volatility3.framework.symbols.linux package

class IDStorage(context, kernel_module_name)[source]

Bases: ABC

Abstraction to support both XArray and RadixTree

CHUNK_MASK = None
CHUNK_SHIFT = None
CHUNK_SIZE = None
classmethod choose_id_storage(context, kernel_module_name)[source]

Returns the appropriate ID storage data structure instance for the current kernel implementation. This is used by the IDR and the PageCache to choose between the XArray and RadixTree.

Parameters:

  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • kernel_module_name (str) – The name of the kernel module on which to operate

Return type:

IDStorage

Returns:

The appropriate ID storage instance for the current kernel

get_entries(root)[source]

Walks the tree data structure

Parameters:

root (ObjectInterface) – The tree root object

Yields:

A tree node pointer

Return type:

Iterator[int]

abstractmethod get_head_node(tree)[source]

Returns a pointer to the tree’s head

Return type:

Optional[int]

abstractmethod get_node_height(nodep)[source]

Returns the node height

Return type:

int

abstractmethod get_tree_height(treep)[source]

Returns the tree height

Return type:

int

abstractmethod is_node_tagged(nodep)[source]

Checks if the node pointer is tagged

Return type:

bool

abstractmethod is_valid_node(nodep)[source]

Validates a node pointer

Return type:

bool

abstractmethod node_is_internal(nodep)[source]

Checks if the node is internal

Return type:

bool

abstract property node_type_name: str

Returns the Tree implementation node type name

Returns:

A string with the node type name

nodep_to_node(nodep)[source]

Instantiates a tree node from its pointer

Parameters:

nodep – Pointer to the XArray/RadixTree node

Return type:

ObjectInterface

Returns:

A XArray/RadixTree node instance

property tag_internal_value: int

Returns the internal node flag for the tree

abstractmethod untag_node(nodep)[source]

Untags a node pointer

Return type:

int

class LinuxKernelIntermedSymbols(*args, **kwargs)[source]

Bases: IntermediateSymbolTable

Instantiates a SymbolTable based on an IntermediateSymbolFormat JSON file. This is validated against the appropriate schema. The validation can be disabled by passing validate = False, but this should almost never be done.

Parameters:

  • context – The volatility context for the symbol table

  • config_path – The configuration path for the symbol table

  • name – The name for the symbol table (this is used in symbols e.g. table!symbol)

  • isf_url – The URL pointing to the ISF file location

  • native_types – The NativeSymbolTable that contains the native types for this symbol table

  • table_mapping – A dictionary linking names referenced in the file with symbol tables in the context

  • validate – Determines whether the ISF file will be validated against the appropriate schema

  • class_types – A dictionary of type names and classes that override StructType when they are instantiated

  • symbol_mask – An address mask used for all returned symbol offsets from this table (a mask of 0 disables masking)

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type:

HierarchicalDict

clear_symbol_cache(*args, **kwargs)

Clears the symbol cache of this symbol table.

property config: HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

property config_path: str

The configuration path on which this configurable lives.

property context: ContextInterface

The context object that this configurable belongs to/configuration is stored in.

classmethod create(context, config_path, sub_path, filename, native_types=None, table_mapping=None, class_types=None, symbol_mask=0)

Takes a context and loads an intermediate symbol table based on a filename.

Parameters:

  • context (ContextInterface) – The context that the current plugin is being run within

  • config_path (str) – The configuration path for reading/storing configuration information this symbol table may use

  • sub_path (str) – The path under a suitable symbol path (defaults to volatility3/symbols and volatility3/framework/symbols) to check

  • filename (str) – Basename of the file to find under the sub_path

  • native_types (Optional[NativeTableInterface]) – Set of native types, defaults to native types read from the intermediate symbol format file

  • table_mapping (Optional[Dict[str, str]]) – a dictionary of table names mentioned within the ISF file, and the tables within the context which they map to

  • symbol_mask (int) – An address mask used for all returned symbol offsets from this table (a mask of 0 disables masking)

Return type:

str

Returns:

the name of the added symbol table

del_type_class(*args, **kwargs)

Removes the associated class override for a specific Symbol type.

property enumerations

Returns an iterable of the available enumerations.

classmethod file_symbol_url(sub_path, filename=None)

Returns an iterator of appropriate file-scheme symbol URLs that can be opened by a ResourceAccessor class.

