From 831e6cf3412f71dffb929a8f42db383e5792214b Mon Sep 17 00:00:00 2001
From: Eve
Date: Thu, 7 Dec 2023 09:06:13 +0000
Subject: [PATCH 1/3] Linux: update kmsg KmsgFiveTen class to handle symbol shift and create objects with absolute addresses
---
volatility3/framework/plugins/linux/kmsg.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/volatility3/framework/plugins/linux/kmsg.py b/volatility3/framework/plugins/linux/kmsg.py
index 3f7345bdc5..f3ef12cfe9 100644
--- a/volatility3/framework/plugins/linux/kmsg.py
+++ b/volatility3/framework/plugins/linux/kmsg.py
@@ -67,7 +67,7 @@ def __init__(
 vmlinux = context.modules[self._config["kernel"]]
 self.layer_name = vmlinux.layer_name # type: ignore
 symbol_table_name = vmlinux.symbol_table_name # type: ignore
- self.vmlinux = contexts.Module.create(context, symbol_table_name, self.layer_name, 0) # type: ignore
+ self.vmlinux = contexts.Module.create(context, symbol_table_name, self.layer_name, vmlinux.offset) # type: ignore
 self.long_unsigned_int_size = self.vmlinux.get_type("long unsigned int").size
 @classmethod
@@ -365,12 +365,14 @@ def run(self) -> Iterator[Tuple[str, str, str, str, str]]:
 offset=desc_ring.descs,
 subtype=self.vmlinux.get_type("prb_desc"),
 count=desc_count,
+ absolute=True,
 )
 info_arr = self.vmlinux.object(
 object_type="array",
 offset=desc_ring.infos,
 subtype=self.vmlinux.get_type("printk_info"),
 count=desc_count,
+ absolute=True,
 )
 # See kernel/printk/printk_ringbuffer.h
From fda3cedabaae0f98600201ec800ed415521e402b Mon Sep 17 00:00:00 2001
From: Eve
Date: Thu, 14 Dec 2023 09:18:01 +0000
Subject: [PATCH 2/3] Linux: update kmsg to create objects via context rather than module
---
volatility3/framework/plugins/linux/kmsg.py | 23 +++++++++++----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/volatility3/framework/plugins/linux/kmsg.py b/volatility3/framework/plugins/linux/kmsg.py
index f3ef12cfe9..17dcc61aac 100644
--- a/volatility3/framework/plugins/linux/kmsg.py
+++ b/volatility3/framework/plugins/linux/kmsg.py
@@ -64,10 +64,8 @@ def __init__(
 ):
 self._context = context
 self._config = config
- vmlinux = context.modules[self._config["kernel"]]
- self.layer_name = vmlinux.layer_name # type: ignore
- symbol_table_name = vmlinux.symbol_table_name # type: ignore
- self.vmlinux = contexts.Module.create(context, symbol_table_name, self.layer_name, vmlinux.offset) # type: ignore
+ self.vmlinux = context.modules[self._config["kernel"]]
+ self.layer_name = self.vmlinux.layer_name # type: ignore
 self.long_unsigned_int_size = self.vmlinux.get_type("long unsigned int").size
 @classmethod
@@ -358,21 +356,24 @@ def run(self) -> Iterator[Tuple[str, str, str, str, str]]:
 desc_ring = ringbuffers.desc_ring
 text_data_ring = ringbuffers.text_data_ring
-
 desc_count = 1 << desc_ring.count_bits
- desc_arr = self.vmlinux.object(
- object_type="array",
+
+ array_type = self.vmlinux.symbol_table_name + constants.BANG + "array"
+
+ desc_arr = self._context.object(
+ array_type,
 offset=desc_ring.descs,
 subtype=self.vmlinux.get_type("prb_desc"),
 count=desc_count,
- absolute=True,
+ layer_name=self.layer_name,
 )
- info_arr = self.vmlinux.object(
- object_type="array",
+
+ info_arr = self._context.object(
+ array_type,
 offset=desc_ring.infos,
 subtype=self.vmlinux.get_type("printk_info"),
 count=desc_count,
- absolute=True,
+ layer_name=self.layer_name,
 )
 # See kernel/printk/printk_ringbuffer.h
From 9b8534267389988e18ba77b8d8a80cdc56a1e4dc Mon Sep 17 00:00:00 2001
From: Eve
Date: Thu, 14 Dec 2023 09:24:51 +0000
Subject: [PATCH 3/3] Linux: bump version for linux kmsg
---
volatility3/framework/plugins/linux/kmsg.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/volatility3/framework/plugins/linux/kmsg.py b/volatility3/framework/plugins/linux/kmsg.py
index 17dcc61aac..5136a00f65 100644
--- a/volatility3/framework/plugins/linux/kmsg.py
+++ b/volatility3/framework/plugins/linux/kmsg.py
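Review bot: `self.vmlinux = context.modules[self._config["kernel"]]` replaces the private `contexts.Module.create(..., 0)` copy with the shared kernel module, which is what forces the `run` hunk below to build its two arrays through `self._context.object(...)`; any other `self.vmlinux.object(...)` call in this class that passes an address read from the image (the rest of the class is outside this hunk) would presumably now get the module's shift added to it and needs the same treatment, so it is worth grepping for. A one-line comment on the assignment would keep the distinction from being lost: `# shared kernel Module: object() treats offsets as module-relative unless absolute=True, so image-read pointers go through self._context.object()`. The `__init__` signature starts before this hunk.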
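Review bot: The two `self._context.object(array_type, ...)` calls give no hint of why they bypass `self.vmlinux.object()`; per the series title the reason is that `desc_ring.descs` and `desc_ring.infos` are absolute kernel pointers read from the image that must not have the module's shift applied, and that belongs in a comment above `array_type = ...`, e.g. `# descs/infos are absolute kernel addresses; build the arrays through the context so the kernel module's base shift is not added to them`. Since `count_bits` also comes from the image, `count=desc_count` (`1 << desc_ring.count_bits`) can be made arbitrarily large by a corrupted or tampered capture; a sanity bound on `count_bits` before constructing the arrays would keep the plugin from iterating an absurd descriptor count. In this rendering the marker before `desc_count = 1 << desc_ring.count_bits` reads either as a removed blank line or as removal of the assignment itself — the hunk's 21/24 line counts only work if the assignment stays, and the unchanged `count=desc_count` lines require it, so please confirm. `run` continues outside the hunk.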
@@ -412,7 +412,7 @@ class Kmsg(plugins.PluginInterface):
 _required_framework_version = (2, 0, 0)
- _version = (1, 0, 0)
+ _version = (1, 0, 1)
 @classmethod
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: