From 02f17af8a632fb70d1152c66ff3847b2fb921033 Mon Sep 17 00:00:00 2001 From: Gustavo Moreira Date: Tue, 17 Dec 2024 12:09:29 +1100 Subject: [PATCH 1/2] linux: fix task parent pid in several plugins. It also adds a method to get the correct one in a unified way from the task object extension --- .../framework/plugins/linux/capabilities.py | 4 ++-- volatility3/framework/plugins/linux/envars.py | 12 ++---------- volatility3/framework/plugins/linux/psaux.py | 10 ++-------- volatility3/framework/plugins/linux/pslist.py | 4 ++-- volatility3/framework/plugins/linux/psscan.py | 7 ++----- volatility3/framework/plugins/linux/pstree.py | 6 +++--- .../framework/symbols/linux/extensions/__init__.py | 14 ++++++++++++++ 7 files changed, 27 insertions(+), 30 deletions(-) diff --git a/volatility3/framework/plugins/linux/capabilities.py b/volatility3/framework/plugins/linux/capabilities.py index a8a8fb1fa3..a06ee4c1b3 100644 --- a/volatility3/framework/plugins/linux/capabilities.py +++ b/volatility3/framework/plugins/linux/capabilities.py @@ -50,7 +50,7 @@ class Capabilities(plugins.PluginInterface): """Lists process capabilities""" _required_framework_version = (2, 0, 0) - _version = (1, 0, 1) + _version = (1, 1, 0) @classmethod def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: @@ -136,7 +136,7 @@ def get_task_capabilities( comm=utility.array_to_string(task.comm), pid=int(task.pid), tgid=int(task.tgid), - ppid=int(task.parent.pid), + ppid=int(task.get_parent_pid()), euid=int(task.cred.euid), ) diff --git a/volatility3/framework/plugins/linux/envars.py b/volatility3/framework/plugins/linux/envars.py index 22aba6408b..a3eb21cf5c 100644 --- a/volatility3/framework/plugins/linux/envars.py +++ b/volatility3/framework/plugins/linux/envars.py @@ -17,7 +17,7 @@ class Envars(plugins.PluginInterface): """Lists processes with their environment variables""" _required_framework_version = (2, 0, 0) - _version = (1, 0, 1) + _version = (1, 1, 0) @classmethod def get_requirements(cls): @@ -48,15 +48,7 @@ def _generator(self, tasks): # get process name as string name = utility.array_to_string(task.comm) - - # try and get task parent - try: - ppid = task.parent.pid - except exceptions.InvalidAddressException: - vollog.debug( - f"Unable to read parent pid for task {pid} {name}, setting ppid to 0." - ) - ppid = 0 + ppid = task.get_parent_pid() # kernel threads never have an mm as they do not have userland mappings try: diff --git a/volatility3/framework/plugins/linux/psaux.py b/volatility3/framework/plugins/linux/psaux.py index 5467c3b4c4..5a4d75c706 100644 --- a/volatility3/framework/plugins/linux/psaux.py +++ b/volatility3/framework/plugins/linux/psaux.py @@ -15,7 +15,7 @@ class PsAux(plugins.PluginInterface): """Lists processes with their command line arguments""" _required_framework_version = (2, 0, 0) - _version = (1, 0, 1) + _version = (1, 1, 0) @classmethod def get_requirements(cls): @@ -98,14 +98,8 @@ def _generator(self, tasks): # walk the process list and report the arguments for task in tasks: pid = task.pid - - try: - ppid = task.parent.pid - except exceptions.InvalidAddressException: - ppid = 0 - + ppid = task.get_parent_pid() name = utility.array_to_string(task.comm) - args = self._get_command_line_args(task, name) yield (0, (pid, ppid, name, args)) diff --git a/volatility3/framework/plugins/linux/pslist.py b/volatility3/framework/plugins/linux/pslist.py index 6460462a71..edfc0688c1 100644 --- a/volatility3/framework/plugins/linux/pslist.py +++ b/volatility3/framework/plugins/linux/pslist.py @@ -18,7 +18,7 @@ class PsList(interfaces.plugins.PluginInterface, timeliner.TimeLinerInterface): """Lists