Filter reduces the number of results returned to only those URLs containing that string

Return type:

Generator[str, None, None]

get_enumeration(*args, **kwargs)
classmethod get_requirements()

Returns a list of RequirementInterface objects required by this object.

Return type:

List[RequirementInterface]

get_symbol(*args, **kwargs)

Resolves a symbol name into a symbol object.

If the symbol isn’t found, it raises a SymbolError exception

get_symbol_type(name)

Resolves a symbol name into a symbol and then resolves the symbol’s type.

Return type:

Optional[Template]

get_symbols_by_location(offset, size=0)

Returns the name of all symbols in this table that live at a particular offset.

Return type:

Iterable[str]

get_symbols_by_type(type_name)

Returns the name of all symbols in this table that have type matching type_name.

Return type:

Iterable[str]

get_type(*args, **kwargs)

Resolves a symbol name into an object template.

If the symbol isn’t found it raises a SymbolError exception

get_type_class(*args, **kwargs)

Returns the class associated with a Symbol type.

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters:

  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns:

The newly generated full configuration path

Return type:

str

property metadata
property natives: NativeTableInterface

Returns None or a NativeTable for handling space specific native types.

optional_set_type_class(name, clazz)

Calls the set_type_class function but does not throw an exception. Returns whether setting the type class was successful. :type name: str :param name: The name of the type to override the class for :type clazz: Type[ObjectInterface] :param clazz: The actual class to override for the provided type name

Return type:

bool

property producer
provides = {'type': 'interface'}
set_type_class(*args, **kwargs)

Overrides the object class for a specific Symbol type.

Name must be present in self.types

Parameters:

  • name – The name of the type to override the class for

  • clazz – The actual class to override for the provided type name

property symbols

Returns an iterable of the available symbol names.

property types

Returns an iterable of the available symbol type names.

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
Return type:

Dict[str, RequirementInterface]

class LinuxUtilities(*args, **kwargs)[source]

Bases: VersionableInterface

Class with multiple useful linux functions.

classmethod container_of(addr, type_name, member_name, vmlinux)[source]

Cast a member of a structure out to the containing structure. It mimics the Linux kernel macro container_of() see include/linux.kernel.h

Parameters:

  • addr (int) – The pointer to the member.

  • type_name (str) – The type of the container struct this is embedded in.

  • member_name (str) – The name of the member within the struct.

  • vmlinux (ModuleInterface) – The kernel symbols object

Return type:

Optional[ObjectInterface]

Returns:

The constructed object or None

classmethod convert_fourcc_code(code)[source]

Convert a fourcc integer back to its fourcc string representation.

Parameters:

code (int) – the numerical representation of the fourcc

Return type:

str

Returns:

The fourcc code string.

deleted = '(deleted)'
classmethod do_get_path(rdentry, rmnt, dentry, vfsmnt)[source]

Returns a pathname of the mount point or file It mimics the Linux kernel prepend_path function.

Parameters:

  • rdentry (dentry *) – A pointer to the root dentry

  • rmnt (vfsmount *) – A pointer to the root vfsmount

  • dentry (dentry *) – A pointer to the dentry

  • vfsmnt (vfsmount/vfsmount *) – A vfsmount object (kernels >= 3.3) or a vfsmount pointer (kernels < 3.3)

Returns:

Pathname of the mount point or file

Return type:

str

classmethod files_descriptors_for_process(context, symbol_table, task, files_only=False)[source]
classmethod generate_kernel_handler_info(cls, context, kernel_module_name, mods_list)[source]

