[Forensics-changes] [volatility] 01/02: Imported Upstream version 2.5+git20161121.ecd8a54
Joao Eriberto Mota Filho
eriberto at moszumanska.debian.org
Wed Dec 14 23:39:00 UTC 2016
eriberto pushed a commit to branch debian
in repository volatility.
commit 3ee6b9d443bf03089d1418a77d44c599df55bb6b
Author: Joao Eriberto Mota Filho <eriberto at debian.org>
Date: Wed Dec 14 21:38:38 2016 -0200
Imported Upstream version 2.5+git20161121.ecd8a54
---
volatility/plugins/bigpagepools.py | 2 +-
volatility/plugins/linux/check_fops.py | 14 +++++++-------
volatility/plugins/linux/common.py | 15 +++++++++++++--
volatility/plugins/linux/cpuinfo.py | 10 +++++++---
4 files changed, 28 insertions(+), 13 deletions(-)
diff --git a/volatility/plugins/bigpagepools.py b/volatility/plugins/bigpagepools.py
index 3536db9..b4e8594 100644
--- a/volatility/plugins/bigpagepools.py
+++ b/volatility/plugins/bigpagepools.py
@@ -68,7 +68,7 @@ class BigPageTableMagic(obj.ProfileModification):
(6, 2, '32bit') : [[92, 88]],
(6, 2, '64bit') : [[-5200, -5224]],
(6, 3, '32bit') : [[116, 120]],
- (6, 4, '64bit') : [[208, 184], [168, 192], [176, 168], [48, 40], [32, 24]],
+ (6, 4, '64bit') : [[208, 184], [168, 192], [176, 168], [48, 40], [32, 24], [24, 48]],
(6, 4, '32bit') : [[-168, -164]],
}
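Review bot: The new `[24, 48]` pair is appended to the `(6, 4, '64bit')` candidate list with nothing recording which Windows build or sample image it was taken from, and the table itself carries no comment on what the two numbers of each pair mean or whether list order matters. A one-line comment on the changed entry would save the next person who has to add a pair from re-deriving it, e.g. `# [24, 48]: TODO(review) note the 6.4 x64 build this was observed on; pairs appear to be tried in list order`. Since these offsets drive where the big-page pool table is read from, a wrong or mis-ordered guess silently produces no or bogus results rather than an error, which is why the provenance is worth keeping next to the data. The `BigPageTableMagic` class starts outside this hunk.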
diff --git a/volatility/plugins/linux/check_fops.py b/volatility/plugins/linux/check_fops.py
index 8581d21..d9ef201 100644
--- a/volatility/plugins/linux/check_fops.py
+++ b/volatility/plugins/linux/check_fops.py
@@ -57,9 +57,8 @@ class linux_check_fop(linux_common.AbstractLinuxCommand):
for (hooked_member, hook_address) in self.verify_ops(filp.f_op, f_op_members, modules):
name = "{0:s} {1:d} {2:s}".format(task.comm, i, linux_common.get_path(task, filp))
yield (name, hooked_member, hook_address)
-
+
def check_proc_fop(self, f_op_members, modules):
-
proc_mnt_addr = self.addr_space.profile.get_symbol("proc_mnt")
if not proc_mnt_addr:
return
@@ -74,22 +73,23 @@ class linux_check_fop(linux_common.AbstractLinuxCommand):
# only check the root directory
for dentry in root.d_subdirs.list_of_type("dentry", "d_u"):
-
name = dentry.d_name.name.dereference_as("String", length = 255)
for (hooked_member, hook_address) in self.verify_ops(dentry.d_inode.i_fop, f_op_members, modules):
yield("proc_mnt: {0}".format(name), hooked_member, hook_address)
def walk_proc(self, cur, f_op_members, modules, parent = ""):
-
+ last_cur = None
while cur:
-
if cur.obj_offset in self.seen_proc:
+ if cur.obj_offset == last_cur:
+ break
+
cur = cur.next
continue
self.seen_proc[cur.obj_offset] = 1
-
+
name = cur.name.dereference_as("String", length = 255)
fops = cur.proc_fops
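Review bot: The `last_cur` guard at the new `if cur.obj_offset == last_cur: break` only stops a one-element cycle where `cur.next` points back at `cur`; a longer cycle made entirely of entries already in `self.seen_proc` (a -> b -> a) still spins forever, because that branch advances `cur` with `cur = cur.next; continue` and never updates `last_cur`, and a corrupted or deliberately crafted proc_dir_entry sibling list in the image is enough to trigger it. Recording the offsets visited in this particular sibling walk in a local set and breaking on the first repeat catches cycles of any length, and makes the separate `last_cur` bookkeeping (including the `last_cur = cur.obj_offset` assignment in the next hunk) unnecessary. `self.seen_proc` cannot serve that purpose because the loop intentionally skips seen entries rather than stopping on them. `walk_proc` continues past the end of this hunk.

```python
    def walk_proc(self, cur, f_op_members, modules, parent = ""):
        visited = set()
        while cur:
            # stop on any revisit within this sibling chain, not only cur.next == cur
            if cur.obj_offset in visited:
                break
            visited.add(cur.obj_offset)

            if cur.obj_offset in self.seen_proc:
                cur = cur.next
                continue
            self.seen_proc[cur.obj_offset] = 1
            # … unchanged: name/fops checks and subdir walk …
```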
@@ -104,6 +104,7 @@ class linux_check_fop(linux_common.AbstractLinuxCommand):
yield (name, hooked_member, hook_address)
subdir = subdir.next
+ last_cur = cur.obj_offset
cur = cur.next
def check_proc_root_fops(self, f_op_members, modules):
@@ -138,7 +139,6 @@ class linux_check_fop(linux_common.AbstractLinuxCommand):
funcs = [self.check_open_files_fop, self.check_proc_fop, self.check_proc_root_fops, self.check_file_cache]
for func in funcs:
-
for (name, member, address) in func(f_op_members, modules):
yield (name, member, address)
diff --git a/volatility/plugins/linux/common.py b/volatility/plugins/linux/common.py
index 50a80d2..0c1f7d9 100644
--- a/volatility/plugins/linux/common.py
+++ b/volatility/plugins/linux/common.py
@@ -51,6 +51,7 @@ class AbstractLinuxCommand(commands.Command):
def __init__(self, *args, **kwargs):
self.addr_space = None
self.known_addrs = {}
+ self.known_fops = {}
commands.Command.__init__(self, *args, **kwargs)
@property
@@ -83,12 +84,19 @@ class AbstractLinuxCommand(commands.Command):
return False
def verify_ops(self, ops, op_members, modules):
+ ops_addr = ops.v()
+ ops_list = []
+
+ if ops_addr in self.known_fops:
+ for check, addr in self.known_fops[ops_addr]:
+ yield check, addr
+
+ return
for check in op_members:
addr = int(ops.m(check))
- if addr and addr != 0:
-
+ if addr and addr != 0 and addr != -1:
if addr in self.known_addrs:
known = self.known_addrs[addr]
else:
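Review bot: The added `addr != -1` test on the changed `if` line only does anything if `int(ops.m(check))` can return a negative number; for a pointer-typed or unsigned member an all-ones poison value comes back as `0xffffffff`/`0xffffffffffffffff` and still passes the filter, so the new condition may be a no-op for the very case it seems meant to catch. I can't see the members' declared types from this hunk, so either the comparison should also cover the unsigned form of the profile's pointer width, or the line deserves a comment stating that the member is signed and what `-1` stands for, e.g. `# -1: member poisoned/unset; ops.m() returns a signed value here`. `verify_ops` continues past the end of this hunk.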
@@ -97,6 +105,9 @@ class AbstractLinuxCommand(commands.Command):
if known == 0:
yield (check, addr)
+ ops_list.append((check, addr))
+
+ self.known_fops[ops_addr] = ops_list
class AbstractLinuxIntelCommand(AbstractLinuxCommand):
@staticmethod
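Review bot: The cache written at `self.known_fops[ops_addr] = ops_list` is keyed on the ops address alone, but `verify_ops` also takes `op_members` and `modules`, so a later call for the same struct address with a different member list would replay the first call's findings for the wrong members; the method lives on `AbstractLinuxCommand`, so other plugins may well call it with other tables. Keying on the members too is a one-line change, `cache_key = (ops_addr, tuple(op_members))`, used for both the lookup and the store in place of `ops_addr`. Separately, whether `ops_list.append((check, addr))` sits inside the `if known == 0:` body determines whether the cache holds only hooked members, which is what the hit path at the top of the method replays as hooks — indentation is not recoverable on this page, so please confirm it does. `verify_ops` starts outside this hunk.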
diff --git a/volatility/plugins/linux/cpuinfo.py b/volatility/plugins/linux/cpuinfo.py
index 7166569..81a9fea 100644
--- a/volatility/plugins/linux/cpuinfo.py
+++ b/volatility/plugins/linux/cpuinfo.py
@@ -78,8 +78,9 @@ class linux_cpuinfo(linux_common.AbstractLinuxIntelCommand):
def online_cpus(self):
""" returns a list of online cpus (the processor numbers) """
- cpu_online_bits_addr = self.addr_space.profile.get_symbol("cpu_online_bits")
- cpu_present_map_addr = self.addr_space.profile.get_symbol("cpu_present_map")
+ cpu_online_bits_addr = self.addr_space.profile.get_symbol("cpu_online_bits")
+ cpu_present_map_addr = self.addr_space.profile.get_symbol("cpu_present_map")
+ cpu_present_mask_addr = self.addr_space.profile.get_symbol("__cpu_present_mask")
#later kernels..
if cpu_online_bits_addr:
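Review bot: The new fallback looks up `__cpu_present_mask`, while the docstring two lines above promises the online CPUs; kernels that export `__cpu_present_mask` presumably also export `__cpu_online_mask` (the successor of `cpu_online_bits`), so adding `cpu_online_mask_addr = self.addr_space.profile.get_symbol("__cpu_online_mask")` and preferring it over the present mask would keep the online/present distinction the older branches already make. If the present mask is the intended source, the docstring should say the result may include present-but-offline CPUs. `online_cpus` continues past the end of this hunk.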
@@ -88,11 +89,14 @@ class linux_cpuinfo(linux_common.AbstractLinuxIntelCommand):
elif cpu_present_map_addr:
bmap = obj.Object("unsigned long", offset = cpu_present_map_addr, vm = self.addr_space)
+ elif cpu_present_mask_addr:
+ bmap = obj.Object("unsigned long", offset = cpu_present_mask_addr, vm = self.addr_space)
+
else:
raise AttributeError, "Unable to determine number of online CPUs for memory capture"
cpus = []
- for i in range(8):
+ for i in range(32):
if bmap & (1 << i):
cpus.append(i)
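Review bot: `for i in range(32)` still reads only the low 32 bits of `bmap`, yet `bmap` is read as an `unsigned long`, which is 64 bits wide on 64-bit profiles, so CPUs 32–63 are dropped on exactly the large systems this change seems aimed at; the old `range(8)` had the same shape of limit. Bounding the loop by the word size avoids another hard-coded constant: `for i in range(self.addr_space.profile.get_obj_size("unsigned long") * 8):` (assuming that profile helper is available here as it is elsewhere in Volatility 2; otherwise derive the width from the profile's pointer size). Also, `__cpu_present_mask` in the kernels that have it is a multi-word cpumask structure, so a single `unsigned long` read covers at most the first word; a comment on the new `elif` branch such as `# only the first word of the cpumask is read: CPUs beyond BITS_PER_LONG are not reported` would set expectations. `online_cpus` starts outside this hunk.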
--