Merge pull request #936 from volatilityfoundation/release/v2.4.1

Release  v2.4.1

```
New plugins:
   linux.sockstat
   linux.iomem
   linux.psscan
   linux.envars
   windows.drivermodule
   windows.vadwalk
Pid filtering for Windows pstree plugin
Minor fixes for Windows callbacks plugin
Minimum python version was increased to 3.7
Python-snappy dependency was replaced with ctypes to ease installation
Whole codebase was reformatted with black
Faster release cycle (targetting every 4 months)
```

.github/workflows/black.yml

@@ -6,7 +6,7 @@ jobs:
   lint:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - uses: psf/black@stable
         with:
           options: "--check --diff --verbose"

.github/workflows/codeql.yml

@@ -17,8 +17,8 @@ on:
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ "develop" ]
-  schedule:
-    - cron: '16 8 * * 0'
+#   schedule:
+#     - cron: '16 8 * * 0'
 
 jobs:
   analyze:

README.md

@@ -107,7 +107,7 @@ The latest generated copy of the documentation can be found at: <https://volatil
 
 ## Licensing and Copyright
 
-Copyright (C) 2007-2022 Volatility Foundation
+Copyright (C) 2007-2023 Volatility Foundation
 
 All Rights Reserved
 

doc/source/simple-plugin.rst

@@ -259,7 +259,7 @@ The plugin then takes the process's ``BaseDllName`` value, and calls :py:meth:`~
 as defined by the symbols, are directly accessible and use the case-style of the symbol library it came from (in Windows,
 attributes are CamelCase), such as ``entry.BaseDllName`` in this instance.  Any attributes not defined by the symbol but added
 by Volatility extensions cannot be properties (in case they overlap with the attributes defined in the symbol libraries)
-and are therefore always methods and pretended with ``get_``, in this example ``BaseDllName.get_string()``.
+and are therefore always methods and prepended with ``get_``, in this example ``BaseDllName.get_string()``.
 
 Finally, ``FullDllName`` is populated.  These operations read from memory, and as such, the memory image may be unable to
 read the data at a particular offset.  This will cause an exception to be thrown.  In Volatility 3, exceptions are thrown

requirements-dev.txt

@@ -20,7 +20,3 @@ jsonschema>=2.3.0
 
 # This is required for memory acquisition via leechcore/pcileech.
 leechcorepyc>=2.4.0
-
-# This is required for analyzing Linux samples compressed using AVMLs native
-# compression format.  It is not required for AVML's standard LiME compression.
-python-snappy==0.6.0

requirements.txt

@@ -16,7 +16,3 @@ pycryptodome
 
 # This is required for memory acquisition via leechcore/pcileech.
 leechcorepyc>=2.4.0
-
-# This is required for analyzing Linux samples compressed using AVMLs native
-# compression format.  It is not required for AVML's standard LiME compression.
-python-snappy==0.6.0

volatility3/cli/__init__.py

@@ -443,7 +443,7 @@ def run(self):
             # Construct and run the plugin
             if constructed:
                 renderers[args.renderer]().render(constructed.run())
-        except (exceptions.VolatilityException) as excp:
+        except exceptions.VolatilityException as excp:
             self.process_exceptions(excp)
 
     @classmethod

volatility3/cli/text_renderer.py

@@ -241,7 +241,9 @@ def render(self, grid: interfaces.renderers.TreeGrid) -> None:
             # Ignore the type because namedtuples don't realize they have accessible attributes
             header_list.append(f"{column.name}")
 
-        writer = csv.DictWriter(outfd, header_list, lineterminator="\n")
+        writer = csv.DictWriter(
+            outfd, header_list, lineterminator="\n", escapechar="\\"
+        )
         writer.writeheader()
 
         def visitor(node: interfaces.renderers.TreeNode, accumulator):
@@ -346,7 +348,7 @@ def visitor(
 
         column_titles = [""] + [column.name for column in grid.columns]
         outfd.write(format_string.format(*column_titles))
-        for (depth, line) in final_output:
+        for depth, line in final_output:
             nums_line = max([len(line[column]) for column in line])
             for column in line:
                 line[column] = line[column] + ([""] * (nums_line - len(line[column])))

volatility3/cli/volargparse.py

@@ -31,7 +31,6 @@ def __call__(
         values: Union[str, Sequence[Any], None],
         option_string: Optional[str] = None,
     ) -> None:
-
         parser_name = ""
         arg_strings = []  # type: List[str]
         if values is not None:

volatility3/framework/automagic/construct_layers.py

@@ -36,7 +36,6 @@ def __call__(
         progress_callback=None,
         optional=False,
     ) -> List[str]:
-
         # Make sure we import the layers, so they can reconstructed
         framework.import_files(sys.modules["volatility3.framework.layers"])
 

volatility3/framework/automagic/mac.py

@@ -251,7 +251,6 @@ def _scan_generator(cls, context, layer_name, progress_callback):
             context=context,
             progress_callback=progress_callback,
         ):
-
             banner = context.layers[layer_name].read(offset, 128)
 
             idx = banner.find(b"\x00")

volatility3/framework/automagic/symbol_cache.py

@@ -161,7 +161,8 @@ def get_location_statistics(
         """Returns ISF statistics based on the location
 
