Linux ip.Addr and ip.Link plugins

volatility3/framework/constants/linux/__init__.py

@@ -281,3 +281,47 @@
 )
 
 ELF_MAX_EXTRACTION_SIZE = 1024 * 1024 * 1024 * 4 - 1
+
+# For IFA_* below - Ref: include/net/ipv6.h
+IPV6_ADDR_LOOPBACK = 0x0010
+IPV6_ADDR_LINKLOCAL = 0x0020
+IPV6_ADDR_SITELOCAL = 0x0040
+# For inet6_ifaddr - Ref: include/net/if_inet6.h
+IFA_HOST = IPV6_ADDR_LOOPBACK
+IFA_LINK = IPV6_ADDR_LINKLOCAL
+IFA_SITE = IPV6_ADDR_SITELOCAL
+
+# Only for kernels < 3.15 when the net_device_flags enum didn't exist
+# ref include/uapi/linux/if.h
+NET_DEVICE_FLAGS = {
+    "IFF_UP": 0x1,
+    "IFF_BROADCAST": 0x2,
+    "IFF_DEBUG": 0x4,
+    "IFF_LOOPBACK": 0x8,
+    "IFF_POINTOPOINT": 0x10,
+    "IFF_NOTRAILERS": 0x20,
+    "IFF_RUNNING": 0x40,
+    "IFF_NOARP": 0x80,
+    "IFF_PROMISC": 0x100,
+    "IFF_ALLMULTI": 0x200,
+    "IFF_MASTER": 0x400,
+    "IFF_SLAVE": 0x800,
+    "IFF_MULTICAST": 0x1000,
+    "IFF_PORTSEL": 0x2000,
+    "IFF_AUTOMEDIA": 0x4000,
+    "IFF_DYNAMIC": 0x8000,
+    "IFF_LOWER_UP": 0x10000,
+    "IFF_DORMANT": 0x20000,
+    "IFF_ECHO": 0x40000,
+}
+
+# RFC 2863 operational status. Kernels >= 2.6.17. See IF_OPER_* in include/uapi/linux/if.h
+IF_OPER_STATES = (
+    "UNKNOWN",
+    "NOTPRESENT",
+    "DOWN",
+    "LOWERLAYERDOWN",
+    "TESTING",
+    "DORMANT",
+    "UP",
+)

volatility3/framework/interfaces/objects.py

@@ -133,7 +133,7 @@ def __init__(
 
     def __getattr__(self, attr: str) -> Any:
         """Method for ensuring volatility members can be returned."""
-        raise AttributeError
+        raise AttributeError()
 
     @property
     def vol(self) -> ReadOnlyMapping:

volatility3/framework/plugins/linux/ip.py

@@ -0,0 +1,82 @@
+# This file is Copyright 2023 Volatility Foundation and licensed under the Volatility Software License 1.0
+# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
+#
+
+from typing import List
+from volatility3.framework import interfaces, renderers, constants
+from volatility3.framework.configuration import requirements
+from volatility3.framework.interfaces import plugins
+from volatility3.framework.objects import utility
+
+
+class Addr(plugins.PluginInterface):
+    """Lists network interface information for all devices"""
+
+    _required_framework_version = (2, 0, 0)
+
+    _version = (1, 0, 0)
+
+    @classmethod
+    def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
+        return [
+            requirements.ModuleRequirement(
+                name="kernel",
+                description="Linux kernel",
+                architectures=["Intel32", "Intel64"],
+            ),
+        ]
+
+    def _gather_net_dev_info(self, net_dev):
+        mac_addr = net_dev.get_mac_address()
+        promisc = net_dev.promisc
+        operational_state = net_dev.get_operational_state()
+        iface_name = utility.array_to_string(net_dev.name)
+        iface_ifindex = net_dev.ifindex
+        try:
+            net_ns_id = net_dev.get_net_namespace_id()
+        except AttributeError:
+            net_ns_id = renderers.NotAvailableValue()
+
+        # Interface IPv4 Addresses
+        in_device = net_dev.ip_ptr.dereference().cast("in_device")
+        for in_ifaddr in in_device.get_addresses():
+            prefix_len = in_ifaddr.get_prefix_len()
+            scope_type = in_ifaddr.get_scope_type()
+            ip_addr = in_ifaddr.get_address()
+            yield net_ns_id, iface_ifindex, iface_name, mac_addr, promisc, ip_addr, prefix_len, scope_type, operational_state
+
+        # Interface IPv6 Addresses
+        inet6_dev = net_dev.ip6_ptr.dereference().cast("inet6_dev")
+        for inet6_ifaddr in inet6_dev.get_addresses():
+            prefix_len = inet6_ifaddr.get_prefix_len()
+            scope_type = inet6_ifaddr.get_scope_type()
+            ip6_addr = inet6_ifaddr.get_address()
+            yield net_ns_id, iface_ifindex, iface_name, mac_addr, promisc, ip6_addr, prefix_len, scope_type, operational_state
+
+    def _generator(self):
+        vmlinux = self.context.modules[self.config["kernel"]]
+
+        net_type_symname = vmlinux.symbol_table_name + constants.BANG + "net"
+        net_device_symname = vmlinux.symbol_table_name + constants.BANG + "net_device"
+
+        # 'net_namespace_list' exists from kernels >= 2.6.24
+        net_namespace_list = vmlinux.object_from_symbol("net_namespace_list")
+        for net_ns in net_namespace_list.to_list(net_type_symname, "list"):
+            for net_dev in net_ns.dev_base_head.to_list(net_device_symname, "dev_list"):
+                for fields in self._gather_net_dev_info(net_dev):
+                    yield 0, fields
+
+    def run(self):
+        headers = [
+            ("NetNS", int),
+            ("Index", int),
+            ("Interface", str),
+            ("MAC", str),
+            ("Promiscuous", bool),
+            ("IP", str),
+            ("Prefix", int),
+            ("Scope Type", str),
+            ("State", str),
+        ]
+
+        return renderers.TreeGrid(headers, self._generator())

volatility3/framework/symbols/linux/__init__.py

@@ -43,6 +43,11 @@ def __init__(self, *args, **kwargs) -> None:
 
         # Network
         self.set_type_class("net", extensions.net)
+        self.set_type_class("net_device", extensions.net_device)
+        self.set_type_class("in_device", extensions.in_device)
+        self.set_type_class("in_ifaddr", extensions.in_ifaddr)
+        self.set_type_class("inet6_dev", extensions.inet6_dev)
+        self.set_type_class("inet6_ifaddr", extensions.inet6_ifaddr)
         self.set_type_class("socket", extensions.socket)
         self.set_type_class("sock", extensions.sock)
         self.set_type_class("inet_sock", extensions.inet_sock)