From a68d56e19109a81098ae208d33ae94a679ff0824 Mon Sep 17 00:00:00 2001 From: Eve Date: Tue, 13 Dec 2022 16:09:57 +0000 Subject: [PATCH 01/10] add linux.vmayarascan based on windows.vadtarascan --- .../framework/plugins/linux/vmayarascan.py | 121 ++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 volatility3/framework/plugins/linux/vmayarascan.py diff --git a/volatility3/framework/plugins/linux/vmayarascan.py b/volatility3/framework/plugins/linux/vmayarascan.py new file mode 100644 index 0000000000..e9482089a6 --- /dev/null +++ b/volatility3/framework/plugins/linux/vmayarascan.py @@ -0,0 +1,121 @@ +# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0 +# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0 +# + +from typing import Iterable, List, Tuple + +from volatility3.framework import interfaces, renderers +from volatility3.framework.configuration import requirements +from volatility3.framework.renderers import format_hints +from volatility3.plugins import yarascan +from volatility3.plugins.linux import pslist + +class VmaYaraScan(interfaces.plugins.PluginInterface): + """Scans all virtual memory areas for tasks using yara.""" + + _required_framework_version = (2, 4, 0) + + @classmethod + def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: + return [ + requirements.ModuleRequirement( + name="kernel", + description="Linux kernel", + architectures=["Intel32", "Intel64"], + ), + requirements.BooleanRequirement( + name="wide", + description="Match wide (unicode) strings", + default=False, + optional=True, + ), + requirements.StringRequirement( + name="yara_rules", description="Yara rules (as a string)", optional=True + ), + requirements.URIRequirement( + name="yara_file", description="Yara rules (as a file)", optional=True + ), + # This additional requirement is to follow suit with upstream, who feel that compiled rules could potentially be used to execute malicious code + # As such, there's a separate option to run compiled files, as happened with yara-3.9 and later + requirements.URIRequirement( + name="yara_compiled_file", + description="Yara compiled rules (as a file)", + optional=True, + ), + requirements.IntRequirement( + name="max_size", + default=0x40000000, + description="Set the maximum size (default is 1GB)", + optional=True, + ), + requirements.PluginRequirement( + name="pslist", plugin=pslist.PsList, version=(2, 0, 0) + ), + requirements.VersionRequirement( + name="yarascanner", component=yarascan.YaraScanner, version=(2, 0, 0) + ), + requirements.ListRequirement( + name="pid", + element_type=int, + description="Process IDs to include (all other processes are excluded)", + optional=True, + ), + ] + + def _generator(self): + kernel = self.context.modules[self.config["kernel"]] + + rules = yarascan.YaraScan.process_yara_options(dict(self.config)) + + filter_func = pslist.PsList.create_pid_filter(self.config.get("pid", None)) + for task in pslist.PsList.list_tasks( + context=self.context, + vmlinux_module_name=self.config["kernel"], + filter_func=filter_func, + ): + proc_layer_name = task.add_process_layer() + if not proc_layer_name: + continue + + proc_layer = self.context.layers[proc_layer_name] + for offset, rule_name, name, value in proc_layer.scan( + context=self.context, + scanner=yarascan.YaraScanner(rules=rules), + sections=self.get_vma_maps(task), + ): + yield 0, ( + format_hints.Hex(offset), + task.tgid, + rule_name, + name, + value, + ) + + @staticmethod + def get_vma_maps( + task: interfaces.objects.ObjectInterface, + ) -> Iterable[Tuple[int, int]]: + """Creates a map of start/end addresses for each virtual memory area in a task. + + Args: + task: The task object of which to read the vmas from + + Returns: + An iterable of tuples containing start and end addresses for each descriptor + """ + if task.mm: + for vma in task.mm.get_mmap_iter(): + vm_size = vma.vm_end - vma.vm_start + yield (vma.vm_start, vm_size) + + def run(self): + return renderers.TreeGrid( + [ + ("Offset", format_hints.Hex), + ("PID", int), + ("Rule", str), + ("Component", str), + ("Value", bytes), + ], + self._generator(), + ) From f82a3f520facdc4e9ba973ddf8316473bbd190fe Mon Sep 17 00:00:00 2001 From: Eve Date: Wed, 4 Jan 2023 09:32:39 +0000 Subject: [PATCH 02/10] liniting for linux.vmayarascan --- volatility3/framework/plugins/linux/vmayarascan.py | 1 + 1 file changed, 1 insertion(+) diff --git a/volatility3/framework/plugins/linux/vmayarascan.py b/volatility3/framework/plugins/linux/vmayarascan.py index e9482089a6..3efbd2ae1f 100644 --- a/volatility3/framework/plugins/linux/vmayarascan.py +++ b/volatility3/framework/plugins/linux/vmayarascan.py @@ -10,6 +10,7 @@ from volatility3.plugins import yarascan from volatility3.plugins.linux import pslist + class VmaYaraScan(interfaces.plugins.PluginInterface): """Scans all virtual memory areas for tasks using yara.""" From 6f82e3d8cf7b173f07c51634016413b5ef2243c6 Mon Sep 17 00:00:00 2001 From: Eve Date: Wed, 4 Jan 2023 09:36:20 +0000 Subject: [PATCH 03/10] remove unused variable in linux.vmayarascan --- volatility3/framework/plugins/linux/vmayarascan.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/volatility3/framework/plugins/linux/vmayarascan.py b/volatility3/framework/plugins/linux/vmayarascan.py index 3efbd2ae1f..c7a48cc149 100644 --- a/volatility3/framework/plugins/linux/vmayarascan.py +++ b/volatility3/framework/plugins/linux/vmayarascan.py @@ -64,8 +64,6 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface] ] def _generator(self): - kernel = self.context.modules[self.config["kernel"]] - rules = yarascan.YaraScan.process_yara_options(dict(self.config)) filter_func = pslist.PsList.create_pid_filter(self.config.get("pid", None)) From 3b1e4ce0e2635db5ac860cf30bb5c5524d55632e Mon Sep 17 00:00:00 2001 From: Eve Date: Wed, 1 Feb 2023 11:27:44 +0000 Subject: [PATCH 04/10] Update linux.vmayarascan to pull requirements from the generic yarascan plugin --- .../framework/plugins/linux/vmayarascan.py | 73 ++++++++++--------- 1 file changed, 38 insertions(+), 35 deletions(-) diff --git a/volatility3/framework/plugins/linux/vmayarascan.py b/volatility3/framework/plugins/linux/vmayarascan.py index c7a48cc149..f0d42f6e38 100644 --- a/volatility3/framework/plugins/linux/vmayarascan.py +++ b/volatility3/framework/plugins/linux/vmayarascan.py @@ -1,4 +1,4 @@ -# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0 +# This file is Copyright 2023 Volatility Foundation and licensed under the Volatility Software License 1.0 # which is available at https://www.volatilityfoundation.org/license/vsl-v1.0 # @@ -15,68 +15,71 @@ class VmaYaraScan(interfaces.plugins.PluginInterface): """Scans all virtual memory areas for tasks using yara.""" _required_framework_version = (2, 4, 0) + _version = (1, 0, 0) @classmethod def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: - return [ - requirements.ModuleRequirement( - name="kernel", - description="Linux kernel", - architectures=["Intel32", "Intel64"], - ), - requirements.BooleanRequirement( - name="wide", - description="Match wide (unicode) strings", - default=False, - optional=True, - ), - requirements.StringRequirement( - name="yara_rules", description="Yara rules (as a string)", optional=True - ), - requirements.URIRequirement( - name="yara_file", description="Yara rules (as a file)", optional=True - ), - # This additional requirement is to follow suit with upstream, who feel that compiled rules could potentially be used to execute malicious code - # As such, there's a separate option to run compiled files, as happened with yara-3.9 and later - requirements.URIRequirement( - name="yara_compiled_file", - description="Yara compiled rules (as a file)", - optional=True, - ), - requirements.IntRequirement( - name="max_size", - default=0x40000000, - description="Set the maximum size (default is 1GB)", + # create a list of requirements for vmayarascan + vmayarascan_requirements = [ + requirements.ListRequirement( + name="pid", + element_type=int, + description="Process IDs to include (all other processes are excluded)", optional=True, ), requirements.PluginRequirement( name="pslist", plugin=pslist.PsList, version=(2, 0, 0) ), + requirements.PluginRequirement( + name="yarascan", plugin=yarascan.YaraScan, version=(1, 