-
Notifications
You must be signed in to change notification settings - Fork 481
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Linux - Boottime support #1317
Linux - Boottime support #1317
Conversation
Hey @ikelos, the tests are failing because the ISF in linux.zip ( The ISF is circa 2018 and needs to be updated. $ unzip -l linux.zip linux/linux-image-3.2.0-4-amd64-dbg_3.2.57-3+deb7u2_amd64.json.xz
Archive: linux.zip
Length Date Time Name
--------- ---------- ----- ----
776408 2018-07-19 03:04 linux/linux-image-3.2.0-4-amd64-dbg_3.2.57-3+deb7u2_amd64.json.xz
--------- -------
776408 1 file Alternatively, this will be fixed once #1316 is merged. See the following using the same sample: $ ./vol.py \
--remote-isf-url 'https://github.com/Abyss-W4tcher/volatility3-symbols/raw/master/banners/banners.json' \
-f ./linux-sample-1.bin \
linux.pslist
Volatility 3 Framework 2.11.0
Progress: 100.00 Stacking attempts finished
OFFSET (V) PID TID PPID COMM CREATION TIME File output
0x88001f994740 1 1 0 init 2014-06-24 10:22:33.016001 UTC Disabled
0x88001f994040 2 2 0 kthreadd 2014-06-24 10:22:33.016001 UTC Disabled
0x88001f9a2780 3 3 2 ksoftirqd/0 2014-06-24 10:22:33.056003 UTC Disabled
0x88001f9a67c0 5 5 2 kworker/u:0 2014-06-24 10:22:33.056003 UTC Disabled |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally the plugin seems fine, we need to get the tests sorted as soon as possible. That's one for @npetroni . My worry with this is the deviation from a well known standard for seemingly little gain and the naming of one of the classes feels quite vague/rushed. Otherwise generally happy with it, like the comments detailing exactly which case is for which kernel version (down to the git commit in some places, I'm assuming?).
…use the created time for the boot time plugin
…object instead of modifying the original. It also normalizes its values, aligning with the behavior of the other addition and subtraction operators
Move TimespecVol3 methods to an abstract class Timespec64Abstract, which is now inherited by Timespec64 and Timespec64Concrete.
…d negate() for improved clarity and reuse
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, thanks! 5:)
Ok, this seems to be failing on |
It looks like |
@ikelos Alright, merge conflict resolved. It will be good to go once the ISF is fixed. |
@ikelos the ISF is now fixed, I reran the tests and it passed. it's ready to go!! |
@@ -81,7 +83,7 @@ def filter_func(x): | |||
@classmethod | |||
def get_task_fields( | |||
cls, task: interfaces.objects.ObjectInterface, decorate_comm: bool = False | |||
) -> Tuple[int, int, int, str]: | |||
) -> Tuple[int, int, int, int, str, datetime.datetime]: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change to the return response of a classmethod (the exposed API) should've meant that the MAJOR version got bumped, sorry for missing it... 5:S
In this PR we introduce the boot time support to the Volatility3 framework.
This enables other plugins to provide UTC datetime information based on the system boot time. A prime example is the
linux.pslist
plugin, which has been enhanced as part of this effort. Additionally, we have introduced a newlinux.boottime
plugin to retrieve the system boot time date, supporting also time namespaces (kernels >= 5.6). Both plugins offer support for the Timeliner.linux.pslist
Note: The task creation time is seen from the root time namespece, which is what's expected.
6.8.0-41
4.4.0-142
3.13.0-185
3.2.0-4
linux.boottime
In this first example, we will examine the boot time on a system with multiple time namespaces.
Let's start by inspecting the root time namespace.
Next, let's create a new time namespace with a different boot time, -2days:
It's time to examine a memory dump that includes the steps mentioned above.
Other kernels tests:
6.8.0-41
4.4.0-142
3.13.0-185
3.2.0-4
Timeliner