From aae3f5bfef27a9bf4c56408df3a6a38f70186e21 Mon Sep 17 00:00:00 2001 From: Eve Date: Tue, 26 Mar 2024 06:43:22 +0000 Subject: [PATCH 01/10] Linux: add first draft of sockscan plugin --- .../framework/plugins/linux/sockscan.py | 318 ++++++++++++++++++ 1 file changed, 318 insertions(+) create mode 100644 volatility3/framework/plugins/linux/sockscan.py diff --git a/volatility3/framework/plugins/linux/sockscan.py b/volatility3/framework/plugins/linux/sockscan.py new file mode 100644 index 0000000000..52b33d9c1a --- /dev/null +++ b/volatility3/framework/plugins/linux/sockscan.py @@ -0,0 +1,318 @@ +# This file is Copyright 2024 Volatility Foundation and licensed under the Volatility Software License 1.0 +# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0 +# + +import logging +import struct +from typing import Callable, Tuple, List, Dict + +from volatility3.framework import interfaces, exceptions, constants, objects +from volatility3.framework.renderers import TreeGrid, NotAvailableValue, format_hints +from volatility3.framework.configuration import requirements +from volatility3.framework.interfaces import plugins +from volatility3.framework.objects import utility +from volatility3.framework.symbols import linux +from volatility3.plugins.linux import sockstat +from volatility3.framework import symbols +from volatility3.framework import symbols, constants +from volatility3.framework.layers import scanners + +vollog = logging.getLogger(__name__) + + +class Sockscan(plugins.PluginInterface): + """Scans for network connections found in memory layer.""" + + _required_framework_version = (2, 6, 0) + + @classmethod + def get_requirements(cls): + return [ + requirements.ModuleRequirement( + name="kernel", + description="Linux kernel", + architectures=["Intel32", "Intel64"], + ), + requirements.VersionRequirement( + name="SockHandlers", component=sockstat.SockHandlers, version=(1, 0, 0) + ), + requirements.VersionRequirement( + name="linuxutils", component=linux.LinuxUtilities, version=(2, 0, 0) + ), + ] + + def _generator(self, symbol_table_name: str): + """Scans for sockets. Each row represents a kernel socket. + + Args: + symbol_table_name: The name of the kernel module on which to operate + + Yields: + family: Socket family string (AF_UNIX, AF_INET, etc) + sock_type: Socket type string (STREAM, DGRAM, etc) + protocol: Protocol string (UDP, TCP, etc) + source addr: Source address string + source port: Source port string (not all of them are int) + destination addr: Destination address string + destination port: Destination port (not all of them are int) + state: State strings (LISTEN, CONNECTED, etc) + """ + + # get vmlinux module from context in order to build objects and read symbols + vmlinux = self.context.modules[symbol_table_name] + + # get kernel layer from context so that it's dependencies can be found, and therefore scanned. + # kernel layer will be virtual and built ontop of a physical layer. + kernel_layer = self.context.layers[vmlinux.layer_name] + + # detmine if kernel is 64bit or not. The plugin scans for pointers and these need to formated + # to the correct size so that they can be accurately located in the physical layer. + if symbols.symbol_table_is_64bit(self.context, vmlinux.symbol_table_name): + pack_format = "Q" # 64 bit + else: + pack_format = "I" # 32 bit + + # TODO: Update plugin to support multiple dependencies. e.g. a memory layer and swap file. + # This is a shared problem with psscan and having a generic solution would be useful. + # Find the memory layer to scan, and provide warnings if more than one is located. + if len(kernel_layer.dependencies) > 1: + vollog.warning( + f"Kernel layer depends on multiple layers however only {kernel_layer.dependencies[0]} will be scanned by this plugin." + ) + elif len(kernel_layer.dependencies) == 0: + vollog.error( + f"Kernel layer has no dependencies, meaning there is no memory layer for this plugin to scan." + ) + raise exceptions.LayerException( + vmlinux.layer_name, f"Layer {vmlinux.layer_name} has no dependencies" + ) + memory_layer_name = kernel_layer.dependencies[0] + memory_layer = self.context.layers[kernel_layer.dependencies[0]] + + # use the init process to build a sock handler + # TODO: look into options so that sockstat.SockHandlers so that process_sock can + # be used without a task object. + init_task = vmlinux.object_from_symbol(symbol_name="init_task") + sock_handler = sockstat.SockHandlers(vmlinux, init_task) + + # set to track seen sockets so that results are not duplicated between methods + sock_physical_addresses = set() + + # get progress_callback in order to use this in the scanners. + # TODO: perhaps add more detail to progress, showing method in progress and number of hits found + progress_callback = self._progress_callback + + # TODO: update scanning logic so that all needles can be scanned for at the same time + # this would allow the results to be shown as the scanning is happening and would + # make the plugin faster. It would require working out which needle caused the match + # and applying the logic at that point to get to the socket. + + # Method 1 - find sockets by file operations, then follow pointers to sockets + file_ops_symbol_names = ["socket_file_ops", "sockfs_dentry_operations"] + file_ops_needles = [] + for symbol_name in file_ops_symbol_names: + + # TODO: handle cases where symbol is not found + needle_addr = vmlinux.object_from_symbol(symbol_name).vol.offset + # use canonicalize to set the appropriate sign extension for the addr + addr = kernel_layer.canonicalize(needle_addr) + packed_addr = struct.pack(pack_format, addr) + file_ops_needles.append(packed_addr) + vollog.log( + constants.LOGLEVEL_VVVV, + f"Method 1 will scan for {symbol_name} using the bytes: {packed_addr.hex()}", + ) + + # get file struct to find the offset to the f_op pointer + # this is so that the file object can be created at the correct offset, + # the results of the scanner will be for the f_op member within the file + f_op_offset = vmlinux.get_type("file").members["f_op"][0] + + for addr, _ in memory_layer.scan( + self.context, + scanners.MultiStringScanner(file_ops_needles), + progress_callback, + ): + try: + # create file in the memory_layer, the native layer matches the + # kernel so that pointers can be followed + pfile = self.context.object( + vmlinux.symbol_table_name + constants.BANG + "file", + offset=addr - f_op_offset, + layer_name=memory_layer_name, + native_layer_name=vmlinux.layer_name, + ) + dentry = pfile.get_dentry() + if not