This method is being deprecated. Use linux_utilities_modules.Modules.run_module_scanners to map kernel pointers to modules”)

A helper function that gets the beginning and end address of the kernel module

Return type:

List[Tuple[str, int, int]]

classmethod get_module_from_volobj_type(context, volobj)[source]

Get the vmlinux from a vol obj

Parameters:

  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • volobj (vol object) – A vol object

Raises:

ValueError – If it cannot obtain any module from the symbol table

Return type:

ModuleInterface

Returns:

A kernel object (vmlinux)

classmethod get_path_mnt(task, mnt)[source]

Returns the mount point pathname relative to the task’s root directory.

Parameters:

  • task (task_struct) – A reference task

  • mnt (vfsmount or mount) – A mounted filesystem or a mount point. - kernels < 3.3 type is ‘vfsmount’ - kernels >= 3.3 type is ‘mount’

Returns:

Pathname of the mount point relative to the task’s root directory.

Return type:

str

classmethod lookup_module_address(cls, kernel_module, handlers, target_address)[source]

DEPRECATED: use “volatility3.framework.symbols.linux.utilities.modules.Modules.lookup_module_address” instead.

Searches between the start and end address of the kernel module using target_address. Returns the module and symbol name of the address provided.

Return type:

Tuple[str, str]

classmethod mask_mods_list(cls, context, layer_name, mods)[source]

DEPRECATED: use “volatility3.framework.symbols.linux.utilities.modules.Modules.mask_mods_list” instead.

A helper function to mask the starting and end address of kernel modules

Return type:

List[Tuple[str, int, int]]

classmethod path_for_file(context, task, filp, files_only=False)[source]

Returns a file (or sock pipe) pathname relative to the task’s root directory.

A ‘file’ structure doesn’t have enough information to properly restore its full path we need the root mount information from task_struct to determine this

Parameters:

  • context – The context to retrieve required elements (layers, symbol tables) from

  • task (task_struct) – A reference task

  • filp (file *) – A pointer to an open file

Returns:

A file (or sock pipe) pathname relative to the task’s root directory.

Return type:

str

smear = '<potentially smeared>'
version = (2, 4, 0)
classmethod walk_internal_list(vmlinux, struct_name, list_member, list_start, max_count=4096)[source]

An API that provides generic, smear-resistant enumeration of embedded lists

Parameters:

  • vmlinux (ModuleInterface)

  • struct_name (str) – name of the structure of the list elements

  • list_member (str) – name of the list_member holding the internal list

  • list_start (ObjectInterface) – Starting (head) member of the list

  • max_count (int) – Optional maximum amount of list elements that will be yielded

Return type:

Generator[ObjectInterface, None, None]

Returns:

Instances of struct_name

class PageCache(context, kernel_module_name, page_cache)[source]

Bases: object

Linux Page Cache abstraction

Parameters:

  • context (ContextInterface) – interfaces.context.ContextInterface,

  • kernel_module_name (str) – The name of the kernel module on which to operate

  • page_cache (ObjectInterface) – Page cache address space

get_cached_pages()[source]

Returns all page cache contents

Yields:

Page objects

Return type:

Iterator[ObjectInterface]

class RadixTree(*args, **kwargs)[source]

Bases: IDStorage

CHUNK_MASK = None
CHUNK_SHIFT = None
CHUNK_SIZE = None
RADIX_TREE_ENTRY_MASK = 3
RADIX_TREE_EXCEPTIONAL_ENTRY = 2
RADIX_TREE_HEIGHT_MASK = None
RADIX_TREE_HEIGHT_SHIFT = None
RADIX_TREE_INDEX_BITS = None
RADIX_TREE_INTERNAL_NODE = 1
RADIX_TREE_MAP_SHIFT = 6
RADIX_TREE_MAX_PATH = None
classmethod choose_id_storage(context, kernel_module_name)

Returns the appropriate ID storage data structure instance for the current kernel implementation. This is used by the IDR and the PageCache to choose between the XArray and RadixTree.