1, 0) + ), requirements.VersionRequirement( name="yarascanner", component=yarascan.YaraScanner, version=(2, 0, 0) ), - requirements.ListRequirement( - name="pid", - element_type=int, - description="Process IDs to include (all other processes are excluded)", - optional=True, + requirements.ModuleRequirement( + name="kernel", + description="Linux kernel", + architectures=["Intel32", "Intel64"], ), ] + # get base yarascan requirements + yarascan_requirements = yarascan.YaraScan.get_requirements() + + # remove TranslationLayerRequirement from the base yarascan requirements + # if this is not removed automagic will not find both the TranslationLayerRequirement + # for YaraScan and the ModuleRequirement for VmaYaraScan + yarascan_requirements = [ + requirement + for requirement in yarascan_requirements + if not isinstance(requirement, requirements.TranslationLayerRequirement) + ] + + # return the combined requirements + return yarascan_requirements + vmayarascan_requirements + def _generator(self): + # use yarascan to parse the yara options provided and create the rules rules = yarascan.YaraScan.process_yara_options(dict(self.config)) + # filter based on the pid option if provided filter_func = pslist.PsList.create_pid_filter(self.config.get("pid", None)) for task in pslist.PsList.list_tasks( context=self.context, vmlinux_module_name=self.config["kernel"], filter_func=filter_func, ): + + # attempt to create a process layer for each task and skip those + # that cannot (e.g. kernel threads) proc_layer_name = task.add_process_layer() if not proc_layer_name: continue + # get the proc_layer object from the context proc_layer = self.context.layers[proc_layer_name] + + # scan the process layer with the yarascanner for offset, rule_name, name, value in proc_layer.scan( context=self.context, scanner=yarascan.YaraScanner(rules=rules), From 1a7ec07c28ee4830f14a0dfaa003aaa5f82eeffb Mon Sep 17 00:00:00 2001 From: Eve Date: Tue, 13 Dec 2022 16:09:57 +0000 Subject: [PATCH 05/10] add linux.vmayarascan based on windows.vadtarascan --- .../framework/plugins/linux/vmayarascan.py | 121 ++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 volatility3/framework/plugins/linux/vmayarascan.py diff --git a/volatility3/framework/plugins/linux/vmayarascan.py b/volatility3/framework/plugins/linux/vmayarascan.py new file mode 100644 index 0000000000..e9482089a6 --- /dev/null +++ b/volatility3/framework/plugins/linux/vmayarascan.py @@ -0,0 +1,121 @@ +# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0 +# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0 +# + +from typing import Iterable, List, Tuple + +from volatility3.framework import interfaces, renderers +from volatility3.framework.configuration import requirements +from volatility3.framework.renderers import format_hints +from volatility3.plugins import yarascan +from volatility3.plugins.linux import pslist + +class VmaYaraScan(interfaces.plugins.PluginInterface): + """Scans all virtual memory areas for tasks using yara.""" + + _required_framework_version = (2, 4, 0) + + @classmethod + def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: + return [ + requirements.ModuleRequirement( + name="kernel", + description="Linux kernel", + architectures=["Intel32", "Intel64"], + ), + requirements.BooleanRequirement( + name="wide", + description="Match wide (unicode) strings", + default=False, + optional=True, + ), + requirements.StringRequirement( + name="yara_rules", description="Yara rules (as a string)", optional=True + ), + requirements.URIRequirement( + name="yara_file", description="Yara rules (as a file)", optional=True + ), + # This additional requirement is to follow suit with upstream, who feel that compiled rules could potentially be used to execute malicious code + # As such, there's a separate option to run compiled files, as happened with yara-3.9 and later + requirements.URIRequirement( + name="yara_compiled_file", + description="Yara compiled rules (as a file)", + optional=True, + ), + requirements.IntRequirement( + name="max_size", + default=0x40000000, + description="Set the maximum size (default is 