Add linux sockscan plugin #1120

Draft: wants to merge 12 commits into base: develop

Conversation

@eve-mem (Contributor) commented Mar 27, 2024

Hello 👋

This PR adds a first attempt at a sockscan plugin. Based heavily on the vol2 netscan plugin by @atcuno. I've also added another method following the path from a file object as per the sockstat plugin by @gcmoreira, and to display the results this plugin makes heavy use of the great socket handling from sockstat.

I've tried to include scanning for all the types of sockets supported rather than just the INET ones used in the vol2 plugin. I've hard coded the symbols to search for, I think it has reasonably good coverage of most cases but I'd welcome any feedback.

I've tried adding a test case as well - hopefully I've done that correctly.

Thanks for taking the time to review this, and I look forward to any feedback you might have.

Thank you!

Here is a sample of the results:

Volatility 3 Framework 2.6.0

Sock Offset	Family	Type	Proto	Source Addr	Source Port	Destination Addr	Destination Port	State	Filter

0x4416880	AF_UNIX	STREAM	-	/tmp/pulse-JldaJj8OxQLa/native	14054	-	14053	ESTABLISHED	-
0x445a080	AF_UNIX	STREAM	-	-	10706	-	10705	ESTABLISHED	-
0x445a3c0	AF_UNIX	STREAM	-	-	10705	-	10706	ESTABLISHED	-
<snip>
0x1ad6fbc0	AF_INET	STREAM	TCP	0.0.0.0	901	0.0.0.0	0	LISTEN	-
0x1ad78780	AF_UNIX	STREAM	-	-	9767	/var/run/dbus/system_bus_socket	9768	ESTABLISHED	-
<snip>
0x1b5a5000	AF_NETLINK	RAW	NETLINK_KOBJECT_UEVENT	groups:0x00000002	2403	group:0x00000000	0	UNCONNECTED	filter_type=socket_filter,bpf_filter_type=cBPF
0x1b5c8000	AF_NETLINK	RAW	NETLINK_ROUTE	groups:0x000a0501	2363	group:0x00000000	0	UNCONNECTED	-
0x1b5c8400	AF_NETLINK	RAW	NETLINK_KOBJECT_UEVENT	groups:0x00000002	4294963067	group:0x00000000	0	UNCONNECTED	filter_type=socket_filter,bpf_filter_type=cBPF
<snip>
0x1c56bb80	AF_INET	STREAM	TCP	192.168.201.161	22	192.168.201.1	59982	ESTABLISHED	-
<snip>
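The scanning approach the PR describes (pack the addresses of known kernel functions such as the socket destructors into byte needles, scan the memory layer for them, then step back by the member offset to the enclosing `struct sock`) as an added illustration; this is not the PR's code, and the symbol addresses, the `sk_destruct` offset and the memory buffer are constructed stand-ins.

```python
import logging
import struct
from typing import Dict, Iterator, List, Tuple

vollog = logging.getLogger(__name__)

# Constructed stand-ins for symbol addresses a real vmlinux would provide (hypothetical).
SYMBOL_ADDRS: Dict[str, int] = {
    "inet_sock_destruct": 0xFFFFFFFF81A01000,
    "unix_sock_destruct": 0xFFFFFFFF81A02000,
    "netlink_sock_destruct": 0xFFFFFFFF81A03000,
}
SK_DESTRUCT_OFFSET = 0x1A8  # hypothetical offsetof(struct sock, sk_destruct)

def canonicalize_symbol_addrs(symbol_addrs: Dict[str, int],
                              symbol_names: List[str]) -> List[bytes]:
    """Pack each resolvable symbol address as a little-endian 64-bit needle."""
    packed = []
    for name in symbol_names:
        addr = symbol_addrs.get(name)
        if addr is None:
            vollog.debug("symbol %s could not be resolved, skipping", name)
            continue
        packed.append(struct.pack("<Q", addr))
    if not packed:  # the empty-list check the reviewers suggest
        vollog.warning("unable to resolve any symbols, nothing to scan for")
    return packed

def scan_for_socks(memory: bytes, needles: List[bytes],
                   member_offset: int) -> Iterator[Tuple[int, int]]:
    """Yield (sock_offset, hit_offset): a hit is the sk_destruct member itself."""
    for needle in needles:
        start = 0
        while (hit := memory.find(needle, start)) != -1:
            start = hit + 1
            # A genuine function pointer sits at a pointer-aligned address and
            # its enclosing struct cannot begin before the start of the layer.
            if hit % 8 != 0 or hit < member_offset:
                continue
            yield hit - member_offset, hit

def build_memory() -> bytes:
    """Constructed sample layer: two fake socks and one unaligned false positive."""
    buf = bytearray(0x400)
    def put(off: int, addr: int) -> None:
        buf[off:off + 8] = struct.pack("<Q", addr)
    put(0x100 + SK_DESTRUCT_OFFSET, SYMBOL_ADDRS["inet_sock_destruct"])  # sock at 0x100
    put(0x000 + SK_DESTRUCT_OFFSET, SYMBOL_ADDRS["unix_sock_destruct"])  # sock at 0x0
    put(0x331, SYMBOL_ADDRS["netlink_sock_destruct"])  # unaligned: must be skipped
    return bytes(buf)
```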

@eve-mem (Contributor, Author) commented Mar 27, 2024

Looks like I've not understood how the testing works; it's my own test that's failing, so I'll update that!

@eve-mem eve-mem marked this pull request as draft March 28, 2024 08:55
@eve-mem eve-mem marked this pull request as ready for review March 28, 2024 09:36
@digitalisx (Contributor) left a comment:

Thank you for the work @eve-mem

volatility3/framework/plugins/linux/sockscan.py (outdated, resolved)
@eve-mem (Contributor, Author) commented Apr 30, 2024

Thanks for merging those changes in directly for me @ikelos, and for the suggested fix @digitalisx.

]

def _canonicalize_symbol_addrs(
self, symbol_table_name: List[str], symbol_names: str
Contributor:

self, symbol_table_name: str, symbol_names: List[str]

# make a warning if no symbols at all could be resolved.
if len(packed_needles) == 0:
vollog.warning(
f"_canonicalize_symbol_addrs was unable to resolve any symbols, use -vvvv for more information."
Contributor:

No need for an f-string here.

)
elif len(kernel_layer.dependencies) == 0:
vollog.error(
f"Kernel layer has no dependencies, meaning there is no memory layer for this plugin to scan."
Contributor:

No f-string needed.

# get file struct to find the offset to the f_op pointer
# this is so that the file object can be created at the correct offset,
# the results of the scanner will be for the f_op member within the file
f_op_offset = vmlinux.get_type("file").members["f_op"][0]
Contributor:

vmlinux.get_type("file").relative_child_offset("f_op")

Contributor Author:

relative_child_offset is nice - thank you!

# get sock struct to find the offset to the sk_destruct pointer
# this is so that the sock object can be created at the correct offset,
# the results of the scanner will be for the sk_destruct member within the sock
sk_destruct_offset = vmlinux.get_type("sock").members["sk_destruct"][0]
Contributor:

vmlinux.get_type("sock").relative_child_offset("sk_destruct")


return packed_needles

def _generator(self, symbol_table_name: str):
@gcmoreira (Contributor) commented Jul 31, 2024:

This function is a bit too long; any chance to split it into smaller functions? That will also help to document what each subfunction is doing.

Contributor Author:

Yes will do 👍

)

# make a warning if no symbols at all could be resolved.
if len(packed_needles) == 0:
Contributor:

if not packed_needles:

name="SockHandlers", component=sockstat.SockHandlers, version=(1, 0, 0)
),
requirements.VersionRequirement(
name="linuxutils", component=linux.LinuxUtilities, version=(2, 0, 0)
Contributor:

LinuxUtilities is currently on 2.1.0, check this is still working

@eve-mem eve-mem marked this pull request as draft August 2, 2024 10:49
Comment on lines +177 to +179
def _walk_file_ops_needles(
self, symbol_table_name, memory_layer_name, needle_addr, f_op_offset
):

Check notice (Code scanning / CodeQL): Explicit returns mixed with implicit (fall through) returns. Mixing implicit and explicit returns may indicate an error as implicit returns always return None.
Contributor:

@eve-mem you are missing a return None at the very end of this method

f"Unable to follow file at {hex(needle_addr)} to socket due to invalid address: {error}",
)

def _extract_sock_fields(self, psock, sock_handler):

Check notice (Code scanning / CodeQL): Explicit returns mixed with implicit (fall through) returns. Mixing implicit and explicit returns may indicate an error as implicit returns always return None.
Contributor:

@eve-mem Same here, you are missing a return None at the very end of this method

@atcuno (Contributor) commented Dec 16, 2024

Is this still being worked on or was it replaced by a different PR? @eve-mem @gcmoreira

@eve-mem (Contributor, Author) commented Dec 16, 2024

This still needs work from me; I don't think there is another at the moment.

(I won't be offended if someone does have the time to sort this out, or make an alternative)

5 participants