Parameters:

  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • kernel_module_name (str) – The name of the kernel module on which to operate

Return type:

IDStorage

Returns:

The appropriate ID storage instance for the current kernel

get_entries(root)

Walks the tree data structure

Parameters:

root (ObjectInterface) – The tree root object

Yields:

A tree node pointer

Return type:

Iterator[int]

get_head_node(tree)[source]

Returns a pointer to the tree’s head

Return type:

Optional[int]

get_node_height(nodep)[source]

Returns the node height

Return type:

int

get_tree_height(treep)[source]

Returns the tree height

Return type:

int

is_node_tagged(nodep)[source]

Checks if the node pointer is tagged

Return type:

bool

is_valid_node(nodep)[source]

Validates a node pointer

Return type:

bool

node_is_internal(nodep)[source]

Checks if the node is internal

Return type:

bool

property node_type_name: str

Returns the Tree implementation node type name

Returns:

A string with the node type name

nodep_to_node(nodep)

Instantiates a tree node from its pointer

Parameters:

nodep – Pointer to the XArray/RadixTree node

Return type:

ObjectInterface

Returns:

A XArray/RadixTree node instance

property tag_internal_value: int

Returns the internal node flag for the tree

untag_node(nodep)[source]

Untags a node pointer

Return type:

int

class VMCoreInfo(*args, **kwargs)[source]

Bases: VersionableInterface

classmethod search_vmcoreinfo_elf_note(context, layer_name, progress_callback=None)[source]

Enumerates each VMCoreInfo ELF note table found in memory along with its offset.

This approach is independent of any external ISF symbol or type, requiring only the Elf64_Note found in ‘elf.json’, which is already included in the framework.

Parameters:

  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • layer_name (str) – The layer within the context in which the module exists

  • progress_callback (Optional[Callable[[float, str], None]]) – A function that takes a percentage (and an optional description) that will be called periodically

Yields:

Tuples with the VMCoreInfo ELF note offset and the VMCoreInfo table parsed in a dictionary.

Return type:

Iterator[Tuple[int, Dict[str, str]]]

version = (1, 0, 0)
class XArray(context, kernel_module_name)[source]

Bases: IDStorage

CHUNK_MASK = None
CHUNK_SHIFT = None
CHUNK_SIZE = None
XARRAY_TAG_INTERNAL = 2
XARRAY_TAG_MASK = 3
classmethod choose_id_storage(context, kernel_module_name)

Returns the appropriate ID storage data structure instance for the current kernel implementation. This is used by the IDR and the PageCache to choose between the XArray and RadixTree.

Parameters:

  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • kernel_module_name (str) – The name of the kernel module on which to operate

Return type:

IDStorage

Returns:

The appropriate ID storage instance for the current kernel

get_entries(root)

Walks the tree data structure

Parameters:

root (ObjectInterface) – The tree root object

Yields:

A tree node pointer

Return type:

Iterator[int]

get_head_node(tree)[source]

Returns a pointer to the tree’s head

Return type:

Optional[int]

get_node_height(nodep)[source]

Returns the node height

Return type:

int

get_tree_height(treep)[source]

Returns the tree height

Return type:

int

is_node_tagged(nodep)[source]

Checks if the node pointer is tagged

Return type:

bool

is_valid_node(nodep)[source]

Validates a node pointer

Return type:

bool

node_is_internal(nodep)[source]

Checks if the node is internal

Return type:

bool

property node_type_name: str

Returns the Tree implementation node type name

Returns:

A string with the node type name

nodep_to_node(nodep)

Instantiates a tree node from its pointer

Parameters:

nodep – Pointer to the XArray/RadixTree node

Return type:

ObjectInterface

Returns:

A XArray/RadixTree node instance

property tag_internal_value: int

Returns the internal node flag for the tree

untag_node(nodep)[source]

Untags a node pointer

Return type:

int

Subpackages

Submodules