From 0e165bf7b2c31ad96d43f88578c2d77dd64e6907 Mon Sep 17 00:00:00 2001
From: Antoine Brodin <ant1@users.noreply.github.com>
Date: Tue, 1 Oct 2024 07:14:23 +0000
Subject: [PATCH] freebsd: attempt to guess physical location of kernel
 searching for interpreter

---
 volatility3/framework/automagic/freebsd.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/volatility3/framework/automagic/freebsd.py b/volatility3/framework/automagic/freebsd.py
index 4b3ae7cf12..50884079dd 100644
--- a/volatility3/framework/automagic/freebsd.py
+++ b/volatility3/framework/automagic/freebsd.py
@@ -73,9 +73,17 @@ def stack(
                 # Freebsd amd64
                 if "KPML4phys" in table.symbols:
                     layer_class = intel.Intel32e
+                    kernload_offset = 0
+                    kernload = table.get_symbol("kernload").address
+                    for interp in layer.scan(context = context, scanner = scanners.BytesScanner(b"/red/herring\x00\x00\x00\x00"), progress_callback = progress_callback):
+                        kernload_from_interp = interp & 0xfffffffffffff800
+                        # Verify 2MB alignment
+                        if kernload_from_interp & 0x1fffff == 0:
+                            kernload_offset = kernload_from_interp - kernload
+                            break
                     kernbase = table.get_symbol("kernbase").address
                     kpml4phys_ptr = table.get_symbol("KPML4phys").address
-                    kpml4phys_str = layer.read(kpml4phys_ptr - kernbase, 8)
+                    kpml4phys_str = layer.read(kpml4phys_ptr - kernbase + kernload_offset, 8)
                     dtb = struct.unpack("<Q", kpml4phys_str)[0]
                 # Freebsd i386
                 elif "IdlePTD" in table.symbols: