Merge pull request #1412 from gcmoreira/linux_task_parent_pid_fix

Linux: Fix task parent pid in several plugins
volatilityfoundation · Dec 17, 2024 · 7d2f8b2 · 7d2f8b2
2 parents 992ba3e + e035faa
commit 7d2f8b2
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 37 deletions.
diff --git a/volatility3/framework/constants/_version.py b/volatility3/framework/constants/_version.py
@@ -1,6 +1,6 @@
 # We use the SemVer 2.0.0 versioning scheme
 VERSION_MAJOR = 2  # Number of releases of the library with a breaking change
-VERSION_MINOR = 12  # Number of changes that only add to the interface
+VERSION_MINOR = 13  # Number of changes that only add to the interface
 VERSION_PATCH = 0  # Number of changes that do not change the interface
 VERSION_SUFFIX = ""
 

diff --git a/volatility3/framework/plugins/linux/capabilities.py b/volatility3/framework/plugins/linux/capabilities.py
@@ -49,8 +49,8 @@ def astuple(self) -> Tuple:
 class Capabilities(plugins.PluginInterface):
     """Lists process capabilities"""
 
-    _required_framework_version = (2, 0, 0)
-    _version = (1, 0, 1)
+    _required_framework_version = (2, 13, 0)
+    _version = (1, 1, 0)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -136,7 +136,7 @@ def get_task_capabilities(
             comm=utility.array_to_string(task.comm),
             pid=int(task.pid),
             tgid=int(task.tgid),
-            ppid=int(task.parent.pid),
+            ppid=int(task.get_parent_pid()),
             euid=int(task.cred.euid),
         )
 

diff --git a/volatility3/framework/plugins/linux/envars.py b/volatility3/framework/plugins/linux/envars.py
@@ -16,8 +16,8 @@
 class Envars(plugins.PluginInterface):
     """Lists processes with their environment variables"""
 
-    _required_framework_version = (2, 0, 0)
-    _version = (1, 0, 1)
+    _required_framework_version = (2, 13, 0)
+    _version = (1, 1, 0)
 
     @classmethod
     def get_requirements(cls):
@@ -48,15 +48,7 @@ def _generator(self, tasks):
 
             # get process name as string
             name = utility.array_to_string(task.comm)
-
-            # try and get task parent
-            try:
-                ppid = task.parent.pid
-            except exceptions.InvalidAddressException:
-                vollog.debug(
-                    f"Unable to read parent pid for task {pid} {name}, setting ppid to 0."
-                )
-                ppid = 0
+            ppid = task.get_parent_pid()
 
             # kernel threads never have an mm as they do not have userland mappings
             try:

diff --git a/volatility3/framework/plugins/linux/psaux.py b/volatility3/framework/plugins/linux/psaux.py
@@ -14,8 +14,8 @@
 class PsAux(plugins.PluginInterface):
     """Lists processes with their command line arguments"""
 
-    _required_framework_version = (2, 0, 0)
-    _version = (1, 0, 1)
+    _required_framework_version = (2, 13, 0)
+    _version = (1, 1, 0)
 
     @classmethod
     def get_requirements(cls):
@@ -98,14 +98,8 @@ def _generator(self, tasks):
         # walk the process list and report the arguments
         for task in tasks:
             pid = task.pid
-
-            try:
-                ppid = task.parent.pid
-            except exceptions.InvalidAddressException:
-                ppid = 0
-
+            ppid = task.get_parent_pid()
             name = utility.array_to_string(task.comm)
-
             args = self._get_command_line_args(task, name)
 
             yield (0, (pid, ppid, name, args))

diff --git a/volatility3/framework/plugins/linux/pslist.py b/volatility3/framework/plugins/linux/pslist.py
@@ -17,8 +17,8 @@
 class PsList(interfaces.plugins.PluginInterface, timeliner.TimeLinerInterface):
     """Lists the processes present in a particular linux memory image."""
 
-    _required_framework_version = (2, 0, 0)
-    _version = (3, 0, 0)
+    _required_framework_version = (2, 13, 0)
+    _version = (3, 1, 0)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -95,7 +95,7 @@ def get_task_fields(
         """
         pid = task.tgid
         tid = task.pid
-        ppid = task.parent.tgid if task.parent else 0
+        ppid = task.get_parent_pid()
         name = utility.array_to_string(task.comm)
         start_time = task.get_create_time()
         if decorate_comm:

diff --git a/volatility3/framework/plugins/linux/psscan.py b/volatility3/framework/plugins/linux/psscan.py
@@ -27,8 +27,8 @@ class DescExitStateEnum(Enum):
 class PsScan(interfaces.plugins.PluginInterface):
     """Scans for processes present in a particular linux image."""
 
-    _required_framework_version = (2, 0, 0)
-    _version = (1, 0, 1)
+    _required_framework_version = (2, 13, 0)
+    _version = (1, 1, 0)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -52,10 +52,7 @@ def _get_task_fields(
         """
         pid = task.tgid
         tid = task.pid
-        ppid = 0
-
-        if task.parent.is_readable():
-            ppid = task.parent.tgid
+        ppid = task.get_parent_pid()
         name = utility.array_to_string(task.comm)
         exit_state = DescExitStateEnum(task.exit_state).name
 

diff --git a/volatility3/framework/plugins/linux/pstree.py b/volatility3/framework/plugins/linux/pstree.py
@@ -12,8 +12,8 @@ class PsTree(interfaces.plugins.PluginInterface):
     """Plugin for listing processes in a tree based on their parent process
     ID."""
 
-    _required_framework_version = (2, 0, 0)
-    _version = (1, 0, 1)
+    _required_framework_version = (2, 13, 0)
+    _version = (1, 1, 0)
 
     @classmethod
     def get_requirements(cls):
@@ -56,9 +56,9 @@ def find_level(self, pid: int) -> None:
         seen = set([pid])
         level = 0
         proc = self._tasks.get(pid)
-        while proc and proc.parent and proc.parent.pid not in seen:
+        while proc and proc.get_parent_pid() not in seen:
             if proc.is_thread_group_leader:
-                parent_pid = proc.parent.pid
+                parent_pid = proc.get_parent_pid()
             else:
                 parent_pid = proc.tgid
 

diff --git a/volatility3/framework/symbols/linux/extensions/__init__.py b/volatility3/framework/symbols/linux/extensions/__init__.py
@@ -633,6 +633,20 @@ def get_create_time(self) -> datetime.datetime:
         # root time namespace, not within the task's own time namespace
         return boottime + task_start_time_timedelta
 
+    def get_parent_pid(self) -> int:
+        """Returns the parent process ID (PPID)
+
+        This method replicates the Linux kernel's `getppid` syscall behavior.
+        Avoid using `task.parent`; instead, use this function for accurate results.
+        """
+
+        if self.real_parent and self.real_parent.is_readable():
+            ppid = self.real_parent.pid
+        else:
+            ppid = 0
+
+        return ppid
+
 
 class fs_struct(objects.StructType):
     def get_root_dentry(self):