dentry: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping file at {hex(addr)} as unable to locate dentry", + ) + continue + + d_inode = dentry.d_inode + if not d_inode: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping file at {hex(addr)} as unable to locate inode for dentry", + ) + continue + + socket_alloc = linux.LinuxUtilities.container_of( + d_inode, "socket_alloc", "vfs_inode", vmlinux + ) + socket = socket_alloc.socket + if not (socket and socket.sk): + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping file at {hex(addr)} as socket created by LinuxUtilities.container_of is invalid", + ) + continue + + # sucessfully trversed from file to sock, this will exist in the + # kernel layer, and need to be translated to the memory layer. + sock = socket.sk.dereference() + sock_physical_addresses.add(kernel_layer.translate(sock.vol.offset)[0]) + + except exceptions.InvalidAddressException as error: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Unable to follow file at {hex(addr)} to socket due to invalid address: {error}", + ) + + # Method 2 - find sockets by socket destructor directly inside sock objects + socket_destructor_symbol_names = [ + "sock_def_destruct", + "packet_sock_destruct", + "unix_sock_destructor", + "netlink_sock_destruct", + "inet_sock_destruct", + ] + + socket_destructor_needles = [] + for socket_destructor_symbol_name in socket_destructor_symbol_names: + addr = kernel_layer.canonicalize( + vmlinux.get_symbol(socket_destructor_symbol_name).address + + vmlinux.offset + ) + packed_addr = struct.pack(pack_format, addr) + socket_destructor_needles.append(packed_addr) + vollog.log( + constants.LOGLEVEL_VVVV, + f"Method 2 will scan for {socket_destructor_symbol_name} using the bytes: {packed_addr.hex()}", + ) + + # get sock struct to find the offset to the sk_destruct pointer + # this is so that the sock object can be created at the correct offset, + # the results of the scanner will be for the sk_destruct member within the scock + sk_destruct_offset = vmlinux.get_type("sock").members["sk_destruct"][0] + + for addr, _ in memory_layer.scan( + self.context, + scanners.MultiStringScanner(socket_destructor_needles), + progress_callback, + ): + sock_physical_addresses.add(addr - sk_destruct_offset) + + # TODO Method 3 - find sock by sk_error_report symbols + # sk_error_report_symbol_names = ['sock_def_error_report', 'inet_sk_rebuild_header', 'inet_listen'] + # this would be similar to Method 2, but using a different pointer within sock. + + # now that the set of results has been created, process them and display the results + for addr in sorted(sock_physical_addresses): + psock = self.context.object( + vmlinux.symbol_table_name + constants.BANG + "sock", + offset=addr, + layer_name=memory_layer_name, + native_layer_name=vmlinux.layer_name, + ) + try: + sock_type = psock.get_type() + + family = psock.get_family() + # remove results with no family + if family == None: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping socket at {hex(addr)} as unable to determin family.", + ) + continue + + # TODO: invesitgate options for more invalid address handling in proccess_sock + # and the later formatting on it's results. + sock_fields = sock_handler.process_sock(psock) + # if no sock_fields we're able to be extracted then skip this result. + if not sock_fields: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping socket at {hex(addr)} as unable to process with SockHandlers.", + ) + continue + + sock, sock_stat, extended = sock_fields + src, src_port, dst, dst_port, state = sock_stat + protocol = sock.get_protocol() + + # format results + src = NotAvailableValue() if src is None else str(src) + src_port = NotAvailableValue() if src_port is None else str(src_port) + dst = NotAvailableValue() if dst is None else str(dst) + dst_port = NotAvailableValue() if dst_port is None else str(dst_port) + state = NotAvailableValue() if state is None else str(state) + protocol = NotAvailableValue() if protocol is None else str(protocol) + # extended attributes is a dict, so this is formated to string show each + # key and value pair, seperated with a comma. + socket_filter_str = ( + ",".join(f"{k}={v}" for k, v in extended.items()) + if extended + else NotAvailableValue() + ) + + # remove empty results + if (src == "0.0.0.0" or isinstance(src, NotAvailableValue)) and ( + dst == "0.0.0.0" or isinstance(src, NotAvailableValue) + ): + if state == "UNCONNECTED": + continue + elif src_port == "0" and dst_port == "0": + continue + + fields = ( + format_hints.Hex(sock.vol.offset), + family, + sock_type, + protocol, + src, + src_port, + dst, + dst_port, + state, + socket_filter_str, + ) + + yield (0, fields) + except exceptions.InvalidAddressException as error: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Unable create results for socket at {hex(addr)} to invalid address: {error}", + ) + + def run(self): + + tree_grid_args = [ + ("Sock Offset", format_hints.Hex), + ("Family", str), + ("Type", str), + ("Proto", str), + ("Source Addr", str), + ("Source Port", str), + ("Destination Addr", str), + ("Destination Port", str), + ("State", str), + ("Filter", str), + ] + + return TreeGrid( + tree_grid_args, + self._generator(self.config["kernel"]), + ) From 67291ce90fcbea2462293082b1f5d246dfca1b24 Mon Sep 17 00:00:00 2001 From: Eve Date: Wed, 27 Mar 2024 09:29:01 +0000 Subject: [PATCH 02/10] Linux: update sockscan to scan memory layer only once for needles --- .../framework/plugins/linux/sockscan.py | 376 ++++++++++-------- 1 file changed, 204 insertions(+), 172 deletions(-) diff --git a/volatility3/framework/plugins/linux/sockscan.py b/volatility3/framework/plugins/linux/sockscan.py index 52b33d9c1a..d02757238e 100644 --- a/volatility3/framework/plugins/linux/sockscan.py +++ b/volatility3/framework/plugins/linux/sockscan.py @@ -4,13 +4,12 @@ import logging import struct -from typing import Callable, Tuple, List, Dict +from typing import List, Set -from volatility3.framework import interfaces, exceptions, constants, objects +from volatility3.framework import exceptions, constants from volatility3.framework.renderers import TreeGrid, NotAvailableValue, format_hints from volatility3.framework.configuration import requirements from volatility3.framework.interfaces import plugins -from volatility3.framework.objects import utility from volatility3.framework.symbols import linux from volatility3.plugins.linux import sockstat from volatility3.framework import symbols @@ -41,6 +40,62 @@ def get_requirements(cls): ), ] + def _canonicalize_symbol_addrs( + self, symbol_table_name: