35 @@ volshell = "volatility3.cli.volshell:main" [tool.setuptools.dynamic] version = { attr = "volatility3.framework.constants._version.PACKAGE_VERSION" } -dependencies = { file = "requirements-minimal.txt" } [tool.setuptools.packages.find] include = ["volatility3*"] +[tool.mypy] +mypy_path = "./stubs" +show_traceback = true + +[tool.mypy.overrides] +ignore_missing_imports = true + +[tool.ruff] +line-length = 88 +target-version = "py38" + +[tool.ruff.lint] +select = [ + "F", # pyflakes + "E", # pycodestyle errors + "W", # pycodestyle warnings + "G", # flake8-logging-format + "PIE", # flake8-pie + "UP", # pyupgrade +] + +ignore = [ + "E501", # ignore due to conflict with formatter +] + [build-system] requires = ["setuptools>=68"] build-backend = "setuptools.build_meta" diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index 21c8f9a76..000000000 --- a/requirements.txt +++ /dev/null @@ -1,29 +0,0 @@ -# Include the minimal requirements --r requirements-minimal.txt - -# The following packages are optional. -# If certain packages are not necessary, place a comment (#) at the start of the line. - -# This is required for the yara plugins -yara-python>=3.8.0 - -# This is required for several plugins that perform malware analysis and disassemble code. -# It can also improve accuracy of Windows 8 and later memory samples. -# FIXME: Version 6.0.0 is incompatible (#1336) so we'll need an adaptor at some point -capstone>=3.0.5,<6.0.0 - -# This is required by plugins that decrypt passwords, password hashes, etc. -pycryptodome - -# This is required for memory acquisition via leechcore/pcileech. -leechcorepyc>=2.4.0; sys_platform != 'darwin' - -# This is required for memory analysis on a Amazon/MinIO S3 and Google Cloud object storage -gcsfs>=2023.1.0 -s3fs>=2023.1.0 - -# This is required by plugins that manipulate pixels and images. -# https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst -# 10.0.0 dropped support for Python3.7 -# 11.0.0 dropped support for Python3.8, which is still supported by Volatility3 -pillow>=10.0.0,<11.0.0 \ No newline at end of file From f6a54c5c48b6ba47a334956cb7994fecfcf14f0c Mon Sep 17 00:00:00 2001 From: Abyss Watcher Date: Sat, 21 Dec 2024 13:31:29 +0100 Subject: [PATCH 06/11] ruff fix --- volatility3/framework/plugins/linux/graphics/fbdev.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/volatility3/framework/plugins/linux/graphics/fbdev.py b/volatility3/framework/plugins/linux/graphics/fbdev.py index 60e00d033..7144e081a 100644 --- a/volatility3/framework/plugins/linux/graphics/fbdev.py +++ b/volatility3/framework/plugins/linux/graphics/fbdev.py @@ -218,7 +218,7 @@ def parse_fb_info( fourcc = linux.LinuxUtilities.convert_fourcc_code(fb_info.var.grayscale) warn_msg = f"""Framebuffer "{id}" uses a FOURCC pixel format "{fourcc}" that isn't natively supported. You can try using ffmpeg to decode the raw buffer. Example usage: -"ffmpeg -pix_fmts" to list supported formats, then +"ffmpeg -pix_fmts" to list supported formats, then "ffmpeg -f rawvideo -video_size {fb_info.var.xres_virtual}x{fb_info.var.yres_virtual} -i .raw -pix_fmt output.png".""" vollog.warning(warn_msg) From 7caf8c572a4629a2a235a974e6dfff112ccabecd Mon Sep 17 00:00:00 2001 From: Abyss Watcher Date: Sun, 22 Dec 2024 14:03:26 +0100 Subject: [PATCH 07/11] PIL import graceful exit --- .../framework/plugins/linux/graphics/fbdev.py | 21 +++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/volatility3/framework/plugins/linux/graphics/fbdev.py b/volatility3/framework/plugins/linux/graphics/fbdev.py index 7144e081a..28cae8000 100644 --- a/volatility3/framework/plugins/linux/graphics/fbdev.py +++ b/volatility3/framework/plugins/linux/graphics/fbdev.py @@ -4,9 +4,6 @@ import logging import io -# Image manipulation functions are kept in the plugin, -# to prevent a general exit on missing PIL (pillow) dependency. -from PIL import Image from dataclasses import dataclass from typing import Type, List, Dict, Tuple from volatility3.framework import constants, exceptions, interfaces @@ -16,6 +13,15 @@ from volatility3.framework.constants import architectures from volatility3.framework.symbols import linux +# Image manipulation functions are kept in the plugin, +# to prevent