1GB)", + optional=True, + ), + requirements.PluginRequirement( + name="pslist", plugin=pslist.PsList, version=(2, 0, 0) + ), + requirements.VersionRequirement( + name="yarascanner", component=yarascan.YaraScanner, version=(2, 0, 0) + ), + requirements.ListRequirement( + name="pid", + element_type=int, + description="Process IDs to include (all other processes are excluded)", + optional=True, + ), + ] + + def _generator(self): + kernel = self.context.modules[self.config["kernel"]] + + rules = yarascan.YaraScan.process_yara_options(dict(self.config)) + + filter_func = pslist.PsList.create_pid_filter(self.config.get("pid", None)) + for task in pslist.PsList.list_tasks( + context=self.context, + vmlinux_module_name=self.config["kernel"], + filter_func=filter_func, + ): + proc_layer_name = task.add_process_layer() + if not proc_layer_name: + continue + + proc_layer = self.context.layers[proc_layer_name] + for offset, rule_name, name, value in proc_layer.scan( + context=self.context, + scanner=yarascan.YaraScanner(rules=rules), + sections=self.get_vma_maps(task), + ): + yield 0, ( + format_hints.Hex(offset), + task.tgid, + rule_name, + name, + value, + ) + + @staticmethod + def get_vma_maps( + task: interfaces.objects.ObjectInterface, + ) -> Iterable[Tuple[int, int]]: + """Creates a map of start/end addresses for each virtual memory area in a task. + + Args: + task: The task object of which to read the vmas from + + Returns: + An iterable of tuples containing start and end addresses for each descriptor + """ + if task.mm: + for vma in task.mm.get_mmap_iter(): + vm_size = vma.vm_end - vma.vm_start + yield (vma.vm_start, vm_size) + + def run(self): + return renderers.TreeGrid( + [ + ("Offset", format_hints.Hex), + ("PID", int), + ("Rule", str), + ("Component", str), + ("Value", bytes), + ], + self._generator(), + ) From 2279a83e3b53f92ae21cbd8ec8acd0dfa389458b Mon Sep 17 00:00:00 2001 From: Eve Date: Wed, 4 Jan 2023 09:32:39 +0000 Subject: [PATCH 06/10] liniting for linux.vmayarascan --- volatility3/framework/plugins/linux/vmayarascan.py | 1 + 1 file changed, 1 insertion(+) diff --git a/volatility3/framework/plugins/linux/vmayarascan.py b/volatility3/framework/plugins/linux/vmayarascan.py index e9482089a6..3efbd2ae1f 100644 --- a/volatility3/framework/plugins/linux/vmayarascan.py +++ b/volatility3/framework/plugins/linux/vmayarascan.py @@ -10,6 +10,7 @@ from volatility3.plugins import yarascan from volatility3.plugins.linux import pslist + class VmaYaraScan(interfaces.plugins.PluginInterface): """Scans all virtual memory areas for tasks using yara.""" From 57e8234e6c795391ad99f4a76216bb3ef3db808a Mon Sep 17 00:00:00 2001 From: Eve Date: Wed, 4 Jan 2023 09:36:20 +0000 Subject: [PATCH 07/10] remove unused variable in linux.vmayarascan --- volatility3/framework/plugins/linux/vmayarascan.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/volatility3/framework/plugins/linux/vmayarascan.py b/volatility3/framework/plugins/linux/vmayarascan.py index 3efbd2ae1f..c7a48cc149 100644 --- a/volatility3/framework/plugins/linux/vmayarascan.py +++ b/volatility3/framework/plugins/linux/vmayarascan.py @@ -64,8 +64,6 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface] ] def _generator(self): - kernel = self.context.modules[self.config["kernel"]] - rules = yarascan.YaraScan.process_yara_options(dict(self.config)) filter_func = pslist.PsList.create_pid_filter(self.config.get("pid", None)) From b54bbfb88f600e660d1ca6e8e7cec77138179c1f Mon Sep 17 00:00:00 2001 From: Eve Date: Wed, 1 Feb 2023 11:27:44 +0000 Subject: [PATCH 08/10] Update linux.vmayarascan to pull requirements from the generic yarascan plugin --- .../framework/plugins/linux/vmayarascan.py | 73 ++++++++++--------- 1 file changed, 38 insertions(+), 35 deletions(-) diff --git a/volatility3/framework/plugins/linux/vmayarascan.py b/volatility3/framework/plugins/linux/vmayarascan.py index c7a48cc149..f0d42f6e38 100644 --- a/volatility3/framework/plugins/linux/vmayarascan.py +++ b/volatility3/framework/plugins/linux/vmayarascan.py @@ -1,4 +1,4 @@ -# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0 +# This file is Copyright 