List[str], symbol_names: str + ) -> Set[bytes]: + """Takes a list of symbol names and converts the address of each to the bytes + as they would appear in memory so that they can be scanned for. + + Symbols that cannot be found are ignored and not included in the results. + + Args: + symbol_table_name: The name of the kernel module on which to operate + symbol_names: A list of symbol names to be looked up + + Returns: + A set of bytes which are the packed addresses. + """ + # get vmlinux module from context in order to build objects and read symbols + vmlinux = self.context.modules[symbol_table_name] + + # get kernel layer from context so that it's dependencies can be found, and therefore scanned. + # kernel layer will be virtual and built ontop of a physical layer. + kernel_layer = self.context.layers[vmlinux.layer_name] + + # detmine if kernel is 64bit or not. The plugin scans for pointers and these need to formated + # to the correct size so that they can be accurately located in the physical layer. + if symbols.symbol_table_is_64bit(self.context, vmlinux.symbol_table_name): + pack_format = "Q" # 64 bit + else: + pack_format = "I" # 32 bit + + packed_needles = set() + for symbol_name in symbol_names: + try: + needle_addr = vmlinux.object_from_symbol(symbol_name).vol.offset + except exceptions.SymbolError: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Unable to find symbol {symbol_name} this will not be scanned for.", + ) + continue + # use canonicalize to set the appropriate sign extension for the addr + addr = kernel_layer.canonicalize(needle_addr) + packed_addr = struct.pack(pack_format, addr) + packed_needles.add(packed_addr) + vollog.log( + constants.LOGLEVEL_VVVV, + f"Will scan for {symbol_name} using the bytes: {packed_addr.hex()}", + ) + + # make a warning if no symbols at all could be resolved. + if len(packed_needles) == 0: + vollog.warning( + f"_canonicalize_symbol_addrs was unable to resolve any symbols, use -vvvv for more information." + ) + + return packed_needles + def _generator(self, symbol_table_name: str): """Scans for sockets. Each row represents a kernel socket. @@ -48,6 +103,7 @@ def _generator(self, symbol_table_name: str): symbol_table_name: The name of the kernel module on which to operate Yields: + addr: Physical offset family: Socket family string (AF_UNIX, AF_INET, etc) sock_type: Socket type string (STREAM, DGRAM, etc) protocol: Protocol string (UDP, TCP, etc) @@ -65,15 +121,9 @@ def _generator(self, symbol_table_name: str): # kernel layer will be virtual and built ontop of a physical layer. kernel_layer = self.context.layers[vmlinux.layer_name] - # detmine if kernel is 64bit or not. The plugin scans for pointers and these need to formated - # to the correct size so that they can be accurately located in the physical layer. - if symbols.symbol_table_is_64bit(self.context, vmlinux.symbol_table_name): - pack_format = "Q" # 64 bit - else: - pack_format = "I" # 32 bit - # TODO: Update plugin to support multiple dependencies. e.g. a memory layer and swap file. # This is a shared problem with psscan and having a generic solution would be useful. + # Find the memory layer to scan, and provide warnings if more than one is located. if len(kernel_layer.dependencies) > 1: vollog.warning( @@ -95,91 +145,23 @@ def _generator(self, symbol_table_name: str): init_task = vmlinux.object_from_symbol(symbol_name="init_task") sock_handler = sockstat.SockHandlers(vmlinux, init_task) - # set to track seen sockets so that results are not duplicated between methods - sock_physical_addresses = set() - # get progress_callback in order to use this in the scanners. # TODO: perhaps add more detail to progress, showing method in progress and number of hits found progress_callback = self._progress_callback - # TODO: update scanning logic so that all needles can be scanned for at the same time - # this would allow the results to be shown as the scanning is happening and would - # make the plugin faster. It would require working out which needle caused the match - # and applying the logic at that point to get to the socket. - # Method 1 - find sockets by file operations, then follow pointers to sockets - file_ops_symbol_names = ["socket_file_ops", "sockfs_dentry_operations"] - file_ops_needles = [] - for symbol_name in file_ops_symbol_names: - - # TODO: handle cases where symbol is not found - needle_addr = vmlinux.object_from_symbol(symbol_name).vol.offset - # use canonicalize to set the appropriate sign extension for the addr - addr = kernel_layer.canonicalize(needle_addr) - packed_addr = struct.pack(pack_format, addr) - file_ops_needles.append(packed_addr) - vollog.log( - constants.LOGLEVEL_VVVV, - f"Method 1 will scan for {symbol_name} using the bytes: {packed_addr.hex()}", - ) - + file_ops_symbol_names = [ + "socket_file_ops", + "sockfs_dentry_operations", + ] + file_ops_needles = self._canonicalize_symbol_addrs( + symbol_table_name, file_ops_symbol_names + ) # get file struct to find the offset to the f_op pointer # this is so that the file object can be created at the correct offset, # the results of the scanner will be for the f_op member within the file f_op_offset = vmlinux.get_type("file").members["f_op"][0] - for addr, _ in memory_layer.scan( - self.context, - scanners.MultiStringScanner(file_ops_needles), - progress_callback, - ): - try: - # create file in the memory_layer, the native layer matches the - # kernel so that pointers can be followed - pfile = self.context.object( - vmlinux.symbol_table_name + constants.BANG + "file", - offset=addr - f_op_offset, - layer_name=memory_layer_name, - native_layer_name=vmlinux.layer_name, - ) - dentry = pfile.get_dentry() - if not dentry: - vollog.log( - constants.LOGLEVEL_VVVV, - f"Skipping file at {hex(addr)} as unable to locate dentry", - ) - continue - - d_inode = dentry.d_inode - if not d_inode: - vollog.log( - constants.LOGLEVEL_VVVV, - f"Skipping file at {hex(addr)} as unable to locate inode for dentry", - ) - continue - - socket_alloc = linux.LinuxUtilities.container_of( - d_inode, "socket_alloc", "vfs_inode", vmlinux - ) - socket = socket_alloc.socket - if not (socket and socket.sk): - vollog.log( - constants.LOGLEVEL_VVVV, - f"Skipping file at {hex(addr)} as socket created by LinuxUtilities.container_of is invalid", - ) - continue - - # sucessfully trversed from file to sock, this will exist in the - # kernel layer, and need to be translated to the memory layer. - sock = socket.sk.dereference() - sock_physical_addresses.add(kernel_layer.translate(sock.vol.offset)[0]) - - except