the processes present in a particular linux memory image.""" _required_framework_version = (2, 0, 0) - _version = (3, 0, 0) + _version = (3, 1, 0) @classmethod def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: @@ -95,7 +95,7 @@ def get_task_fields( """ pid = task.tgid tid = task.pid - ppid = task.parent.tgid if task.parent else 0 + ppid = task.get_parent_pid() name = utility.array_to_string(task.comm) start_time = task.get_create_time() if decorate_comm: diff --git a/volatility3/framework/plugins/linux/psscan.py b/volatility3/framework/plugins/linux/psscan.py index 40784a647b..55e3778abc 100644 --- a/volatility3/framework/plugins/linux/psscan.py +++ b/volatility3/framework/plugins/linux/psscan.py @@ -28,7 +28,7 @@ class PsScan(interfaces.plugins.PluginInterface): """Scans for processes present in a particular linux image.""" _required_framework_version = (2, 0, 0) - _version = (1, 0, 1) + _version = (1, 1, 0) @classmethod def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: @@ -52,10 +52,7 @@ def _get_task_fields( """ pid = task.tgid tid = task.pid - ppid = 0 - - if task.parent.is_readable(): - ppid = task.parent.tgid + ppid = task.get_parent_pid() name = utility.array_to_string(task.comm) exit_state = DescExitStateEnum(task.exit_state).name diff --git a/volatility3/framework/plugins/linux/pstree.py b/volatility3/framework/plugins/linux/pstree.py index 9dc5ea3cc5..7ea9df3d65 100644 --- a/volatility3/framework/plugins/linux/pstree.py +++ b/volatility3/framework/plugins/linux/pstree.py @@ -13,7 +13,7 @@ class PsTree(interfaces.plugins.PluginInterface): ID.""" _required_framework_version = (2, 0, 0) - _version = (1, 0, 1) + _version = (1, 1, 0) @classmethod def get_requirements(cls): @@ -56,9 +56,9 @@ def find_level(self, pid: int) -> None: seen = set([pid]) level = 0 proc = self._tasks.get(pid) - while proc and proc.parent and proc.parent.pid not in seen: + while proc and proc.get_parent_pid() not in seen: if proc.is_thread_group_leader: - parent_pid = proc.parent.pid + parent_pid = proc.get_parent_pid() else: parent_pid = proc.tgid diff --git a/volatility3/framework/symbols/linux/extensions/__init__.py b/volatility3/framework/symbols/linux/extensions/__init__.py index 927f767e2a..f27306e678 100644 --- a/volatility3/framework/symbols/linux/extensions/__init__.py +++ b/volatility3/framework/symbols/linux/extensions/__init__.py @@ -635,6 +635,20 @@ def get_create_time(self) -> datetime.datetime: # root time namespace, not within the task's own time namespace return boottime + task_start_time_timedelta + def get_parent_pid(self) -> int: + """Returns the parent process ID (PPID) + + This method replicates the Linux kernel's `getppid` syscall behavior. + Avoid using `task.parent`; instead, use this function for accurate results. + """ + + if self.real_parent and self.real_parent.is_readable(): + ppid = self.real_parent.pid + else: + ppid = 0 + + return ppid + class fs_struct(objects.StructType): def get_root_dentry(self): From e035faa32392bc27d20f4b7b0c01feb0e9da2210 Mon Sep 17 00:00:00 2001 From: Gustavo Moreira Date: Wed, 18 Dec 2024 09:55:13 +1100 Subject: [PATCH 2/2] bump framework minor version --- volatility3/framework/constants/_version.py | 2 +- volatility3/framework/plugins/linux/capabilities.py | 2 +- volatility3/framework/plugins/linux/envars.py | 2 +- volatility3/framework/plugins/linux/psaux.py | 2 +- volatility3/framework/plugins/linux/pslist.py | 2 +- volatility3/framework/plugins/linux/psscan.py | 2 +- volatility3/framework/plugins/linux/pstree.py | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/volatility3/framework/constants/_version.py