Merge pull request #1035 from eve-mem/linux_bash_get_sections_only_once

Linux: update bash plugin to only get memory sections once
volatilityfoundation · Nov 15, 2023 · 2e4d6cd · 2e4d6cd
2 parents 19d40b1 + 9fe7d47
commit 2e4d6cd
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/volatility3/framework/plugins/linux/bash.py b/volatility3/framework/plugins/linux/bash.py
@@ -75,11 +75,16 @@ def _generator(self, tasks):
 
             bang_addrs = []
 
+            # get task memory sections to be used by scanners
+            task_memory_sections = [
+                section for section in task.get_process_memory_sections(heap_only=True)
+            ]
+
             # find '#' values on the heap
             for address in proc_layer.scan(
                 self.context,
                 scanners.BytesScanner(b"#"),
-                sections=task.get_process_memory_sections(heap_only=True),
+                sections=task_memory_sections,
             ):
                 bang_addrs.append(struct.pack(pack_format, address))
 
@@ -89,7 +94,7 @@ def _generator(self, tasks):
                 for address, _ in proc_layer.scan(
                     self.context,
                     scanners.MultiStringScanner(bang_addrs),
-                    sections=task.get_process_memory_sections(heap_only=True),
+                    sections=task_memory_sections,
                 ):
                     hist = self.context.object(
                         bash_table_name + constants.BANG + "hist_entry",