exceptions.InvalidAddressException as error: - vollog.log( - constants.LOGLEVEL_VVVV, - f"Unable to follow file at {hex(addr)} to socket due to invalid address: {error}", - ) - # Method 2 - find sockets by socket destructor directly inside sock objects socket_destructor_symbol_names = [ "sock_def_destruct", @@ -188,114 +170,164 @@ def _generator(self, symbol_table_name: str): "netlink_sock_destruct", "inet_sock_destruct", ] - - socket_destructor_needles = [] - for socket_destructor_symbol_name in socket_destructor_symbol_names: - addr = kernel_layer.canonicalize( - vmlinux.get_symbol(socket_destructor_symbol_name).address - + vmlinux.offset - ) - packed_addr = struct.pack(pack_format, addr) - socket_destructor_needles.append(packed_addr) - vollog.log( - constants.LOGLEVEL_VVVV, - f"Method 2 will scan for {socket_destructor_symbol_name} using the bytes: {packed_addr.hex()}", - ) - + socket_destructor_needles = self._canonicalize_symbol_addrs( + symbol_table_name, socket_destructor_symbol_names + ) # get sock struct to find the offset to the sk_destruct pointer # this is so that the sock object can be created at the correct offset, # the results of the scanner will be for the sk_destruct member within the scock sk_destruct_offset = vmlinux.get_type("sock").members["sk_destruct"][0] - for addr, _ in memory_layer.scan( + # TODO Method 3 - find sock by sk_error_report symbols + # sk_error_report_symbol_names = ['sock_def_error_report', 'inet_sk_rebuild_header', 'inet_listen'] + # this would be similar to Method 2, but using a different pointer within sock. + + # Using the calculated needles, scan the memory layer and attempt to parse the sockets located. + for needle_addr, match in memory_layer.scan( self.context, - scanners.MultiStringScanner(socket_destructor_needles), + scanners.MultiStringScanner(socket_destructor_needles | file_ops_needles), progress_callback, ): - sock_physical_addresses.add(addr - sk_destruct_offset) + psock = None + sock_physical_addr = None + + # if match is from socket_destructor_needles simply calculate the offset + # to the sock + if match in socket_destructor_needles: + sock_physical_addr = needle_addr - sk_destruct_offset + psock = self.context.object( + vmlinux.symbol_table_name + constants.BANG + "sock", + offset=sock_physical_addr, + layer_name=memory_layer_name, + native_layer_name=vmlinux.layer_name, + ) - # TODO Method 3 - find sock by sk_error_report symbols - # sk_error_report_symbol_names = ['sock_def_error_report', 'inet_sk_rebuild_header', 'inet_listen'] - # this would be similar to Method 2, but using a different pointer within sock. + # if match is from file_ops_needles attempt to walk from file object to + # the sock + if match in file_ops_needles: + try: + # create file in the memory_layer, the native layer matches the + # kernel so that pointers can be followed + sock_physical_addr = needle_addr - f_op_offset + pfile = self.context.object( + vmlinux.symbol_table_name + constants.BANG + "file", + offset=sock_physical_addr, + layer_name=memory_layer_name, + native_layer_name=vmlinux.layer_name, + ) + dentry = pfile.get_dentry() + if not dentry: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping file at {hex(needle_addr)} as unable to locate dentry", + ) + continue - # now that the set of results has been created, process them and display the results - for addr in sorted(sock_physical_addresses): - psock = self.context.object( - vmlinux.symbol_table_name + constants.BANG + "sock", - offset=addr, - layer_name=memory_layer_name, - native_layer_name=vmlinux.layer_name, - ) - try: - sock_type = psock.get_type() + d_inode = dentry.d_inode + if not d_inode: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping file at {hex(needle_addr)} as unable to locate inode for dentry", + ) + continue - family = psock.get_family() - # remove results with no family - if family == None: - vollog.log( - constants.LOGLEVEL_VVVV, - f"Skipping socket at {hex(addr)} as unable to determin family.", + socket_alloc = linux.LinuxUtilities.container_of( + d_inode, "socket_alloc", "vfs_inode", vmlinux ) - continue + socket = socket_alloc.socket + if not (socket and socket.sk): + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping file at {hex(needle_addr)} as socket created by LinuxUtilities.container_of is invalid", + ) + continue - # TODO: invesitgate options for more invalid address handling in proccess_sock - # and the later formatting on it's results. - sock_fields = sock_handler.process_sock(psock) - # if no sock_fields we're able to be extracted then skip this result. - if not sock_fields: + # sucessfully trversed from file to sock, this will exist in the + # kernel layer, and need to be translated to the memory layer. + psock = socket.sk.dereference() + except exceptions.InvalidAddressException as error: vollog.log( constants.LOGLEVEL_VVVV, - f"Skipping socket at {hex(addr)} as unable to process with SockHandlers.", + f"Unable to follow file at {hex(needle_addr)} to socket due to invalid address: {error}", ) - continue - - sock, sock_stat, extended = sock_fields - src, src_port, dst, dst_port, state = sock_stat - protocol = sock.get_protocol() - - # format results - src = NotAvailableValue() if src is None else str(src) - src_port = NotAvailableValue() if src_port is None else str(src_port) - dst = NotAvailableValue() if dst is None else str(dst) - dst_port = NotAvailableValue() if dst_port is None else str(dst_port) - state = NotAvailableValue() if state is None else str(state) - protocol = NotAvailableValue() if protocol is None else str(protocol) - # extended attributes is a dict, so this is formated to string show each - # key and value pair, seperated with a comma. - socket_filter_str = ( - ",".join(f"{k}={v}" for k, v in extended.items()) - if extended - else NotAvailableValue() - ) - # remove empty results - if (src == "0.0.0.0" or isinstance(src, NotAvailableValue)) and ( - dst == "0.0.0.0" or isinstance(src, NotAvailableValue) - ): - if state == "UNCONNECTED": + if psock is not None: + try: + sock_type = psock.get_type() + + family = psock.get_family() + # remove results with no family + if family == None: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping socket at {hex(sock_physical_addr)} as unable to determin family.", + ) continue - elif src_port == "0" and dst_port == "0": + + # TODO: invesitgate options for more invalid address handling in proccess_sock + # and the later formatting of it's results. + sock_fields = sock_handler.process_sock(psock) + # if no