diff --git a/doc/source/getting-started-linux-tutorial.rst b/doc/source/getting-started-linux-tutorial.rst
index a1aad235db..031b496367 100644
--- a/doc/source/getting-started-linux-tutorial.rst
+++ b/doc/source/getting-started-linux-tutorial.rst
@@ -40,7 +40,7 @@ For plugin requests, please create an issue with a description of the requested
 linux.check_creds.Check_creds
 linux.check_idt.Check_idt
-.. note:: Here the the command is piped to grep and head to provide the start of the list of linux plugins.
+.. note:: Here the command is piped to grep and head to provide the start of the list of linux plugins.
 Using plugins
diff --git a/doc/source/getting-started-mac-tutorial.rst b/doc/source/getting-started-mac-tutorial.rst
index 61af7089b0..f4889d6890 100644
--- a/doc/source/getting-started-mac-tutorial.rst
+++ b/doc/source/getting-started-mac-tutorial.rst
@@ -37,7 +37,7 @@ For plugin requests, please create an issue with a description of the requested
 mac.check_sysctl.Check_sysctl
 mac.check_trap_table.Check_trap_table
-.. note:: Here the the command is piped to grep and head to provide the start of the list of macOS plugins.
+.. note:: Here the command is piped to grep and head to provide the start of the list of macOS plugins.
 Using plugins
diff --git a/doc/source/getting-started-windows-tutorial.rst b/doc/source/getting-started-windows-tutorial.rst
index 979cf1d966..3896000a2a 100644
--- a/doc/source/getting-started-windows-tutorial.rst
+++ b/doc/source/getting-started-windows-tutorial.rst
@@ -27,7 +27,7 @@ For plugin requests, please create an issue with a description of the requested
 windows.crashinfo.Crashinfo
 windows.dlllist.DllList
-.. note:: Here the the command is piped to grep and head to provide the start of a list of the available windows plugins.
+.. note:: Here the command is piped to grep and head to provide the start of a list of the available windows plugins.
 Using plugins
 -------------
@@ -97,7 +97,7 @@ windows.pstree
 ``windows.pstree`` helps to display the parent-child relationships between processes.
-.. note:: Here the the command is piped to head to provide smaller output, here listing only the first 20.
+.. note:: Here the command is piped to head to provide smaller output, here listing only the first 20.
 windows.hashdump
 ~~~~~~~~~~~~~~~~
diff --git a/volatility3/cli/__init__.py b/volatility3/cli/__init__.py
index 901f299a87..bf9297aa98 100644
--- a/volatility3/cli/__init__.py
+++ b/volatility3/cli/__init__.py
@@ -244,11 +244,12 @@ def run(self):
 )
 isf_group.add_argument(
 "-u",
- "--remote-isf-url",
+ "--remote-isf-urls",
 metavar="URL",
 help="Search online for ISF json files",
- default=constants.REMOTE_ISF_URL,
+ default=constants.REMOTE_ISF_URLs,
 type=str,
+ nargs="*",
 )
 parser.add_argument(
 "--filters",
@@ -330,8 +331,8 @@ def run(self):
 if partial_args.offline:
 constants.OFFLINE = partial_args.offline
- elif partial_args.remote_isf_url:
- constants.REMOTE_ISF_URL = partial_args.remote_isf_url
+ elif partial_args.remote_isf_urls:
+ constants.REMOTE_ISF_URLs = partial_args.remote_isf_urls
 # Do the initialization
 ctx = contexts.Context() # Construct a blank context
diff --git a/volatility3/cli/volshell/__init__.py b/volatility3/cli/volshell/__init__.py
index e9d3fda089..38f3cdac5a 100644
--- a/volatility3/cli/volshell/__init__.py
+++ b/volatility3/cli/volshell/__init__.py
@@ -168,11 +168,12 @@ def run(self):
 )
 isf_group.add_argument(
 "-u",
- "--remote-isf-url",
+ "--remote-isf-urls",
 metavar="URL",
 help="Search online for ISF json files",
- default=constants.REMOTE_ISF_URL,
+ default=constants.REMOTE_ISF_URLs,
 type=str,
+ nargs="*",
 )
 # Volshell specific flags
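Review bot: `nargs="*"` on the `-u`/`--remote-isf-urls` option in `volatility3/cli/__init__.py` makes argparse treat every following non-option token as a URL, so a positional that comes right after `-u <url>` (the plugin name, if it is parsed positionally, which this hunk does not show) can land in the URL list instead of being run. `action="append"` with one `-u` per URL avoids that ambiguity; failing that, the `help` text should say that several URLs are accepted and that the first one has the highest priority. The values are taken as plain `type=str`, and because they decide where symbol tables are fetched from, it may be worth warning when a non-TLS scheme is supplied before they are stored in `constants.REMOTE_ISF_URLs`. The identical hunk in `volatility3/cli/volshell/__init__.py` has the same issue; `run()` continues outside both hunks.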
@@ -245,8 +246,8 @@ def run(self):
 if partial_args.offline:
 constants.OFFLINE = partial_args.offline
- elif partial_args.remote_isf_url:
- constants.REMOTE_ISF_URL = partial_args.remote_isf_url
+ elif partial_args.remote_isf_urls:
+ constants.REMOTE_ISF_URLs = partial_args.remote_isf_urls
 # Do the initialization
 ctx = contexts.Context() # Construct a blank context
diff --git a/volatility3/framework/automagic/symbol_cache.py b/volatility3/framework/automagic/symbol_cache.py
index e38771f792..34273613a9 100644
--- a/volatility3/framework/automagic/symbol_cache.py
+++ b/volatility3/framework/automagic/symbol_cache.py
@@ -425,28 +425,35 @@ def update(self, progress_callback=None):
 # Remote Entries
- if not constants.OFFLINE and constants.REMOTE_ISF_URL:
- progress_callback(0, "Reading remote ISF list")
- cursor = self._database.cursor()
- cursor.execute(
- f"SELECT cached FROM cache WHERE local = 0 and cached < datetime('now', '{self.cache_period}')"
- )
- remote_identifiers = RemoteIdentifierFormat(constants.REMOTE_ISF_URL)
- progress_callback(50, "Reading remote ISF list")
- for operating_system in constants.OS_CATEGORIES:
- identifiers = remote_identifiers.process(
- {}, operating_system=operating_system
+ if not constants.OFFLINE and constants.REMOTE_ISF_URLs:
+ length = len(constants.REMOTE_ISF_URLs)
+ # Reverse to ensure first item has the highest priority
+ for index, remote_isf_url in enumerate(reversed(constants.REMOTE_ISF_URLs)):
+ progress_callback(index / length * 100, "Reading remote ISF list")
+ cursor = self._database.cursor()
+ cursor.execute(
+ f"SELECT cached FROM cache WHERE local = 0 and cached < datetime('now', '{self.cache_period}')"
+ )
+ remote_identifiers = RemoteIdentifierFormat(remote_isf_url)
+ progress_callback(
+ (index + 0.5) / length * 100, "Reading remote ISF list"
 )
- for identifier, location in identifiers:
- identifier = identifier.rstrip()
- identifier = (
- identifier[:-1] if identifier.endswith(b"\x00") else identifier
- ) # Linux banners dumped by dwarf2json end with "\x00\n". If not stripped, the banner cannot match.
- cursor.execute(
- "INSERT OR REPLACE INTO cache(identifier, location, operating_system, local, cached) VALUES (?, ?, ?, ?, datetime('now'))",
- (identifier, location, operating_system, False),
+ for operating_system in constants.OS_CATEGORIES:
+ identifiers = remote_identifiers.process(
+ {}, operating_system=operating_system
 )
- progress_callback(100, "Reading remote ISF list")
+ for identifier, location in identifiers:
+ identifier = identifier.rstrip()
+ identifier = (
+ identifier[:-1]
+ if identifier.endswith(b"\x00")
+ else identifier
+ ) # Linux banners dumped by dwarf2json end with "\x00\n". If not stripped, the banner cannot match.
+ cursor.execute(
+ "INSERT OR REPLACE INTO cache(identifier, location, operating_system, local, cached) VALUES (?, ?, ?, ?, datetime('now'))",
+ (identifier, location, operating_system, False),
+ )
+ progress_callback((index + 1) / length * 100, "Reading remote ISF list")
 self._database.commit()
 def get_identifier_dictionary(
diff --git a/volatility3/framework/constants/__init__.py b/volatility3/framework/constants/__init__.py
index 8bdf847300..46835dd132 100644
--- a/volatility3/framework/constants/__init__.py
+++ b/volatility3/framework/constants/__init__.py
@@ -115,8 +115,8 @@ class Parallelism(enum.IntEnum):
 OFFLINE = False
 """Whether to go online to retrieve missing/necessary JSON files"""
-REMOTE_ISF_URL = None # 'http://localhost:8000/banners.json'
-"""Remote URL to query for a list of ISF addresses"""
+REMOTE_ISF_URLs = [] # ['http://localhost:8000/banners.json']
+"""Remote URLs to query for a list of ISF addresses"""
 ###
 # DEPRECATED VALUES
diff --git a/volatility3/framework/plugins/mac/pslist.py b/volatility3/framework/plugins/mac/pslist.py
index 9b570f3f9c..980ffae41f 100644
--- a/volatility3/framework/plugins/mac/pslist.py
+++ b/volatility3/framework/plugins/mac/pslist.py
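Review bot: The `SELECT cached FROM cache ...` statement in `symbol_cache.py` now sits inside the per-URL loop, yet nothing in the hunk reads its result, so it runs once per URL with no visible effect; it also builds SQL from `self.cache_period` with an f-string while the `INSERT` beside it binds its parameters. If the query is needed, hoist it above the loop and bind the modifier, e.g. `cursor.execute("SELECT cached FROM cache WHERE local = 0 and cached < datetime('now', ?)", (self.cache_period,))`; otherwise drop it. The "first item has the highest priority" comment relies on `INSERT OR REPLACE` colliding on a unique key for `identifier`, which is defined outside this hunk and should be confirmed; a comment should also state that an identifier listed only by a lower-priority URL is still accepted into the cache. An error raised while building or processing one `RemoteIdentifierFormat` would presumably stop the remaining URLs from being read, so per-URL handling is worth considering. `update()` starts and ends outside the hunk.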
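Review bot: `REMOTE_ISF_URL` is deleted from `constants/__init__.py` outright instead of being kept under the `DEPRECATED VALUES` section that follows, so code that still assigns `constants.REMOTE_ISF_URL = "..."` would keep running while no longer influencing which source is queried, as far as this diff shows. Keeping the old name as a deprecated alias that is folded into the list would make the change visible to such callers. The new name `REMOTE_ISF_URLs` mixes case next to `OFFLINE`; `REMOTE_ISF_URLS` would match the constant naming used here. The docstring could also record the ordering rule the cache code depends on: `"""Remote URLs to query for a list of ISF addresses, highest priority first"""`.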
@@ -131,7 +131,7 @@ def list_tasks_allproc(
 Args:
 context: The context to retrieve required elements (layers, symbol tables) from
- kernel_module_name: The name of the the kernel module on which to operate
+ kernel_module_name: The name of the kernel module on which to operate
 filter_func: A function which takes a process object and returns True if the process should be ignored/filtered
 Returns:
@@ -176,7 +176,7 @@ def list_tasks_tasks(
 Args:
 context: The context to retrieve required elements (layers, symbol tables) from
- kernel_module_name: The name of the the kernel module on which to operate
+ kernel_module_name: The name of the kernel module on which to operate
 filter_func: A function which takes a task object and returns True if the task should be ignored/filtered
 Returns:
@@ -220,7 +220,7 @@ def list_tasks_sessions(
 Args:
 context: The context to retrieve required elements (layers, symbol tables) from
- kernel_module_name: The name of the the kernel module on which to operate
+ kernel_module_name: The name of the kernel module on which to operate
 filter_func: A function which takes a task object and returns True if the task should be ignored/filtered
 Returns:
@@ -255,7 +255,7 @@ def list_tasks_process_group(
 Args:
 context: The context to retrieve required elements (layers, symbol tables) from
- kernel_module_name: The name of the the kernel module on which to operate
+ kernel_module_name: The name of the kernel module on which to operate
 filter_func: A function which takes a task object and returns True if the task should be ignored/filtered
 Returns:
@@ -293,7 +293,7 @@ def list_tasks_pid_hash_table(
 Args:
 context: The context to retrieve required elements (layers, symbol tables) from
- kernel_module_name: The name of the the kernel module on which to operate
+ kernel_module_name: The name of the kernel module on which to operate
 filter_func: A function which takes a task object and returns True if the task should be ignored/filtered
 Returns:
diff --git a/volatility3/framework/symbols/linux/extensions/__init__.py b/volatility3/framework/symbols/linux/extensions/__init__.py
index 8296221544..a5e66ca123 100644
--- a/volatility3/framework/symbols/linux/extensions/__init__.py
+++ b/volatility3/framework/symbols/linux/extensions/__init__.py
@@ -1521,7 +1521,7 @@ def is_equal(self, vfsmount_ptr) -> bool:
 exceptions.VolatilityException: If vfsmount_ptr is not a 'vfsmount \\*'
 Returns:
- bool: 'True' if the given argument points to the the same 'vfsmount'
+ bool: 'True' if the given argument points to the same 'vfsmount'
 as 'self'.
 """
 if isinstance(vfsmount_ptr, objects.Pointer):