
Linux: add basic versions of linux.ip.Link and linux.ip.Addr plugins #1029

Closed
wants to merge 3 commits into from

Conversation

eve-mem
Contributor

@eve-mem eve-mem commented Nov 2, 2023

Hello!

This PR brings very basic versions of the ip.Link and ip.Addr plugins for Linux, which I hope to complete with the full suite of ip information, e.g. ip route show, ip neigh show, etc.

They don't have smear protection yet; I can add that if it looks like this is the correct way of doing things. They are based on the vol2 plugin ifconfig, but I've tried to include a little bit more information. I don't have a good selection of samples with very old kernels in them, so I haven't done the path that uses the dev_base symbol rather than net_namespace_list yet.

I've tested on kernels from v3 to v6, but I'd always welcome more testing! No doubt I've missed something somewhere.

Here is some example output from two different samples.

$ python vol.py -r pretty -f linux-sample-1.dmp linux.ip.Link
Volatility 3 Framework 2.5.2
Formatting...0.00               Stacking attempts finished
  | NS | Interface |               MAC |   State |   MTU |      Qdisc |                  Flags
* |  - |        lo | 00:00:00:00:00:00 | UNKNOWN | 16436 |    noqueue |            UP,LOOPBACK
* |  - |      eth0 | 00:0c:29:8f:ed:ca |      UP |  1500 | pfifo_fast | UP,BROADCAST,MULTICAST
$ python vol.py -r pretty -f v6.1.15.dmp linux.ip.Link
Volatility 3 Framework 2.5.2
Formatting...0.00               Stacking attempts finished
  |         NS | Interface |               MAC |   State |   MTU |      Qdisc |                  Flags
* | 4026531840 |        lo | 00:00:00:00:00:00 | UNKNOWN | 65536 |    noqueue |            LOOPBACK,UP
* | 4026531840 |     ens18 | a2:b6:23:fb:dc:83 |      UP |  1500 | pfifo_fast | BROADCAST,MULTICAST,UP
* | 4026532331 |        lo | 00:00:00:00:00:00 | UNKNOWN | 65536 |    noqueue |            LOOPBACK,UP
* | 4026532386 |        lo | 00:00:00:00:00:00 | UNKNOWN | 65536 |    noqueue |            LOOPBACK,UP
* | 4026532441 |        lo | 00:00:00:00:00:00 | UNKNOWN | 65536 |    noqueue |            LOOPBACK,UP
$ python vol.py -r pretty -f linux-sample-1.dmp linux.ip.Addr
Volatility 3 Framework 2.5.2
Formatting...0.00               Stacking attempts finished
  | NS | Interface |                          IP |   State | Promiscuous
* |  - |        lo |                 127.0.0.1/8 | UNKNOWN |       False
* |  - |        lo |                     ::1/128 | UNKNOWN |       False
* |  - |      eth0 |          192.168.201.161/24 |      UP |       False
* |  - |      eth0 | fe80::20c:29ff:fe8f:edca/64 |      UP |       False
$ python vol.py -r pretty -f v6.1.15.dmp linux.ip.Addr
Volatility 3 Framework 2.5.2
Formatting...0.00               Stacking attempts finished
  |         NS | Interface |                           IP |   State | Promiscuous
* | 4026531840 |        lo |                  127.0.0.1/8 | UNKNOWN |       False
* | 4026531840 |        lo |                      ::1/128 | UNKNOWN |       False
* | 4026531840 |     ens18 |                10.10.10.5/24 |      UP |       False
* | 4026531840 |     ens18 | fe80::55c1:cae8:5b65:4ae5/64 |      UP |       False
* | 4026532331 |        lo |                  127.0.0.1/8 | UNKNOWN |       False
* | 4026532331 |        lo |                      ::1/128 | UNKNOWN |       False
* | 4026532386 |        lo |                  127.0.0.1/8 | UNKNOWN |       False
* | 4026532386 |        lo |                      ::1/128 | UNKNOWN |       False
* | 4026532441 |        lo |                  127.0.0.1/8 | UNKNOWN |       False
* | 4026532441 |        lo |                      ::1/128 | UNKNOWN |       False

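The two tables above are easiest to triage together: joined on (NS, Interface), each link carries its addresses and any Promiscuous hit. The parser below is an added example, not code from this PR or from Volatility; its sample text is constructed from the output in the description, with the ens18 Promiscuous cells flipped to True so the check has something to find.

```python
"""Join the `-r pretty` output of linux.ip.Link and linux.ip.Addr on
(NS, Interface) and flag promiscuous interfaces. Added example, not PR code;
sample text is constructed from the PR description, with the ens18
Promiscuous cells flipped to True to exercise the check."""

LINK_OUTPUT = """\
Formatting...0.00               Stacking attempts finished
  |         NS | Interface |               MAC |   State |   MTU |      Qdisc |                  Flags
* | 4026531840 |        lo | 00:00:00:00:00:00 | UNKNOWN | 65536 |    noqueue |            LOOPBACK,UP
* | 4026531840 |     ens18 | a2:b6:23:fb:dc:83 |      UP |  1500 | pfifo_fast | BROADCAST,MULTICAST,UP
* | 4026532331 |        lo | 00:00:00:00:00:00 | UNKNOWN | 65536 |    noqueue |            LOOPBACK,UP
"""

ADDR_OUTPUT = """\
Formatting...0.00               Stacking attempts finished
  |         NS | Interface |                           IP |   State | Promiscuous
* | 4026531840 |        lo |                  127.0.0.1/8 | UNKNOWN |       False
* | 4026531840 |     ens18 |                10.10.10.5/24 |      UP |        True
* | 4026531840 |     ens18 | fe80::55c1:cae8:5b65:4ae5/64 |      UP |        True
* | 4026532331 |        lo |                  127.0.0.1/8 | UNKNOWN |       False
"""


def parse_pretty(text):
    """One dict per data row, keyed by header cell. Banner lines have no '|'
    and are skipped; the leading tree-depth cell ('*' or blank) is dropped."""
    lines = [line for line in text.splitlines() if "|" in line]
    header = [c.strip() for c in lines[0].split("|")][1:]
    return [dict(zip(header, [c.strip() for c in line.split("|")][1:]))
            for line in lines[1:]]


def join_by_interface(link_rows, addr_rows):
    """Return {(NS, Interface): link fields + 'addrs' list + 'promiscuous' bool}."""
    view = {}
    for row in link_rows:
        view[(row["NS"], row["Interface"])] = dict(row, addrs=[], promiscuous=False)
    for row in addr_rows:
        key = (row["NS"], row["Interface"])
        # an Addr row without a Link row still gets an entry instead of a KeyError
        entry = view.setdefault(key, dict(NS=row["NS"], Interface=row["Interface"],
                                          addrs=[], promiscuous=False))
        entry["addrs"].append(row["IP"])
        entry["promiscuous"] = entry["promiscuous"] or row["Promiscuous"] == "True"
    return view


def find_promiscuous(view):
    """Triage: interfaces in promiscuous mode, as 'NS:Interface' strings."""
    return [f"{ns}:{name}" for (ns, name), e in view.items() if e["promiscuous"]]
```

Run `find_promiscuous(join_by_interface(parse_pretty(LINK_OUTPUT), parse_pretty(ADDR_OUTPUT)))` on real plugin output to get a per-namespace list of interfaces a sniffer has opened.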
Member

@ikelos ikelos left a comment


This looks good to me, but I'll wait for @atcuno to verify this is all fine from a linux perspective... 5:)

@@ -281,3 +281,39 @@
)

ELF_MAX_EXTRACTION_SIZE = 1024 * 1024 * 1024 * 4 - 1

# net_device_flags was not always an enum, so these hard coded values
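Review bot: the comment that closes this hunk says why the net_device_flags values are hard coded but not where they were copied from; add the kernel header and version the literals match, and prefer the symbol table's enum whenever it is present, using the literals only as the fallback for kernels where net_device_flags is not an enum, so a future flag renumbering is caught rather than silently misreported.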
Member


Thanks for the comment! This is fine, but much better since it's commented! 5:D

@@ -46,6 +46,7 @@ def __init__(self, *args, **kwargs) -> None:
self.set_type_class("sock", extensions.sock)
self.set_type_class("inet_sock", extensions.inet_sock)
self.set_type_class("unix_sock", extensions.unix_sock)
self.set_type_class("net_device", extensions.net_device)
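Review bot: the new set_type_class("net_device", extensions.net_device) line is unconditional, while the surrounding code has optional set_type calls a few lines further down; either confirm the net_device type is present in every supported symbol table (the thread later cites 2.6.30 onward) or guard it the same way, so an older profile fails on the plugin that needs it rather than at symbol table initialisation.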
Member


Will this exist on all kernels, or should this be an optional set_type (as a few lines below)?

Contributor Author


I think it will exist - but it never hurts to double check! I'll look into it.

Contributor


I confirm net_device exists at least from 2.6.30, so it should be safe.

if self.has_member("perm_addr"):
raw_addr = self.perm_addr[0 : self.addr_len]
else: # perm_addr is not found in older kernels
raw_addr = parent_layer.read(self.dev_addr, self.addr_len, pad=True)
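Review bot: the two branches read different fields, so the MAC column changes meaning with the kernel version: perm_addr is the permanent hardware address, while dev_addr (the else branch) is the address currently in use, which is what an attacker changes when spoofing a MAC. For a forensic view the current dev_addr is the more useful value in both branches, with perm_addr worth reporting alongside it so a mismatch between the two is visible; if perm_addr is kept only because it is an inline array, say so in the comment.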
Member


Liiiiiittle bit ugly, but it's only a line, so I guess that'll be ok. 5:S Can't think of how to improve it, so....

@eve-mem
Contributor Author

eve-mem commented Jan 15, 2024

Closing in favor of #1079 by @gcmoreira

@eve-mem eve-mem closed this Jan 15, 2024
gcmoreira added a commit to gcmoreira/volatility3 that referenced this pull request Jan 27, 2024
volatilityfoundation#1029

* IP address conversion via renderers.conversion.*
* Use MAC address internal size instead of hardcoded.
* Read NET_DEVICE_FLAGS from enumeration