sock_fields we're able to be extracted then skip this result. + if not sock_fields: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping socket at {hex(sock_physical_addr)} as unable to process with SockHandlers.", + ) continue - fields = ( - format_hints.Hex(sock.vol.offset), - family, - sock_type, - protocol, - src, - src_port, - dst, - dst_port, - state, - socket_filter_str, - ) + sock, sock_stat, extended = sock_fields + src, src_port, dst, dst_port, state = sock_stat + protocol = sock.get_protocol() - yield (0, fields) - except exceptions.InvalidAddressException as error: - vollog.log( - constants.LOGLEVEL_VVVV, - f"Unable create results for socket at {hex(addr)} to invalid address: {error}", - ) + # format results + src = NotAvailableValue() if src is None else str(src) + src_port = ( + NotAvailableValue() if src_port is None else str(src_port) + ) + dst = NotAvailableValue() if dst is None else str(dst) + dst_port = ( + NotAvailableValue() if dst_port is None else str(dst_port) + ) + state = NotAvailableValue() if state is None else str(state) + protocol = ( + NotAvailableValue() if protocol is None else str(protocol) + ) + # extended attributes is a dict, so this is formated to string show each + # key and value pair, seperated with a comma. + socket_filter_str = ( + ",".join(f"{k}={v}" for k, v in extended.items()) + if extended + else NotAvailableValue() + ) + + # remove empty results + if (src == "0.0.0.0" or isinstance(src, NotAvailableValue)) and ( + dst == "0.0.0.0" or isinstance(src, NotAvailableValue) + ): + if state == "UNCONNECTED": + continue + elif src_port == "0" and dst_port == "0": + continue + + fields = ( + format_hints.Hex(sock_physical_addr), + family, + sock_type, + protocol, + src, + src_port, + dst, + dst_port, + state, + socket_filter_str, + ) + + yield (0, fields) + except exceptions.InvalidAddressException as error: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Unable create results for socket at {hex(sock_physical_addr)} due to invalid address: {error}", + ) def run(self): From 4f1f48087611818f874a033db4257b162e468c3f Mon Sep 17 00:00:00 2001 From: Eve Date: Wed, 27 Mar 2024 09:32:49 +0000 Subject: [PATCH 03/10] Linux: add test for sockscan plugin --- test/test_volatility.py | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/test/test_volatility.py b/test/test_volatility.py index 6e54aa0535..0f935546de 100644 --- a/test/test_volatility.py +++ b/test/test_volatility.py @@ -196,7 +196,7 @@ def test_windows_thrdscan(image, volatility, python): assert out.find(b"\t4\t8") != -1 assert out.find(b"\t4\t12") != -1 assert out.find(b"\t4\t16") != -1 - #assert out.find(b"this raieses AssertionError") != -1 + # assert out.find(b"this raieses AssertionError") != -1 assert rc == 0 @@ -368,6 +368,27 @@ def test_linux_library_list(image, volatility, python): assert rc == 0 +def test_linux_sockscan(image, volatility, python): + # designed for linux-sample-1.dmp SHA1:1C3A4627EDCA94A7ADE3414592BEF0E62D7D3BB6 + rc, out, err = runvol_plugin("linux.sockscan.Sockscan", image, volatility, python) + + assert re.search( + rb"AF_UNIX\s+STREAM\s+-\s+/tmp/pulse-JldaJj8OxQLa/native\s+14054\s+-\s+14053\s+ESTABLISHED\s+-", + out, + ) + assert re.search( + rb"AF_INET\s+STREAM\s+TCP\s+192.168.201.161\s+22\s+192.168.201.1\s+59982\s+ESTABLISHED\s+-", + out, + ) + assert re.search( + rb"AF_INET\s+STREAM\s+TCP\s+0.0.0.0\s+901\s+0.0.0.0\s+0\s+LISTEN\s+-", + out, + ) + + assert out.count(b"\n") >= 50 + assert rc == 0 + + # MAC From 2c8b757ef02bcf6052705a32da6559789aff4201 Mon Sep 17 00:00:00 2001 From: Eve Date: Thu, 28 Mar 2024 08:55:07 +0000 Subject: [PATCH 04/10] Linux: update sockscan family check to use 'is None' rather than '== None' as per CodeQL --- volatility3/framework/plugins/linux/sockscan.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/volatility3/framework/plugins/linux/sockscan.py b/volatility3/framework/plugins/linux/sockscan.py index d02757238e..89f35e6bbe 100644 --- a/volatility3/framework/plugins/linux/sockscan.py +++ b/volatility3/framework/plugins/linux/sockscan.py @@ -257,7 +257,7 @@ def _generator(self, symbol_table_name: str): family = psock.get_family() # remove results with no family - if family == None: + if family is None: vollog.log( constants.LOGLEVEL_VVVV, f"Skipping socket at {hex(sock_physical_addr)} as unable to determin family.", From f3f5650a1d4c5456a8aaa61c58d724bbabf47e97 Mon Sep 17 00:00:00 2001 From: Eve Date: Thu, 28 Mar 2024 09:03:39 +0000 Subject: [PATCH 05/10] Linux: update sockscan with checks to reduce possible duplication of results --- volatility3/framework/plugins/linux/sockscan.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/volatility3/framework/plugins/linux/sockscan.py b/volatility3/framework/plugins/linux/sockscan.py index 89f35e6bbe..d3413dea0c 100644 --- a/volatility3/framework/plugins/linux/sockscan.py +++ b/volatility3/framework/plugins/linux/sockscan.py @@ -182,6 +182,9 @@ def _generator(self, symbol_table_name: str): # sk_error_report_symbol_names = ['sock_def_error_report', 'inet_sk_rebuild_header', 'inet_listen'] # this would be similar to Method 2, but using a different pointer within sock. + # add a set of seen addresses to stop possible duplication of results. + seen_sock_physical_addr = set() + # Using the calculated needles, scan the memory layer and attempt to parse the sockets located. for needle_addr, match in memory_layer.scan( self.context, @@ -251,7 +254,8 @@ def _generator(self, symbol_table_name: str): f"Unable to follow file at {hex(needle_addr)} to socket due to invalid address: {error}", ) - if psock is not None: + if psock is not None and sock_physical_addr not in seen_sock_physical_addr: + seen_sock_physical_addr.add(sock_physical_addr) try: sock_type = psock.get_type() From fb67d630835e2f7f78b055193de4cfd8696f8f23 Mon Sep 17 00:00:00 2001 From: Eve Date: Thu, 28 Mar 2024 09:21:54 +0000 Subject: [PATCH 06/10] Linux: update tests for sockscan to be more generic --- test/test_volatility.py | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/test/test_volatility.py b/test/test_volatility.py index 0f935546de..3d88eeab16 100644 --- a/test/test_volatility.py +++ b/test/test_volatility.py @@ -372,17 +372,26 @@ def test_linux_sockscan(image, volatility, python): # designed for linux-sample-1.dmp SHA1:1C3A4627EDCA94A7ADE3414592BEF0E62D7D3BB6 rc, out, err = runvol_plugin("linux.sockscan.Sockscan", image, volatility, python) - assert re.search( - rb"AF_UNIX\s+STREAM\s+-\s+/tmp/pulse-JldaJj8OxQLa/native\s+14054\s+-\s+14053\s+ESTABLISHED\s+-", - out, - ) - assert