b/volatility3/framework/constants/_version.py index 55ef19e4b1..93e9c84327 100644 --- a/volatility3/framework/constants/_version.py +++ b/volatility3/framework/constants/_version.py @@ -1,6 +1,6 @@ # We use the SemVer 2.0.0 versioning scheme VERSION_MAJOR = 2 # Number of releases of the library with a breaking change -VERSION_MINOR = 12 # Number of changes that only add to the interface +VERSION_MINOR = 13 # Number of changes that only add to the interface VERSION_PATCH = 0 # Number of changes that do not change the interface VERSION_SUFFIX = "" diff --git a/volatility3/framework/plugins/linux/capabilities.py b/volatility3/framework/plugins/linux/capabilities.py index a06ee4c1b3..afd91c48e6 100644 --- a/volatility3/framework/plugins/linux/capabilities.py +++ b/volatility3/framework/plugins/linux/capabilities.py @@ -49,7 +49,7 @@ def astuple(self) -> Tuple: class Capabilities(plugins.PluginInterface): """Lists process capabilities""" - _required_framework_version = (2, 0, 0) + _required_framework_version = (2, 13, 0) _version = (1, 1, 0) @classmethod diff --git a/volatility3/framework/plugins/linux/envars.py b/volatility3/framework/plugins/linux/envars.py index a3eb21cf5c..aec3eeb14d 100644 --- a/volatility3/framework/plugins/linux/envars.py +++ b/volatility3/framework/plugins/linux/envars.py @@ -16,7 +16,7 @@ class Envars(plugins.PluginInterface): """Lists processes with their environment variables""" - _required_framework_version = (2, 0, 0) + _required_framework_version = (2, 13, 0) _version = (1, 1, 0) @classmethod diff --git a/volatility3/framework/plugins/linux/psaux.py b/volatility3/framework/plugins/linux/psaux.py index 5a4d75c706..60424a990e 100644 --- a/volatility3/framework/plugins/linux/psaux.py +++ b/volatility3/framework/plugins/linux/psaux.py @@ -14,7 +14,7 @@ class PsAux(plugins.PluginInterface): """Lists processes with their command line arguments""" - _required_framework_version = (2, 0, 0) + _required_framework_version = (2, 13, 0) _version = (1, 1, 0) @classmethod diff --git a/volatility3/framework/plugins/linux/pslist.py b/volatility3/framework/plugins/linux/pslist.py index edfc0688c1..a6d2e65380 100644 --- a/volatility3/framework/plugins/linux/pslist.py +++ b/volatility3/framework/plugins/linux/pslist.py @@ -17,7 +17,7 @@ class PsList(interfaces.plugins.PluginInterface, timeliner.TimeLinerInterface): """Lists the processes present in a particular linux memory image.""" - _required_framework_version = (2, 0, 0) + _required_framework_version = (2, 13, 0) _version = (3, 1, 0) @classmethod diff --git a/volatility3/framework/plugins/linux/psscan.py b/volatility3/framework/plugins/linux/psscan.py index 55e3778abc..2b20ce583a 100644 --- a/volatility3/framework/plugins/linux/psscan.py +++ b/volatility3/framework/plugins/linux/psscan.py @@ -27,7 +27,7 @@ class DescExitStateEnum(Enum): class PsScan(interfaces.plugins.PluginInterface): """Scans for processes present in a particular linux image.""" - _required_framework_version = (2, 0, 0) + _required_framework_version = (2, 13, 0) _version = (1, 1, 0) @classmethod diff --git a/volatility3/framework/plugins/linux/pstree.py b/volatility3/framework/plugins/linux/pstree.py index 7ea9df3d65..c80cfbec73 100644 --- a/volatility3/framework/plugins/linux/pstree.py +++ b/volatility3/framework/plugins/linux/pstree.py @@ -12,7 +12,7 @@ class PsTree(interfaces.plugins.PluginInterface): """Plugin for listing processes in a tree based on their parent process ID.""" - _required_framework_version = (2, 0, 0) + _required_framework_version = (2, 13, 0) _version = (1, 1, 0) @classmethod