volatility3.plugins.linux.kmsg module

class ABCKmsg(context, config)[source]

Bases: ABC

Kernel log buffer reader

FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp')
LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')
get_caller(obj)[source]
get_caller_text(caller_id)[source]
classmethod get_facility_text(facility)[source]
Return type:

str

classmethod get_level_text(level)[source]
Return type:

str

get_prefix(obj)[source]
Return type:

Tuple[int, int, str, str]

get_string(addr, length)[source]
Return type:

str

get_timestamp_in_sec_str(obj)[source]
Return type:

str

nsec_to_sec_str(nsec)[source]
Return type:

str

abstract run()[source]

Walks through the specific kernel implementation.

Return type:

Iterator[Tuple[str, str, str, str, str]]

classmethod run_all(context, config)[source]

It calls each subclass's symtab_checks() to test the conditions required by that specific kernel implementation.

Yields:

kmsg records

Return type:

Iterator[Tuple[str, str, str, str, str]]

abstract classmethod symtab_checks(vmlinux)[source]

This method on each subclass will be called to evaluate whether the kernel being analysed fulfils the type and symbol requirements of the implementation. The first class returning True will be instantiated and called via the run() method.

Return type:

bool

Returns:

True if the kernel being analysed fulfils the class requirements.

class DescStateEnum(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)[source]

Bases: Enum

desc_committed = 1
desc_finalized = 2
desc_miss = -1
desc_reserved = 0
desc_reusable = 3
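
The states above are what a reader finds in the top two bits of a descriptor's state_var word in kernels from 5.10 onwards. The following is an added example (not volatility3's own code) that mirrors the DESC_STATE / DESC_ID macros and the get_desc_state() logic of kernel/printk/printk_ringbuffer.h; it assumes a 64-bit kernel (a 64-bit unsigned long), and desc_miss is the value returned when the id stored in the slot is not the one being looked up, i.e. the descriptor has been recycled for a newer record.

```python
"""Decode a printk descriptor state word as kernels >= 5.10 store it.

Added example (not volatility3 code).  It mirrors the DESC_STATE / DESC_ID
macros in kernel/printk/printk_ringbuffer.h: the two most significant bits
of a descriptor's atomic state_var hold the state, the remaining bits hold
the descriptor id.  Assumption: a 64-bit kernel, so state_var is 64 bits.
"""
from enum import Enum


class DescStateEnum(Enum):
    desc_miss = -1       # id in state_var did not match: descriptor was reused
    desc_reserved = 0    # writer reserved it, text not yet written
    desc_committed = 1   # text written, record may still be extended
    desc_finalized = 2   # complete; the only state readers return
    desc_reusable = 3    # text block freed, descriptor can be recycled


DESC_SV_BITS = 64                                   # assumed: 64-bit unsigned long
DESC_FLAGS_SHIFT = DESC_SV_BITS - 2                 # state lives in the top 2 bits
DESC_FLAGS_MASK = 3 << DESC_FLAGS_SHIFT
DESC_ID_MASK = ((1 << DESC_SV_BITS) - 1) ^ DESC_FLAGS_MASK   # everything else is the id


def desc_state_bits(state_var: int) -> int:
    """DESC_STATE(sv): the 2-bit state field."""
    return (state_var >> DESC_FLAGS_SHIFT) & 3


def desc_id(state_var: int) -> int:
    """DESC_ID(sv): the id field."""
    return state_var & DESC_ID_MASK


def get_desc_state(expected_id: int, state_var: int) -> DescStateEnum:
    """Equivalent of the kernel's get_desc_state(): a descriptor slot is only
    meaningful if the id stored in it is the id we were looking for; a
    mismatch means the slot was recycled for a newer record."""
    if desc_id(state_var) != expected_id:
        return DescStateEnum.desc_miss
    return DescStateEnum(desc_state_bits(state_var))


def make_state_var(desc_id_value: int, state: DescStateEnum) -> int:
    """Build a state_var word (what a memory image would contain)."""
    return (state.value << DESC_FLAGS_SHIFT) | (desc_id_value & DESC_ID_MASK)


def is_readable(expected_id: int, state_var: int) -> bool:
    """A forensic reader should only trust the text of finalized records."""
    return get_desc_state(expected_id, state_var) is DescStateEnum.desc_finalized
```

When walking desc_ring in a memory image, a desc_miss on the id you computed from the sequence number means that descriptor has been overwritten since; the kernel's own readers likewise skip anything that is not finalized, so a committed record may still have text appended to it.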
class Kmsg(context, config_path, progress_callback=None)[source]

Bases: PluginInterface

Kernel log buffer reader

Parameters:
  • context (ContextInterface) – The context that the plugin will operate within

  • config_path (str) – The path to configuration data within the context configuration data

  • progress_callback (Optional[Callable[[float, str], None]]) – A callable that can provide feedback at progress points

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built. Inheriting classes must override this to ensure any dependent classes update their configurations too.

Return type:

HierarchicalDict

property config: HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

property config_path: str

The configuration path on which this configurable lives.

property context: ContextInterface

The context object that this configurable belongs to/configuration is stored in.

classmethod get_requirements()[source]

Returns a list of Requirement objects for this plugin.

Return type:

List[RequirementInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters:
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns:

The newly generated full configuration path

Return type:

str

property open

Returns a context manager and thus can be called like open

run()[source]

Executes the functionality of the code.

Note

This method expects self.validate to have been called to ensure all necessary options have been provided

Returns:

A TreeGrid object that can then be passed to a Renderer.

set_open_method(handler)

Sets the file handler to be used by this plugin.

Return type:

None

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet))

Return type:

Dict[str, RequirementInterface]

version = (1, 0, 1)
class KmsgFiveTen(context, config)[source]

Bases: ABCKmsg

In 5.10 the kernel ringbuffer implementation changed. Previously, only one process was expected to read /proc/kmsg: it is kept permanently open and periodically read by the syslog daemon. A high-level structure ‘printk_ringbuffer’ was added to represent the printk ringbuffer, which actually contains two ringbuffers. The descriptor ring ‘desc_ring’ contains the records’ metadata, text offsets and states. The data block ring ‘text_data_ring’ contains the records’ text strings. A pointer to the high-level structure is kept in the prb pointer, which is initialized to a static ringbuffer.

static struct printk_ringbuffer *prb = &printk_rb_static;

In SMP systems with more than 64 CPUs this ringbuffer size is dynamically allocated according to the number of CPUs, based on the value of CONFIG_LOG_CPU_MAX_BUF_SHIFT. The prb pointer is updated accordingly to point to this dynamic ringbuffer in setup_log_buf().

prb = &printk_rb_dynamic;

Behind the scenes, log_buf is still used as the external buffer. When the static printk_ringbuffer struct is initialized, _DEFINE_PRINTKRB sets the text_data_ring.data pointer to the address in log_buf, which points to the static buffer __log_buf. If a dynamic ringbuffer is used, setup_log_buf() sets text_data_ring.data of printk_rb_dynamic to the newly allocated external buffer via the prb_init function. In that case, the original external static buffer in __log_buf and printk_rb_static are unused.

new_log_buf = memblock_alloc(new_log_buf_len, LOG_ALIGN);
prb_init(&printk_rb_dynamic, new_log_buf, ...);
log_buf = new_log_buf;
prb = &printk_rb_dynamic;

See printk.c and printk_ringbuffer.c in kernel/printk/ folder for more details.

FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp')
LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')
get_caller(obj)
get_caller_text(caller_id)
get_dict_lines(info)[source]
Return type:

Generator[str, None, None]

classmethod get_facility_text(facility)
Return type:

str

classmethod get_level_text(level)
Return type:

str

get_log_lines(text_data_ring, desc, info)[source]
Return type:

Generator[str, None, None]

get_prefix(obj)
Return type:

Tuple[int, int, str, str]

get_string(addr, length)
Return type:

str

get_text_from_data_ring(text_data_ring, desc, info)[source]
Return type:

str

get_timestamp_in_sec_str(obj)
Return type:

str

nsec_to_sec_str(nsec)
Return type:

str

run()[source]

Walks through the specific kernel implementation.

Return type:

Iterator[Tuple[str, str, str, str, str]]

classmethod run_all(context, config)

It calls each subclass's symtab_checks() to test the conditions required by that specific kernel implementation.

Yields:

kmsg records

Return type:

Iterator[Tuple[str, str, str, str, str]]

classmethod symtab_checks(vmlinux)[source]

This method on each subclass will be called to evaluate whether the kernel being analysed fulfils the type and symbol requirements of the implementation. The first class returning True will be instantiated and called via the run() method.

Return type:

bool

Returns:

True if the kernel being analysed fulfils the class requirements.

class KmsgLegacy(context, config)[source]

Bases: ABCKmsg

In Linux kernels prior to v5.10, the ringbuffer is initially kept in __log_buf, and log_buf is a pointer to it. __log_buf is declared as a char array but it actually contains an array of printk_log structs. The length of this array is defined in the kernel Kconfig configuration via the CONFIG_LOG_BUF_SHIFT value, as a power of 2. It can also be modified by the log_buf_len kernel boot parameter. In SMP systems with more than 64 CPUs this ringbuffer size is dynamically allocated according to the number of CPUs, based on the value of CONFIG_LOG_CPU_MAX_BUF_SHIFT, and the log_buf pointer is updated accordingly to point to the new buffer. In that case, the original static buffer in __log_buf is unused.
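
The following added example (not volatility3's own code) walks a pre-5.10 __log_buf the way the paragraph above describes it: a char array holding packed printk_log records, read from log_first_idx and following each record's len field, wrapping to offset 0 when a zero-length header marks the end of the buffer. It also decodes the facility/level prefix and the nanosecond timestamp in the spirit of the ABCKmsg helpers listed earlier (FACILITIES, LEVELS, get_prefix, nsec_to_sec_str). Assumptions: the 16-byte header layout of struct printk_log on a little-endian build without CONFIG_PRINTK_CALLER (u64 ts_nsec, u16 len, u16 text_len, u16 dict_len, u8 facility, then flags in the low 5 bits and level in the high 3 bits of one byte), 4-byte record alignment, and a constructed sample buffer; the timestamp string format is this example's own, not necessarily the plugin's.

```python
"""Walk a pre-5.10 __log_buf: a char array holding packed printk_log records.

Added example, not volatility3's code.  Assumptions, matching the
pre-5.10 struct printk_log in kernel/printk/printk.c on a little-endian
build without CONFIG_PRINTK_CALLER: a 16-byte header of
u64 ts_nsec, u16 len, u16 text_len, u16 dict_len, u8 facility, then one
byte holding flags (low 5 bits) and level (high 3 bits); text follows the
header, the dictionary follows the text, and each record is padded to a
4-byte boundary.  A header whose len is 0 marks the end of the buffer and
tells the reader to wrap to offset 0.  The sample buffer is constructed.
"""
import struct
from typing import Iterator, Tuple

FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news',
              'uucp', 'cron', 'authpriv', 'ftp')
LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')

PRINTK_LOG_FMT = "<QHHHBB"                          # assumed header layout
PRINTK_LOG_SIZE = struct.calcsize(PRINTK_LOG_FMT)   # 16 bytes
LOG_ALIGN = 4

Record = Tuple[int, int, int, int, str]   # seq, ts_nsec, facility, level, text


def get_prefix(facility: int, level: int) -> Tuple[int, int, str, str]:
    """Numeric facility/level plus their syslog names, like a dmesg prefix."""
    fac_text = FACILITIES[facility] if facility < len(FACILITIES) else f"unknown({facility})"
    return facility, level, fac_text, LEVELS[level & 7]


def nsec_to_sec_str(nsec: int) -> str:
    """Kernel timestamp (ns since boot) as seconds with microsecond precision."""
    return f"{nsec // 1_000_000_000}.{(nsec % 1_000_000_000) // 1000:06d}"


def make_record(ts_nsec: int, facility: int, level: int, text: str, flags: int = 0) -> bytes:
    """Encode one printk_log record the way the kernel writer lays it out."""
    body = text.encode()
    used = PRINTK_LOG_SIZE + len(body)                    # no dictionary in the samples
    rec_len = (used + LOG_ALIGN - 1) & ~(LOG_ALIGN - 1)   # pad to LOG_ALIGN
    header = struct.pack(PRINTK_LOG_FMT, ts_nsec, rec_len, len(body), 0,
                         facility, (flags & 0x1F) | ((level & 7) << 5))
    return header + body + b"\0" * (rec_len - used)


def read_log_buf(log_buf: bytes, first_idx: int, first_seq: int, next_seq: int) -> Iterator[Record]:
    """Yield records oldest to newest, starting at log_first_idx and using the
    sequence counters (log_first_seq .. log_next_seq) to know when to stop."""
    idx = first_idx
    for seq in range(first_seq, next_seq):
        hdr = struct.unpack_from(PRINTK_LOG_FMT, log_buf, idx)
        if hdr[1] == 0:                   # len == 0: end of buffer, wrap around
            idx = 0
            hdr = struct.unpack_from(PRINTK_LOG_FMT, log_buf, idx)
        ts_nsec, rec_len, text_len, _dict_len, facility, flags_level = hdr
        start = idx + PRINTK_LOG_SIZE
        text = log_buf[start:start + text_len].decode("utf-8", errors="replace")
        yield seq, ts_nsec, facility, flags_level >> 5, text
        idx += rec_len


def format_record(rec: Record) -> str:
    """Render one record in a dmesg-like form."""
    _seq, ts_nsec, facility, level, text = rec
    _, _, fac_text, lvl_text = get_prefix(facility, level)
    return f"[{nsec_to_sec_str(ts_nsec):>14}] {fac_text}.{lvl_text}: {text}"


def build_sample_log_buf() -> Tuple[bytes, int, int, int]:
    """Constructed 128-byte __log_buf that has already wrapped once:
    oldest surviving record at offset 48, newest at offset 0."""
    buf = bytearray(128)
    buf[48:72] = make_record(5_000_000_000, 0, 6, "B older")              # 24 bytes
    buf[72:96] = make_record(5_250_000_000, 0, 4, "C middle")             # 24 bytes
    buf[0:36] = make_record(6_000_123_456, 1, 3, "D newest after wrap")   # 36 bytes
    # offset 96 is left zeroed: a len == 0 header is the wrap marker
    return bytes(buf), 48, 10, 13   # log_buf, log_first_idx, log_first_seq, log_next_seq


if __name__ == "__main__":
    for rec in read_log_buf(*build_sample_log_buf()):
        print(format_record(rec))
```

Reading by sequence number rather than by comparing indices matters in the full-buffer case, where log_next_idx can equal log_first_idx; on a real image the same walk is driven by the log_first_idx, log_next_idx, log_first_seq and log_next_seq symbols, and a header with CONFIG_PRINTK_CALLER is 20 bytes rather than 16.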

FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp')
LEVELS = ('emerg', 'alert', 'crit', 'err', 'warn', 'notice', 'info', 'debug')
get_caller(obj)
get_caller_text(caller_id)
get_dict_lines(msg)[source]
Return type:

Generator[str, None, None]

classmethod get_facility_text(facility)
Return type:

str

classmethod get_level_text(level)
Return type:

str

get_log_lines(msg)[source]
Return type:

Generator[str, None, None]

get_prefix(obj)
Return type:

Tuple[int, int, str, str]

get_string(addr, length)
Return type:

str

get_text_from_printk_log(msg)[source]
Return type:

str

get_timestamp_in_sec_str(obj)
Return type:

str

nsec_to_sec_str(nsec)
Return type:

str

run()[source]

Walks through the specific kernel implementation.

Return type:

Iterator[Tuple[str, str, str, str, str]]

classmethod run_all(context, config)

It calls each subclass's symtab_checks() to test the conditions required by that specific kernel implementation.

Yields:

kmsg records

Return type:

Iterator[Tuple[str, str, str, str, str]]

classmethod symtab_checks(vmlinux)[source]

This method on each subclass will be called to evaluate whether the kernel being analysed fulfils the type and symbol requirements of the implementation. The first class returning True will be instantiated and called via the run() method.

Return type:

bool

Returns:

True if the kernel being analysed fulfils the class requirements.