re.search( - rb"AF_INET\s+STREAM\s+TCP\s+192.168.201.161\s+22\s+192.168.201.1\s+59982\s+ESTABLISHED\s+-", - out, + # ensure that multiple unix paths for sockets have been found + assert ( + len( + re.findall( + rb"(/[ -~]+?){1,8}", + out, + ) + ) + >= 10 ) - assert re.search( - rb"AF_INET\s+STREAM\s+TCP\s+0.0.0.0\s+901\s+0.0.0.0\s+0\s+LISTEN\s+-", - out, + + # ensure that multiple IPv4 addresses have been found + assert ( + len( + re.findall( + rb"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}", + out, + ) + ) + >= 10 ) assert out.count(b"\n") >= 50 From 3fa63061ddd2bba4a80c843bbb2a2095a7c1e67c Mon Sep 17 00:00:00 2001 From: ikelos Date: Wed, 3 Apr 2024 20:29:24 +0100 Subject: [PATCH 07/10] Update volatility3/framework/plugins/linux/sockscan.py Co-authored-by: Donghyun Kim --- volatility3/framework/plugins/linux/sockscan.py | 1 - 1 file changed, 1 deletion(-) diff --git a/volatility3/framework/plugins/linux/sockscan.py b/volatility3/framework/plugins/linux/sockscan.py index d3413dea0c..dc657c65b4 100644 --- a/volatility3/framework/plugins/linux/sockscan.py +++ b/volatility3/framework/plugins/linux/sockscan.py @@ -12,7 +12,6 @@ from volatility3.framework.interfaces import plugins from volatility3.framework.symbols import linux from volatility3.plugins.linux import sockstat -from volatility3.framework import symbols from volatility3.framework import symbols, constants from volatility3.framework.layers import scanners From e4ea19debfeb61d0e441309dcb4edabb22c2dd46 Mon Sep 17 00:00:00 2001 From: eve Date: Fri, 2 Aug 2024 11:41:52 +0100 Subject: [PATCH 08/10] Linux: sockscan update based on comments from @gcmoreira, add version, make use of relative_child_offset, fix f string. --- volatility3/framework/plugins/linux/sockscan.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/volatility3/framework/plugins/linux/sockscan.py b/volatility3/framework/plugins/linux/sockscan.py index dc657c65b4..cab4b9718f 100644 --- a/volatility3/framework/plugins/linux/sockscan.py +++ b/volatility3/framework/plugins/linux/sockscan.py @@ -22,7 +22,8 @@ class Sockscan(plugins.PluginInterface): """Scans for network connections found in memory layer.""" _required_framework_version = (2, 6, 0) - + _version = (1, 0, 0) + @classmethod def get_requirements(cls): return [ @@ -35,12 +36,12 @@ def get_requirements(cls): name="SockHandlers", component=sockstat.SockHandlers, version=(1, 0, 0) ), requirements.VersionRequirement( - name="linuxutils", component=linux.LinuxUtilities, version=(2, 0, 0) + name="linuxutils", component=linux.LinuxUtilities, version=(2, 1, 0) ), ] def _canonicalize_symbol_addrs( - self, symbol_table_name: List[str], symbol_names: str + self, symbol_table_name: str, symbol_names: List[str] ) -> Set[bytes]: """Takes a list of symbol names and converts the address of each to the bytes as they would appear in memory so that they can be scanned for. @@ -88,9 +89,9 @@ def _canonicalize_symbol_addrs( ) # make a warning if no symbols at all could be resolved. - if len(packed_needles) == 0: + if not packed_needles: vollog.warning( - f"_canonicalize_symbol_addrs was unable to resolve any symbols, use -vvvv for more information." + "_canonicalize_symbol_addrs was unable to resolve any symbols, use -vvvv for more information." ) return packed_needles @@ -159,7 +160,7 @@ def _generator(self, symbol_table_name: str): # get file struct to find the offset to the f_op pointer # this is so that the file object can be created at the correct offset, # the results of the scanner will be for the f_op member within the file - f_op_offset = vmlinux.get_type("file").members["f_op"][0] + f_op_offset = vmlinux.get_type("file").relative_child_offset("f_op") # Method 2 - find sockets by socket destructor directly inside sock objects socket_destructor_symbol_names = [ @@ -175,7 +176,7 @@ def _generator(self, symbol_table_name: str): # get sock struct to find the offset to the sk_destruct pointer # this is so that the sock object can be created at the correct offset, # the results of the scanner will be for the sk_destruct member within the scock - sk_destruct_offset = vmlinux.get_type("sock").members["sk_destruct"][0] + sk_destruct_offset = vmlinux.get_type("sock").relative_child_offset("sk_destruct") # TODO Method 3 - find sock by sk_error_report symbols # sk_error_report_symbol_names = ['sock_def_error_report', 'inet_sk_rebuild_header', 'inet_listen'] From a3393a971155a0ef095509fdb758f6e2b37994b7 Mon Sep 17 00:00:00 2001 From: eve Date: Fri, 2 Aug 2024 11:46:04 +0100 Subject: [PATCH 09/10] Linux: fix black formatting issues --- volatility3/framework/plugins/linux/sockscan.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/volatility3/framework/plugins/linux/sockscan.py b/volatility3/framework/plugins/linux/sockscan.py index cab4b9718f..35e8237df9 100644 --- a/volatility3/framework/plugins/linux/sockscan.py +++ b/volatility3/framework/plugins/linux/sockscan.py @@ -23,7 +23,7 @@ class Sockscan(plugins.PluginInterface): _required_framework_version = (2, 6, 0) _version = (1, 0, 0) - + @classmethod def get_requirements(cls): return [ @@ -176,7 +176,9 @@ def _generator(self, symbol_table_name: str): # get sock struct to find the offset to the sk_destruct pointer # this is so that the sock object can be created at the correct offset, # the results of the scanner will be for the sk_destruct member within the scock - sk_destruct_offset = vmlinux.get_type("sock").relative_child_offset("sk_destruct") + sk_destruct_offset = vmlinux.get_type("sock").relative_child_offset( + "sk_destruct" + ) # TODO Method 3 - find sock by sk_error_report symbols # sk_error_report_symbol_names = ['sock_def_error_report', 'inet_sk_rebuild_header', 'inet_listen'] From 3c377320e5b2ddfe6f9e6c9101790af88faa0ade Mon Sep 17 00:00:00 2001 From: eve Date: Fri, 2 Aug 2024 15:41:04 +0100 Subject: [PATCH 10/10] Linux: Begin to breakdown the functions in sockscan plugin --- .../framework/plugins/linux/sockscan.py | 338 ++++++++++-------- 1 file changed, 191 insertions(+), 147 deletions(-) diff --git a/volatility3/framework/plugins/linux/sockscan.py b/volatility3/framework/plugins/linux/sockscan.py index 35e8237df9..57b4daf31c 100644 --- a/volatility3/framework/plugins/linux/sockscan.py +++ b/volatility3/framework/plugins/linux/sockscan.py @@ -96,22 +96,15 @@ def _canonicalize_symbol_addrs( return packed_needles - def _generator(self, symbol_table_name: str): - """Scans for sockets. Each row represents a kernel socket. + def _find_memory_layer_name(self, symbol_table_name: str): + """Find the