         Returns:
-            A tuple of base_types, types, enums, symbols, or None is location not found"""
+            A tuple of base_types, types, enums, symbols, or None is location not found
+        """
 
     def get_hash(self, location: str) -> Optional[str]:
         """Returns the hash of the JSON from within a location ISF"""
@@ -331,7 +332,7 @@ def update(self, progress_callback=None):
                     if inner_url.scheme == "file":
                         pathname = inner_url.path.split("!")[0]
 
-                if pathname:
+                if pathname and os.path.exists(pathname):
                     timestamp = datetime.datetime.fromtimestamp(
                         os.stat(pathname).st_mtime
                     )
@@ -370,7 +371,7 @@ def update(self, progress_callback=None):
 
                         # Get stats
                         stats_base_types = len(json_obj.get("base_types", {}))
-                        stats_types = len(json_obj.get("types", {}))
+                        stats_types = len(json_obj.get("user_types", {}))
                         stats_enums = len(json_obj.get("enums", {}))
                         stats_symbols = len(json_obj.get("symbols", {}))
 

volatility3/framework/automagic/symbol_finder.py

@@ -82,13 +82,13 @@ def __call__(
             shortcut=False,
         )
 
-        for (sub_path, requirement) in self._requirements:
+        for sub_path, requirement in self._requirements:
             parent_path = interfaces.configuration.parent_path(sub_path)
 
             if isinstance(
                 requirement, requirements.SymbolTableRequirement
             ) and requirement.unsatisfied(context, parent_path):
-                for (tl_sub_path, tl_requirement) in self._requirements:
+                for tl_sub_path, tl_requirement in self._requirements:
                     tl_parent_path = interfaces.configuration.parent_path(tl_sub_path)
                     # Find the TranslationLayer sibling to the SymbolTableRequirement
                     if (