2023 Volatility Foundation and licensed under the Volatility Software License 1.0 # which is available at https://www.volatilityfoundation.org/license/vsl-v1.0 # @@ -15,68 +15,71 @@ class VmaYaraScan(interfaces.plugins.PluginInterface): """Scans all virtual memory areas for tasks using yara.""" _required_framework_version = (2, 4, 0) + _version = (1, 0, 0) @classmethod def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: - return [ - requirements.ModuleRequirement( - name="kernel", - description="Linux kernel", - architectures=["Intel32", "Intel64"], - ), - requirements.BooleanRequirement( - name="wide", - description="Match wide (unicode) strings", - default=False, - optional=True, - ), - requirements.StringRequirement( - name="yara_rules", description="Yara rules (as a string)", optional=True - ), - requirements.URIRequirement( - name="yara_file", description="Yara rules (as a file)", optional=True - ), - # This additional requirement is to follow suit with upstream, who feel that compiled rules could potentially be used to execute malicious code - # As such, there's a separate option to run compiled files, as happened with yara-3.9 and later - requirements.URIRequirement( - name="yara_compiled_file", - description="Yara compiled rules (as a file)", - optional=True, - ), - requirements.IntRequirement( - name="max_size", - default=0x40000000, - description="Set the maximum size (default is 1GB)", + # create a list of requirements for vmayarascan + vmayarascan_requirements = [ + requirements.ListRequirement( + name="pid", + element_type=int, + description="Process IDs to include (all other processes are excluded)", optional=True, ), requirements.PluginRequirement( name="pslist", plugin=pslist.PsList, version=(2, 0, 0) ), + requirements.PluginRequirement( + name="yarascan", plugin=yarascan.YaraScan, version=(1, 1, 0) + ), requirements.VersionRequirement( name="yarascanner", component=yarascan.YaraScanner, version=(2, 0, 0) ), - requirements.ListRequirement( - name="pid", - element_type=int, - description="Process IDs to include (all other processes are excluded)", - optional=True, + requirements.ModuleRequirement( + name="kernel", + description="Linux kernel", + architectures=["Intel32", "Intel64"], ), ] + # get base yarascan requirements + yarascan_requirements = yarascan.YaraScan.get_requirements() + + # remove TranslationLayerRequirement from the base yarascan requirements + # if this is not removed automagic will not find both the TranslationLayerRequirement + # for YaraScan and the ModuleRequirement for VmaYaraScan + yarascan_requirements = [ + requirement + for requirement in yarascan_requirements + if not isinstance(requirement, requirements.TranslationLayerRequirement) + ] + + # return the combined requirements + return yarascan_requirements + vmayarascan_requirements + def _generator(self): + # use yarascan to parse the yara options provided and create the rules rules = yarascan.YaraScan.process_yara_options(dict(self.config)) + # filter based on the pid option if provided filter_func = pslist.PsList.create_pid_filter(self.config.get("pid", None)) for task in pslist.PsList.list_tasks( context=self.context, vmlinux_module_name=self.config["kernel"], filter_func=filter_func, ): + + # attempt to create a process layer for each task and skip those + # that cannot (e.g. kernel threads) proc_layer_name = task.add_process_layer() if not proc_layer_name: continue + # get the proc_layer object from the context proc_layer = self.context.layers[proc_layer_name] + + # scan the process layer with the yarascanner for offset, rule_name, name, value in proc_layer.scan( context=self.context, scanner=yarascan.YaraScanner(rules=rules), From 09b0c8e406ec1aaf49a87a99fc86523fce36ff69 Mon Sep 17 00:00:00 2001 From: Eve Date: Fri, 12 May 2023 13:30:32 +0100 Subject: [PATCH 09/10] Linux: Update linux.vmayarascan and yarascan so that command line options are taken from the base yarascan plugin --- .../framework/plugins/linux/vmayarascan.py | 16 +++------------- volatility3/framework/plugins/yarascan.py | 18 +++++++++++++++--- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/volatility3/framework/plugins/linux/vmayarascan.py b/volatility3/framework/plugins/linux/vmayarascan.py index f0d42f6e38..8e4174c124 100644 --- a/volatility3/framework/plugins/linux/vmayarascan.py +++ b/volatility3/framework/plugins/linux/vmayarascan.py @@ -31,7 +31,7 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface] name="pslist", plugin=pslist.PsList, version=(2, 0, 0) ), requirements.PluginRequirement( - name="yarascan", plugin=yarascan.YaraScan, version=(1, 1, 0) + name="yarascan", plugin=yarascan.YaraScan, version=(1, 2, 0) ), requirements.VersionRequirement( name="yarascanner", component=yarascan.YaraScanner, version=(2, 0, 0) @@ -43,17 +43,8 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface] ), ] - # get base yarascan requirements - yarascan_requirements = yarascan.YaraScan.get_requirements() - - # remove TranslationLayerRequirement from the base yarascan requirements - # if this is not removed automagic will not find both the TranslationLayerRequirement - # for YaraScan and the ModuleRequirement for VmaYaraScan - yarascan_requirements = [ - requirement - for requirement in yarascan_requirements - if not isinstance(requirement, requirements.TranslationLayerRequirement) - ] + # get base yarascan requirements for command line options + yarascan_requirements = yarascan.YaraScan.get_yarascan_option_requirements() # return the combined requirements return yarascan_requirements + vmayarascan_requirements @@ -69,7 +60,6 @@ def _generator(self): vmlinux_module_name=self.config["kernel"], filter_func=filter_func, ): - # attempt to create a process layer for each task and skip those # that cannot (e.g. kernel threads) proc_layer_name = task.add_process_layer() diff --git a/volatility3/framework/plugins/yarascan.py b/volatility3/framework/plugins/yarascan.py index 1c84676895..11c7086073 100644 --- a/volatility3/framework/plugins/yarascan.py +++ b/volatility3/framework/plugins/yarascan.py @@ -61,19 +61,31 @@ class YaraScan(plugins.PluginInterface): """Scans kernel memory using yara rules (string or file).""" _required_framework_version = (2, 0, 0) - _version = (1, 1, 0) + _version = (1, 2, 0) # TODO: When the major version is bumped, take the opportunity to rename the yara_rules config to yara_string # or something that makes more sense @classmethod def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: - return [ + """Returns the requirements needed to run yarascan directly, combining the TranslationLayerRequirement + and the requirements from get_yarascan_option_requirements.""" + return cls.get_yarascan_option_requirements() + [ requirements.TranslationLayerRequirement( name="primary", description="Memory layer for the kernel", architectures=["Intel32", "Intel64"], - ), + ) + ] + + @classmethod + def get_yarascan_option_requirements( + cls, + ) -> List[interfaces.configuration.RequirementInterface]: + """Returns the requirements needed for the command lines options used by yarascan. This can + then also be used by other plugins that are using yarascan. This does not include a + TranslationLayerRequirement or a ModuleRequirement.""" + return [ requirements.BooleanRequirement( name="insensitive", description="Makes the search case insensitive", From cd03c52fd30d7caf57aaa38a7b32197e4d158ca2 Mon Sep 17 00:00:00 2001 From: Eve Date: Fri, 12 May 2023 13:37:15 +0100 Subject: [PATCH 10/10] Linux: Update linux.vmayarascan to use task.mm.get_vma_iter() which means it will work on linux kernels 6.1 and above --- volatility3/framework/plugins/linux/vmayarascan.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/volatility3/framework/plugins/linux/vmayarascan.py b/volatility3/framework/plugins/linux/vmayarascan.py index 8e4174c124..eda0d7dcaf 100644 --- a/volatility3/framework/plugins/linux/vmayarascan.py +++ b/volatility3/framework/plugins/linux/vmayarascan.py @@ -96,7 +96,7 @@ def get_vma_maps( An iterable of tuples containing start and end addresses for each descriptor """ if task.mm: - for vma in task.mm.get_mmap_iter(): + for vma in task.mm.get_vma_iter(): vm_size = vma.vm_end - vma.vm_start yield (vma.vm_start, vm_size)