memory layer below the kernel. Only returns a single layer, + and will warn the user if multiple layers are found. Args: - symbol_table_name: The name of the kernel module on which to operate + symbol_table_name: The name of the kernel module on which to operate. - Yields: - addr: Physical offset - family: Socket family string (AF_UNIX, AF_INET, etc) - sock_type: Socket type string (STREAM, DGRAM, etc) - protocol: Protocol string (UDP, TCP, etc) - source addr: Source address string - source port: Source port string (not all of them are int) - destination addr: Destination address string - destination port: Destination port (not all of them are int) - state: State strings (LISTEN, CONNECTED, etc) + Returns: + memory_layer_name: The name of the layer below the kernel to be scanned. """ # get vmlinux module from context in order to build objects and read symbols @@ -136,20 +129,15 @@ def _generator(self, symbol_table_name: str): raise exceptions.LayerException( vmlinux.layer_name, f"Layer {vmlinux.layer_name} has no dependencies" ) + memory_layer_name = kernel_layer.dependencies[0] - memory_layer = self.context.layers[kernel_layer.dependencies[0]] - # use the init process to build a sock handler - # TODO: look into options so that sockstat.SockHandlers so that process_sock can - # be used without a task object. - init_task = vmlinux.object_from_symbol(symbol_name="init_task") - sock_handler = sockstat.SockHandlers(vmlinux, init_task) + return memory_layer_name - # get progress_callback in order to use this in the scanners. - # TODO: perhaps add more detail to progress, showing method in progress and number of hits found - progress_callback = self._progress_callback + def _find_file_ops_needles(self, symbol_table_name: str): + # get vmlinux module from context in order to read symbols + vmlinux = self.context.modules[symbol_table_name] - # Method 1 - find sockets by file operations, then follow pointers to sockets file_ops_symbol_names = [ "socket_file_ops", "sockfs_dentry_operations", @@ -162,7 +150,12 @@ def _generator(self, symbol_table_name: str): # the results of the scanner will be for the f_op member within the file f_op_offset = vmlinux.get_type("file").relative_child_offset("f_op") - # Method 2 - find sockets by socket destructor directly inside sock objects + return (file_ops_needles, f_op_offset) + + def _find_sk_destruct_needles(self, symbol_table_name: str): + # get vmlinux module from context in order to read symbols + vmlinux = self.context.modules[symbol_table_name] + socket_destructor_symbol_names = [ "sock_def_destruct", "packet_sock_destruct", @@ -179,6 +172,173 @@ def _generator(self, symbol_table_name: str): sk_destruct_offset = vmlinux.get_type("sock").relative_child_offset( "sk_destruct" ) + return (socket_destructor_needles, sk_destruct_offset) + + def _walk_file_ops_needles( + self, symbol_table_name, memory_layer_name, needle_addr, f_op_offset + ): + vmlinux = self.context.modules[symbol_table_name] + try: + # create file in the memory_layer, the native layer matches the + # kernel so that pointers can be followed + sock_physical_addr = needle_addr - f_op_offset + pfile = self.context.object( + vmlinux.symbol_table_name + constants.BANG + "file", + offset=sock_physical_addr, + layer_name=memory_layer_name, + native_layer_name=vmlinux.layer_name, + ) + dentry = pfile.get_dentry() + if not dentry: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping file at {hex(needle_addr)} as unable to locate dentry", + ) + return None + + d_inode = dentry.d_inode + if not d_inode: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping file at {hex(needle_addr)} as unable to locate inode for dentry", + ) + return None + + socket_alloc = linux.LinuxUtilities.container_of( + d_inode, "socket_alloc", "vfs_inode", vmlinux + ) + socket = socket_alloc.socket + if not (socket and socket.sk): + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping file at {hex(needle_addr)} as socket created by LinuxUtilities.container_of is invalid", + ) + return None + + # sucessfully trversed from file to sock, this will exist in the + # kernel layer, and need to be translated to the memory layer. + psock = socket.sk.dereference() + return psock + + except exceptions.InvalidAddressException as error: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Unable to follow file at {hex(needle_addr)} to socket due to invalid address: {error}", + ) + + def _extract_sock_fields(self, psock, sock_handler): + try: + sock_physical_addr = psock.vol.offset + sock_type = psock.get_type() + + family = psock.get_family() + # remove results with no family + if family is None: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping socket at {hex(sock_physical_addr)} as unable to determin family.", + ) + return None + + # TODO: invesitgate options for more invalid address handling in proccess_sock + # and the later formatting of it's results. + sock_fields = sock_handler.process_sock(psock) + # if no sock_fields we're able to be extracted then skip this result. + if not sock_fields: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Skipping socket at {hex(sock_physical_addr)} as unable to process with SockHandlers.", + ) + return None + + sock, sock_stat, extended = sock_fields + src, src_port, dst, dst_port, state = sock_stat + protocol = sock.get_protocol() + + # format results + src = NotAvailableValue() if src is None else str(src) + src_port = NotAvailableValue() if src_port is None else str(src_port) + dst = NotAvailableValue() if dst is None else str(dst) + dst_port = NotAvailableValue() if dst_port is None else str(dst_port) + state = NotAvailableValue() if state is None else str(state) + protocol = NotAvailableValue() if protocol is None else str(protocol) + # extended attributes is a dict, so this is formated to string show each + # key and value pair, seperated with a comma. + socket_filter_str = ( + ",".join(f"{k}={v}" for k, v in extended.items()) + if extended + else NotAvailableValue() + ) + + # remove empty results + if (src == "0.0.0.0" or isinstance(src, NotAvailableValue)) and ( + dst == "0.0.0.0" or isinstance(src, NotAvailableValue) + ): + if state == "UNCONNECTED": + return None + elif src_port == "0" and dst_port == "0": + return None + return ( + format_hints.Hex(sock_physical_addr), + family, + sock_type, + protocol, + src, + src_port, + dst, + dst_port, + state, + socket_filter_str, + ) + + except exceptions.InvalidAddressException as error: + vollog.log( + constants.LOGLEVEL_VVVV, + f"Unable create results for socket at {hex(sock_physical_addr)} due to invalid address: {error}", + ) + + def _generator(self, symbol_table_name: str): + """Scans for sockets. Each row represents a kernel socket. + + Args: + symbol_table_name: The name of the kernel module on which to operate + + Yields: + addr: Physical offset + family: Socket family string (AF_UNIX, AF_INET, etc) + sock_type: Socket type string (STREAM, DGRAM, etc) + protocol: Protocol string (UDP, TCP, etc) + source addr: Source address string + source port: Source port string (not all of them are int) + destination addr: Destination address string + destination port: Destination port (not all of them are int) + state: State strings (LISTEN, CONNECTED, etc) + """ + + # get vmlinux module from context in order to build objects and read symbols + vmlinux = self.context.modules[symbol_table_name] + + # get the memory layer that is to be scanned. + memory_layer_name = self._find_memory_layer_name(symbol_table_name) + memory_layer = self.context.layers[memory_layer_name] + + # use the init process to build a sock handler + # TODO: look into options so that sockstat.SockHandlers so that process_sock can + # be used without a task object. + init_task = vmlinux.object_from_symbol(symbol_name="init_task") + sock_handler = sockstat.SockHandlers(vmlinux, init_task) + + # get progress_callback in order to use this in the scanners. + # TODO: perhaps add more detail to progress, showing method in progress and number of hits found + progress_callback = self._progress_callback + + # Method 1 - find sockets by file operations, then follow pointers to sockets + file_ops_needles, f_op_offset = self._find_file_ops_needles(symbol_table_name) + + # Method 2 - find sockets by socket destructor directly inside sock objects + socket_destructor_needles, sk_destruct_offset = self._find_sk_destruct_needles( + symbol_table_name + ) # TODO Method 3 - find sock by sk_error_report symbols # sk_error_report_symbol_names = ['sock_def_error_report', 'inet_sk_rebuild_header', 'inet_listen'] @@ -196,8 +356,7 @@ def _generator(self, symbol_table_name: str): psock = None sock_physical_addr = None - # if match is from socket_destructor_needles simply calculate the offset - # to the sock + # if match is from socket_destructor_needles simply calculate the offset to the sock if match in socket_destructor_needles: sock_physical_addr = needle_addr - sk_destruct_offset psock = self.context.object( @@ -207,133 +366,18 @@ def _generator(self, symbol_table_name: str): native_layer_name=vmlinux.layer_name, ) - # if match is from file_ops_needles attempt to walk from file object to - # the sock + # if match is from file_ops_needles attempt to walk from file object to the sock if match in file_ops_needles: - try: - # create file in the memory_layer, the native layer matches the - # kernel so that pointers can be followed - sock_physical_addr = needle_addr - f_op_offset - pfile = self.context.object( - vmlinux.symbol_table_name + constants.BANG + "file", - offset=sock_physical_addr, - layer_name=memory_layer_name, - native_layer_name=vmlinux.layer_name, - ) - dentry = pfile.get_dentry() - if not dentry: - vollog.log( - constants.LOGLEVEL_VVVV, - f"Skipping file at {hex(needle_addr)} as unable to locate dentry", - ) - continue - - d_inode = dentry.d_inode - if not d_inode: - vollog.log( - constants.LOGLEVEL_VVVV, - f"Skipping file at {hex(needle_addr)} as unable to locate inode for dentry", - ) - continue - - socket_alloc = linux.LinuxUtilities.container_of( - d_inode, "socket_alloc", "vfs_inode", vmlinux - ) - socket = socket_alloc.socket - if not (socket and socket.sk): - vollog.log( - constants.LOGLEVEL_VVVV, - f"Skipping file at {hex(needle_addr)} as socket created by LinuxUtilities.container_of is invalid", - ) - continue - - # sucessfully trversed from file to sock, this will exist in the - # kernel layer, and need to be translated to the memory layer. - psock = socket.sk.dereference() - except exceptions.InvalidAddressException as error: - vollog.log( - constants.LOGLEVEL_VVVV, - f"Unable to follow file at {hex(needle_addr)} to socket due to invalid address: {error}", - ) + psock = self._walk_file_ops_needles( + symbol_table_name, memory_layer_name, needle_addr, f_op_offset + ) if psock is not None and sock_physical_addr not in seen_sock_physical_addr: seen_sock_physical_addr.add(sock_physical_addr) - try: - sock_type = psock.get_type() - - family = psock.get_family() - # remove results with no family - if family is None: - vollog.log( - constants.LOGLEVEL_VVVV, - f"Skipping socket at {hex(sock_physical_addr)} as unable to determin family.", - ) - continue - - # TODO: invesitgate options for more invalid address handling in proccess_sock - # and the later formatting of it's results. - sock_fields = sock_handler.process_sock(psock) - # if no sock_fields we're able to be extracted then skip this result. - if not sock_fields: - vollog.log( - constants.LOGLEVEL_VVVV, - f"Skipping socket at {hex(sock_physical_addr)} as unable to process with SockHandlers.", - ) - continue - - sock, sock_stat, extended = sock_fields - src, src_port, dst, dst_port, state = sock_stat - protocol = sock.get_protocol() - - # format results - src = NotAvailableValue() if src is None else str(src) - src_port = ( - NotAvailableValue() if src_port is None else str(src_port) - ) - dst = NotAvailableValue() if dst is None else str(dst) - dst_port = ( - NotAvailableValue() if dst_port is None else str(dst_port) - ) - state = NotAvailableValue() if state is None else str(state) - protocol = ( - NotAvailableValue() if protocol is None else str(protocol) - ) - # extended attributes is a dict, so this is formated to string show each - # key and value pair, seperated with a comma. - socket_filter_str = ( - ",".join(f"{k}={v}" for k, v in extended.items()) - if extended - else NotAvailableValue() - ) - - # remove empty results - if (src == "0.0.0.0" or isinstance(src, NotAvailableValue)) and ( - dst == "0.0.0.0" or isinstance(src, NotAvailableValue) - ): - if state == "UNCONNECTED": - continue - elif src_port == "0" and dst_port == "0": - continue - - fields = ( - format_hints.Hex(sock_physical_addr), - family, - sock_type, - protocol, - src, - src_port, - dst, - dst_port, - state, - socket_filter_str, - ) + fields = self._extract_sock_fields(psock, sock_handler) + if fields: yield (0, fields) - except exceptions.InvalidAddressException as error: - vollog.log( - constants.LOGLEVEL_VVVV, - f"Unable create results for socket at {hex(sock_physical_addr)} due to invalid address: {error}", - ) def run(self):