Linux extensions patches

[Abyss-W4tcher]

• Fix a small error in the kobject class (see https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/overlays/linux/linux.py#L1204 for comparison)

module class :

• Fix leftovers from 83a8afb
• Fix broken implementation of module symbols construction (sources : https://refspecs.linuxbase.org/elf/gabi4+/ch4.symtab.html, https://github.com/TheCodeArtist/elf-parser/blob/master/elf-parser.c#L313)

Reading symbols of an arbitrary module :

(layer_name) >>> from volatility3.framework.objects import utility
(layer_name) >>> vmlinux = self.context.modules[self.config["kernel"]]
(layer_name) >>> m = vmlinux.object("module",0xffffc06db040,absolute=True) # lime module
(layer_name) >>> utility.array_to_string(m.name)
'lime'
(layer_name) >>> list(m.get_symbols())
[('.LC0', 281473910153660, 281473910405065), ('setup_tcp', 281473910149120, 281473910405070), ('filp_open', 281473822829024, 281473910405080), ('crypto_alloc_ahash', 281473825133440, 281473910405090), ('strcpy', 281473826031120, 281473910405109), ('digest', 281473910158312, 281473910405313), ('deflate', 281473910153040, 281473910405339), ('path', 281473910158336, 281473910405116), ('localhostonly', 281473910158320, 281473910405121), ('ldigest_write_tcp', 281473910152432, 281473910405135)] # stripped for readability

[ikelos]

So, happy with the get_symbol_table_name() changes, happy with the refcnt change, but the big changes in the middle will need more explanation and detail as to why they're being done that way, what the end goal is (since it's not clear that's the best way of doing it) and I making a change to the API will be a lot messier than otherwise, so if possible please avoid that like the plague. Unfortunately it doens't look like this code has accurate type signatures yet, but if they were there mypy would be complaining loudly that they no longer matched. Happy for you to either resubmit the first two small changes and get them merged quickly, or for you to hold them up whilst we talk over the bigger change, but unfortunatly this won't get merged as is...

[Abyss-W4tcher]

Hello again,

EDIT : I moved this part of the comment to the corresponding conversation.

Thanks for your time and review :) !

Regards,
Abyss Watcher.

[Abyss-W4tcher]

The two previous commits include more comments, use of utilities functions, changing the config path and a general implementation following more closely the Volatilty2 one.

[ikelos]

Here's some replies. I don't mind changing how things work, but if we do we need to follow our own rules about such changes. Since the API is public, someone else may be using it even if we're not, so removing it (or changing how it returns) would require a major version bump. Adding a new one just requires a minor version bump (and we should add a deprecation notice to the old function).

See here for an example of how we do deprecation.

[Abyss-W4tcher]

Hello, I took notice of the different scenarios regarding deprecation. I think the best option is to keep the existing functions inputs and outputs types, and add, in a second time, functions that does what I initially (re)implemented.

To do so, I made a dedicated function to get the elf_table_name, which is called by get_symbols only once. There aren't multiple "elf" tables created with this logic (thanks for pointing it out).

I kept the sym object as return value of get_symbols(), and added a function get_symbols_names_and_addresses() to do the names and addresses extraction.

All already existing functions still have the same inputs and outputs types, but have their core logic changed, which I hope should only result in a "patch" number bump :)

[Abyss-W4tcher]

Hi👋,

I would like to know if the team had any news or plans regarding this PR. Indeed, I have some plugins, planned to be released as "community plugins", that depend on these edits.
Of course, there aren't any hurry, but if there is a schedule for this PR review, please let me know :) !

[ikelos]

Hiya, generally no complaints. I'd probably update the config name, but that can be changed without any effect later, so happy to merge this if you don't want to update it now. Just let me know either way and we'll get it merged...

[ikelos]

I'd ditch the config_name at the start of this. It's in the configuration, so the config_name is kind of implicit/seems a little odd...

[Abyss-W4tcher]

As I'm not sure to fully understand what you want me to do with the config_name, I'd prefer if you could change it later.

[ikelos]

Just change it from "config_name_elf_symbol_table", to "elf_symbol_table",

[Abyss-W4tcher]

Oh, I thought you were talking about the field type, not the string. Ok this makes sense indeed !

[ikelos]

Just spotted a few breaking changes. I thought you were just adding functions, but you took the old ones away, rather than deprecating them.

You can add the warning in like this and you can even use the new method to produce the results, but the function needs to return the same outputs when given the same inputs as the original.

[Abyss-W4tcher]

I added type hinting, as requested. Regarding your other comments, I answered directly in the corresponding conversation 👍.

[ikelos]

Cool, I'll make the config_name change in a bit then... 5:)