Add linux sockscan plugin #1120
base: develop
Conversation
Looks like I've not understood how the testing works; it's my own test that's failing, so I'll update that!
…None' as per CodeQL
Thank you for the work @eve-mem
Co-authored-by: Donghyun Kim <[email protected]>
Thanks for merging those changes in directly for me @ikelos, and for the suggested fix @digitalisx.
] | ||
def _canonicalize_symbol_addrs( | ||
self, symbol_table_name: List[str], symbol_names: str |
self, symbol_table_name: str, symbol_names: List[str]
# make a warning if no symbols at all could be resolved. | ||
if len(packed_needles) == 0: | ||
vollog.warning( | ||
f"_canonicalize_symbol_addrs was unable to resolve any symbols, use -vvvv for more information." |
No need for an f-string here
) | ||
elif len(kernel_layer.dependencies) == 0: | ||
vollog.error( | ||
f"Kernel layer has no dependencies, meaning there is no memory layer for this plugin to scan." |
No f-string needed
# get file struct to find the offset to the f_op pointer | ||
# this is so that the file object can be created at the correct offset, | ||
# the results of the scanner will be for the f_op member within the file | ||
f_op_offset = vmlinux.get_type("file").members["f_op"][0] |
vmlinux.get_type("file").relative_child_offset("f_op")
relative_child_offset is nice - thank you!
# get sock struct to find the offset to the sk_destruct pointer | ||
# this is so that the sock object can be created at the correct offset, | ||
# the results of the scanner will be for the sk_destruct member within the scock | ||
sk_destruct_offset = vmlinux.get_type("sock").members["sk_destruct"][0] |
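Review bot: typo in the comment above the sk_destruct lookup: "within the scock" should read "within the sock". The lookup itself repeats the f_op pattern a few lines earlier (`vmlinux.get_type(...).members[...][0]`), so once both move to the suggested `relative_child_offset` call, a small helper taking the type name and member name would keep the two in step.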
vmlinux.get_type("sock").relative_child_offset("sk_destruct")
return packed_needles | ||
def _generator(self, symbol_table_name: str): |
This function is a bit too long; any chance to split it into smaller functions? That will also help to document what each subfunction is doing.
Yes will do 👍
) | ||
# make a warning if no symbols at all could be resolved. | ||
if len(packed_needles) == 0: |
if not packed_needles:
name="SockHandlers", component=sockstat.SockHandlers, version=(1, 0, 0) | ||
), | ||
requirements.VersionRequirement( | ||
name="linuxutils", component=linux.LinuxUtilities, version=(2, 0, 0) |
LinuxUtilities is currently on 2.1.0; check this is still working.
…, make use of relative_child_offset, fix f string.
def _walk_file_ops_needles( | ||
self, symbol_table_name, memory_layer_name, needle_addr, f_op_offset | ||
): |
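Review bot: the parameters of `_walk_file_ops_needles` carry no type hints, unlike `_canonicalize_symbol_addrs` above, so the intended types of `needle_addr` and `f_op_offset` are not documented. Annotating them (`symbol_table_name: str, memory_layer_name: str, needle_addr: int, f_op_offset: int`) and giving the method a return annotation would also make the CodeQL note below about mixed explicit and implicit returns easier to resolve.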
Check notice (Code scanning / CodeQL): Explicit returns mixed with implicit (fall through) returns
@eve-mem you are missing a return None at the very end of this method
f"Unable to follow file at {hex(needle_addr)} to socket due to invalid address: {error}", | ||
) | ||
def _extract_sock_fields(self, psock, sock_handler): |
Check notice (Code scanning / CodeQL): Explicit returns mixed with implicit (fall through) returns
@eve-mem Same here, you are missing a return None at the very end of this method
Is this still being worked on or was it replaced by a different PR? @eve-mem @gcmoreira
This still needs work from me; I don't think there is another at the moment (I won't be offended if someone does have the time to sort this out, or make an alternative).
Hello 👋
This PR adds a first attempt at a sockscan plugin. Based heavily on the vol2 netscan plugin by @atcuno. I've also added another method following the path from a file object as per the sockstat plugin by @gcmoreira, and to display the results this plugin makes heavy use of the great socket handling from sockstat.
I've tried to include scanning for all the types of sockets supported rather than just the INET ones used in the vol2 plugin. I've hard-coded the symbols to search for; I think it has reasonably good coverage of most cases, but I'd welcome any feedback.
I've tried adding a test case as well - hopefully I've done that correctly.
Thanks for taking the time to review this, and I look forward to any feedback you might have.
Thank you!
Here is a sample of the results:
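The pointer-needle scan this PR builds on (pack resolved symbol addresses as needles, scan the memory layer for them, then rewind each hit by the member offset to reach the enclosing `file` or `sock` struct), as an added stand-alone Python illustration. It is not the plugin's code and not the sample output referred to above; the symbol addresses, member offsets and image contents are constructed placeholders, not real kernel values.

```python
import struct
from typing import Dict, Iterator, List

POINTER_FMT = "<Q"  # assumption: 64-bit little-endian kernel
POINTER_SIZE = struct.calcsize(POINTER_FMT)
# Constructed symbol table; addresses are placeholders, not real kernel values.
SYMBOLS: Dict[str, int] = {
    "socket_file_ops": 0xFFFFFFFF81C00000,
    "inet_sock_destruct": 0xFFFFFFFF81800000,
}
# Constructed member offsets; the plugin reads these from the vmlinux symbol table.
F_OP_OFFSET = 0x28
SK_DESTRUCT_OFFSET = 0x48


def canonicalize_symbol_addrs(symbol_names: List[str]) -> List[bytes]:
    """Resolve each name and pack its address as a needle; empty result means nothing resolved."""
    return [struct.pack(POINTER_FMT, SYMBOLS[n]) for n in symbol_names if n in SYMBOLS]


def scan_layer(layer: bytes, needles: List[bytes]) -> Iterator[int]:
    """Yield the offset of every pointer-aligned occurrence of any needle."""
    for needle in needles:
        start = 0
        while (hit := layer.find(needle, start)) != -1:
            if hit % POINTER_SIZE == 0:  # a pointer field is pointer-aligned
                yield hit
            start = hit + 1


def struct_bases(layer: bytes, needles: List[bytes], member_offset: int) -> List[int]:
    """A hit is the address of the member; the struct begins member_offset bytes earlier."""
    bases = {hit - member_offset for hit in scan_layer(layer, needles)}
    return sorted(b for b in bases if b >= 0)  # drop hits too close to the layer start


def build_sample_layer() -> bytes:
    """Constructed 2 KiB image: a fake `file` at 0x100 and a fake `sock` at 0x300."""
    layer = bytearray(0x800)
    struct.pack_into(POINTER_FMT, layer, 0x100 + F_OP_OFFSET, SYMBOLS["socket_file_ops"])
    struct.pack_into(POINTER_FMT, layer, 0x300 + SK_DESTRUCT_OFFSET, SYMBOLS["inet_sock_destruct"])
    layer[0x501:0x509] = struct.pack(POINTER_FMT, SYMBOLS["socket_file_ops"])  # unaligned decoy
    return bytes(layer)


def find_candidates() -> Dict[str, List[int]]:
    layer = build_sample_layer()
    file_needles = canonicalize_symbol_addrs(["socket_file_ops", "not_a_symbol"])
    sock_needles = canonicalize_symbol_addrs(["inet_sock_destruct"])
    return {"file": struct_bases(layer, file_needles, F_OP_OFFSET),
            "sock": struct_bases(layer, sock_needles, SK_DESTRUCT_OFFSET)}
```

Running `find_candidates()` yields the two planted struct bases and ignores the unaligned decoy copy of the needle, which is why the plugin creates its `file` and `sock` objects at `hit - member_offset` rather than at the hit itself.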