volatility3.plugins.linux.kmsg module

class ABCKmsg(context, config)[source]

Bases: ABC

Kernel log buffer reader

FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp')
LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')
get_caller(obj)[source]
get_caller_text(caller_id)[source]
classmethod get_facility_text(facility)[source]
Return type:

str

classmethod get_level_text(level)[source]
Return type:

str

get_prefix(obj)[source]
Return type:

Tuple[int, int, str, str]

get_string(addr, length)[source]
Return type:

str

get_timestamp_in_sec_str(obj)[source]
Return type:

str

nsec_to_sec_str(nsec)[source]
Return type:

str

abstract run()[source]

Walks through the specific kernel implementation.

Returns:

facility [str]: The log facility: kern, user, etc. See FACILITIES
level [str]: The log level: info, debug, etc. See LEVELS
timestamp [str]: The message timestamp. See nsec_to_sec_str()
caller [str]: The caller ID: CPU(1) or Task(1234). See get_caller()
line [str]: The log message.

Return type:

tuple
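The three decodings behind the columns above (facility and level from the syslog priority, the timestamp string, and the caller ID) as an added example. This is not volatility3's own code: the tables are the FACILITIES and LEVELS tuples shown on this page, the rendering of the timestamp follows the kernel's print_time() format and the CPU flag bit follows printk_caller_id(), and the function names are the example's own.

```python
from typing import Tuple

# Same tables as the plugin's FACILITIES / LEVELS class attributes.
FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog',
              'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp')
LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')


def split_priority(prio: int) -> Tuple[int, int]:
    """Syslog priority -> (facility, level): facility is prio >> 3 and the
    level is the low three bits. This is the <N> of a pre-3.5 line; from 3.5
    on printk_log stores facility and level as separate fields."""
    return prio >> 3, prio & 7


def facility_text(facility: int) -> str:
    # Facilities past the table (local0-local7 are 16-23) stay numeric
    # instead of raising on a value the table does not cover.
    return FACILITIES[facility] if facility < len(FACILITIES) else str(facility)


def level_text(level: int) -> str:
    return LEVELS[level & 7]


def nsec_to_sec_str(nsec: int) -> str:
    """Render ts_nsec with the digits print_time() uses ("%5lu.%06lu",
    minus the width padding): whole seconds, then microseconds truncated,
    never rounded. Integer arithmetic matters: 15265978500 ns is 15.265978
    here, while "%.6f" % (nsec / 1e9) would round it up to 15.265979."""
    sec, rem_nsec = divmod(nsec, 1_000_000_000)
    return f"{sec}.{rem_nsec // 1000:06d}"


def caller_text(caller_id: int) -> str:
    """printk_caller_id() stores the PID in task context and
    0x80000000 + cpu in interrupt/NMI context; the kernel prints these as
    T<pid> / C<cpu>, the plugin docstring shows them as Task() / CPU()."""
    if caller_id & 0x80000000:
        return f"CPU({caller_id & 0x7fffffff})"
    return f"Task({caller_id})"


def decode_prefix(prio: int, ts_nsec: int, caller_id: int) -> Tuple[str, str, str, str]:
    """The (facility, level, timestamp, caller) columns for one record."""
    facility, level = split_priority(prio)
    return (facility_text(facility), level_text(level),
            nsec_to_sec_str(ts_nsec), caller_text(caller_id))
```

The truncation in nsec_to_sec_str is the detail worth keeping when comparing plugin output against a live dmesg: the kernel never rounds the microsecond field, so a float conversion produces timestamps that differ by one microsecond in a fraction of the lines.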

classmethod run_all(context, config)[source]

Calls each subclass's symtab_checks() to test whether the kernel being analyzed meets the conditions of that specific kernel implementation, and runs the first one that does.

Parameters:
Yields:

The kmsg records. Same as run()

Return type:

Iterator[Tuple[str, str, str, str, str]]

abstract classmethod symtab_checks(vmlinux)[source]

This method is called on each subclass to evaluate whether the kernel being analyzed fulfills the type and symbol requirements of that implementation. The first class returning True is instantiated and called via its run() method.

Returns:

True if the kernel being analyzed fulfills the class requirements.

Return type:

bool

class DescStateEnum(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)[source]

Bases: Enum

desc_committed = 1
desc_finalized = 2
desc_miss = -1
desc_reserved = 0
desc_reusable = 3
class Kmsg(context, config_path, progress_callback=None)[source]

Bases: PluginInterface

Kernel log buffer reader

Parameters:
  • context (ContextInterface) – The context that the plugin will operate within

  • config_path (str) – The path to configuration data within the context configuration data

  • progress_callback (Optional[Callable[[float, str], None]]) – A callable that can provide feedback at progress points

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built. Inheriting classes must override this to ensure any dependent classes update their configurations too.

Return type:

HierarchicalDict

property config: HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

property config_path: str

The configuration path on which this configurable lives.

property context: ContextInterface

The context object that this configurable belongs to/configuration is stored in.

classmethod get_requirements()[source]

Returns a list of Requirement objects for this plugin.

Return type:

List[RequirementInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters:
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns:

The newly generated full configuration path

Return type:

str

property open

Returns a context manager and thus can be called like open

run()[source]

Executes the functionality of the code.

Note

This method expects self.validate to have been called to ensure all necessary options have been provided

Returns:

A TreeGrid object that can then be passed to a Renderer.

set_open_method(handler)

Sets the file handler to be used by this plugin.

Return type:

None

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet))
Return type:

Dict[str, RequirementInterface]

version = (1, 0, 2)
class Kmsg_3_11_to_5_10(context, config)[source]

Bases: Kmsg_3_5_to_3_11

Starting from version 3.11, the struct ‘log’ was renamed to ‘printk_log’. While ‘log_buf’ is declared as a pointer and ‘__log_buf’ as a char array, it essentially holds an array of ‘printk_log’ structs.

FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp')
LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')
get_caller(obj)
get_caller_text(caller_id)
get_dict_lines(msg)
Return type:

Generator[str, None, None]

classmethod get_facility_text(facility)
Return type:

str

classmethod get_level_text(level)
Return type:

str

get_log_lines(msg)
Return type:

Generator[str, None, None]

get_prefix(obj)
Return type:

Tuple[int, int, str, str]

get_string(addr, length)
Return type:

str

get_text_from_log(msg)
Return type:

str

get_timestamp_in_sec_str(obj)
Return type:

str

nsec_to_sec_str(nsec)
Return type:

str

run()

Walks through the specific kernel implementation.

Returns:

facility [str]: The log facility: kern, user, etc. See FACILITIES
level [str]: The log level: info, debug, etc. See LEVELS
timestamp [str]: The message timestamp. See nsec_to_sec_str()
caller [str]: The caller ID: CPU(1) or Task(1234). See get_caller()
line [str]: The log message.

Return type:

tuple

classmethod run_all(context, config)

Calls each subclass's symtab_checks() to test whether the kernel being analyzed meets the conditions of that specific kernel implementation, and runs the first one that does.

Parameters:
Yields:

The kmsg records. Same as run()

Return type:

Iterator[Tuple[str, str, str, str, str]]

classmethod symtab_checks(vmlinux)[source]

This method is called on each subclass to evaluate whether the kernel being analyzed fulfills the type and symbol requirements of that implementation. The first class returning True is instantiated and called via its run() method.

Returns:

True if the kernel being analyzed fulfills the class requirements.

Return type:

bool

class Kmsg_3_5_to_3_11(context, config)[source]

Bases: ABCKmsg

While ‘log_buf’ is declared as a pointer and ‘__log_buf’ as a char array, it essentially holds an array of ‘log’ structs.
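A walk over the 3.5 to 5.10 layout (struct 'log', renamed 'printk_log' in 3.11 with the same fields) as an added example, not the plugin's code. It packs a constructed log_buf the way log_store() does, including the zero-length header the writer leaves when a record does not fit at the end, and then walks it from log_first_idx to log_next_idx. Assumptions: a little-endian target with GCC bitfield order (level in the top three bits of the last header byte), LOG_ALIGN of 8, and dict entries separated by NUL bytes as the kernel stores them; the function names are the example's own.

```python
import struct
from typing import Iterator, List, Tuple

# struct printk_log (3.11+; struct log in 3.5-3.11 has the same layout):
#   u64 ts_nsec; u16 len; u16 text_len; u16 dict_len;
#   u8 facility; u8 flags:5, level:3;
# Assumes little-endian and GCC bitfield order, so level is the top 3 bits
# of the final byte. LOG_ALIGN is __alignof__(struct printk_log), 8 here.
HDR = struct.Struct("<QHHHBB")
LOG_ALIGN = 8


def make_record(ts_nsec: int, facility: int, level: int, text: bytes,
                dictionary: bytes = b"", flags: int = 0) -> bytes:
    """Lay out one record as log_store() does: header, text, dict, then
    padding so that len is a multiple of LOG_ALIGN."""
    size = HDR.size + len(text) + len(dictionary)
    padded = (size + LOG_ALIGN - 1) & ~(LOG_ALIGN - 1)
    hdr = HDR.pack(ts_nsec, padded, len(text), len(dictionary),
                   facility, (flags & 0x1f) | (level << 5))
    return hdr + text + dictionary + b"\0" * (padded - size)


def build_sample_log_buf(buf_len: int = 256) -> Tuple[bytes, int, int]:
    """Constructed sample: two records near the end of log_buf, then one that
    does not fit, so the writer leaves a zero-length header and continues at
    offset 0. Returns (log_buf, log_first_idx, log_next_idx)."""
    buf = bytearray(buf_len)
    first_idx = idx = 160     # oldest live record; earlier ones were pruned
    records = [
        make_record(1_000_000, 0, 6, b"first record"),
        make_record(2_000_000, 0, 4, b"second"),
        make_record(3_000_000, 0, 3, b"third, after the wrap",
                    b"SUBSYSTEM=usb\0DEVICE=+usb:1-1"),
    ]
    for rec in records:
        # log_store(): if the record plus one spare header would not fit,
        # write a zero-length header here and wrap to the beginning.
        if idx + len(rec) + HDR.size > buf_len:
            buf[idx:idx + HDR.size] = b"\0" * HDR.size
            idx = 0
        buf[idx:idx + len(rec)] = rec
        idx += len(rec)
    return bytes(buf), first_idx, idx


def walk_printk_log(log_buf: bytes, first_idx: int, next_idx: int
                    ) -> Iterator[Tuple[int, int, int, str, List[str]]]:
    """Walk the records from log_first_idx to log_next_idx, yielding
    (facility, level, ts_nsec, text, dict_lines)."""
    idx = first_idx
    for _ in range(len(log_buf) // HDR.size + 1):    # hard bound against cycles
        if idx == next_idx:
            return
        if idx + HDR.size > len(log_buf):
            raise ValueError(f"record header at {idx} runs past log_buf")
        ts_nsec, length, text_len, dict_len, facility, bits = HDR.unpack_from(log_buf, idx)
        if length == 0:
            if idx == 0:
                raise ValueError("zero-length record at offset 0")
            idx = 0             # zero len means: the writer wrapped to offset 0
            continue
        if length < HDR.size + text_len + dict_len or idx + length > len(log_buf):
            raise ValueError(f"corrupt record lengths at {idx}")
        body = idx + HDR.size
        text = log_buf[body:body + text_len]
        dictionary = log_buf[body + text_len:body + text_len + dict_len]
        yield (facility, bits >> 5, ts_nsec, text.decode(errors="replace"),
               [d.decode(errors="replace") for d in dictionary.split(b"\0") if d])
        idx += length
    raise ValueError("record chain does not reach log_next_idx")
```

The length checks are what make this safe on a memory image rather than a live kernel: a partially overwritten page or a wrong symbol offset produces a header whose len points outside log_buf or below its own text_len, and without the checks the walker would read garbage or loop on a zero-length header at offset 0.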

FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp')
LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')
get_caller(obj)
get_caller_text(caller_id)
get_dict_lines(msg)[source]
Return type:

Generator[str, None, None]

classmethod get_facility_text(facility)
Return type:

str

classmethod get_level_text(level)
Return type:

str

get_log_lines(msg)[source]
Return type:

Generator[str, None, None]

get_prefix(obj)
Return type:

Tuple[int, int, str, str]

get_string(addr, length)
Return type:

str

get_text_from_log(msg)[source]
Return type:

str

get_timestamp_in_sec_str(obj)
Return type:

str

nsec_to_sec_str(nsec)
Return type:

str

run()[source]

Walks through the specific kernel implementation.

Returns:

facility [str]: The log facility: kern, user, etc. See FACILITIES
level [str]: The log level: info, debug, etc. See LEVELS
timestamp [str]: The message timestamp. See nsec_to_sec_str()
caller [str]: The caller ID: CPU(1) or Task(1234). See get_caller()
line [str]: The log message.

Return type:

tuple

classmethod run_all(context, config)

Calls each subclass's symtab_checks() to test whether the kernel being analyzed meets the conditions of that specific kernel implementation, and runs the first one that does.

Parameters:
Yields:

The kmsg records. Same as run()

Return type:

Iterator[Tuple[str, str, str, str, str]]

classmethod symtab_checks(vmlinux)[source]

This method is called on each subclass to evaluate whether the kernel being analyzed fulfills the type and symbol requirements of that implementation. The first class returning True is instantiated and called via its run() method.

Returns:

True if the kernel being analyzed fulfills the class requirements.

Return type:

bool

class Kmsg_5_10_to_(context, config)[source]

Bases: ABCKmsg

In 5.10 the kernel ring buffer implementation changed. Previously, /proc/kmsg was meant to be read by a single process: it is kept permanently open and read periodically by the syslog daemon. A high-level structure ‘printk_ringbuffer’ was added to represent the printk ring buffer, which actually contains two ring buffers. The descriptor ring ‘desc_ring’ holds the records’ metadata, text offsets and states. The data block ring ‘text_data_ring’ holds the records’ text strings. A pointer to the high-level structure is kept in the prb pointer, which is initialized to a static ring buffer.

static struct printk_ringbuffer *prb = &printk_rb_static;

On SMP systems with many CPUs the ring buffer is allocated dynamically, with a size that grows with the number of CPUs according to CONFIG_LOG_CPU_MAX_BUF_SHIFT. The prb pointer is then updated to this dynamic ring buffer in setup_log_buf().

prb = &printk_rb_dynamic;

Behind the scenes, ‘log_buf’ is still used as the external buffer. When the static ‘printk_ringbuffer’ struct is initialized, _DEFINE_PRINTKRB sets the text_data_ring.data pointer to the address held in ‘log_buf’, which points to the static buffer ‘__log_buf’. If a dynamic ring buffer is used, setup_log_buf() points text_data_ring.data of ‘printk_rb_dynamic’ at the newly allocated external buffer via the ‘prb_init’ function. In that case the original static buffer ‘__log_buf’ and ‘printk_rb_static’ are unused.

new_log_buf = memblock_alloc(new_log_buf_len, LOG_ALIGN);
prb_init(&printk_rb_dynamic, new_log_buf, ...);
log_buf = new_log_buf;
prb = &printk_rb_dynamic;

See printk.c and printk_ringbuffer.c in kernel/printk/ folder for more details.
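The reader side of this layout as an added Python model, not volatility3's code (the plugin reads the same structures through its symbol tables). It shows how state_var splits into a state and a descriptor ID as in the kernel's get_desc_state(), the DESC_INDEX / DATA_INDEX / DATA_WRAPS macros, the two data block cases that get_data() resolves (same wrap, and a block that wrapped and stores its data at the start of the ring), and a walk of desc_ring from tail_id to head_id that only yields committed or finalized records. The state values are the ones DescStateEnum lists above. Assumptions: a 64-bit kernel (BITS_PER_LONG = 64), the Desc and Ring names are the example's own, the fixture is hand constructed to match what the kernel leaves behind after a wrap, and the block-ID cross-check in read_text is an added sanity check for memory dumps rather than kernel behaviour.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterator, List, Optional, Tuple

BITS_PER_LONG = 64                          # assumed 64-bit target
LONG_MASK = (1 << BITS_PER_LONG) - 1
DESC_FLAGS_SHIFT = BITS_PER_LONG - 2        # state: top 2 bits of state_var
DESC_ID_MASK = (1 << DESC_FLAGS_SHIFT) - 1  # remaining bits: descriptor ID
ID_SIZE = 8                                 # each data block starts with an unsigned long ID
NO_LPOS, FAILED_LPOS = 0x3, 0x1             # data-less lpos markers (bit 0 set)


class DescState(IntEnum):
    desc_miss = -1
    desc_reserved = 0
    desc_committed = 1
    desc_finalized = 2
    desc_reusable = 3


def make_state_var(state: DescState, id_: int) -> int:
    return (int(state) << DESC_FLAGS_SHIFT) | (id_ & DESC_ID_MASK)


def get_desc_state(id_: int, state_var: int) -> DescState:
    """Kernel get_desc_state(): if state_var carries a different ID, the slot
    has been recycled for a newer record and the lookup is a desc_miss."""
    sv = state_var & LONG_MASK
    if (sv & DESC_ID_MASK) != (id_ & DESC_ID_MASK):
        return DescState.desc_miss
    return DescState(sv >> DESC_FLAGS_SHIFT)


@dataclass
class Desc:          # struct prb_desc: state_var and text_blk_lpos {begin, next}
    state_var: int
    begin: int = FAILED_LPOS
    next: int = FAILED_LPOS


@dataclass
class Ring:
    """The printk_ringbuffer fields a reader needs; infos keeps
    (seq, text_len, level) out of each struct printk_info."""
    count_bits: int
    size_bits: int
    tail_id: int
    head_id: int
    descs: List[Desc]
    infos: List[Tuple[int, int, int]]
    data: bytearray

    def desc_index(self, id_): return id_ & ((1 << self.count_bits) - 1)     # DESC_INDEX()
    def data_index(self, lpos): return lpos & ((1 << self.size_bits) - 1)    # DATA_INDEX()
    def data_wraps(self, lpos): return (lpos & LONG_MASK) >> self.size_bits  # DATA_WRAPS()


def read_text(ring: Ring, desc: Desc, text_len: int, id_: int) -> Optional[bytes]:
    """get_data(): resolve text_blk_lpos for the same-wrap and wrapping cases.
    The block-ID cross-check is an added consistency test for memory dumps."""
    if desc.begin & 1 and desc.next & 1:                         # data-less block
        return b"" if desc.begin == desc.next == NO_LPOS else None
    if ring.data_wraps(desc.begin) == ring.data_wraps(desc.next) and desc.begin < desc.next:
        blk, size = ring.data_index(desc.begin), desc.next - desc.begin
    elif ring.data_wraps(desc.begin + (1 << ring.size_bits)) == ring.data_wraps(desc.next):
        blk, size = 0, ring.data_index(desc.next)    # wrapped: data sits at the start
    else:
        raise ValueError(f"illegal block description for id {id_}")
    blk_id = int.from_bytes(ring.data[blk:blk + ID_SIZE], "little")
    if blk_id != (id_ & DESC_ID_MASK) or text_len > size - ID_SIZE:
        raise ValueError(f"data block for id {id_} is inconsistent")
    return bytes(ring.data[blk + ID_SIZE:blk + ID_SIZE + text_len])


def walk_records(ring: Ring) -> Iterator[Tuple[int, int, str]]:
    """Walk desc_ring from tail_id to head_id, yielding (seq, level, text);
    only committed and finalized descriptors carry readable records."""
    id_ = ring.tail_id
    for _ in range(1 << ring.count_bits):
        idx = ring.desc_index(id_)
        desc, (seq, text_len, level) = ring.descs[idx], ring.infos[idx]
        if get_desc_state(id_, desc.state_var) in (DescState.desc_committed, DescState.desc_finalized):
            text = read_text(ring, desc, text_len, id_)
            if text is not None:
                yield seq, level, text.decode(errors="replace")
        if id_ == ring.head_id:
            return
        id_ = (id_ + 1) & DESC_ID_MASK


def build_sample_ring() -> Ring:
    """Constructed fixture: 4 descriptors and a 64-byte text ring, laid out as
    the kernel leaves them after four records. IDs 4 and 5 (lpos 0-16, 16-48)
    were overwritten and marked reusable; ID 6 wrapped (begin 48, next 80), so
    its data sits at offset 0 with a placeholder ID at 48; ID 7 follows at 80."""
    data = bytearray(64)
    for index, id_, text in ((0, 6, b"third"), (16, 7, b"fourth record"), (48, 6, b"")):
        data[index:index + ID_SIZE + len(text)] = id_.to_bytes(ID_SIZE, "little") + text
    fin, reu = DescState.desc_finalized, DescState.desc_reusable
    return Ring(count_bits=2, size_bits=6, tail_id=4, head_id=7,
                descs=[Desc(make_state_var(reu, 4), 0, 16), Desc(make_state_var(reu, 5), 16, 48),
                       Desc(make_state_var(fin, 6), 48, 80), Desc(make_state_var(fin, 7), 80, 104)],
                infos=[(0, 7, 6), (1, 19, 6), (2, 5, 4), (3, 13, 3)], data=data)
```

Two details matter when this is done against a memory image instead of a running kernel. The ID check in get_desc_state is what separates a live record from a slot that has since been reused, so a walker that only looks at the state bits will happily emit text from the wrong record. And a wrapped block leaves a placeholder ID at its begin lpos while the text lives at offset 0, so reading text at DATA_INDEX(begin) for such a record returns whatever stale bytes sit at the end of the ring.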

FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp')
LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')
get_caller(obj)
get_caller_text(caller_id)
get_dict_lines(info)[source]
Return type:

Generator[str, None, None]

classmethod get_facility_text(facility)
Return type:

str

classmethod get_level_text(level)
Return type:

str

get_log_lines(text_data_ring, desc, info)[source]
Return type:

Generator[str, None, None]

get_prefix(obj)
Return type:

Tuple[int, int, str, str]

get_string(addr, length)
Return type:

str

get_text_from_data_ring(text_data_ring, desc, info)[source]
Return type:

str

get_timestamp_in_sec_str(obj)
Return type:

str

nsec_to_sec_str(nsec)
Return type:

str

run()[source]

Walks through the specific kernel implementation.

Returns:

facility [str]: The log facility: kern, user, etc. See FACILITIES
level [str]: The log level: info,debug, etc. See LEVELS
timestamp [str]: The message timestamp. See nsec_to_sec_str()
caller [str]: The caller ID: CPU(1) or Task(1234). See get_caller()
line [str]: The log message.

Return type:

tuple

classmethod run_all(context, config)

Calls each subclass's symtab_checks() to test whether the kernel being analyzed meets the conditions of that specific kernel implementation, and runs the first one that does.

Parameters:
Yields:

The kmsg records. Same as run()

Return type:

Iterator[Tuple[str, str, str, str, str]]

classmethod symtab_checks(vmlinux)[source]

This method is called on each subclass to evaluate whether the kernel being analyzed fulfills the type and symbol requirements of that implementation. The first class returning True is instantiated and called via its run() method.

Returns:

True if the kernel being analyzed fulfills the class requirements.

Return type:

bool

class Kmsg_pre_3_5(context, config)[source]

Bases: ABCKmsg

The kernel ring buffer (log_buf) is a char array that sequentially stores log lines, each terminated by a newline (LF) character, e.g.:

<6>[ 9565.250411] line1!\n<6>[ 9565.250412] line2\n...
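A parser for this text format as an added example, not the plugin's code. It rebuilds the live part of the circular buffer from the 3.x kernel's log_end and logged_chars counters the way the do_syslog() read-all path walks it (an assumption about the indexing: the last min(logged_chars, log_buf_len) bytes ending at log_end, indices masked with log_buf_len - 1), then splits on newlines and decodes the <N> prefix. The sample lines are constructed, and the helper names are the example's own.

```python
import re
from typing import Iterator, List, Tuple

FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog',
              'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp')
LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')

# "<prio>[ secs.usecs] text"; the timestamp is only present when printk.time
# is enabled, so it is optional here.
PRE_3_5_LINE = re.compile(rb"^<(\d+)>(?:\[\s*(\d+\.\d+)\] )?(.*)$")


def make_sample_log_buf(records: List[bytes], buf_len: int = 64) -> Tuple[bytes, int, int]:
    """Constructed sample, not a capture: push the lines through a circular
    buffer as emit_log_char() does. Returns (log_buf, log_end, logged_chars):
    log_end counts up without bound, logged_chars saturates at log_buf_len."""
    assert buf_len & (buf_len - 1) == 0, "log_buf_len is a power of two"
    buf = bytearray(buf_len)
    stream = b"".join(records)
    for i, byte in enumerate(stream):
        buf[i & (buf_len - 1)] = byte
    return bytes(buf), len(stream), min(len(stream), buf_len)


def logical_log_bytes(log_buf: bytes, log_end: int, logged_chars: int) -> bytes:
    """Reassemble the live log in write order: the last
    min(logged_chars, log_buf_len) bytes ending at log_end, with every index
    masked by LOG_BUF_MASK (assumed to match the 3.x do_syslog read-all path)."""
    mask = len(log_buf) - 1
    count = min(logged_chars, len(log_buf))
    start = log_end - count
    return bytes(log_buf[(start + i) & mask] for i in range(count))


def parse_pre_3_5(log_buf: bytes, log_end: int, logged_chars: int
                  ) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (facility, level, timestamp, line) for every complete line."""
    for raw in logical_log_bytes(log_buf, log_end, logged_chars).split(b"\n"):
        m = PRE_3_5_LINE.match(raw)
        if not m:
            # Either the tail of a line whose head was overwritten when the
            # buffer wrapped, or the empty string after the final newline.
            continue
        prio = int(m.group(1))
        facility, level = prio >> 3, prio & 7       # <N> is facility * 8 + level
        timestamp = m.group(2).decode() if m.group(2) else ""
        yield (FACILITIES[facility] if facility < len(FACILITIES) else str(facility),
               LEVELS[level], timestamp, m.group(3).decode(errors="replace"))


SAMPLE_RECORDS = [   # constructed, 73 bytes in total
    b"<6>[    9.000100] first\n",
    b"<4>[    9.000200] second\n",
    b"<2>[    9.000300] third\n",
]
```

With a 128-byte buffer all three lines survive; with a 64-byte buffer the third line has overwritten the head of the first, and the parser drops the orphaned tail rather than emitting a line with no priority. That partial first line is the normal condition in a dump taken long after boot, so a reader that insists every line starts with '<' will otherwise fail on the oldest record.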

FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp')
LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')
get_caller(obj)
get_caller_text(caller_id)
classmethod get_facility_text(facility)
Return type:

str

classmethod get_level_text(level)
Return type:

str

get_prefix(obj)
Return type:

Tuple[int, int, str, str]

get_string(addr, length)
Return type:

str

get_timestamp_in_sec_str(obj)
Return type:

str

nsec_to_sec_str(nsec)
Return type:

str

run()[source]

Walks through the specific kernel implementation.

Returns:

facility [str]: The log facility: kern, user, etc. See FACILITIES
level [str]: The log level: info, debug, etc. See LEVELS
timestamp [str]: The message timestamp. See nsec_to_sec_str()
caller [str]: The caller ID: CPU(1) or Task(1234). See get_caller()
line [str]: The log message.

Return type:

tuple

classmethod run_all(context, config)

Calls each subclass's symtab_checks() to test whether the kernel being analyzed meets the conditions of that specific kernel implementation, and runs the first one that does.

Parameters:
Yields:

The kmsg records. Same as run()

Return type:

Iterator[Tuple[str, str, str, str, str]]

classmethod symtab_checks(vmlinux)[source]

This method is called on each subclass to evaluate whether the kernel being analyzed fulfills the type and symbol requirements of that implementation. The first class returning True is instantiated and called via its run() method.

Returns:

True if the kernel being analyzed fulfills the class requirements.

Return type:

bool