Add linux sockscan plugin #1120

Draft
wants to merge 12 commits into
base: develop
32 changes: 31 additions & 1 deletion test/test_volatility.py
Expand Up @@ -196,7 +196,7 @@ def test_windows_thrdscan(image, volatility, python):
assert out.find(b"\t4\t8") != -1
assert out.find(b"\t4\t12") != -1
assert out.find(b"\t4\t16") != -1
#assert out.find(b"this raieses AssertionError") != -1
# assert out.find(b"this raieses AssertionError") != -1
assert rc == 0


Expand Down Expand Up @@ -368,6 +368,36 @@ def test_linux_library_list(image, volatility, python):
assert rc == 0


def test_linux_sockscan(image, volatility, python):
# designed for linux-sample-1.dmp SHA1:1C3A4627EDCA94A7ADE3414592BEF0E62D7D3BB6
rc, out, err = runvol_plugin("linux.sockscan.Sockscan", image, volatility, python)

# ensure that multiple unix paths for sockets have been found
assert (
len(
re.findall(
rb"(/[ -~]+?){1,8}",
out,
)
)
>= 10
)

# ensure that multiple IPv4 addresses have been found
assert (
len(
re.findall(
rb"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}",
out,
)
)
>= 10
)

assert out.count(b"\n") >= 50
assert rc == 0


# MAC


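Review bot: The path check in test_linux_sockscan counts slashes rather than socket paths: with the lazy `+?` inside `rb"(/[ -~]+?){1,8}"`, each match is a `/` plus one character and the group only repeats when the very next character is another `/`, so a single path with four `/`-separated segments already contributes four matches and three such paths satisfy `>= 10`. A pattern that consumes a whole path token, `rb"(?:/[^\s/]+)+"`, makes the count correspond to the "multiple unix paths" the comment promises. Keeping `assert rc == 0` last mirrors the other tests in this file, but when the plugin fails the regex assertions fire first with only a count in the failure message; `assert rc == 0, err` would surface the plugin's error output instead. The hunk does not show the file's import block, so confirm that `re` is already imported at the top of test_volatility.py.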