volatility3/framework/constants/linux/__init__.py

@@ -14,3 +14,223 @@
 
 # include/linux/sched.h
 PF_KTHREAD = 0x00200000  # I'm a kernel thread
+
+# Standard well-defined IP protocols.
+# ref: include/uapi/linux/in.h
+IP_PROTOCOLS = {
+    0: "IP",
+    1: "ICMP",
+    2: "IGMP",
+    4: "IPIP",
+    6: "TCP",
+    8: "EGP",
+    12: "PUP",
+    17: "UDP",
+    22: "IDP",
+    29: "TP",
+    33: "DCCP",
+    41: "IPV6",
+    46: "RSVP",
+    47: "GRE",
+    50: "ESP",
+    51: "AH",
+    92: "MTP",
+    94: "BEETPH",
+    98: "ENCAP",
+    103: "PIM",
+    108: "COMP",
+    132: "SCTP",
+    136: "UDPLITE",
+    137: "MPLS",
+    143: "ETHERNET",
+    255: "RAW",
+    262: "MPTCP",
+}
+
+# IPV6 extension headers
+# ref: include/uapi/linux/in6.h
+IPV6_PROTOCOLS = {
+    0: "HOPBYHOP_OPTS",
+    43: "ROUTING",
+    44: "FRAGMENT",
+    58: "ICMPv6",
+    59: "NO_NEXT",
+    60: "DESTINATION_OPTS",
+    135: "MOBILITY",
+}
+
+# ref: include/net/tcp_states.h
+TCP_STATES = (
+    "",
+    "ESTABLISHED",
+    "SYN_SENT",
+    "SYN_RECV",
+    "FIN_WAIT1",
+    "FIN_WAIT2",
+    "TIME_WAIT",
+    "CLOSE",
+    "CLOSE_WAIT",
+    "LAST_ACK",
+    "LISTEN",
+    "CLOSING",
+    "TCP_NEW_SYN_RECV",
+)
+
+# ref: include/linux/net.h (socket_type enum)
+SOCK_TYPES = {
+    1: "STREAM",
+    2: "DGRAM",
+    3: "RAW",
+    4: "RDM",
+    5: "SEQPACKET",
+    6: "DCCP",
+    10: "PACKET",
+}
+
+# Address families
+# ref: include/linux/socket.h
+SOCK_FAMILY = (
+    "AF_UNSPEC",
+    "AF_UNIX",
+    "AF_INET",
+    "AF_AX25",
+    "AF_IPX",
+    "AF_APPLETALK",
+    "AF_NETROM",
+    "AF_BRIDGE",
+    "AF_ATMPVC",
+    "AF_X25",
+    "AF_INET6",
+    "AF_ROSE",
+    "AF_DECnet",
+    "AF_NETBEUI",
+    "AF_SECURITY",
+    "AF_KEY",
+    "AF_NETLINK",
+    "AF_PACKET",
+    "AF_ASH",
+    "AF_ECONET",
+    "AF_ATMSVC",
+    "AF_RDS",
+    "AF_SNA",
+    "AF_IRDA",
+    "AF_PPPOX",
+    "AF_WANPIPE",
+    "AF_LLC",
+    "AF_IB",
+    "AF_MPLS",
+    "AF_CAN",
+    "AF_TIPC",
+    "AF_BLUETOOTH",
+    "AF_IUCV",
+    "AF_RXRPC",
+    "AF_ISDN",
+    "AF_PHONET",
+    "AF_IEEE802154",
+    "AF_CAIF",
+    "AF_ALG",
+    "AF_NFC",
+    "AF_VSOCK",
+    "AF_KCM",
+    "AF_QIPCRTR",
+    "AF_SMC",
+    "AF_XDP",
+)
+
+# Socket states
+# ref: include/uapi/linux/net.h
+SOCKET_STATES = ("FREE", "UNCONNECTED", "CONNECTING", "CONNECTED", "DISCONNECTING")
+
+# Netlink protocols
+# ref: include/uapi/linux/netlink.h
+NETLINK_PROTOCOLS = (
+    "NETLINK_ROUTE",
+    "NETLINK_UNUSED",
+    "NETLINK_USERSOCK",
+    "NETLINK_FIREWALL",
+    "NETLINK_SOCK_DIAG",
+    "NETLINK_NFLOG",
+    "NETLINK_XFRM",
+    "NETLINK_SELINUX",
+    "NETLINK_ISCSI",
+    "NETLINK_AUDIT",
+    "NETLINK_FIB_LOOKUP",
+    "NETLINK_CONNECTOR",
+    "NETLINK_NETFILTER",
+    "NETLINK_IP6_FW",
+    "NETLINK_DNRTMSG",
+    "NETLINK_KOBJECT_UEVENT",
+    "NETLINK_GENERIC",
+    "NETLINK_DM",
+    "NETLINK_SCSITRANSPORT",
+    "NETLINK_ECRYPTFS",
+    "NETLINK_RDMA",
+    "NETLINK_CRYPTO",
+    "NETLINK_SMC",
+)
+
+# Short list of Ethernet Protocol ID's.
+# ref: include/uapi/linux/if_ether.h
+# Used in AF_PACKET socket family
+ETH_PROTOCOLS = {
+    0x0001: "ETH_P_802_3",
+    0x0002: "ETH_P_AX25",
+    0x0003: "ETH_P_ALL",
+    0x0004: "ETH_P_802_2",
+    0x0005: "ETH_P_SNAP",
+    0x0006: "ETH_P_DDCMP",
+    0x0007: "ETH_P_WAN_PPP",
+    0x0008: "ETH_P_PPP_MP",
+    0x0009: "ETH_P_LOCALTALK",
+    0x000C: "ETH_P_CAN",
+    0x000F: "ETH_P_CANFD",
+    0x0010: "ETH_P_PPPTALK",
+    0x0011: "ETH_P_TR_802_2",
+    0x0016: "ETH_P_CONTROL",
+    0x0017: "ETH_P_IRDA",
+    0x0018: "ETH_P_ECONET",
+    0x0019: "ETH_P_HDLC",
+    0x001A: "ETH_P_ARCNET",
+    0x001B: "ETH_P_DSA",
+    0x001C: "ETH_P_TRAILER",
+    0x0060: "ETH_P_LOOP",
+    0x00F6: "ETH_P_IEEE802154",
+    0x00F7: "ETH_P_CAIF",
+    0x00F8: "ETH_P_XDSA",
+    0x00F9: "ETH_P_MAP",
+    0x0800: "ETH_P_IP",
+    0x0805: "ETH_P_X25",
+    0x0806: "ETH_P_ARP",
+    0x8035: "ETH_P_RARP",
+    0x809B: "ETH_P_ATALK",
+    0x80F3: "ETH_P_AARP",
+    0x8100: "ETH_P_8021Q",
+}
+
+# Connection and socket states
+# ref: include/net/bluetooth/bluetooth.h
+BLUETOOTH_STATES = (
+    "",
+    "CONNECTED",
+    "OPEN",
+    "BOUND",
+    "LISTEN",
+    "CONNECT",
+    "CONNECT2",
+    "CONFIG",
+    "DISCONN",
+    "CLOSED",
+)
+
+# Bluetooth protocols
+# ref: include/net/bluetooth/bluetooth.h
+BLUETOOTH_PROTOCOLS = (
+    "L2CAP",
+    "HCI",
+    "SCO",
+    "RFCOMM",
+    "BNEP",
+    "CMTP",
+    "HIDP",
+    "AVDTP",
+)