a general exit on missing PIL (pillow) dependency. +try: + from PIL import Image + + has_pil = True +except ImportError: + has_pil = False + vollog = logging.getLogger(__name__) @@ -101,7 +107,7 @@ def convert_fb_raw_buffer_to_image( context: interfaces.context.ContextInterface, kernel_name: str, fb: Framebuffer, - ) -> Image.Image: + ): """Convert raw framebuffer pixels to an image. Args: @@ -238,6 +244,13 @@ def parse_fb_info( return fb def _generator(self): + + if not has_pil: + vollog.error( + "PIL (pillow) module is required to use this plugin. Please install it manually or through pyproject.toml." + ) + return None + kernel_name = self.config["kernel"] kernel = self.context.modules[kernel_name] From 1fef570022eb0ae13924ed321e5c09a24fe72563 Mon Sep 17 00:00:00 2001 From: Abyss Watcher Date: Sun, 22 Dec 2024 14:15:45 +0100 Subject: [PATCH 08/11] restrict output to PNG, unify file handling --- .../framework/plugins/linux/graphics/fbdev.py | 28 +++++++++---------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/volatility3/framework/plugins/linux/graphics/fbdev.py b/volatility3/framework/plugins/linux/graphics/fbdev.py index 28cae8000..e82827944 100644 --- a/volatility3/framework/plugins/linux/graphics/fbdev.py +++ b/volatility3/framework/plugins/linux/graphics/fbdev.py @@ -160,15 +160,13 @@ def dump_fb( kernel_name: str, open_method: Type[interfaces.plugins.FileHandlerInterface], fb: Framebuffer, - convert_to_image: bool, - image_format: str = "PNG", + convert_to_png_image: bool, ) -> str: - """Dump a Framebuffer raw buffer to disk. + """Dump a Framebuffer buffer to disk. Args: fb: the relevant Framebuffer object convert_to_image: a boolean specifying if the buffer should be converted to an image - image_format: the target PIL image format (defaults to PNG) Returns: The filename of the dumped buffer. @@ -176,19 +174,19 @@ def dump_fb( kernel = context.modules[kernel_name] kernel_layer = context.layers[kernel.layer_name] base_filename = f"{fb.id}_{fb.xres_virtual}x{fb.yres_virtual}_{fb.bpp}bpp" - if convert_to_image: - image = cls.convert_fb_raw_buffer_to_image(context, kernel_name, fb) - output = io.BytesIO() - image.save(output, image_format) - file_handle = open_method(f"{base_filename}.{image_format.lower()}") - file_handle.write(output.getvalue()) + if convert_to_png_image: + image_object = cls.convert_fb_raw_buffer_to_image(context, kernel_name, fb) + raw_io_output = io.BytesIO() + image_object.save(raw_io_output, "PNG") + final_fb_buffer = raw_io_output.getvalue() + filename = f"{base_filename}.png" else: - raw_pixels = kernel_layer.read(fb.fb_info.screen_base, fb.size) - file_handle = open_method(f"{base_filename}.raw") - file_handle.write(raw_pixels) + final_fb_buffer = kernel_layer.read(fb.fb_info.screen_base, fb.size) + filename = f"{base_filename}.raw" - file_handle.close() - return file_handle.preferred_filename + with open_method(filename) as f: + f.write(final_fb_buffer) + return f.preferred_filename @classmethod def parse_fb_info( From 8d213284e642c545f44502d0fab3f026bc4fa0ff Mon Sep 17 00:00:00 2001 From: Abyss Watcher Date: Sun, 22 Dec 2024 14:23:04 +0100 Subject: [PATCH 09/11] handle NotAvailableValue in filename --- volatility3/framework/plugins/linux/graphics/fbdev.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/volatility3/framework/plugins/linux/graphics/fbdev.py b/volatility3/framework/plugins/linux/graphics/fbdev.py index e82827944..7f7deee4e 100644 --- a/volatility3/framework/plugins/linux/graphics/fbdev.py +++ b/volatility3/framework/plugins/linux/graphics/fbdev.py @@ -173,7 +173,8 @@ def dump_fb( """ kernel = context.modules[kernel_name] kernel_layer = context.layers[kernel.layer_name] - base_filename = f"{fb.id}_{fb.xres_virtual}x{fb.yres_virtual}_{fb.bpp}bpp" + id = "N-A" if isinstance(fb.id, NotAvailableValue) else fb.id + base_filename = f"{id}_{fb.xres_virtual}x{fb.yres_virtual}_{fb.bpp}bpp" if convert_to_png_image: image_object = cls.convert_fb_raw_buffer_to_image(context, kernel_name, fb) raw_io_output = io.BytesIO() @@ -207,8 +208,7 @@ def parse_fb_info( - struct fb_var_screeninfo stores device independent changeable information about a frame buffer device, its current format and video mode, as well as other miscellaneous parameters. """ - # NotAvailableValue() messes with the filename output on disk - id = utility.array_to_string(fb_info.fix.id) or "N-A" + id = utility.array_to_string(fb_info.fix.id) or NotAvailableValue() color_fields = None # 0 = color, 1 = grayscale, >1 = FOURCC From 0bb09191aae08b2a1b481fef4fbd565e07a7d91f Mon Sep 17 00:00:00 2001 From: Abyss Watcher Date: Mon, 23 Dec 2024 21:28:58 +0100 Subject: [PATCH 10/11] file output failure results in UnreadableValue --- .../framework/plugins/linux/graphics/fbdev.