volatility3.plugins.linux.tracing.ftrace module

class CheckFtrace(context, config_path, progress_callback=None)[source]

Bases: PluginInterface

Detect ftrace hooking

Investigate the ftrace infrastructure to uncover kernel attached callbacks, which can be leveraged to hook kernel functions and modify their behaviour.

Parameters:

context (ContextInterface) – The context that the plugin will operate within
config_path (str) – The path to configuration data within the context configuration data
progress_callback (Optional[Callable[[float, str], None]]) – A callable that can provide feedback at progress points

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type:: HierarchicalDict

property config: HierarchicalDict: The Hierarchical configuration Dictionary for this Configurable object.

property config_path: str: The configuration path on which this configurable lives.

property context: ContextInterface: The context object that this configurable belongs to/configuration is stored in.

classmethod extract_hash_table_filters(ftrace_ops)[source]

Wrap the process of walking to every ftrace_func_entry of an ftrace_ops. Those are stored in a hash table of filters that indicates the addresses hooked.

Parameters:: ftrace_ops (ObjectInterface) – The ftrace_ops struct to walk through
Return type:: Optional[Iterable[ObjectInterface]]
Returns:: An iterable of ftrace_func_entry structs

classmethod get_requirements()[source]

Returns a list of Requirement objects for this plugin.

Return type:: List[RequirementInterface]

classmethod iterate_ftrace_ops_list(context, kernel_name)[source]

Iterate over (ftrace_ops *)ftrace_ops_list.

Return type:: Optional[Iterable[ObjectInterface]]
Returns:: An iterable of ftrace_ops structs

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters:

context (ContextInterface) – The context in which to store the new configuration
base_config_path (str) – The base configuration path on which to build the new configuration
kwargs – Keyword arguments that are used to populate the new configuration path

Returns:

The newly generated full configuration path

Return type:

str

property open: Returns a context manager and thus can be called like open

classmethod parse_ftrace_ops(context, kernel_name, known_modules, ftrace_ops, run_hidden_modules=True)[source]

Parse an ftrace_ops struct to highlight ftrace kernel hooking. Iterates over embedded ftrace_func_entry entries, which point to hooked memory areas.

Parameters:

known_modules (Dict[str, List[module]]) – A dict of known modules, used to locate callbacks origin. Typically obtained through modxview.run_modules_scanners().
ftrace_ops (ObjectInterface) – The ftrace_ops struct to parse
run_hidden_modules (bool) – Whether to run the hidden_modules plugin or not. Note: it won’t be run, even if specified, if the “hidden_modules” key is present in known_modules.

Yields:

An iterable of ParsedFtraceOps dataclasses, containing a selection of useful fields (callback, hook, module) related to an ftrace_ops struct

Return type:

Optional[Iterable[ParsedFtraceOps]]

run()[source]

Executes the functionality of the code.

Note

This method expects self.validate to have been called to ensure all necessary options have been provided

Returns:: A TreeGrid object that can then be passed to a Renderer.

set_open_method(handler)

Sets the file handler to be used by this plugin.

Return type:: None

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)

Return type:: Dict[str, RequirementInterface]

version = (1, 0, 0)

class FtraceOpsFlags(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)[source]

Bases: Enum

Denote the state of an ftrace_ops struct. Based on https://elixir.bootlin.com/linux/v6.13-rc3/source/include/linux/ftrace.h#L255.

FTRACE_OPS_FL_ADDING = 256

FTRACE_OPS_FL_ALLOC_TRAMP = 2048

FTRACE_OPS_FL_DELETED = 128

FTRACE_OPS_FL_DIRECT = 131072

FTRACE_OPS_FL_DYNAMIC = 2

FTRACE_OPS_FL_ENABLED = 1

FTRACE_OPS_FL_INITIALIZED = 64

FTRACE_OPS_FL_IPMODIFY = 4096

FTRACE_OPS_FL_MODIFYING = 1024

FTRACE_OPS_FL_PERMANENT = 65536

FTRACE_OPS_FL_PID = 8192

FTRACE_OPS_FL_RCU = 16384

FTRACE_OPS_FL_RECURSION = 16

FTRACE_OPS_FL_REMOVING = 512

FTRACE_OPS_FL_SAVE_REGS = 4

FTRACE_OPS_FL_SAVE_REGS_IF_SUPPORTED = 8

FTRACE_OPS_FL_STUB = 32

FTRACE_OPS_FL_SUBOP = 262144

FTRACE_OPS_FL_TRACE_ARRAY = 32768

class ParsedFtraceOps(ftrace_ops_offset, callback_symbol, callback_address, hooked_symbols, module_name, module_address, flags)[source]

Bases: object

Parsed ftrace_ops struct representation, containing a selection of forensics valuable informations.

callback_address: int

callback_symbol: str

flags: str

ftrace_ops_offset: int

hooked_symbols: str

module_address: int

module_name: str