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/volatility3/framework/plugins/linux/graphics/fbdev.py b/volatility3/framework/plugins/linux/graphics/fbdev.py index 7f7deee4e..ab4289cf1 100644 --- a/volatility3/framework/plugins/linux/graphics/fbdev.py +++ b/volatility3/framework/plugins/linux/graphics/fbdev.py @@ -8,7 +8,12 @@ from typing import Type, List, Dict, Tuple from volatility3.framework import constants, exceptions, interfaces from volatility3.framework.configuration import requirements -from volatility3.framework.renderers import format_hints, TreeGrid, NotAvailableValue +from volatility3.framework.renderers import ( + format_hints, + TreeGrid, + NotAvailableValue, + UnreadableValue, +) from volatility3.framework.objects import utility from volatility3.framework.constants import architectures from volatility3.framework.symbols import linux @@ -280,11 +285,12 @@ def _generator(self): file_output = self.dump_fb( self.context, kernel_name, self.open, fb, bool(fb.color_fields) ) + file_output = str(file_output) except exceptions.InvalidAddressException as excp: vollog.error( f'Layer {excp.layer_name} failed to read address {hex(excp.invalid_address)} when dumping framebuffer "{fb.id}".' ) - file_output = "Error" + file_output = UnreadableValue() try: fb_device_name = utility.pointer_to_string( @@ -303,7 +309,7 @@ def _generator(self): f"{fb.xres_virtual}x{fb.yres_virtual}", fb.bpp, "RUNNING" if fb.fb_info.state == 0 else "SUSPENDED", - str(file_output), + file_output, ), ) From ea2757c06ce23d9a24e01e2ce7823e4980889ee8 Mon Sep 17 00:00:00 2001 From: Abyss Watcher Date: Tue, 24 Dec 2024 11:45:23 +0100 Subject: [PATCH 11/11] minor version bump --- volatility3/framework/constants/_version.py | 2 +- volatility3/framework/plugins/linux/graphics/fbdev.py | 3 +++ volatility3/framework/symbols/linux/__init__.py | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/volatility3/framework/constants/_version.py b/volatility3/framework/constants/_version.py index 11edc07d8..9ca2d0a5b 100644 --- a/volatility3/framework/constants/_version.py +++ b/volatility3/framework/constants/_version.py @@ -1,6 +1,6 @@ # We use the SemVer 2.0.0 versioning scheme VERSION_MAJOR = 2 # Number of releases of the library with a breaking change -VERSION_MINOR = 13 # Number of changes that only add to the interface +VERSION_MINOR = 14 # Number of changes that only add to the interface VERSION_PATCH = 0 # Number of changes that do not change the interface VERSION_SUFFIX = "" diff --git a/volatility3/framework/plugins/linux/graphics/fbdev.py b/volatility3/framework/plugins/linux/graphics/fbdev.py index ab4289cf1..7b644eccf 100644 --- a/volatility3/framework/plugins/linux/graphics/fbdev.py +++ b/volatility3/framework/plugins/linux/graphics/fbdev.py @@ -60,6 +60,9 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface] description="Linux kernel", architectures=architectures.LINUX_ARCHS, ), + requirements.VersionRequirement( + name="linuxutils", component=linux.LinuxUtilities, version=(2, 2, 0) + ), requirements.BooleanRequirement( name="dump", description="Dump framebuffers", diff --git a/volatility3/framework/symbols/linux/__init__.py b/volatility3/framework/symbols/linux/__init__.py index ba223f979..5aa27b964 100644 --- a/volatility3/framework/symbols/linux/__init__.py +++ b/volatility3/framework/symbols/linux/__init__.py @@ -76,7 +76,7 @@ def __init__(self, *args, **kwargs) -> None: class LinuxUtilities(interfaces.configuration.VersionableInterface): """Class with multiple useful linux functions.""" - _version = (2, 1, 1) + _version = (2, 2, 0) _required_framework_version = (2, 0, 0) framework.require_interface_version(*_required_framework_version)